Merge staging-next into staging

2 years ago · dcb2e8ee4c
parent e4fcd01b7d 5fa63a7863
commit dcb2e8ee4c
623 changed files with 7828 additions and 7256 deletions
--- a/lib/systems/doubles.nix
+++ b/lib/systems/doubles.nix
@ -96,7 +96,9 @@ in {
                  ++ filterDoubles (matchAttrs { kernel = parse.kernels.linux; abi = parse.abis.gnueabi; })
                  ++ filterDoubles (matchAttrs { kernel = parse.kernels.linux; abi = parse.abis.gnueabihf; })
                  ++ filterDoubles (matchAttrs { kernel = parse.kernels.linux; abi = parse.abis.gnuabin32; })
-                  ++ filterDoubles (matchAttrs { kernel = parse.kernels.linux; abi = parse.abis.gnuabi64; });
+                  ++ filterDoubles (matchAttrs { kernel = parse.kernels.linux; abi = parse.abis.gnuabi64; })
+                  ++ filterDoubles (matchAttrs { kernel = parse.kernels.linux; abi = parse.abis.gnuabielfv1; })
+                  ++ filterDoubles (matchAttrs { kernel = parse.kernels.linux; abi = parse.abis.gnuabielfv2; });
  illumos       = filterDoubles predicates.isSunOS;
  linux         = filterDoubles predicates.isLinux;
  netbsd        = filterDoubles predicates.isNetBSD;
--- a/lib/systems/examples.nix
+++ b/lib/systems/examples.nix
@ -22,12 +22,11 @@ rec {
  };

  ppc64 = {
-    config = "powerpc64-unknown-linux-gnu";
-    gcc = { abi = "elfv2"; }; # for gcc configuration
+    config = "powerpc64-unknown-linux-gnuabielfv2";
  };
  ppc64-musl = {
    config = "powerpc64-unknown-linux-musl";
-    gcc = { abi = "elfv2"; }; # for gcc configuration
+    gcc = { abi = "elfv2"; };
  };

  sheevaplug = {
--- a/lib/systems/inspect.nix
+++ b/lib/systems/inspect.nix
@ -13,6 +13,13 @@ rec {
    isx86_64       = { cpu = { family = "x86"; bits = 64; }; };
    isPower        = { cpu = { family = "power"; }; };
    isPower64      = { cpu = { family = "power"; bits = 64; }; };
+    # This ABI is the default in NixOS PowerPC64 BE, but not on mainline GCC,
+    # so it sometimes causes issues in certain packages that makes the wrong
+    # assumption on the used ABI.
+    isAbiElfv2 = [
+      { abi = { abi = "elfv2"; }; }
+      { abi = { name = "musl"; }; cpu = { family = "power"; bits = 64; }; }
+    ];
    isx86          = { cpu = { family = "x86"; }; };
    isAarch32      = { cpu = { family = "arm"; bits = 32; }; };
    isAarch64      = { cpu = { family = "arm"; bits = 64; }; };
@ -65,7 +72,7 @@ rec {
    isNone         = { kernel = kernels.none; };

    isAndroid      = [ { abi = abis.android; } { abi = abis.androideabi; } ];
-    isGnu          = with abis; map (a: { abi = a; }) [ gnuabi64 gnu gnueabi gnueabihf ];
+    isGnu          = with abis; map (a: { abi = a; }) [ gnuabi64 gnu gnueabi gnueabihf gnuabielfv1 gnuabielfv2 ];
    isMusl         = with abis; map (a: { abi = a; }) [ musl musleabi musleabihf muslabin32 muslabi64 ];
    isUClibc       = with abis; map (a: { abi = a; }) [ uclibc uclibceabi uclibceabihf ];

--- a/lib/systems/parse.nix
+++ b/lib/systems/parse.nix
@ -353,6 +353,11 @@ rec {
            The "gnu" ABI is ambiguous on 32-bit ARM. Use "gnueabi" or "gnueabihf" instead.
          '';
        }
+        { assertion = platform: with platform; !(isPower64 && isBigEndian);
+          message = ''
+            The "gnu" ABI is ambiguous on big-endian 64-bit PowerPC. Use "gnuabielfv2" or "gnuabielfv1" instead.
+          '';
+        }
      ];
    };
    gnuabi64     = { abi = "64"; };
@ -364,6 +369,9 @@ rec {
    gnuabin32    = { abi = "n32"; };
    muslabin32   = { abi = "n32"; };

+    gnuabielfv2  = { abi = "elfv2"; };
+    gnuabielfv1  = { abi = "elfv1"; };
+
    musleabi     = { float = "soft"; };
    musleabihf   = { float = "hard"; };
    musl         = {};
@ -467,6 +475,8 @@ rec {
            if lib.versionAtLeast (parsed.cpu.version or "0") "6"
            then abis.gnueabihf
            else abis.gnueabi
+          # Default ppc64 BE to ELFv2
+          else if isPower64 parsed && isBigEndian parsed then abis.gnuabielfv2
          else abis.gnu
        else                     abis.unknown;
    };
--- a/maintainers/maintainer-list.nix
+++ b/maintainers/maintainer-list.nix
@ -4428,6 +4428,12 @@
    githubId = 74379;
    name = "Florian Pester";
  };
+  fmoda3 = {
+    email = "fmoda3@mac.com";
+    github = "fmoda3";
+    githubId = 1746471;
+    name = "Frank Moda III";
+  };
  fmthoma = {
    email = "f.m.thoma@googlemail.com";
    github = "fmthoma";
@ -5781,6 +5787,16 @@
    github = "jacg";
    githubId = 2570854;
  };
+  jakehamilton = {
+    name = "Jake Hamilton";
+    email = "jake.hamilton@hey.com";
+    matrix = "@jakehamilton:matrix.org";
+    github = "jakehamilton";
+    githubId = 7005773;
+    keys = [{
+      fingerprint = "B982 0250 1720 D540 6A18  2DA8 188E 4945 E85B 2D21";
+    }];
+  };
  jasoncarr = {
    email = "jcarr250@gmail.com";
    github = "jasoncarr0";
@ -6540,6 +6556,12 @@
    githubId = 705123;
    name = "Jan Tojnar";
  };
+  jtrees = {
+    email = "me@jtrees.io";
+    github = "jtrees";
+    githubId = 5802758;
+    name = "Joshua Trees";
+  };
  juaningan = {
    email = "juaningan@gmail.com";
    github = "uningan";
--- a/nixos/doc/manual/from_md/release-notes/rl-2211.section.xml
+++ b/nixos/doc/manual/from_md/release-notes/rl-2211.section.xml
@ -188,6 +188,14 @@
          <link xlink:href="options.html#opt-services.hadoop.hbase.enable">services.hadoop.hbase</link>.
        </para>
      </listitem>
+      <listitem>
+        <para>
+          <link xlink:href="https://github.com/messagebird/sachet/">Sachet</link>,
+          an SMS alerting tool for the Prometheus Alertmanager.
+          Available as
+          <link linkend="opt-services.prometheus.sachet.enable">services.prometheus.sachet</link>.
+        </para>
+      </listitem>
      <listitem>
        <para>
          <link xlink:href="https://github.com/leetronics/infnoise">infnoise</link>,
@ -255,6 +263,14 @@
          <link xlink:href="options.html#opt-services.patroni.enable">services.patroni</link>.
        </para>
      </listitem>
+      <listitem>
+        <para>
+          <link xlink:href="https://writefreely.org">WriteFreely</link>,
+          a simple blogging platform with ActivityPub support. Available
+          as
+          <link xlink:href="options.html#opt-services.writefreely.enable">services.writefreely</link>.
+        </para>
+      </listitem>
    </itemizedlist>
  </section>
  <section xml:id="sec-release-22.11-incompatibilities">
--- a/nixos/doc/manual/release-notes/rl-2211.section.md
+++ b/nixos/doc/manual/release-notes/rl-2211.section.md
@ -70,6 +70,8 @@ In addition to numerous new and upgraded packages, this release has the followin

 - [HBase cluster](https://hbase.apache.org/), a distributed, scalable, big data store. Available as [services.hadoop.hbase](options.html#opt-services.hadoop.hbase.enable).

+- [Sachet](https://github.com/messagebird/sachet/), an SMS alerting tool for the Prometheus Alertmanager. Available as [services.prometheus.sachet](#opt-services.prometheus.sachet.enable).
+
 - [infnoise](https://github.com/leetronics/infnoise), a hardware True Random Number Generator dongle.
  Available as [services.infnoise](options.html#opt-services.infnoise.enable).

@ -92,6 +94,8 @@ In addition to numerous new and upgraded packages, this release has the followin
 - [Patroni](https://github.com/zalando/patroni), a template for PostgreSQL HA with ZooKeeper, etcd or Consul.
 Available as [services.patroni](options.html#opt-services.patroni.enable).

+- [WriteFreely](https://writefreely.org), a simple blogging platform with ActivityPub support. Available as [services.writefreely](options.html#opt-services.writefreely.enable).
+
 <!-- To avoid merge conflicts, consider adding your item at an arbitrary place in the list instead. -->

 ## Backward Incompatibilities {#sec-release-22.11-incompatibilities}
--- a/nixos/lib/make-options-doc/mergeJSON.py
+++ b/nixos/lib/make-options-doc/mergeJSON.py
@ -151,7 +151,7 @@ def p_manpage(md):
    md.inline.rules.append('manpage')

 def p_admonition(md):
-    ADMONITION_PATTERN = re.compile(r'^::: \{([^\n]*?)\}\n(.*?)^:::\n', flags=re.MULTILINE|re.DOTALL)
+    ADMONITION_PATTERN = re.compile(r'^::: \{([^\n]*?)\}\n(.*?)^:::$\n*', flags=re.MULTILINE|re.DOTALL)
    def parse(self, m, state):
        return {
            'type': 'admonition',
--- a/nixos/modules/config/networking.nix
+++ b/nixos/modules/config/networking.nix
@ -35,7 +35,7 @@ in

    networking.hostFiles = lib.mkOption {
      type = types.listOf types.path;
-      defaultText = literalDocBook "Hosts from <option>networking.hosts</option> and <option>networking.extraHosts</option>";
+      defaultText = literalMD "Hosts from {option}`networking.hosts` and {option}`networking.extraHosts`";
      example = literalExpression ''[ "''${pkgs.my-blocklist-package}/share/my-blocklist/hosts" ]'';
      description = lib.mdDoc ''
        Files that should be concatenated together to form {file}`/etc/hosts`.
--- a/nixos/modules/config/pulseaudio.nix
+++ b/nixos/modules/config/pulseaudio.nix
@ -263,7 +263,7 @@ in {
          (drv: drv.override { pulseaudio = overriddenPackage; })
          cfg.extraModules;
        modulePaths = builtins.map
-          (drv: "${drv}/${overriddenPackage.pulseDir}/modules")
+          (drv: "${drv}/lib/pulseaudio/modules")
          # User-provided extra modules take precedence
          (overriddenModules ++ [ overriddenPackage ]);
      in lib.concatStringsSep ":" modulePaths;
--- a/nixos/modules/config/system-path.nix
+++ b/nixos/modules/config/system-path.nix
@ -78,10 +78,11 @@ in
      defaultPackages = mkOption {
        type = types.listOf types.package;
        default = defaultPackages;
-        defaultText = literalDocBook ''
-          these packages, with their <literal>meta.priority</literal> numerically increased
+        defaultText = literalMD ''
+          these packages, with their `meta.priority` numerically increased
          (thus lowering their installation priority):
-          <programlisting>${defaultPackagesText}</programlisting>
+
+              ${defaultPackagesText}
        '';
        example = [];
        description = lib.mdDoc ''
--- a/nixos/modules/config/users-groups.nix
+++ b/nixos/modules/config/users-groups.nix
@ -17,35 +17,35 @@ let
      ]);

  passwordDescription = ''
-    The options <option>hashedPassword</option>,
-    <option>password</option> and <option>passwordFile</option>
+    The options {option}`hashedPassword`,
+    {option}`password` and {option}`passwordFile`
    controls what password is set for the user.
-    <option>hashedPassword</option> overrides both
-    <option>password</option> and <option>passwordFile</option>.
-    <option>password</option> overrides <option>passwordFile</option>.
+    {option}`hashedPassword` overrides both
+    {option}`password` and {option}`passwordFile`.
+    {option}`password` overrides {option}`passwordFile`.
    If none of these three options are set, no password is assigned to
    the user, and the user will not be able to do password logins.
-    If the option <option>users.mutableUsers</option> is true, the
+    If the option {option}`users.mutableUsers` is true, the
    password defined in one of the three options will only be set when
    the user is created for the first time. After that, you are free to
    change the password with the ordinary user management commands. If
-    <option>users.mutableUsers</option> is false, you cannot change
+    {option}`users.mutableUsers` is false, you cannot change
    user passwords, they will always be set according to the password
    options.
  '';

  hashedPasswordDescription = ''
-    To generate a hashed password run <literal>mkpasswd -m sha-512</literal>.
+    To generate a hashed password run `mkpasswd -m sha-512`.

-    If set to an empty string (<literal>""</literal>), this user will
+    If set to an empty string (`""`), this user will
    be able to log in without being asked for a password (but not via remote
-    services such as SSH, or indirectly via <command>su</command> or
-    <command>sudo</command>). This should only be used for e.g. bootable
+    services such as SSH, or indirectly via {command}`su` or
+    {command}`sudo`). This should only be used for e.g. bootable
    live systems. Note: this is different from setting an empty password,
-    which can be achieved using <option>users.users.&lt;name?&gt;.password</option>.
+    which can be achieved using {option}`users.users.<name?>.password`.

-    If set to <literal>null</literal> (default) this user will not
-    be able to log in using a password (i.e. via <command>login</command>
+    If set to `null` (default) this user will not
+    be able to log in using a password (i.e. via {command}`login`
    command).
  '';

@ -234,7 +234,7 @@ let
      hashedPassword = mkOption {
        type = with types; nullOr (passwdEntry str);
        default = null;
-        description = ''
+        description = lib.mdDoc ''
          Specifies the hashed password for the user.
          ${passwordDescription}
          ${hashedPasswordDescription}
@ -244,7 +244,7 @@ let
      password = mkOption {
        type = with types; nullOr str;
        default = null;
-        description = ''
+        description = lib.mdDoc ''
          Specifies the (clear text) password for the user.
          Warning: do not set confidential information here
          because it is world-readable in the Nix store. This option
@ -256,11 +256,11 @@ let
      passwordFile = mkOption {
        type = with types; nullOr str;
        default = null;
-        description = ''
+        description = lib.mdDoc ''
          The full path to a file that contains the user's password. The password
          file is read on each system activation. The file should contain
          exactly one line, which should be the password in an encrypted form
-          that is suitable for the <literal>chpasswd -e</literal> command.
+          that is suitable for the `chpasswd -e` command.
          ${passwordDescription}
        '';
      };
@ -268,13 +268,13 @@ let
      initialHashedPassword = mkOption {
        type = with types; nullOr (passwdEntry str);
        default = null;
-        description = ''
+        description = lib.mdDoc ''
          Specifies the initial hashed password for the user, i.e. the
          hashed password assigned if the user does not already
-          exist. If <option>users.mutableUsers</option> is true, the
+          exist. If {option}`users.mutableUsers` is true, the
          password can be changed subsequently using the
-          <command>passwd</command> command. Otherwise, it's
-          equivalent to setting the <option>hashedPassword</option> option.
+          {command}`passwd` command. Otherwise, it's
+          equivalent to setting the {option}`hashedPassword` option.

          ${hashedPasswordDescription}
        '';
@ -458,25 +458,25 @@ in {
    users.mutableUsers = mkOption {
      type = types.bool;
      default = true;
-      description = ''
-        If set to <literal>true</literal>, you are free to add new users and groups to the system
-        with the ordinary <literal>useradd</literal> and
-        <literal>groupadd</literal> commands. On system activation, the
-        existing contents of the <literal>/etc/passwd</literal> and
-        <literal>/etc/group</literal> files will be merged with the
-        contents generated from the <literal>users.users</literal> and
-        <literal>users.groups</literal> options.
+      description = lib.mdDoc ''
+        If set to `true`, you are free to add new users and groups to the system
+        with the ordinary `useradd` and
+        `groupadd` commands. On system activation, the
+        existing contents of the `/etc/passwd` and
+        `/etc/group` files will be merged with the
+        contents generated from the `users.users` and
+        `users.groups` options.
        The initial password for a user will be set
-        according to <literal>users.users</literal>, but existing passwords
+        according to `users.users`, but existing passwords
        will not be changed.

-        <warning><para>
-        If set to <literal>false</literal>, the contents of the user and
+        ::: {.warning}
+        If set to `false`, the contents of the user and
        group files will simply be replaced on system activation. This also
        holds for the user passwords; all changed
        passwords will be reset according to the
-        <literal>users.users</literal> configuration on activation.
-        </para></warning>
+        `users.users` configuration on activation.
+        :::
      '';
    };

--- a/nixos/modules/misc/locate.nix
+++ b/nixos/modules/misc/locate.nix
@ -183,8 +183,8 @@ in
    pruneNames = mkOption {
      type = listOf str;
      default = lib.optionals (!isFindutils) [ ".bzr" ".cache" ".git" ".hg" ".svn" ];
-      defaultText = literalDocBook ''
-        <literal>[ ".bzr" ".cache" ".git" ".hg" ".svn" ]</literal>, if
+      defaultText = literalMD ''
+        `[ ".bzr" ".cache" ".git" ".hg" ".svn" ]`, if
        supported by the locate implementation (i.e. mlocate or plocate).
      '';
      description = lib.mdDoc ''
--- a/nixos/modules/module-list.nix
+++ b/nixos/modules/module-list.nix
@ -692,6 +692,7 @@
  ./services/monitoring/prometheus/alertmanager.nix
  ./services/monitoring/prometheus/exporters.nix
  ./services/monitoring/prometheus/pushgateway.nix
+  ./services/monitoring/prometheus/sachet.nix
  ./services/monitoring/prometheus/xmpp-alerts.nix
  ./services/monitoring/riemann.nix
  ./services/monitoring/riemann-dash.nix
@ -1118,6 +1119,7 @@
  ./services/web-apps/wiki-js.nix
  ./services/web-apps/whitebophir.nix
  ./services/web-apps/wordpress.nix
+  ./services/web-apps/writefreely.nix
  ./services/web-apps/youtrack.nix
  ./services/web-apps/zabbix.nix
  ./services/web-servers/agate.nix
--- a/nixos/modules/programs/gnupg.nix
+++ b/nixos/modules/programs/gnupg.nix
@ -71,7 +71,7 @@ in
      type = types.nullOr (types.enum pkgs.pinentry.flavors);
      example = "gnome3";
      default = defaultPinentryFlavor;
-      defaultText = literalDocBook ''matching the configured desktop environment'';
+      defaultText = literalMD ''matching the configured desktop environment'';
      description = lib.mdDoc ''
        Which pinentry interface to use. If not null, the path to the
        pinentry binary will be passed to gpg-agent via commandline and
--- a/nixos/modules/services/audio/mpdscribble.nix
+++ b/nixos/modules/services/audio/mpdscribble.nix
@ -128,9 +128,9 @@ in {
          mpdCfg.credentials).passwordFile
      else
        null;
-      defaultText = literalDocBook ''
+      defaultText = literalMD ''
        The first password file with read access configured for MPD when using a local instance,
-        otherwise <literal>null</literal>.
+        otherwise `null`.
      '';
      type = types.nullOr types.str;
      description = lib.mdDoc ''
--- a/nixos/modules/services/blockchain/ethereum/geth.nix
+++ b/nixos/modules/services/blockchain/ethereum/geth.nix
@ -61,6 +61,35 @@ let
        };
      };

+      authrpc = {
+        enable = lib.mkEnableOption "Go Ethereum Auth RPC API";
+        address = mkOption {
+          type = types.str;
+          default = "127.0.0.1";
+          description = lib.mdDoc "Listen address of Go Ethereum Auth RPC API.";
+        };
+
+        port = mkOption {
+          type = types.port;
+          default = 8551;
+          description = lib.mdDoc "Port number of Go Ethereum Auth RPC API.";
+        };
+
+        vhosts = mkOption {
+          type = types.nullOr (types.listOf types.str);
+          default = ["localhost"];
+          description = lib.mdDoc "List of virtual hostnames from which to accept requests.";
+          example = ["localhost" "geth.example.org"];
+        };
+
+        jwtsecret = mkOption {
+          type = types.str;
+          default = "";
+          description = lib.mdDoc "Path to a JWT secret for authenticated RPC endpoint.";
+          example = "/var/run/geth/jwtsecret";
+        };
+      };
+
      metrics = {
        enable = lib.mkEnableOption "Go Ethereum prometheus metrics";
        address = mkOption {
@ -136,7 +165,10 @@ in
      cfg.package
    ]) eachGeth);

-    systemd.services = mapAttrs' (gethName: cfg: (
+    systemd.services = mapAttrs' (gethName: cfg: let
+      stateDir = "goethereum/${gethName}/${if (cfg.network == null) then "mainnet" else cfg.network}";
+      dataDir = "/var/lib/${stateDir}";
+    in (
      nameValuePair "geth-${gethName}" (mkIf cfg.enable {
      description = "Go Ethereum node (${gethName})";
      wantedBy = [ "multi-user.target" ];
@ -145,7 +177,7 @@ in
      serviceConfig = {
        DynamicUser = true;
        Restart = "always";
-        StateDirectory = "goethereum/${gethName}/${if (cfg.network == null) then "mainnet" else cfg.network}";
+        StateDirectory = stateDir;

        # Hardening measures
        PrivateTmp = "true";
@ -169,8 +201,10 @@ in
          ${if cfg.websocket.enable then ''--ws --ws.addr ${cfg.websocket.address} --ws.port ${toString cfg.websocket.port}'' else ""} \
          ${optionalString (cfg.websocket.apis != null) ''--ws.api ${lib.concatStringsSep "," cfg.websocket.apis}''} \
          ${optionalString cfg.metrics.enable ''--metrics --metrics.addr ${cfg.metrics.address} --metrics.port ${toString cfg.metrics.port}''} \
+          --authrpc.addr ${cfg.authrpc.address} --authrpc.port ${toString cfg.authrpc.port} --authrpc.vhosts ${lib.concatStringsSep "," cfg.authrpc.vhosts} \
+          ${if (cfg.authrpc.jwtsecret != "") then ''--authrpc.jwtsecret ${cfg.authrpc.jwtsecret}'' else ''--authrpc.jwtsecret ${dataDir}/geth/jwtsecret''} \
          ${lib.escapeShellArgs cfg.extraArgs} \
-          --datadir /var/lib/goethereum/${gethName}/${if (cfg.network == null) then "mainnet" else cfg.network}
+          --datadir ${dataDir}
      '';
    }))) eachGeth;

--- a/nixos/modules/services/cluster/kubernetes/addons/dns.nix
+++ b/nixos/modules/services/cluster/kubernetes/addons/dns.nix
@ -23,9 +23,9 @@ in {
          take 3 (splitString "." config.services.kubernetes.apiserver.serviceClusterIpRange
        ))
      ) + ".254";
-      defaultText = literalDocBook ''
-        The <literal>x.y.z.254</literal> IP of
-        <literal>config.${options.services.kubernetes.apiserver.serviceClusterIpRange}</literal>.
+      defaultText = literalMD ''
+        The `x.y.z.254` IP of
+        `config.${options.services.kubernetes.apiserver.serviceClusterIpRange}`.
      '';
      type = types.str;
    };
--- a/nixos/modules/services/cluster/kubernetes/kubelet.nix
+++ b/nixos/modules/services/cluster/kubernetes/kubelet.nix
@ -40,7 +40,7 @@ let
      key = mkOption {
        description = lib.mdDoc "Key of taint.";
        default = name;
-        defaultText = literalDocBook "Name of this submodule.";
+        defaultText = literalMD "Name of this submodule.";
        type = str;
      };
      value = mkOption {
--- a/nixos/modules/services/computing/slurm/slurm.nix
+++ b/nixos/modules/services/computing/slurm/slurm.nix
@ -281,9 +281,9 @@ in
        type = types.path;
        internal = true;
        default = etcSlurm;
-        defaultText = literalDocBook ''
+        defaultText = literalMD ''
          Directory created from generated config files and
-          <literal>config.${opt.extraConfigPaths}</literal>.
+          `config.${opt.extraConfigPaths}`.
        '';
        description = ''
          Path to directory with slurm config files. This option is set by default from the
--- a/nixos/modules/services/continuous-integration/buildbot/master.nix
+++ b/nixos/modules/services/continuous-integration/buildbot/master.nix
@ -94,7 +94,7 @@ in {
        type = types.path;
        description = lib.mdDoc "Optionally pass master.cfg path. Other options in this configuration will be ignored.";
        default = defaultMasterCfg;
-        defaultText = literalDocBook ''generated configuration file'';
+        defaultText = literalMD ''generated configuration file'';
        example = "/etc/nixos/buildbot/master.cfg";
      };

--- a/nixos/modules/services/continuous-integration/buildkite-agents.nix
+++ b/nixos/modules/services/continuous-integration/buildkite-agents.nix
@ -168,7 +168,7 @@ let
      hooksPath = mkOption {
        type = types.path;
        default = hooksDir config;
-        defaultText = literalDocBook "generated from <option>services.buildkite-agents.&lt;name&gt;.hooks</option>";
+        defaultText = literalMD "generated from {option}`services.buildkite-agents.<name>.hooks`";
        description = lib.mdDoc ''
          Path to the directory storing the hooks.
          Consider using {option}`services.buildkite-agents.<name>.hooks.<name>`
--- a/nixos/modules/services/continuous-integration/hercules-ci-agent/common.nix
+++ b/nixos/modules/services/continuous-integration/hercules-ci-agent/common.nix
@ -10,7 +10,7 @@
 let
  inherit (lib)
    filterAttrs
-    literalDocBook
+    literalMD
    literalExpression
    mkIf
    mkOption
@ -235,7 +235,7 @@ in
    tomlFile = mkOption {
      type = types.path;
      internal = true;
-      defaultText = literalDocBook "generated <literal>hercules-ci-agent.toml</literal>";
+      defaultText = literalMD "generated `hercules-ci-agent.toml`";
      description = ''
        The fully assembled config file.
      '';
--- a/nixos/modules/services/games/quake3-server.nix
+++ b/nixos/modules/services/games/quake3-server.nix
@ -71,7 +71,7 @@ in {
      baseq3 = mkOption {
        type = types.either types.package types.path;
        default = defaultBaseq3;
-        defaultText = literalDocBook "Manually downloaded Quake 3 installation directory.";
+        defaultText = literalMD "Manually downloaded Quake 3 installation directory.";
        example = "/var/lib/q3ds";
        description = lib.mdDoc ''
          Path to the baseq3 files (pak*.pk3). If this is on the nix store (type = package) all .pk3 files should be saved
--- a/nixos/modules/services/hardware/thinkfan.nix
+++ b/nixos/modules/services/hardware/thinkfan.nix
@ -43,24 +43,26 @@ let
      };
      query = mkOption {
        type = types.str;
-        description = ''
+        description = lib.mdDoc ''
          The query string used to match one or more ${name}s: can be
          a fullpath to the temperature file (single ${name}) or a fullpath
          to a driver directory (multiple ${name}s).

-          <note><para>
-            When multiple ${name}s match, the query can be restricted using the
-            <option>name</option> or <option>indices</option> options.
-          </para></note>
+          ::: {.note}
+          When multiple ${name}s match, the query can be restricted using the
+          {option}`name` or {option}`indices` options.
+          :::
        '';
      };
      indices = mkOption {
        type = with types; nullOr (listOf ints.unsigned);
        default = null;
-        description = ''
+        description = lib.mdDoc ''
          A list of ${name}s to pick in case multiple ${name}s match the query.

-          <note><para>Indices start from 0.</para></note>
+          ::: {.note}
+          Indices start from 0.
+          :::
        '';
      };
    } // optionalAttrs (name == "sensor") {
@ -81,18 +83,18 @@ let
    // { "${type}" = query; };

  syntaxNote = name: ''
-    <note><para>
-      This section slightly departs from the thinkfan.conf syntax.
-      The type and path must be specified like this:
-      <literal>
-        type = "tpacpi";
-        query = "/proc/acpi/ibm/${name}";
-      </literal>
-      instead of a single declaration like:
-      <literal>
-        - tpacpi: /proc/acpi/ibm/${name}
-      </literal>
-    </para></note>
+    ::: {.note}
+    This section slightly departs from the thinkfan.conf syntax.
+    The type and path must be specified like this:
+    ```
+      type = "tpacpi";
+      query = "/proc/acpi/ibm/${name}";
+    ```
+    instead of a single declaration like:
+    ```
+      - tpacpi: /proc/acpi/ibm/${name}
+    ```
+    :::
  '';

 in {
@ -104,13 +106,13 @@ in {
      enable = mkOption {
        type = types.bool;
        default = false;
-        description = ''
+        description = lib.mdDoc ''
          Whether to enable thinkfan, a fan control program.

-          <note><para>
-            This module targets IBM/Lenovo thinkpads by default, for
-            other hardware you will have configure it more carefully.
-          </para></note>
+          ::: {.note}
+          This module targets IBM/Lenovo thinkpads by default, for
+          other hardware you will have configure it more carefully.
+          :::
        '';
        relatedPackages = [ "thinkfan" ];
      };
@ -131,9 +133,11 @@ in {
            query = "/proc/acpi/ibm/thermal";
          }
        ];
-        description = ''
+        description = lib.mdDoc ''
          List of temperature sensors thinkfan will monitor.
-        '' + syntaxNote "thermal";
+
+          ${syntaxNote "thermal"}
+        '';
      };

      fans = mkOption {
@ -143,9 +147,11 @@ in {
            query = "/proc/acpi/ibm/fan";
          }
        ];
-        description = ''
+        description = lib.mdDoc ''
          List of fans thinkfan will control.
-        '' + syntaxNote "fan";
+
+          ${syntaxNote "fan"}
+        '';
      };

      levels = mkOption {
--- a/nixos/modules/services/mail/public-inbox.nix
+++ b/nixos/modules/services/mail/public-inbox.nix
@ -6,8 +6,6 @@ let
  cfg = config.services.public-inbox;
  stateDir = "/var/lib/public-inbox";

-  manref = name: vol: "<citerefentry><refentrytitle>${name}</refentrytitle><manvolnum>${toString vol}</manvolnum></citerefentry>";
-
  gitIni = pkgs.formats.gitIni { listsAsDuplicateKeys = true; };
  iniAtom = elemAt gitIni.type/*attrsOf*/.functor.wrapped/*attrsOf*/.functor.wrapped/*either*/.functor.wrapped 0;

@ -18,7 +16,7 @@ let
    args = mkOption {
      type = with types; listOf str;
      default = [];
-      description = "Command-line arguments to pass to ${manref "public-inbox-${proto}d" 1}.";
+      description = lib.mdDoc "Command-line arguments to pass to {manpage}`public-inbox-${proto}d(1)`.";
    };
    port = mkOption {
      type = with types; nullOr (either str port);
@ -34,13 +32,13 @@ let
      type = with types; nullOr str;
      default = null;
      example = "/path/to/fullchain.pem";
-      description = "Path to TLS certificate to use for connections to ${manref "public-inbox-${proto}d" 1}.";
+      description = lib.mdDoc "Path to TLS certificate to use for connections to {manpage}`public-inbox-${proto}d(1)`.";
    };
    key = mkOption {
      type = with types; nullOr str;
      default = null;
      example = "/path/to/key.pem";
-      description = "Path to TLS key to use for connections to ${manref "public-inbox-${proto}d" 1}.";
+      description = lib.mdDoc "Path to TLS key to use for connections to {manpage}`public-inbox-${proto}d(1)`.";
    };
  };

@ -198,15 +196,15 @@ in
        options.watch = mkOption {
          type = with types; listOf str;
          default = [];
-          description = "Paths for ${manref "public-inbox-watch" 1} to monitor for new mail.";
+          description = lib.mdDoc "Paths for {manpage}`public-inbox-watch(1)` to monitor for new mail.";
          example = [ "maildir:/path/to/test.example.com.git" ];
        };
        options.watchheader = mkOption {
          type = with types; nullOr str;
          default = null;
          example = "List-Id:<test@example.com>";
-          description = ''
-            If specified, ${manref "public-inbox-watch" 1} will only process
+          description = lib.mdDoc ''
+            If specified, {manpage}`public-inbox-watch(1)` will only process
            mail containing a matching header.
          '';
        };
@ -253,7 +251,7 @@ in
      args = mkOption {
        type = with types; listOf str;
        default = [];
-        description = "Command-line arguments to pass to ${manref "public-inbox-mda" 1}.";
+        description = lib.mdDoc "Command-line arguments to pass to {manpage}`public-inbox-mda(1)`.";
      };
    };
    postfix.enable = mkEnableOption "the integration into Postfix";
@ -302,16 +300,16 @@ in
        options.publicinboxmda.spamcheck = mkOption {
          type = with types; enum [ "spamc" "none" ];
          default = "none";
-          description = ''
-            If set to spamc, ${manref "public-inbox-watch" 1} will filter spam
+          description = lib.mdDoc ''
+            If set to spamc, {manpage}`public-inbox-watch(1)` will filter spam
            using SpamAssassin.
          '';
        };
        options.publicinboxwatch.spamcheck = mkOption {
          type = with types; enum [ "spamc" "none" ];
          default = "none";
-          description = ''
-            If set to spamc, ${manref "public-inbox-watch" 1} will filter spam
+          description = lib.mdDoc ''
+            If set to spamc, {manpage}`public-inbox-watch(1)` will filter spam
            using SpamAssassin.
          '';
        };
--- a/nixos/modules/services/misc/gitweb.nix
+++ b/nixos/modules/services/misc/gitweb.nix
@ -47,7 +47,7 @@ in
        $highlight_bin = "${pkgs.highlight}/bin/highlight";
        ${cfg.extraConfig}
      '';
-      defaultText = literalDocBook "generated config file";
+      defaultText = literalMD "generated config file";
      type = types.path;
      readOnly = true;
      internal = true;
--- a/nixos/modules/services/misc/nix-daemon.nix
+++ b/nixos/modules/services/misc/nix-daemon.nix
@ -430,13 +430,14 @@ in
            };
            config = {
              from = mkDefault { type = "indirect"; id = name; };
-              to = mkIf (config.flake != null) (mkDefault
+              to = mkIf (config.flake != null) (mkDefault (
                {
                  type = "path";
                  path = config.flake.outPath;
                } // filterAttrs
-                (n: _: n == "lastModified" || n == "rev" || n == "revCount" || n == "narHash")
-                config.flake);
+                  (n: _: n == "lastModified" || n == "rev" || n == "revCount" || n == "narHash")
+                  config.flake
+              ));
            };
          }
        ));
--- a/nixos/modules/services/misc/plex.nix
+++ b/nixos/modules/services/misc/plex.nix
@ -134,6 +134,7 @@ in

        ExecStart = "${cfg.package}/bin/plexmediaserver";
        KillSignal = "SIGQUIT";
+        PIDFile = "${cfg.dataDir}/Plex Media Server/plexmediaserver.pid";
        Restart = "on-failure";
      };

--- a/nixos/modules/services/misc/rippled.nix
+++ b/nixos/modules/services/misc/rippled.nix
@ -401,7 +401,7 @@ in
      config = mkOption {
        internal = true;
        default = pkgs.writeText "rippled.conf" rippledCfg;
-        defaultText = literalDocBook "generated config file";
+        defaultText = literalMD "generated config file";
      };
    };
  };
--- a/nixos/modules/services/monitoring/prometheus/default.nix
+++ b/nixos/modules/services/monitoring/prometheus/default.nix
@ -99,14 +99,14 @@ let

  mkDefOpt = type: defaultStr: description: mkOpt type (description + ''

-    Defaults to <literal>${defaultStr}</literal> in prometheus
-    when set to <literal>null</literal>.
+    Defaults to ````${defaultStr}```` in prometheus
+    when set to `null`.
  '');

  mkOpt = type: description: mkOption {
    type = types.nullOr type;
    default = null;
-    inherit description;
+    description = lib.mdDoc description;
  };

  mkSdConfigModule = extraOptions: types.submodule {
@ -288,7 +288,7 @@ let

        If honor_labels is set to "false", label conflicts are
        resolved by renaming conflicting labels in the scraped data
-        to "exported_&lt;original-label&gt;" (for example
+        to "exported_\<original-label\>" (for example
        "exported_instance", "exported_job") and then attaching
        server-side labels. This is useful for use cases such as
        federation, where all labels specified in the target should
@ -299,10 +299,10 @@ let
        honor_timestamps controls whether Prometheus respects the timestamps present
        in scraped data.

-        If honor_timestamps is set to <literal>true</literal>, the timestamps of the metrics exposed
+        If honor_timestamps is set to `true`, the timestamps of the metrics exposed
        by the target will be used.

-        If honor_timestamps is set to <literal>false</literal>, the timestamps of the metrics exposed
+        If honor_timestamps is set to `false`, the timestamps of the metrics exposed
        by the target will be ignored.
      '';

@ -323,13 +323,13 @@ let
      bearer_token = mkOpt types.str ''
        Sets the `Authorization` header on every scrape request with
        the configured bearer token. It is mutually exclusive with
-        <option>bearer_token_file</option>.
+        {option}`bearer_token_file`.
      '';

      bearer_token_file = mkOpt types.str ''
        Sets the `Authorization` header on every scrape request with
        the bearer token read from the configured file. It is mutually
-        exclusive with <option>bearer_token</option>.
+        exclusive with {option}`bearer_token`.
      '';

      tls_config = mkOpt promTypes.tls_config ''
@ -379,7 +379,7 @@ let
      gce_sd_configs = mkOpt (types.listOf promTypes.gce_sd_config) ''
        List of Google Compute Engine service discovery configurations.

-        See <link xlink:href="https://prometheus.io/docs/prometheus/latest/configuration/configuration/#gce_sd_config">the relevant Prometheus configuration docs</link>
+        See [the relevant Prometheus configuration docs](https://prometheus.io/docs/prometheus/latest/configuration/configuration/#gce_sd_config)
        for more detail.
      '';

@ -591,7 +591,7 @@ let

    allow_stale = mkOpt types.bool ''
      Allow stale Consul results
-      (see <link xlink:href="https://www.consul.io/api/index.html#consistency-modes"/>).
+      (see <https://www.consul.io/api/index.html#consistency-modes>).

      Will reduce load on Consul.
    '';
@ -632,16 +632,16 @@ let
        options = {
          name = mkOption {
            type = types.str;
-            description = ''
+            description = lib.mdDoc ''
              Name of the filter. The available filters are listed in the upstream documentation:
-              Services: <link xlink:href="https://docs.docker.com/engine/api/v1.40/#operation/ServiceList"/>
-              Tasks: <link xlink:href="https://docs.docker.com/engine/api/v1.40/#operation/TaskList"/>
-              Nodes: <link xlink:href="https://docs.docker.com/engine/api/v1.40/#operation/NodeList"/>
+              Services: <https://docs.docker.com/engine/api/v1.40/#operation/ServiceList>
+              Tasks: <https://docs.docker.com/engine/api/v1.40/#operation/TaskList>
+              Nodes: <https://docs.docker.com/engine/api/v1.40/#operation/NodeList>
            '';
          };
          values = mkOption {
            type = types.str;
-            description = ''
+            description = lib.mdDoc ''
              Value for the filter.
            '';
          };
@ -707,12 +707,12 @@ let

      access_key = mkOpt types.str ''
        The AWS API key id. If blank, the environment variable
-        <literal>AWS_ACCESS_KEY_ID</literal> is used.
+        `AWS_ACCESS_KEY_ID` is used.
      '';

      secret_key = mkOpt types.str ''
        The AWS API key secret. If blank, the environment variable
-         <literal>AWS_SECRET_ACCESS_KEY</literal> is used.
+         `AWS_SECRET_ACCESS_KEY` is used.
      '';

      profile = mkOpt types.str ''
@ -738,8 +738,8 @@ let
          options = {
            name = mkOption {
              type = types.str;
-              description = ''
-                See <link xlink:href="https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DescribeInstances.html">this list</link>
+              description = lib.mdDoc ''
+                See [this list](https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DescribeInstances.html)
                for the available filters.
              '';
            };
@ -747,7 +747,7 @@ let
            values = mkOption {
              type = types.listOf types.str;
              default = [ ];
-              description = ''
+              description = lib.mdDoc ''
                Value of the filter.
              '';
            };
@ -806,7 +806,7 @@ let
      filter = mkOpt types.str ''
        Filter can be used optionally to filter the instance list by other
        criteria Syntax of this filter string is described here in the filter
-        query parameter section: <link xlink:href="https://cloud.google.com/compute/docs/reference/latest/instances/list"/>.
+        query parameter section: <https://cloud.google.com/compute/docs/reference/latest/instances/list>.
      '';

      refresh_interval = mkDefOpt types.str "60s" ''
@ -822,7 +822,7 @@ let
        The tag separator used to separate concatenated GCE instance network tags.

        See the GCP documentation on network tags for more information:
-        <link xlink:href="https://cloud.google.com/vpc/docs/add-remove-network-tags"/>
+        <https://cloud.google.com/vpc/docs/add-remove-network-tags>
      '';
    };
  };
@ -917,7 +917,7 @@ let
            options = {
              role = mkOption {
                type = types.str;
-                description = ''
+                description = lib.mdDoc ''
                  Selector role
                '';
              };
@ -976,11 +976,11 @@ let
      '';

      access_key = mkOpt types.str ''
-        The AWS API keys. If blank, the environment variable <literal>AWS_ACCESS_KEY_ID</literal> is used.
+        The AWS API keys. If blank, the environment variable `AWS_ACCESS_KEY_ID` is used.
      '';

      secret_key = mkOpt types.str ''
-        The AWS API keys. If blank, the environment variable <literal>AWS_SECRET_ACCESS_KEY</literal> is used.
+        The AWS API keys. If blank, the environment variable `AWS_SECRET_ACCESS_KEY` is used.
      '';

      profile = mkOpt types.str ''
@ -1030,14 +1030,14 @@ let

    auth_token = mkOpt types.str ''
      Optional authentication information for token-based authentication:
-      <link xlink:href="https://docs.mesosphere.com/1.11/security/ent/iam-api/#passing-an-authentication-token"/>
-      It is mutually exclusive with <literal>auth_token_file</literal> and other authentication mechanisms.
+      <https://docs.mesosphere.com/1.11/security/ent/iam-api/#passing-an-authentication-token>
+      It is mutually exclusive with `auth_token_file` and other authentication mechanisms.
    '';

    auth_token_file = mkOpt types.str ''
      Optional authentication information for token-based authentication:
-      <link xlink:href="https://docs.mesosphere.com/1.11/security/ent/iam-api/#passing-an-authentication-token"/>
-      It is mutually exclusive with <literal>auth_token</literal> and other authentication mechanisms.
+      <https://docs.mesosphere.com/1.11/security/ent/iam-api/#passing-an-authentication-token>
+      It is mutually exclusive with `auth_token` and other authentication mechanisms.
    '';
  };

@ -1299,7 +1299,7 @@ let
      };

      groups = mkOpt (types.listOf types.str) ''
-        A list of groups for which targets are retrieved, only supported when targeting the <literal>container</literal> role.
+        A list of groups for which targets are retrieved, only supported when targeting the `container` role.
        If omitted all containers owned by the requesting account are scraped.
      '';

--- a/nixos/modules/services/monitoring/prometheus/sachet.nix
+++ b/nixos/modules/services/monitoring/prometheus/sachet.nix
@ -0,0 +1,88 @@
+{ config, pkgs, lib, ... }:
+
+with lib;
+
+let
+  cfg = config.services.prometheus.sachet;
+  configFile = pkgs.writeText "sachet.yml" (builtins.toJSON cfg.configuration);
+in
+{
+  options = {
+    services.prometheus.sachet = {
+      enable = mkEnableOption "Sachet, an SMS alerting tool for the Prometheus Alertmanager";
+
+      configuration = mkOption {
+        type = types.nullOr types.attrs;
+        default = null;
+        example = literalExample ''
+          {
+            providers = {
+              twilio = {
+                # environment variables gets expanded at runtime
+                account_sid = "$TWILIO_ACCOUNT";
+                auth_token = "$TWILIO_TOKEN";
+              };
+            };
+            templates = [ ./some-template.tmpl ];
+            receivers = [{
+              name = "pager";
+              provider = "twilio";
+              to = [ "+33123456789" ];
+              text = "{{ template \"message\" . }}";
+            }];
+          }
+        '';
+        description = ''
+          Sachet's configuration as a nix attribute set.
+        '';
+      };
+
+      address = mkOption {
+        type = types.str;
+        default = "localhost";
+        description = ''
+          The address Sachet will listen to.
+        '';
+      };
+
+      port = mkOption {
+        type = types.port;
+        default = 9876;
+        description = ''
+          The port Sachet will listen to.
+        '';
+      };
+
+    };
+  };
+
+  config = mkIf cfg.enable {
+    assertions = singleton {
+      assertion = cfg.configuration != null;
+      message = "Cannot enable Sachet without a configuration.";
+    };
+
+    systemd.services.sachet = {
+      wantedBy = [ "multi-user.target" ];
+      after = [ "network.target" "network-online.target" ];
+      script = ''
+        ${pkgs.envsubst}/bin/envsubst -i "${configFile}" > /tmp/sachet.yaml
+        exec ${pkgs.prometheus-sachet}/bin/sachet -config /tmp/sachet.yaml -listen-address ${cfg.address}:${builtins.toString cfg.port}
+      '';
+
+      serviceConfig = {
+        Restart = "always";
+
+        ProtectSystem = "strict";
+        ProtectHome = true;
+        ProtectKernelTunables = true;
+        ProtectKernelModules = true;
+        ProtectControlGroups = true;
+
+        DynamicUser = true;
+        PrivateTmp = true;
+        WorkingDirectory = "/tmp/";
+      };
+    };
+  };
+}
--- a/nixos/modules/services/monitoring/thanos.nix
+++ b/nixos/modules/services/monitoring/thanos.nix
@ -8,7 +8,7 @@ let
  nullOpt = type: description: mkOption {
    type = types.nullOr type;
    default = null;
-    inherit description;
+    description = lib.mdDoc description;
  };

  optionToArgs = opt: v  : optional (v != null)  ''--${opt}="${toString v}"'';
@ -18,8 +18,8 @@ let

  mkParamDef = type: default: description: mkParam type (description + ''

-    Defaults to <literal>${toString default}</literal> in Thanos
-    when set to <literal>null</literal>.
+    Defaults to `${toString default}` in Thanos
+    when set to `null`.
  '');

  mkParam = type: description: {
@ -32,7 +32,7 @@ let
    option = mkOption {
      type = types.bool;
      default = false;
-      inherit description;
+      description = lib.mdDoc description;
    };
  };

@ -41,7 +41,7 @@ let
    option = mkOption {
      type = types.listOf types.str;
      default = [];
-      inherit description;
+      description = lib.mdDoc description;
    };
  };

@ -50,7 +50,7 @@ let
    option = mkOption {
      type = types.attrsOf types.str;
      default = {};
-      inherit description;
+      description = lib.mdDoc description;
    };
  };

@ -59,7 +59,7 @@ let
    option = mkOption {
      type = types.str;
      inherit default;
-      inherit description;
+      description = lib.mdDoc description;
    };
  };

@ -83,8 +83,8 @@ let
  mkArgumentsOption = cmd: mkOption {
    type = types.listOf types.str;
    default = argumentsOf cmd;
-    defaultText = literalDocBook ''
-      calculated from <literal>config.services.thanos.${cmd}</literal>
+    defaultText = literalMD ''
+      calculated from `config.services.thanos.${cmd}`
    '';
    description = lib.mdDoc ''
      Arguments to the `thanos ${cmd}` command.
@ -141,13 +141,13 @@ let
          option = nullOpt types.attrs ''
            Tracing configuration.

-            When not <literal>null</literal> the attribute set gets converted to
+            When not `null` the attribute set gets converted to
            a YAML file and stored in the Nix store. The option
-            <option>tracing.config-file</option> will default to its path.
+            {option}`tracing.config-file` will default to its path.

-            If <option>tracing.config-file</option> is set this option has no effect.
+            If {option}`tracing.config-file` is set this option has no effect.

-            See format details: <link xlink:href="https://thanos.io/tracing.md/#configuration"/>
+            See format details: <https://thanos.io/tracing.md/#configuration>
          '';
        };
    };
@ -155,11 +155,11 @@ let
    common = cfg: params.log // params.tracing cfg // {

      http-address = mkParamDef types.str "0.0.0.0:10902" ''
-        Listen <literal>host:port</literal> for HTTP endpoints.
+        Listen `host:port` for HTTP endpoints.
      '';

      grpc-address = mkParamDef types.str "0.0.0.0:10901" ''
-        Listen <literal>ip:port</literal> address for gRPC endpoints (StoreAPI).
+        Listen `ip:port` address for gRPC endpoints (StoreAPI).

        Make sure this address is routable from other components.
      '';
@ -206,13 +206,13 @@ let
          option = nullOpt types.attrs ''
            Object store configuration.

-            When not <literal>null</literal> the attribute set gets converted to
+            When not `null` the attribute set gets converted to
            a YAML file and stored in the Nix store. The option
-            <option>objstore.config-file</option> will default to its path.
+            {option}`objstore.config-file` will default to its path.

-            If <option>objstore.config-file</option> is set this option has no effect.
+            If {option}`objstore.config-file` is set this option has no effect.

-            See format details: <link xlink:href="https://thanos.io/storage.md/#configuration"/>
+            See format details: <https://thanos.io/storage.md/#configuration>
          '';
        };
    };
@ -254,7 +254,7 @@ let
    store = params.common cfg.store // params.objstore cfg.store // {

      stateDir = mkStateDirParam "data-dir" "thanos-store" ''
-        Data directory relative to <literal>/var/lib</literal>
+        Data directory relative to `/var/lib`
        in which to cache remote blocks.
      '';

@ -269,7 +269,7 @@ let
      store.grpc.series-sample-limit = mkParamDef types.int 0 ''
        Maximum amount of samples returned via a single Series call.

-        <literal>0</literal> means no limit.
+        `0` means no limit.

        NOTE: for efficiency we take 120 as the number of samples in chunk (it
        cannot be bigger than that), so the actual number of samples might be
@ -327,14 +327,14 @@ let

      grpc-client-server-name = mkParam types.str ''
        Server name to verify the hostname on the returned gRPC certificates.
-        See <link xlink:href="https://tools.ietf.org/html/rfc4366#section-3.1"/>
+        See <https://tools.ietf.org/html/rfc4366#section-3.1>
      '';

      web.route-prefix = mkParam types.str ''
        Prefix for API and UI endpoints.

        This allows thanos UI to be served on a sub-path. This option is
-        analogous to <option>web.route-prefix</option> of Promethus.
+        analogous to {option}`web.route-prefix` of Promethus.
      '';

      web.external-prefix = mkParam types.str ''
@ -342,7 +342,7 @@ let
        interface.

        Actual endpoints are still served on / or the
-        <option>web.route-prefix</option>. This allows thanos UI to be served
+        {option}`web.route-prefix`. This allows thanos UI to be served
        behind a reverse proxy that strips a URL sub-path.
      '';

@ -351,15 +351,15 @@ let
        redirects.

        This option is ignored if the option
-        <literal>web.external-prefix</literal> is set.
+        `web.external-prefix` is set.

        Security risk: enable this option only if a reverse proxy in front of
        thanos is resetting the header.

-        The setting <literal>web.prefix-header="X-Forwarded-Prefix"</literal>
+        The setting `web.prefix-header="X-Forwarded-Prefix"`
        can be useful, for example, if Thanos UI is served via Traefik reverse
-        proxy with <literal>PathPrefixStrip</literal> option enabled, which
-        sends the stripped prefix value in <literal>X-Forwarded-Prefix</literal>
+        proxy with `PathPrefixStrip` option enabled, which
+        sends the stripped prefix value in `X-Forwarded-Prefix`
        header. This allows thanos UI to be served on a sub-path.
      '';

@ -376,7 +376,7 @@ let
        deduplicated.

        Still you will be able to query without deduplication using
-        <literal>dedup=false</literal> parameter.
+        `dedup=false` parameter.
      '';

      selector-labels = mkAttrsParam "selector-label" ''
@ -386,8 +386,8 @@ let
      store.addresses = mkListParam "store" ''
        Addresses of statically configured store API servers.

-        The scheme may be prefixed with <literal>dns+</literal> or
-        <literal>dnssrv+</literal> to detect store API servers through
+        The scheme may be prefixed with `dns+` or
+        `dnssrv+` to detect store API servers through
        respective DNS lookups.
      '';

@ -411,12 +411,12 @@ let
      query.auto-downsampling = mkFlagParam ''
        Enable automatic adjustment (step / 5) to what source of data should
        be used in store gateways if no
-        <literal>max_source_resolution</literal> param is specified.
+        `max_source_resolution` param is specified.
      '';

      query.partial-response = mkFlagParam ''
        Enable partial response for queries if no
-        <literal>partial_response</literal> param is specified.
+        `partial_response` param is specified.
      '';

      query.default-evaluation-interval = mkParamDef types.str "1m" ''
@ -426,7 +426,7 @@ let
      store.response-timeout = mkParamDef types.str "0ms" ''
        If a Store doesn't send any data in this specified duration then a
        Store will be ignored and partial data will be returned if it's
-        enabled. <literal>0</literal> disables timeout.
+        enabled. `0` disables timeout.
      '';
    };

@ -440,7 +440,7 @@ let
      '';

      stateDir = mkStateDirParam "data-dir" "thanos-rule" ''
-        Data directory relative to <literal>/var/lib</literal>.
+        Data directory relative to `/var/lib`.
      '';

      rule-files = mkListParam "rule-file" ''
@ -464,9 +464,9 @@ let

        Ruler claims success if push to at least one alertmanager from
        discovered succeeds. The scheme may be prefixed with
-        <literal>dns+</literal> or <literal>dnssrv+</literal> to detect
+        `dns+` or `dnssrv+` to detect
        Alertmanager IPs through respective DNS lookups. The port defaults to
-        <literal>9093</literal> or the SRV record's value. The URL path is
+        `9093` or the SRV record's value. The URL path is
        used as a prefix for the regular Alertmanager API path.
      '';

@ -491,7 +491,7 @@ let

        This allows thanos UI to be served on a sub-path.

-        This option is analogous to <literal>--web.route-prefix</literal> of Promethus.
+        This option is analogous to `--web.route-prefix` of Promethus.
      '';

      web.external-prefix = mkParam types.str ''
@ -499,7 +499,7 @@ let
        interface.

        Actual endpoints are still served on / or the
-        <option>web.route-prefix</option>. This allows thanos UI to be served
+        {option}`web.route-prefix`. This allows thanos UI to be served
        behind a reverse proxy that strips a URL sub-path.
      '';

@ -508,23 +508,23 @@ let
        redirects.

        This option is ignored if the option
-        <option>web.external-prefix</option> is set.
+        {option}`web.external-prefix` is set.

        Security risk: enable this option only if a reverse proxy in front of
        thanos is resetting the header.

-        The header <literal>X-Forwarded-Prefix</literal> can be useful, for
+        The header `X-Forwarded-Prefix` can be useful, for
        example, if Thanos UI is served via Traefik reverse proxy with
-        <literal>PathPrefixStrip</literal> option enabled, which sends the
-        stripped prefix value in <literal>X-Forwarded-Prefix</literal>
+        `PathPrefixStrip` option enabled, which sends the
+        stripped prefix value in `X-Forwarded-Prefix`
        header. This allows thanos UI to be served on a sub-path.
      '';

      query.addresses = mkListParam "query" ''
        Addresses of statically configured query API servers.

-        The scheme may be prefixed with <literal>dns+</literal> or
-        <literal>dnssrv+</literal> to detect query API servers through
+        The scheme may be prefixed with `dns+` or
+        `dnssrv+` to detect query API servers through
        respective DNS lookups.
      '';

@ -545,11 +545,11 @@ let
    compact = params.log // params.tracing cfg.compact // params.objstore cfg.compact // {

      http-address = mkParamDef types.str "0.0.0.0:10902" ''
-        Listen <literal>host:port</literal> for HTTP endpoints.
+        Listen `host:port` for HTTP endpoints.
      '';

      stateDir = mkStateDirParam "data-dir" "thanos-compact" ''
-        Data directory relative to <literal>/var/lib</literal>
+        Data directory relative to `/var/lib`
        in which to cache blocks and process compactions.
      '';

@ -562,28 +562,28 @@ let
      retention.resolution-raw = mkParamDef types.str "0d" ''
        How long to retain raw samples in bucket.

-        <literal>0d</literal> - disables this retention
+        `0d` - disables this retention
      '';

      retention.resolution-5m = mkParamDef types.str "0d" ''
        How long to retain samples of resolution 1 (5 minutes) in bucket.

-        <literal>0d</literal> - disables this retention
+        `0d` - disables this retention
      '';

      retention.resolution-1h = mkParamDef types.str "0d" ''
        How long to retain samples of resolution 2 (1 hour) in bucket.

-        <literal>0d</literal> - disables this retention
+        `0d` - disables this retention
      '';

      startAt = {
        toArgs = _opt: startAt: flagToArgs "wait" (startAt == null);
        option = nullOpt types.str ''
-          When this option is set to a <literal>systemd.time</literal>
+          When this option is set to a `systemd.time`
          specification the Thanos compactor will run at the specified period.

-          When this option is <literal>null</literal> the Thanos compactor service
+          When this option is `null` the Thanos compactor service
          will run continuously. So it will not exit after all compactions have
          been processed but wait for new work.
        '';
@ -609,7 +609,7 @@ let
    downsample = params.log // params.tracing cfg.downsample // params.objstore cfg.downsample // {

      stateDir = mkStateDirParam "data-dir" "thanos-downsample" ''
-        Data directory relative to <literal>/var/lib</literal>
+        Data directory relative to `/var/lib`
        in which to cache blocks and process downsamplings.
      '';

@ -622,7 +622,7 @@ let
      '';

      stateDir = mkStateDirParam "tsdb.path" "thanos-receive" ''
-        Data directory relative to <literal>/var/lib</literal> of TSDB.
+        Data directory relative to `/var/lib` of TSDB.
      '';

      labels = mkAttrsParam "labels" ''
@ -635,7 +635,7 @@ let
      tsdb.retention = mkParamDef types.str "15d" ''
        How long to retain raw samples on local storage.

-        <literal>0d</literal> - disables this retention
+        `0d` - disables this retention
      '';
    };

--- a/nixos/modules/services/networking/dnscrypt-proxy2.nix
+++ b/nixos/modules/services/networking/dnscrypt-proxy2.nix
@ -56,7 +56,7 @@ in
        ''}
        ${pkgs.remarshal}/bin/json2toml < config.json > $out
      '';
-      defaultText = literalDocBook "TOML file generated from <option>services.dnscrypt-proxy2.settings</option>";
+      defaultText = literalMD "TOML file generated from {option}`services.dnscrypt-proxy2.settings`";
    };
  };

--- a/nixos/modules/services/networking/ferm.nix
+++ b/nixos/modules/services/networking/ferm.nix
@ -30,7 +30,7 @@ in {
      config = mkOption {
        description = lib.mdDoc "Verbatim ferm.conf configuration.";
        default = "";
-        defaultText = literalDocBook "empty firewall, allows any traffic";
+        defaultText = literalMD "empty firewall, allows any traffic";
        type = types.lines;
      };
      package = mkOption {
--- a/nixos/modules/services/networking/firewall.nix
+++ b/nixos/modules/services/networking/firewall.nix
@ -417,7 +417,7 @@ in
      checkReversePath = mkOption {
        type = types.either types.bool (types.enum ["strict" "loose"]);
        default = kernelHasRPFilter;
-        defaultText = literalDocBook "<literal>true</literal> if supported by the chosen kernel";
+        defaultText = literalMD "`true` if supported by the chosen kernel";
        example = "loose";
        description =
          lib.mdDoc ''
--- a/nixos/modules/services/networking/nftables.nix
+++ b/nixos/modules/services/networking/nftables.nix
@ -88,7 +88,7 @@ in
        name = "nftables-rules";
        text = cfg.ruleset;
      };
-      defaultText = literalDocBook ''a file with the contents of <option>networking.nftables.ruleset</option>'';
+      defaultText = literalMD ''a file with the contents of {option}`networking.nftables.ruleset`'';
      description =
        lib.mdDoc ''
          The ruleset file to be used with nftables.  Should be in a format that
--- a/nixos/modules/services/networking/searx.nix
+++ b/nixos/modules/services/networking/searx.nix
@ -195,7 +195,10 @@ in
        ExecStart = "${cfg.package}/bin/searx-run";
      } // optionalAttrs (cfg.environmentFile != null)
        { EnvironmentFile = builtins.toPath cfg.environmentFile; };
-      environment.SEARX_SETTINGS_PATH = cfg.settingsFile;
+      environment = {
+        SEARX_SETTINGS_PATH = cfg.settingsFile;
+        SEARXNG_SETTINGS_PATH = cfg.settingsFile;
+      };
    };

    systemd.services.uwsgi = mkIf (cfg.runInUwsgi)
--- a/nixos/modules/services/networking/strongswan-swanctl/param-constructors.nix
+++ b/nixos/modules/services/networking/strongswan-swanctl/param-constructors.nix
@ -57,12 +57,12 @@ rec {

  documentDefault = description : strongswanDefault :
    if strongswanDefault == null
-    then description
-    else description + ''
+    then mdDoc description
+    else mdDoc (description + ''


-      StrongSwan default: <literal><![CDATA[${builtins.toJSON strongswanDefault}]]></literal>
-    '';
+      StrongSwan default: ````${builtins.toJSON strongswanDefault}````
+    '');

  single = f: name: value: { ${name} = f value; };

@ -121,7 +121,7 @@ rec {
    option = mkOption {
      type = types.attrsOf option;
      default = {};
-      inherit description;
+      description = mdDoc description;
    };
    render = single (attrs:
      (paramsToRenderedStrings attrs
@ -139,7 +139,7 @@ rec {
    option = mkOption {
      type = types.attrsOf option;
      default = {};
-      inherit description;
+      description = mdDoc description;
    };
    render = prefix: attrs:
      let prefixedAttrs = mapAttrs' (name: nameValuePair "${prefix}-${name}") attrs;
--- a/nixos/modules/services/networking/strongswan-swanctl/swanctl-params.nix
+++ b/nixos/modules/services/networking/strongswan-swanctl/swanctl-params.nix
--- a/nixos/modules/services/networking/vsftpd.nix
+++ b/nixos/modules/services/networking/vsftpd.nix
@ -27,7 +27,8 @@ let
      type = types.bool;
      name = nixosName;
      value = mkOption {
-        inherit description default;
+        description = lib.mdDoc description;
+        inherit default;
        type = types.bool;
      };
    };
@ -68,16 +69,16 @@ let
      Whether users are included.
    '')
    (yesNoOption "userlistDeny" "userlist_deny" false ''
-      Specifies whether <option>userlistFile</option> is a list of user
+      Specifies whether {option}`userlistFile` is a list of user
      names to allow or deny access.
-      The default <literal>false</literal> means whitelist/allow.
+      The default `false` means whitelist/allow.
    '')
    (yesNoOption "forceLocalLoginsSSL" "force_local_logins_ssl" false ''
-      Only applies if <option>sslEnable</option> is true. Non anonymous (local) users
+      Only applies if {option}`sslEnable` is true. Non anonymous (local) users
      must use a secure SSL connection to send a password.
    '')
    (yesNoOption "forceLocalDataSSL" "force_local_data_ssl" false ''
-      Only applies if <option>sslEnable</option> is true. Non anonymous (local) users
+      Only applies if {option}`sslEnable` is true. Non anonymous (local) users
      must use a secure SSL connection for sending/receiving data on data connection.
    '')
    (yesNoOption "portPromiscuous" "port_promiscuous" false ''
@ -86,17 +87,17 @@ let
      know what you are doing!
    '')
    (yesNoOption "ssl_tlsv1" "ssl_tlsv1" true  ''
-      Only applies if <option>ssl_enable</option> is activated. If
+      Only applies if {option}`ssl_enable` is activated. If
      enabled, this option will permit TLS v1 protocol connections.
      TLS v1 connections are preferred.
    '')
    (yesNoOption "ssl_sslv2" "ssl_sslv2" false ''
-      Only applies if <option>ssl_enable</option> is activated. If
+      Only applies if {option}`ssl_enable` is activated. If
      enabled, this option will permit SSL v2 protocol connections.
      TLS v1 connections are preferred.
    '')
    (yesNoOption "ssl_sslv3" "ssl_sslv3" false ''
-      Only applies if <option>ssl_enable</option> is activated. If
+      Only applies if {option}`ssl_enable` is activated. If
      enabled, this option will permit SSL v3 protocol connections.
      TLS v1 connections are preferred.
    '')
@ -184,9 +185,9 @@ in
        type = types.nullOr types.str;
        example = "/etc/vsftpd/userDb";
        default = null;
-        description = ''
-          Only applies if <option>enableVirtualUsers</option> is true.
-          Path pointing to the <literal>pam_userdb</literal> user
+        description = lib.mdDoc ''
+          Only applies if {option}`enableVirtualUsers` is true.
+          Path pointing to the `pam_userdb` user
          database used by vsftpd to authenticate the virtual users.

          This user list should be stored in the Berkeley DB database
@ -194,21 +195,21 @@ in

          To generate a new user database, create a text file, add
          your users using the following format:
-          <programlisting>
+          ```
          user1
          password1
          user2
          password2
-          </programlisting>
+          ```

-          You can then install <literal>pkgs.db</literal> to generate
+          You can then install `pkgs.db` to generate
          the Berkeley DB using
-          <programlisting>
+          ```
          db_load -T -t hash -f logins.txt userDb.db
-          </programlisting>
+          ```

-          Caution: <literal>pam_userdb</literal> will automatically
-          append a <literal>.db</literal> suffix to the filename you
+          Caution: `pam_userdb` will automatically
+          append a `.db` suffix to the filename you
          provide though this option. This option shouldn't include
          this filetype suffix.
        '';
--- a/nixos/modules/services/networking/xrdp.nix
+++ b/nixos/modules/services/networking/xrdp.nix
@ -100,7 +100,7 @@ in
      confDir = mkOption {
        type = types.path;
        default = confDir;
-        defaultText = literalDocBook "generated from configuration";
+        defaultText = literalMD "generated from configuration";
        description = lib.mdDoc "The location of the config files for xrdp.";
      };
    };
--- a/nixos/modules/services/security/tor.nix
+++ b/nixos/modules/services/security/tor.nix
@ -9,7 +9,7 @@ let
  stateDir = "/var/lib/tor";
  runDir = "/run/tor";
  descriptionGeneric = option: ''
-    See <link xlink:href="https://2019.www.torproject.org/docs/tor-manual.html.en#${option}">torrc manual</link>.
+    See [torrc manual](https://2019.www.torproject.org/docs/tor-manual.html.en#${option}).
  '';
  bindsPrivilegedPort =
    any (p0:
@ -30,22 +30,22 @@ let
  optionBool = optionName: mkOption {
    type = with types; nullOr bool;
    default = null;
-    description = descriptionGeneric optionName;
+    description = lib.mdDoc (descriptionGeneric optionName);
  };
  optionInt = optionName: mkOption {
    type = with types; nullOr int;
    default = null;
-    description = descriptionGeneric optionName;
+    description = lib.mdDoc (descriptionGeneric optionName);
  };
  optionString = optionName: mkOption {
    type = with types; nullOr str;
    default = null;
-    description = descriptionGeneric optionName;
+    description = lib.mdDoc (descriptionGeneric optionName);
  };
  optionStrings = optionName: mkOption {
    type = with types; listOf str;
    default = [];
-    description = descriptionGeneric optionName;
+    description = lib.mdDoc (descriptionGeneric optionName);
  };
  optionAddress = mkOption {
    type = with types; nullOr str;
@ -69,7 +69,7 @@ let
  optionPorts = optionName: mkOption {
    type = with types; listOf port;
    default = [];
-    description = descriptionGeneric optionName;
+    description = lib.mdDoc (descriptionGeneric optionName);
  };
  optionIsolablePort = with types; oneOf [
    port (enum ["auto"])
@ -89,7 +89,7 @@ let
  optionIsolablePorts = optionName: mkOption {
    default = [];
    type = with types; either optionIsolablePort (listOf optionIsolablePort);
-    description = descriptionGeneric optionName;
+    description = lib.mdDoc (descriptionGeneric optionName);
  };
  isolateFlags = [
    "IsolateClientAddr"
@ -144,17 +144,17 @@ let
        };
      }))
    ]))];
-    description = descriptionGeneric optionName;
+    description = lib.mdDoc (descriptionGeneric optionName);
  };
  optionBandwith = optionName: mkOption {
    type = with types; nullOr (either int str);
    default = null;
-    description = descriptionGeneric optionName;
+    description = lib.mdDoc (descriptionGeneric optionName);
  };
  optionPath = optionName: mkOption {
    type = with types; nullOr path;
    default = null;
-    description = descriptionGeneric optionName;
+    description = lib.mdDoc (descriptionGeneric optionName);
  };

  mkValueString = k: v:
@ -262,7 +262,7 @@ in
        };

        onionServices = mkOption {
-          description = descriptionGeneric "HiddenServiceDir";
+          description = lib.mdDoc (descriptionGeneric "HiddenServiceDir");
          default = {};
          example = {
            "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx" = {
@ -271,11 +271,14 @@ in
          };
          type = types.attrsOf (types.submodule ({name, config, ...}: {
            options.clientAuthorizations = mkOption {
-              description = ''
+              description = lib.mdDoc ''
                Clients' authorizations for a v3 onion service,
                as a list of files containing each one private key, in the format:
-                <screen>descriptor:x25519:&lt;base32-private-key&gt;</screen>
-              '' + descriptionGeneric "_client_authorization";
+                ```
+                descriptor:x25519:<base32-private-key>
+                ```
+                ${descriptionGeneric "_client_authorization"}
+              '';
              type = with types; listOf path;
              default = [];
              example = ["/run/keys/tor/alice.prv.x25519"];
@ -429,7 +432,7 @@ in
        };

        onionServices = mkOption {
-          description = descriptionGeneric "HiddenServiceDir";
+          description = lib.mdDoc (descriptionGeneric "HiddenServiceDir");
          default = {};
          example = {
            "example.org/www" = {
@ -462,7 +465,7 @@ in
              '';
            };
            options.authorizeClient = mkOption {
-              description = descriptionGeneric "HiddenServiceAuthorizeClient";
+              description = lib.mdDoc (descriptionGeneric "HiddenServiceAuthorizeClient");
              default = null;
              type = types.nullOr (types.submodule ({...}: {
                options = {
@ -487,17 +490,20 @@ in
              }));
            };
            options.authorizedClients = mkOption {
-              description = ''
+              description = lib.mdDoc ''
                Authorized clients for a v3 onion service,
                as a list of public key, in the format:
-                <screen>descriptor:x25519:&lt;base32-public-key&gt;</screen>
-              '' + descriptionGeneric "_client_authorization";
+                ```
+                descriptor:x25519:<base32-public-key>
+                ```
+                ${descriptionGeneric "_client_authorization"}
+              '';
              type = with types; listOf str;
              default = [];
              example = ["descriptor:x25519:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX"];
            };
            options.map = mkOption {
-              description = descriptionGeneric "HiddenServicePort";
+              description = lib.mdDoc (descriptionGeneric "HiddenServicePort");
              type = with types; listOf (oneOf [
                port (submodule ({...}: {
                  options = {
@ -518,14 +524,15 @@ in
              apply = map (v: if isInt v then {port=v; target=null;} else v);
            };
            options.version = mkOption {
-              description = descriptionGeneric "HiddenServiceVersion";
+              description = lib.mdDoc (descriptionGeneric "HiddenServiceVersion");
              type = with types; nullOr (enum [2 3]);
              default = null;
            };
            options.settings = mkOption {
-              description = ''
+              description = lib.mdDoc ''
                Settings of the onion service.
-              '' + descriptionGeneric "_hidden_service_options";
+                ${descriptionGeneric "_hidden_service_options"}
+              '';
              default = {};
              type = types.submodule {
                freeformType = with types;
@ -535,18 +542,18 @@ in
                options.HiddenServiceAllowUnknownPorts = optionBool "HiddenServiceAllowUnknownPorts";
                options.HiddenServiceDirGroupReadable = optionBool "HiddenServiceDirGroupReadable";
                options.HiddenServiceExportCircuitID = mkOption {
-                  description = descriptionGeneric "HiddenServiceExportCircuitID";
+                  description = lib.mdDoc (descriptionGeneric "HiddenServiceExportCircuitID");
                  type = with types; nullOr (enum ["haproxy"]);
                  default = null;
                };
                options.HiddenServiceMaxStreams = mkOption {
-                  description = descriptionGeneric "HiddenServiceMaxStreams";
+                  description = lib.mdDoc (descriptionGeneric "HiddenServiceMaxStreams");
                  type = with types; nullOr (ints.between 0 65535);
                  default = null;
                };
                options.HiddenServiceMaxStreamsCloseCircuit = optionBool "HiddenServiceMaxStreamsCloseCircuit";
                options.HiddenServiceNumIntroductionPoints = mkOption {
-                  description = descriptionGeneric "HiddenServiceNumIntroductionPoints";
+                  description = lib.mdDoc (descriptionGeneric "HiddenServiceNumIntroductionPoints");
                  type = with types; nullOr (ints.between 0 20);
                  default = null;
                };
@ -605,7 +612,7 @@ in
          options.ClientAutoIPv6ORPort = optionBool "ClientAutoIPv6ORPort";
          options.ClientDNSRejectInternalAddresses = optionBool "ClientDNSRejectInternalAddresses";
          options.ClientOnionAuthDir = mkOption {
-            description = descriptionGeneric "ClientOnionAuthDir";
+            description = lib.mdDoc (descriptionGeneric "ClientOnionAuthDir");
            default = null;
            type = with types; nullOr path;
          };
@ -618,7 +625,7 @@ in
          options.ConstrainedSockets = optionBool "ConstrainedSockets";
          options.ContactInfo = optionString "ContactInfo";
          options.ControlPort = mkOption rec {
-            description = descriptionGeneric "ControlPort";
+            description = lib.mdDoc (descriptionGeneric "ControlPort");
            default = [];
            example = [{port = 9051;}];
            type = with types; oneOf [port (enum ["auto"]) (listOf (oneOf [
@ -653,7 +660,7 @@ in
          options.DormantTimeoutDisabledByIdleStreams = optionBool "DormantTimeoutDisabledByIdleStreams";
          options.DirCache = optionBool "DirCache";
          options.DirPolicy = mkOption {
-            description = descriptionGeneric "DirPolicy";
+            description = lib.mdDoc (descriptionGeneric "DirPolicy");
            type = with types; listOf str;
            default = [];
            example = ["accept *:*"];
@ -680,7 +687,7 @@ in
          options.ExitPortStatistics = optionBool "ExitPortStatistics";
          options.ExitRelay = optionBool "ExitRelay"; # default is null and like "auto"
          options.ExtORPort = mkOption {
-            description = descriptionGeneric "ExtORPort";
+            description = lib.mdDoc (descriptionGeneric "ExtORPort");
            default = null;
            type = with types; nullOr (oneOf [
              port (enum ["auto"]) (submodule ({...}: {
@ -709,7 +716,7 @@ in
          options.GeoIPv6File = optionPath "GeoIPv6File";
          options.GuardfractionFile = optionPath "GuardfractionFile";
          options.HidServAuth = mkOption {
-            description = descriptionGeneric "HidServAuth";
+            description = lib.mdDoc (descriptionGeneric "HidServAuth");
            default = [];
            type = with types; listOf (oneOf [
              (submodule {
@ -760,7 +767,7 @@ in
          options.ProtocolWarnings = optionBool "ProtocolWarnings";
          options.PublishHidServDescriptors = optionBool "PublishHidServDescriptors";
          options.PublishServerDescriptor = mkOption {
-            description = descriptionGeneric "PublishServerDescriptor";
+            description = lib.mdDoc (descriptionGeneric "PublishServerDescriptor");
            type = with types; nullOr (enum [false true 0 1 "0" "1" "v3" "bridge"]);
            default = null;
          };
@ -778,7 +785,7 @@ in
          options.ServerDNSResolvConfFile = optionPath "ServerDNSResolvConfFile";
          options.ServerDNSSearchDomains = optionBool "ServerDNSSearchDomains";
          options.ServerTransportPlugin = mkOption {
-            description = descriptionGeneric "ServerTransportPlugin";
+            description = lib.mdDoc (descriptionGeneric "ServerTransportPlugin");
            default = null;
            type = with types; nullOr (submodule ({...}: {
              options = {
@ -797,13 +804,13 @@ in
          options.ShutdownWaitLength = mkOption {
            type = types.int;
            default = 30;
-            description = descriptionGeneric "ShutdownWaitLength";
+            description = lib.mdDoc (descriptionGeneric "ShutdownWaitLength");
          };
          options.SocksPolicy = optionStrings "SocksPolicy" // {
            example = ["accept *:*"];
          };
          options.SOCKSPort = mkOption {
-            description = descriptionGeneric "SOCKSPort";
+            description = lib.mdDoc (descriptionGeneric "SOCKSPort");
            default = if cfg.settings.HiddenServiceNonAnonymousMode == true then [{port = 0;}] else [];
            defaultText = literalExpression ''
              if config.${opt.settings}.HiddenServiceNonAnonymousMode == true
@ -816,7 +823,7 @@ in
          options.TestingTorNetwork = optionBool "TestingTorNetwork";
          options.TransPort = optionIsolablePorts "TransPort";
          options.TransProxyType = mkOption {
-            description = descriptionGeneric "TransProxyType";
+            description = lib.mdDoc (descriptionGeneric "TransProxyType");
            type = with types; nullOr (enum ["default" "TPROXY" "ipfw" "pf-divert"]);
            default = null;
          };
--- a/nixos/modules/services/web-apps/discourse.nix
+++ b/nixos/modules/services/web-apps/discourse.nix
@ -100,9 +100,9 @@ in
      enableACME = lib.mkOption {
        type = lib.types.bool;
        default = cfg.sslCertificate == null && cfg.sslCertificateKey == null;
-        defaultText = lib.literalDocBook ''
-          <literal>true</literal>, unless <option>services.discourse.sslCertificate</option>
-          and <option>services.discourse.sslCertificateKey</option> are set.
+        defaultText = lib.literalMD ''
+          `true`, unless {option}`services.discourse.sslCertificate`
+          and {option}`services.discourse.sslCertificateKey` are set.
        '';
        description = lib.mdDoc ''
          Whether an ACME certificate should be used to secure
--- a/nixos/modules/services/web-apps/keycloak.nix
+++ b/nixos/modules/services/web-apps/keycloak.nix
@ -20,7 +20,7 @@ let
    mkDefault
    literalExpression
    isAttrs
-    literalDocBook
+    literalMD
    maintainers
    catAttrs
    collect
@ -165,7 +165,7 @@ in
          mkOption {
            type = port;
            default = dbPorts.${cfg.database.type};
-            defaultText = literalDocBook "default port of selected database";
+            defaultText = literalMD "default port of selected database";
            description = lib.mdDoc ''
              Port of the database to connect to.
            '';
--- a/nixos/modules/services/web-apps/nextcloud.nix
+++ b/nixos/modules/services/web-apps/nextcloud.nix
@ -527,7 +527,7 @@ in {
    occ = mkOption {
      type = types.package;
      default = occ;
-      defaultText = literalDocBook "generated script";
+      defaultText = literalMD "generated script";
      internal = true;
      description = ''
        The nextcloud-occ program preconfigured to target this Nextcloud instance.
--- a/nixos/modules/services/web-apps/writefreely.nix
+++ b/nixos/modules/services/web-apps/writefreely.nix
@ -0,0 +1,485 @@
+{ config, lib, pkgs, ... }:
+
+let
+  inherit (builtins) toString;
+  inherit (lib) types mkIf mkOption mkDefault;
+  inherit (lib) optional optionals optionalAttrs optionalString;
+
+  inherit (pkgs) sqlite;
+
+  format = pkgs.formats.ini {
+    mkKeyValue = key: value:
+      let
+        value' = if builtins.isNull value then
+          ""
+        else if builtins.isBool value then
+          if value == true then "true" else "false"
+        else
+          toString value;
+      in "${key} = ${value'}";
+  };
+
+  cfg = config.services.writefreely;
+
+  isSqlite = cfg.database.type == "sqlite3";
+  isMysql = cfg.database.type == "mysql";
+  isMysqlLocal = isMysql && cfg.database.createLocally == true;
+
+  hostProtocol = if cfg.acme.enable then "https" else "http";
+
+  settings = cfg.settings // {
+    app = cfg.settings.app or { } // {
+      host = cfg.settings.app.host or "${hostProtocol}://${cfg.host}";
+    };
+
+    database = if cfg.database.type == "sqlite3" then {
+      type = "sqlite3";
+      filename = cfg.settings.database.filename or "writefreely.db";
+      database = cfg.database.name;
+    } else {
+      type = "mysql";
+      username = cfg.database.user;
+      password = "#dbpass#";
+      database = cfg.database.name;
+      host = cfg.database.host;
+      port = cfg.database.port;
+      tls = cfg.database.tls;
+    };
+
+    server = cfg.settings.server or { } // {
+      bind = cfg.settings.server.bind or "localhost";
+      gopher_port = cfg.settings.server.gopher_port or 0;
+      autocert = !cfg.nginx.enable && cfg.acme.enable;
+      templates_parent_dir =
+        cfg.settings.server.templates_parent_dir or cfg.package.src;
+      static_parent_dir = cfg.settings.server.static_parent_dir or assets;
+      pages_parent_dir =
+        cfg.settings.server.pages_parent_dir or cfg.package.src;
+      keys_parent_dir = cfg.settings.server.keys_parent_dir or cfg.stateDir;
+    };
+  };
+
+  configFile = format.generate "config.ini" settings;
+
+  assets = pkgs.stdenvNoCC.mkDerivation {
+    pname = "writefreely-assets";
+
+    inherit (cfg.package) version src;
+
+    nativeBuildInputs = with pkgs.nodePackages; [ less ];
+
+    buildPhase = ''
+      mkdir -p $out
+
+      cp -r static $out/
+    '';
+
+    installPhase = ''
+      less_dir=$src/less
+      css_dir=$out/static/css
+
+      lessc $less_dir/app.less $css_dir/write.css
+      lessc $less_dir/fonts.less $css_dir/fonts.css
+      lessc $less_dir/icons.less $css_dir/icons.css
+      lessc $less_dir/prose.less $css_dir/prose.css
+    '';
+  };
+
+  withConfigFile = text: ''
+    db_pass=${
+      optionalString (cfg.database.passwordFile != null)
+      "$(head -n1 ${cfg.database.passwordFile})"
+    }
+
+    cp -f ${configFile} '${cfg.stateDir}/config.ini'
+    sed -e "s,#dbpass#,$db_pass,g" -i '${cfg.stateDir}/config.ini'
+    chmod 440 '${cfg.stateDir}/config.ini'
+
+    ${text}
+  '';
+
+  withMysql = text:
+    withConfigFile ''
+      query () {
+        local result=$(${config.services.mysql.package}/bin/mysql \
+          --user=${cfg.database.user} \
+          --password=$db_pass \
+          --database=${cfg.database.name} \
+          --silent \
+          --raw \
+          --skip-column-names \
+          --execute "$1" \
+        )
+
+        echo $result
+      }
+
+      ${text}
+    '';
+
+  withSqlite = text:
+    withConfigFile ''
+      query () {
+        local result=$(${sqlite}/bin/sqlite3 \
+          '${cfg.stateDir}/${settings.database.filename}'
+          "$1" \
+        )
+
+        echo $result
+      }
+
+      ${text}
+    '';
+in {
+  options.services.writefreely = {
+    enable =
+      lib.mkEnableOption "Writefreely, build a digital writing community";
+
+    package = lib.mkOption {
+      type = lib.types.package;
+      default = pkgs.writefreely;
+      defaultText = lib.literalExpression "pkgs.writefreely";
+      description = "Writefreely package to use.";
+    };
+
+    stateDir = mkOption {
+      type = types.path;
+      default = "/var/lib/writefreely";
+      description = "The state directory where keys and data are stored.";
+    };
+
+    user = mkOption {
+      type = types.str;
+      default = "writefreely";
+      description = "User under which Writefreely is ran.";
+    };
+
+    group = mkOption {
+      type = types.str;
+      default = "writefreely";
+      description = "Group under which Writefreely is ran.";
+    };
+
+    host = mkOption {
+      type = types.str;
+      default = "";
+      description = "The public host name to serve.";
+      example = "example.com";
+    };
+
+    settings = mkOption {
+      default = { };
+      description = ''
+        Writefreely configuration (<filename>config.ini</filename>). Refer to
+        <link xlink:href="https://writefreely.org/docs/latest/admin/config" />
+        for details.
+      '';
+
+      type = types.submodule {
+        freeformType = format.type;
+
+        options = {
+          app = {
+            theme = mkOption {
+              type = types.str;
+              default = "write";
+              description = "The theme to apply.";
+            };
+          };
+
+          server = {
+            port = mkOption {
+              type = types.port;
+              default = if cfg.nginx.enable then 18080 else 80;
+              defaultText = "80";
+              description = "The port WriteFreely should listen on.";
+            };
+          };
+        };
+      };
+    };
+
+    database = {
+      type = mkOption {
+        type = types.enum [ "sqlite3" "mysql" ];
+        default = "sqlite3";
+        description = "The database provider to use.";
+      };
+
+      name = mkOption {
+        type = types.str;
+        default = "writefreely";
+        description = "The name of the database to store data in.";
+      };
+
+      user = mkOption {
+        type = types.nullOr types.str;
+        default = if cfg.database.type == "mysql" then "writefreely" else null;
+        defaultText = "writefreely";
+        description = "The database user to connect as.";
+      };
+
+      passwordFile = mkOption {
+        type = types.nullOr types.path;
+        default = null;
+        description = "The file to load the database password from.";
+      };
+
+      host = mkOption {
+        type = types.str;
+        default = "localhost";
+        description = "The database host to connect to.";
+      };
+
+      port = mkOption {
+        type = types.port;
+        default = 3306;
+        description = "The port used when connecting to the database host.";
+      };
+
+      tls = mkOption {
+        type = types.bool;
+        default = false;
+        description =
+          "Whether or not TLS should be used for the database connection.";
+      };
+
+      migrate = mkOption {
+        type = types.bool;
+        default = true;
+        description =
+          "Whether or not to automatically run migrations on startup.";
+      };
+
+      createLocally = mkOption {
+        type = types.bool;
+        default = false;
+        description = ''
+          When <option>services.writefreely.database.type</option> is set to
+          <code>"mysql"</code>, this option will enable the MySQL service locally.
+        '';
+      };
+    };
+
+    admin = {
+      name = mkOption {
+        type = types.nullOr types.str;
+        description = "The name of the first admin user.";
+        default = null;
+      };
+
+      initialPasswordFile = mkOption {
+        type = types.path;
+        description = ''
+          Path to a file containing the initial password for the admin user.
+          If not provided, the default password will be set to <code>nixos</code>.
+        '';
+        default = pkgs.writeText "default-admin-pass" "nixos";
+        defaultText = "/nix/store/xxx-default-admin-pass";
+      };
+    };
+
+    nginx = {
+      enable = mkOption {
+        type = types.bool;
+        default = false;
+        description =
+          "Whether or not to enable and configure nginx as a proxy for WriteFreely.";
+      };
+
+      forceSSL = mkOption {
+        type = types.bool;
+        default = false;
+        description = "Whether or not to force the use of SSL.";
+      };
+    };
+
+    acme = {
+      enable = mkOption {
+        type = types.bool;
+        default = false;
+        description =
+          "Whether or not to automatically fetch and configure SSL certs.";
+      };
+    };
+  };
+
+  config = mkIf cfg.enable {
+    assertions = [
+      {
+        assertion = cfg.host != "";
+        message = "services.writefreely.host must be set";
+      }
+      {
+        assertion = isMysqlLocal -> cfg.database.passwordFile != null;
+        message =
+          "services.writefreely.database.passwordFile must be set if services.writefreely.database.createLocally is set to true";
+      }
+      {
+        assertion = isSqlite -> !cfg.database.createLocally;
+        message =
+          "services.writefreely.database.createLocally has no use when services.writefreely.database.type is set to sqlite3";
+      }
+    ];
+
+    users = {
+      users = optionalAttrs (cfg.user == "writefreely") {
+        writefreely = {
+          group = cfg.group;
+          home = cfg.stateDir;
+          isSystemUser = true;
+        };
+      };
+
+      groups =
+        optionalAttrs (cfg.group == "writefreely") { writefreely = { }; };
+    };
+
+    systemd.tmpfiles.rules =
+      [ "d '${cfg.stateDir}' 0750 ${cfg.user} ${cfg.group} - -" ];
+
+    systemd.services.writefreely = {
+      after = [ "network.target" ]
+        ++ optional isSqlite "writefreely-sqlite-init.service"
+        ++ optional isMysql "writefreely-mysql-init.service"
+        ++ optional isMysqlLocal "mysql.service";
+      wantedBy = [ "multi-user.target" ];
+
+      serviceConfig = {
+        Type = "simple";
+        User = cfg.user;
+        Group = cfg.group;
+        WorkingDirectory = cfg.stateDir;
+        Restart = "always";
+        RestartSec = 20;
+        ExecStart =
+          "${cfg.package}/bin/writefreely -c '${cfg.stateDir}/config.ini' serve";
+        AmbientCapabilities =
+          optionalString (settings.server.port < 1024) "cap_net_bind_service";
+      };
+
+      preStart = ''
+        if ! test -d "${cfg.stateDir}/keys"; then
+          mkdir -p ${cfg.stateDir}/keys
+
+          # Key files end up with the wrong permissions by default.
+          # We need to correct them so that Writefreely can read them.
+          chmod -R 750 "${cfg.stateDir}/keys"
+
+          ${cfg.package}/bin/writefreely -c '${cfg.stateDir}/config.ini' keys generate
+        fi
+      '';
+    };
+
+    systemd.services.writefreely-sqlite-init = mkIf isSqlite {
+      wantedBy = [ "multi-user.target" ];
+
+      serviceConfig = {
+        Type = "oneshot";
+        User = cfg.user;
+        Group = cfg.group;
+        WorkingDirectory = cfg.stateDir;
+        ReadOnlyPaths = optional (cfg.admin.initialPasswordFile != null)
+          cfg.admin.initialPasswordFile;
+      };
+
+      script = let
+        migrateDatabase = optionalString cfg.database.migrate ''
+          ${cfg.package}/bin/writefreely -c '${cfg.stateDir}/config.ini' db migrate
+        '';
+
+        createAdmin = optionalString (cfg.admin.name != null) ''
+          if [[ $(query "SELECT COUNT(*) FROM users") == 0 ]]; then
+            admin_pass=$(head -n1 ${cfg.admin.initialPasswordFile})
+
+            ${cfg.package}/bin/writefreely -c '${cfg.stateDir}/config.ini' --create-admin ${cfg.admin.name}:$admin_pass
+          fi
+        '';
+      in withSqlite ''
+        if ! test -f '${settings.database.filename}'; then
+          ${cfg.package}/bin/writefreely -c '${cfg.stateDir}/config.ini' db init
+        fi
+
+        ${migrateDatabase}
+
+        ${createAdmin}
+      '';
+    };
+
+    systemd.services.writefreely-mysql-init = mkIf isMysql {
+      wantedBy = [ "multi-user.target" ];
+      after = optional isMysqlLocal "mysql.service";
+
+      serviceConfig = {
+        Type = "oneshot";
+        User = cfg.user;
+        Group = cfg.group;
+        WorkingDirectory = cfg.stateDir;
+        ReadOnlyPaths = optional isMysqlLocal cfg.database.passwordFile
+          ++ optional (cfg.admin.initialPasswordFile != null)
+          cfg.admin.initialPasswordFile;
+      };
+
+      script = let
+        updateUser = optionalString isMysqlLocal ''
+          # WriteFreely currently *requires* a password for authentication, so we
+          # need to update the user in MySQL accordingly. By default MySQL users
+          # authenticate with auth_socket or unix_socket.
+          # See: https://github.com/writefreely/writefreely/issues/568
+          ${config.services.mysql.package}/bin/mysql --skip-column-names --execute "ALTER USER '${cfg.database.user}'@'localhost' IDENTIFIED VIA unix_socket OR mysql_native_password USING PASSWORD('$db_pass'); FLUSH PRIVILEGES;"
+        '';
+
+        migrateDatabase = optionalString cfg.database.migrate ''
+          ${cfg.package}/bin/writefreely -c '${cfg.stateDir}/config.ini' db migrate
+        '';
+
+        createAdmin = optionalString (cfg.admin.name != null) ''
+          if [[ $(query 'SELECT COUNT(*) FROM users') == 0 ]]; then
+            admin_pass=$(head -n1 ${cfg.admin.initialPasswordFile})
+            ${cfg.package}/bin/writefreely -c '${cfg.stateDir}/config.ini' --create-admin ${cfg.admin.name}:$admin_pass
+          fi
+        '';
+      in withMysql ''
+        ${updateUser}
+
+        if [[ $(query "SELECT COUNT(*) FROM information_schema.tables WHERE table_schema = '${cfg.database.name}'") == 0 ]]; then
+          ${cfg.package}/bin/writefreely -c '${cfg.stateDir}/config.ini' db init
+        fi
+
+        ${migrateDatabase}
+
+        ${createAdmin}
+      '';
+    };
+
+    services.mysql = mkIf isMysqlLocal {
+      enable = true;
+      package = mkDefault pkgs.mariadb;
+      ensureDatabases = [ cfg.database.name ];
+      ensureUsers = [{
+        name = cfg.database.user;
+        ensurePermissions = {
+          "${cfg.database.name}.*" = "ALL PRIVILEGES";
+          # WriteFreely requires the use of passwords, so we need permissions
+          # to `ALTER` the user to add password support and also to reload
+          # permissions so they can be used.
+          "*.*" = "CREATE USER, RELOAD";
+        };
+      }];
+    };
+
+    services.nginx = lib.mkIf cfg.nginx.enable {
+      enable = true;
+      recommendedProxySettings = true;
+
+      virtualHosts."${cfg.host}" = {
+        enableACME = cfg.acme.enable;
+        forceSSL = cfg.nginx.forceSSL;
+
+        locations."/" = {
+          proxyPass = "http://127.0.0.1:${toString settings.server.port}";
+        };
+      };
+    };
+  };
+}
--- a/nixos/modules/services/web-servers/lighttpd/collectd.nix
+++ b/nixos/modules/services/web-servers/lighttpd/collectd.nix
@ -30,8 +30,8 @@ in
    collectionCgi = mkOption {
      type = types.path;
      default = defaultCollectionCgi;
-      defaultText = literalDocBook ''
-        <literal>config.${options.services.collectd.package}</literal> configured for lighttpd
+      defaultText = literalMD ''
+        `config.${options.services.collectd.package}` configured for lighttpd
      '';
      description = lib.mdDoc ''
        Path to collection.cgi script from (collectd sources)/contrib/collection.cgi
--- a/nixos/modules/services/web-servers/trafficserver/default.nix
+++ b/nixos/modules/services/web-servers/trafficserver/default.nix
@ -62,7 +62,7 @@ in
    ipAllow = mkOption {
      type = types.nullOr yaml.type;
      default = lib.importJSON ./ip_allow.json;
-      defaultText = literalDocBook "upstream defaults";
+      defaultText = literalMD "upstream defaults";
      example = literalExpression ''
        {
          ip_allow = [{
@ -85,7 +85,7 @@ in
    logging = mkOption {
      type = types.nullOr yaml.type;
      default = lib.importJSON ./logging.json;
-      defaultText = literalDocBook "upstream defaults";
+      defaultText = literalMD "upstream defaults";
      example = { };
      description = lib.mdDoc ''
        Configure logs.
--- a/nixos/modules/services/x11/display-managers/default.nix
+++ b/nixos/modules/services/x11/display-managers/default.nix
@ -24,7 +24,7 @@ let
    Xft.lcdfilter: lcd${fontconfig.subpixel.lcdfilter}
    Xft.hinting: ${if fontconfig.hinting.enable then "1" else "0"}
    Xft.autohint: ${if fontconfig.hinting.autohint then "1" else "0"}
-    Xft.hintstyle: hintslight
+    Xft.hintstyle: ${fontconfig.hinting.style}
  '';

  # file provided by services.xserver.displayManager.sessionData.wrapper
@ -285,7 +285,7 @@ in
            defaultSessionFromLegacyOptions
          else
            null;
-        defaultText = literalDocBook ''
+        defaultText = literalMD ''
          Taken from display manager settings or window manager settings, if either is set.
        '';
        example = "gnome";
--- a/nixos/modules/system/activation/activation-script.nix
+++ b/nixos/modules/system/activation/activation-script.nix
@ -143,7 +143,7 @@ in
      readOnly = true;
      internal = true;
      default = systemActivationScript (removeAttrs config.system.activationScripts [ "script" ]) true;
-      defaultText = literalDocBook "generated activation script";
+      defaultText = literalMD "generated activation script";
    };

    system.userActivationScripts = mkOption {
--- a/nixos/modules/system/boot/plymouth.nix
+++ b/nixos/modules/system/boot/plymouth.nix
@ -75,10 +75,10 @@ in

      themePackages = mkOption {
        default = lib.optional (cfg.theme == "breeze") nixosBreezePlymouth;
-        defaultText = literalDocBook ''
+        defaultText = literalMD ''
          A NixOS branded variant of the breeze theme when
-          <literal>config.${opt.theme} == "breeze"</literal>, otherwise
-          <literal>[ ]</literal>.
+          `config.${opt.theme} == "breeze"`, otherwise
+          `[ ]`.
        '';
        type = types.listOf types.package;
        description = lib.mdDoc ''
--- a/nixos/modules/system/boot/stage-1.nix
+++ b/nixos/modules/system/boot/stage-1.nix
@ -611,7 +611,7 @@ in
        then "zstd"
        else "gzip"
      );
-      defaultText = literalDocBook "<literal>zstd</literal> if the kernel supports it (5.9+), <literal>gzip</literal> if not";
+      defaultText = literalMD "`zstd` if the kernel supports it (5.9+), `gzip` if not";
      type = types.either types.str (types.functionTo types.str);
      description = ''
        The compressor to use on the initrd image. May be any of:
--- a/nixos/modules/system/boot/systemd/shutdown.nix
+++ b/nixos/modules/system/boot/systemd/shutdown.nix
@ -33,26 +33,30 @@ in {
    systemd.shutdownRamfs.contents."/shutdown".source = "${config.systemd.package}/lib/systemd/systemd-shutdown";
    systemd.shutdownRamfs.storePaths = [pkgs.runtimeShell "${pkgs.coreutils}/bin"];

+    systemd.mounts = [{
+      what = "tmpfs";
+      where = "/run/initramfs";
+      type = "tmpfs";
+    }];
+
    systemd.services.generate-shutdown-ramfs = {
      description = "Generate shutdown ramfs";
      wantedBy = [ "shutdown.target" ];
      before = [ "shutdown.target" ];
      unitConfig = {
        DefaultDependencies = false;
+        RequiresMountsFor = "/run/initramfs";
        ConditionFileIsExecutable = [
          "!/run/initramfs/shutdown"
        ];
      };

-      path = [pkgs.util-linux pkgs.makeInitrdNGTool];
-      serviceConfig.Type = "oneshot";
-      script = ''
-        mkdir -p /run/initramfs
-        if ! mountpoint -q /run/initramfs; then
-          mount -t tmpfs tmpfs /run/initramfs
-        fi
-        make-initrd-ng ${ramfsContents} /run/initramfs
-      '';
+      serviceConfig = {
+        Type = "oneshot";
+        ProtectSystem = "strict";
+        ReadWritePaths = "/run/initramfs";
+        ExecStart = "${pkgs.makeInitrdNGTool}/bin/make-initrd-ng ${ramfsContents} /run/initramfs";
+      };
    };
  };
 }
--- a/nixos/modules/tasks/filesystems/zfs.nix
+++ b/nixos/modules/tasks/filesystems/zfs.nix
@ -209,7 +209,7 @@ in
        readOnly = true;
        type = types.bool;
        default = inInitrd || inSystem;
-        defaultText = literalDocBook "<literal>true</literal> if ZFS filesystem support is enabled";
+        defaultText = literalMD "`true` if ZFS filesystem support is enabled";
        description = lib.mdDoc "True if ZFS filesystem support is enabled";
      };

--- a/nixos/modules/tasks/network-interfaces.nix
+++ b/nixos/modules/tasks/network-interfaces.nix
@ -172,13 +172,13 @@ let
        type = types.enum (lib.attrNames tempaddrValues);
        default = cfg.tempAddresses;
        defaultText = literalExpression ''config.networking.tempAddresses'';
-        description = ''
+        description = lib.mdDoc ''
          When IPv6 is enabled with SLAAC, this option controls the use of
          temporary address (aka privacy extensions) on this
          interface. This is used to reduce tracking.

          See also the global option
-          <xref linkend="opt-networking.tempAddresses"/>, which
+          [](#opt-networking.tempAddresses), which
          applies to all interfaces where this is not set.

          Possible values are:
@ -227,15 +227,19 @@ let
          { address = "192.168.2.0"; prefixLength = 24; via = "192.168.1.1"; }
        ];
        type = with types; listOf (submodule (routeOpts 4));
-        description = ''
+        description = lib.mdDoc ''
          List of extra IPv4 static routes that will be assigned to the interface.
-          <warning><para>If the route type is the default <literal>unicast</literal>, then the scope
-          is set differently depending on the value of <option>networking.useNetworkd</option>:
-          the script-based backend sets it to <literal>link</literal>, while networkd sets
-          it to <literal>global</literal>.</para></warning>
+
+          ::: {.warning}
+          If the route type is the default `unicast`, then the scope
+          is set differently depending on the value of {option}`networking.useNetworkd`:
+          the script-based backend sets it to `link`, while networkd sets
+          it to `global`.
+          :::
+
          If you want consistency between the two implementations,
          set the scope of the route manually with
-          <literal>networking.interfaces.eth0.ipv4.routes = [{ options.scope = "global"; }]</literal>
+          `networking.interfaces.eth0.ipv4.routes = [{ options.scope = "global"; }]`
          for example.
        '';
      };
@ -407,17 +411,10 @@ let
      description = "generate IPv6 temporary addresses and use these as source addresses in routing";
    };
  };
-  tempaddrDoc = ''
-    <itemizedlist>
-     ${concatStringsSep "\n" (mapAttrsToList (name: { description, ... }: ''
-       <listitem>
-         <para>
-           <literal>"${name}"</literal> to ${description};
-         </para>
-       </listitem>
-     '') tempaddrValues)}
-    </itemizedlist>
-  '';
+  tempaddrDoc = concatStringsSep "\n"
+    (mapAttrsToList
+      (name: { description, ... }: ''- `"${name}"` to ${description};'')
+      tempaddrValues);

  hostidFile = pkgs.runCommand "gen-hostid" { preferLocalBuild = true; } ''
      hi="${cfg.hostId}"
@ -1241,17 +1238,15 @@ in
            type = types.nullOr types.str;
            default = null;
            example = "02:00:00:00:00:01";
-            description = ''
-              MAC address to use for the device. If <literal>null</literal>, then the MAC of the
+            description = lib.mdDoc ''
+              MAC address to use for the device. If `null`, then the MAC of the
              underlying hardware WLAN device is used.

              INFO: Locally administered MAC addresses are of the form:
-              <itemizedlist>
-              <listitem><para>x2:xx:xx:xx:xx:xx</para></listitem>
-              <listitem><para>x6:xx:xx:xx:xx:xx</para></listitem>
-              <listitem><para>xA:xx:xx:xx:xx:xx</para></listitem>
-              <listitem><para>xE:xx:xx:xx:xx:xx</para></listitem>
-              </itemizedlist>
+              - x2:xx:xx:xx:xx:xx
+              - x6:xx:xx:xx:xx:xx
+              - xA:xx:xx:xx:xx:xx
+              - xE:xx:xx:xx:xx:xx
            '';
          };

@ -1287,10 +1282,10 @@ in
        if ''${config.${opt.enableIPv6}} then "default" else "disabled"
      '';
      type = types.enum (lib.attrNames tempaddrValues);
-      description = ''
+      description = lib.mdDoc ''
        Whether to enable IPv6 Privacy Extensions for interfaces not
        configured explicitly in
-        <xref linkend="opt-networking.interfaces._name_.tempAddress"/>.
+        [](#opt-networking.interfaces._name_.tempAddress).

        This sets the ipv6.conf.*.use_tempaddr sysctl for all
        interfaces. Possible values are:
--- a/nixos/modules/virtualisation/digital-ocean-init.nix
+++ b/nixos/modules/virtualisation/digital-ocean-init.nix
@ -20,7 +20,7 @@ in {
  options.virtualisation.digitalOcean.defaultConfigFile = mkOption {
    type = types.path;
    default = defaultConfigFile;
-    defaultText = literalDocBook ''
+    defaultText = literalMD ''
      The default configuration imports user-data if applicable and
      `(modulesPath + "/virtualisation/digital-ocean-config.nix")`.
    '';
--- a/nixos/tests/all-tests.nix
+++ b/nixos/tests/all-tests.nix
@ -622,6 +622,7 @@ in {
  wmderland = handleTest ./wmderland.nix {};
  wpa_supplicant = handleTest ./wpa_supplicant.nix {};
  wordpress = handleTest ./wordpress.nix {};
+  writefreely = handleTest ./web-apps/writefreely.nix {};
  xandikos = handleTest ./xandikos.nix {};
  xautolock = handleTest ./xautolock.nix {};
  xfce = handleTest ./xfce.nix {};
--- a/nixos/tests/minecraft-server.nix
+++ b/nixos/tests/minecraft-server.nix
@ -18,6 +18,8 @@ in import ./make-test-python.nix ({ pkgs, ... }: {
      serverProperties = {
        enable-rcon = true;
        level-seed = seed;
+        level-type = "flat";
+        generate-structures = false;
        online-mode = false;
        "rcon.password" = rcon-pass;
        "rcon.port" = rcon-port;
--- a/nixos/tests/web-apps/writefreely.nix
+++ b/nixos/tests/web-apps/writefreely.nix
@ -0,0 +1,44 @@
+{ system ? builtins.currentSystem, config ? { }
+, pkgs ? import ../../.. { inherit system config; } }:
+
+with import ../../lib/testing-python.nix { inherit system pkgs; };
+with pkgs.lib;
+
+let
+  writefreelyTest = { name, type }:
+    makeTest {
+      name = "writefreely-${name}";
+
+      nodes.machine = { config, pkgs, ... }: {
+        services.writefreely = {
+          enable = true;
+          host = "localhost:3000";
+          admin.name = "nixos";
+
+          database = {
+            inherit type;
+            createLocally = type == "mysql";
+            passwordFile = pkgs.writeText "db-pass" "pass";
+          };
+
+          settings.server.port = 3000;
+        };
+      };
+
+      testScript = ''
+        start_all()
+        machine.wait_for_unit("writefreely.service")
+        machine.wait_for_open_port(3000)
+        machine.succeed("curl --fail http://localhost:3000")
+      '';
+    };
+in {
+  sqlite = writefreelyTest {
+    name = "sqlite";
+    type = "sqlite3";
+  };
+  mysql = writefreelyTest {
+    name = "mysql";
+    type = "mysql";
+  };
+}
--- a/pkgs/applications/accessibility/wvkbd/default.nix
+++ b/pkgs/applications/accessibility/wvkbd/default.nix
@ -13,13 +13,13 @@

 stdenv.mkDerivation rec {
  pname = "wvkbd";
-  version = "0.9";
+  version = "0.10";

  src = fetchFromGitHub {
    owner = "jjsullivan5196";
    repo = pname;
    rev = "v${version}";
-    sha256 = "sha256-Dcb1mnqvf2MvwljWuqMV/8AyF/aGMcDiz4cRQ9NAFtM=";
+    sha256 = "sha256-h/hXHQfLiDkVKYZFsjyq2+w1Pnn3lR6H+r+fXYkP5ZY=";
  };

  nativeBuildInputs = [ pkg-config ];
--- a/pkgs/applications/audio/bambootracker/default.nix
+++ b/pkgs/applications/audio/bambootracker/default.nix
@ -12,14 +12,14 @@

 mkDerivation rec {
  pname = "bambootracker";
-  version = "0.5.1";
+  version = "0.5.2";

  src = fetchFromGitHub {
    owner = "BambooTracker";
    repo = "BambooTracker";
    rev = "v${version}";
    fetchSubmodules = true;
-    sha256 = "sha256-AEELUJYiapF/sBWRXXuBXUHwnKp0szdIOCNVMYufv94=";
+    sha256 = "sha256-+9PmpmsF08oU//pJOWaoGQzG7a2O13kYqKbGwVRAMlU=";
  };

  nativeBuildInputs = [ qmake qttools pkg-config ];
--- a/pkgs/applications/audio/mympd/default.nix
+++ b/pkgs/applications/audio/mympd/default.nix
@ -8,28 +8,38 @@
 , lua5_3
 , libid3tag
 , flac
-, pcre
+, pcre2
+, gzip
+, perl
 }:

 stdenv.mkDerivation rec {
  pname = "mympd";
-  version = "8.0.4";
+  version = "9.5.2";

  src = fetchFromGitHub {
    owner = "jcorporation";
    repo = "myMPD";
    rev = "v${version}";
-    sha256 = "sha256-hpUoXqblhHreDZg8fDD5S4UG+ltptIbzP9LKyQ/WbX0=";
+    sha256 = "sha256-WmGaZXITvrp7ml7s7FPyp3Q3072KU/P6UombBj99fX0=";
  };

-  nativeBuildInputs = [ pkg-config cmake ];
+  nativeBuildInputs = [
+    pkg-config
+    cmake
+    gzip
+    perl
+  ];
+  preConfigure = ''
+    env MYMPD_BUILDDIR=$PWD/build ./build.sh createassets
+  '';
  buildInputs = [
    libmpdclient
    openssl
    lua5_3
    libid3tag
    flac
-    pcre
+    pcre2
  ];

  cmakeFlags = [
@ -43,7 +53,7 @@ stdenv.mkDerivation rec {
  hardeningDisable = [ "strictoverflow" ];

  meta = {
-    homepage = "https://jcorporation.github.io/mympd";
+    homepage = "https://jcorporation.github.io/myMPD";
    description = "A standalone and mobile friendly web mpd client with a tiny footprint and advanced features";
    maintainers = [ lib.maintainers.doronbehar ];
    platforms = lib.platforms.linux;
--- a/pkgs/applications/audio/netease-cloud-music-gtk/cargo-lock.patch
+++ b/pkgs/applications/audio/netease-cloud-music-gtk/cargo-lock.patch
--- a/pkgs/applications/audio/netease-cloud-music-gtk/default.nix
+++ b/pkgs/applications/audio/netease-cloud-music-gtk/default.nix
@ -1,5 +1,6 @@
 { lib
 , stdenv
+, fetchpatch
 , fetchFromGitHub
 , rustPlatform
 , meson
@ -21,20 +22,26 @@

 stdenv.mkDerivation rec {
  pname = "netease-cloud-music-gtk";
-  version = "2.0.1";
+  version = "2.0.2";

  src = fetchFromGitHub {
    owner = "gmg137";
    repo = pname;
    rev = version;
-    hash = "sha256-dlJZvmfw9+cavAysxVzCekgPdygg5zbU3ZR5BOjPk08=";
+    hash = "sha256-0pmuzdRQBdUS4ORh3zJQWb/hbhk7SY3P4QMwoy4Mgp8=";
  };

-  patches = [ ./cargo-lock.patch ];
+  patches = [
+    (fetchpatch {
+      name = "add-cargo-lock-for-2.0.2.patch";
+      url = "https://github.com/gmg137/netease-cloud-music-gtk/commit/21b5d40d49e661fe7bd35ed10bb8b883ef7fcd9f.patch";
+      hash = "sha256-pSgc+yJQMNyLPYUMc1Kp/Kr+++2tH8srIM5PgVeoZ+E=";
+    })
+  ];

  cargoDeps = rustPlatform.fetchCargoTarball {
    inherit src patches;
-    hash = "sha256-mJyjWEBsLhHwJCeZyRdby/K/jse0F9UBwfQxkNtZito=";
+    hash = "sha256-7Z5i5Xqtk4ZbBXSVYg1e05ENa2swC88Ctd2paE60Yyo=";
  };

  nativeBuildInputs = [
--- a/pkgs/applications/audio/netease-cloud-music-gtk/update-cargo-lock.sh
+++ b/pkgs/applications/audio/netease-cloud-music-gtk/update-cargo-lock.sh
@ -1,20 +0,0 @@
-#!/usr/bin/env nix-shell
-#!nix-shell -i bash -p coreutils ripgrep git cargo
-
-# Ref: https://github.com/NixOS/nixpkgs/blob/nixos-21.05/pkgs/applications/audio/netease-music-tui/update-cargo-lock.sh
-
-set -eu -vx
-
-here=$PWD
-version=$(rg '^  version = "' default.nix | cut -d '"' -f 2)
-checkout=$(mktemp -d)
-
-git clone -b "$version" --depth=1 https://github.com/gmg137/netease-cloud-music-gtk "$checkout"
-cd "$checkout"
-
-cargo generate-lockfile
-git add -f Cargo.lock
-git diff HEAD -- Cargo.lock > "$here"/cargo-lock.patch
-
-cd "$here"
-rm -rf "$checkout"
--- a/pkgs/applications/audio/picard/default.nix
+++ b/pkgs/applications/audio/picard/default.nix
@ -18,13 +18,13 @@ let
 in
 pythonPackages.buildPythonApplication rec {
  pname = "picard";
-  version = "2.8.1";
+  version = "2.8.3";

  src = fetchFromGitHub {
    owner = "metabrainz";
    repo = pname;
    rev = "refs/tags/release-${version}";
-    sha256 = "sha256-KEKOouTNmmZiPyKo8xCQv6Zkreidtz2DaEbHjuwJJvY=";
+    sha256 = "sha256-KUHciIlwaKXvyCCkAzdh1vpe9cunDizrMUl0SoCpxgY=";
  };

  nativeBuildInputs = [ gettext qt5.wrapQtAppsHook qt5.qtbase ]
--- a/pkgs/applications/audio/praat/default.nix
+++ b/pkgs/applications/audio/praat/default.nix
@ -2,13 +2,13 @@

 stdenv.mkDerivation rec {
  pname = "praat";
-  version = "6.2.10";
+  version = "6.2.16";

  src = fetchFromGitHub {
    owner = "praat";
    repo = "praat";
    rev = "v${version}";
-    sha256 = "sha256-IYbPMjKWDQQrF+JiqBQ2wsjY+Ms93tEdsG75CxipwaI=";
+    sha256 = "sha256-k6wFTwXMXpLb+nddJ6fOfhzCOrcbQR7Pot8rmrx2gYs=";
  };

  configurePhase = ''
--- a/pkgs/applications/audio/songrec/default.nix
+++ b/pkgs/applications/audio/songrec/default.nix
@ -11,16 +11,16 @@

 rustPlatform.buildRustPackage rec {
  pname = "songrec";
-  version = "0.3.0";
+  version = "0.3.2";

  src = fetchFromGitHub {
    owner = "marin-m";
    repo = pname;
    rev = version;
-    sha256 = "sha256-aHZH3sQNUUPcMRySy8Di0XUoFo4qjGi2pi0phLwORaA=";
+    sha256 = "sha256-cUiy8ApeUv1K8SEH4APMTvbieGTt4kZYhyB9iGJd/IY=";
  };

-  cargoSha256 = "sha256-EpkB43rMUJO6ouUV9TmQ+RSnGhX32DZHpKic1E6lUyU=";
+  cargoSha256 = "sha256-Tlq4qDp56PXP4N1UyHjtQoRgDrc/19vIv8uml/lAqqc=";

  nativeBuildInputs = [ pkg-config ];

--- a/pkgs/applications/audio/tauon/default.nix
+++ b/pkgs/applications/audio/tauon/default.nix
@ -108,7 +108,7 @@ stdenv.mkDerivation rec {
    install -Dm755 tauon.py $out/bin/tauon
    mkdir -p $out/share/tauon
    cp -r lib $out
-    cp -r assets input.txt t_modules theme $out/share/tauon
+    cp -r assets input.txt t_modules theme templates $out/share/tauon

    wrapPythonPrograms

--- a/pkgs/applications/blockchains/go-ethereum/default.nix
+++ b/pkgs/applications/blockchains/go-ethereum/default.nix
@ -9,13 +9,13 @@ let

 in buildGoModule rec {
  pname = "go-ethereum";
-  version = "1.10.21";
+  version = "1.10.23";

  src = fetchFromGitHub {
    owner = "ethereum";
    repo = pname;
    rev = "v${version}";
-    sha256 = "sha256-qaM1I3ytMZN+5v/Oj47n3Oc21Jk7DtjfWA/xDprbn/M=";
+    sha256 = "sha256-1fEmtbHKrjuyIVrGr/vTudZ99onkNjEMvyBJt4I8KK4=";
  };

  vendorSha256 = "sha256-Dj+xN8lr98LJyYr2FwJ7yUIJkUeUrr1fkcbj4hShJI0=";
@ -46,6 +46,9 @@ in buildGoModule rec {
    "cmd/utils"
  ];

+  # Following upstream: https://github.com/ethereum/go-ethereum/blob/v1.10.23/build/ci.go#L218
+  tags = [ "urfave_cli_no_docs" ];
+
  # Fix for usb-related segmentation faults on darwin
  propagatedBuildInputs =
    lib.optionals stdenv.isDarwin [ libobjc IOKit ];
@ -56,6 +59,6 @@ in buildGoModule rec {
    homepage = "https://geth.ethereum.org/";
    description = "Official golang implementation of the Ethereum protocol";
    license = with licenses; [ lgpl3Plus gpl3Plus ];
-    maintainers = with maintainers; [ adisbladis lionello RaghavSood ];
+    maintainers = with maintainers; [ adisbladis RaghavSood ];
  };
 }
--- a/pkgs/applications/blockchains/litecoin/default.nix
+++ b/pkgs/applications/blockchains/litecoin/default.nix
@ -6,23 +6,24 @@
 , withGui ? true, libevent
 , qtbase, qttools
 , zeromq
+, fmt
 }:

 with lib;

 mkDerivation rec {
  pname = "litecoin" + optionalString (!withGui) "d";
-  version = "0.18.1";
+  version = "0.21.2.1";

  src = fetchFromGitHub {
    owner = "litecoin-project";
    repo = "litecoin";
    rev = "v${version}";
-    sha256 = "11753zhyx1kmrlljc6kbjwrcb06dfcrsqvmw3iaki9a132qk6l5c";
+    sha256 = "sha256-WJFdac5hGrHy9o3HzjS91zH+4EtJY7kUJAQK+aZaEyo=";
  };

  nativeBuildInputs = [ pkg-config autoreconfHook ];
-  buildInputs = [ openssl db48 boost zlib zeromq
+  buildInputs = [ openssl db48 boost zlib zeromq fmt
                  miniupnpc glib protobuf util-linux libevent ]
                  ++ optionals stdenv.isDarwin [ AppKit ]
                  ++ optionals withGui [ qtbase qttools qrencode ];
@ -34,6 +35,11 @@ mkDerivation rec {

  enableParallelBuilding = true;

+  doCheck = true;
+  checkPhase = ''
+    ./src/test/test_litecoin
+  '';
+
  meta = {
    broken = (stdenv.isLinux && stdenv.isAarch64) || stdenv.isDarwin;
    description = "A lite version of Bitcoin using scrypt as a proof-of-work algorithm";
--- a/pkgs/applications/editors/cudatext/default.nix
+++ b/pkgs/applications/editors/cudatext/default.nix
@ -31,20 +31,20 @@ let
    (name: spec:
      fetchFromGitHub {
        repo = name;
-        inherit (spec) owner rev sha256;
+        inherit (spec) owner rev hash;
      }
    )
    (lib.importJSON ./deps.json);
 in
 stdenv.mkDerivation rec {
  pname = "cudatext";
-  version = "1.168.0";
+  version = "1.169.2";

  src = fetchFromGitHub {
    owner = "Alexey-T";
    repo = "CudaText";
    rev = version;
-    sha256 = "sha256-/06eZ79Zeq6jtcfq+lOcumBgP59bqCX/Km7k21FroSc=";
+    hash = "sha256-EQAoKft/L4sbdY8hOvyu+Cy+3I8Lt4g1KTxTlSYALac=";
  };

  postPatch = ''
--- a/pkgs/applications/editors/cudatext/deps.json
+++ b/pkgs/applications/editors/cudatext/deps.json
@ -2,56 +2,56 @@
  "EncConv": {
    "owner": "Alexey-T",
    "rev": "2022.06.19",
-    "sha256": "sha256-M00rHH3dG6Vx6MEALxRNlnLLfX/rRI+rdTS7riOhgeg="
+    "hash": "sha256-M00rHH3dG6Vx6MEALxRNlnLLfX/rRI+rdTS7riOhgeg="
  },
  "ATBinHex-Lazarus": {
    "owner": "Alexey-T",
    "rev": "2022.06.14",
-    "sha256": "sha256-3QhARraYURW5uCf2f4MZfUbxdbsg9h7BlXUxKcz4jwA="
+    "hash": "sha256-3QhARraYURW5uCf2f4MZfUbxdbsg9h7BlXUxKcz4jwA="
  },
  "ATFlatControls": {
    "owner": "Alexey-T",
-    "rev": "2022.07.17",
-    "sha256": "sha256-KMGmimbtUQHa8i5wt4KLA/HotLbb/ISzdznmdqPXkNU="
+    "rev": "2022.08.28",
+    "hash": "sha256-jkVHwPQGPtLeSRy502thPIrDWzkkwvlnyGcTzjgFgIc="
  },
  "ATSynEdit": {
    "owner": "Alexey-T",
-    "rev": "2022.07.27",
-    "sha256": "sha256-SGozuk0pvp0+PwAFbGG+QMUhQ2A6mXKr31u10WIveh0="
+    "rev": "2022.08.28",
+    "hash": "sha256-U/UD3vPnIdQUe/1g/mKgs5yGirsIB/uHTjD0MOouAyI="
  },
  "ATSynEdit_Cmp": {
    "owner": "Alexey-T",
-    "rev": "2022.05.04",
-    "sha256": "sha256-6O4RijSejPogokLSBuC6pKrOpihMi/ykS06YyV64Sak="
+    "rev": "2022.08.28",
+    "hash": "sha256-/MWC4BoU/4kflvbly0phh+cfIR8rNwgWFtrXnmxk0Ks="
  },
  "EControl": {
    "owner": "Alexey-T",
-    "rev": "2022.07.20",
-    "sha256": "sha256-pCIt21m34BuDbWLn+CQwqsMQHVWHtctME63Bjx1B9hE="
+    "rev": "2022.08.22",
+    "hash": "sha256-o87V32HhFpCeSxhgkfKiL69oCcmpiReVmiNBPyv1kc4="
  },
  "ATSynEdit_Ex": {
    "owner": "Alexey-T",
    "rev": "2022.07.20",
-    "sha256": "sha256-f/BdOMcx7NTpKgaFTz4MbK3O0GcUepyMPyRdhnZImjU="
+    "hash": "sha256-f/BdOMcx7NTpKgaFTz4MbK3O0GcUepyMPyRdhnZImjU="
  },
  "Python-for-Lazarus": {
    "owner": "Alexey-T",
    "rev": "2021.10.27",
-    "sha256": "sha256-ikXdDUMJ9MxRejEVAhwUsXYVh0URVFHzEpnXuN5NGpA="
+    "hash": "sha256-ikXdDUMJ9MxRejEVAhwUsXYVh0URVFHzEpnXuN5NGpA="
  },
  "Emmet-Pascal": {
    "owner": "Alexey-T",
    "rev": "2022.01.17",
-    "sha256": "sha256-5yqxRW7xFJ4MwHjKnxYL8/HrCDLn30a1gyQRjGMx/qw="
+    "hash": "sha256-5yqxRW7xFJ4MwHjKnxYL8/HrCDLn30a1gyQRjGMx/qw="
  },
  "CudaText-lexers": {
    "owner": "Alexey-T",
    "rev": "2021.07.09",
-    "sha256": "sha256-OyC85mTMi9m5kbtx8TAK2V4voL1i+J+TFoLVwxlHiD4="
+    "hash": "sha256-OyC85mTMi9m5kbtx8TAK2V4voL1i+J+TFoLVwxlHiD4="
  },
  "bgrabitmap": {
    "owner": "bgrabitmap",
-    "rev": "v11.5",
-    "sha256": "sha256-Pevh+yhtN3oSSvbQfnO7SM6UHBVe0sSpbK8ss98XqcU="
+    "rev": "v11.5.2",
+    "hash": "sha256-aGNKkLDbGTeFgFEhuX7R2BXhnllsanJmk4k+1muiSD8="
  }
 }
--- a/pkgs/applications/editors/cudatext/update.sh
+++ b/pkgs/applications/editors/cudatext/update.sh
@ -20,7 +20,7 @@ hash=$(nix-prefetch-url --quiet --unpack --type sha256 $url)
 sriHash=$(nix hash to-sri --type sha256 $hash)

 sed -i "s#version = \".*\"#version = \"$version\"#" default.nix
-sed -i "s#sha256 = \".*\"#sha256 = \"$sriHash\"#" default.nix
+sed -i "s#hash = \".*\"#hash = \"$sriHash\"#" default.nix

 while IFS=$'\t' read repo owner rev; do
  latest=$(curl -s https://api.github.com/repos/${owner}/${repo}/releases/latest | jq -r '.tag_name')
@ -28,6 +28,6 @@ while IFS=$'\t' read repo owner rev; do
    url="https://github.com/${owner}/${repo}/archive/refs/tags/${latest}.tar.gz"
    hash=$(nix-prefetch-url --quiet --unpack --type sha256 $url)
    sriHash=$(nix hash to-sri --type sha256 $hash)
-    jq ".\"${repo}\".rev = \"${latest}\" | .\"${repo}\".sha256 = \"${sriHash}\"" deps.json | sponge deps.json
+    jq ".\"${repo}\".rev = \"${latest}\" | .\"${repo}\".hash = \"${sriHash}\"" deps.json | sponge deps.json
  fi
 done <<< $(jq -r 'to_entries[]|[.key,.value.owner,.value.rev]|@tsv' deps.json)
--- a/pkgs/applications/editors/eclipse/build-eclipse.nix
+++ b/pkgs/applications/editors/eclipse/build-eclipse.nix
@ -17,9 +17,10 @@ stdenv.mkDerivation rec {
    categories = [ "Development" ];
  };

+  nativeBuildInputs = [ makeWrapper ];
  buildInputs = [
    fontconfig freetype glib gsettings-desktop-schemas gtk jdk libX11
-    libXrender libXtst libsecret makeWrapper zlib
+    libXrender libXtst libsecret zlib
  ] ++ lib.optional (webkitgtk != null) webkitgtk;

  buildCommand = ''
--- a/pkgs/applications/editors/emacs/elisp-packages/apheleia/default.nix
+++ b/pkgs/applications/editors/emacs/elisp-packages/apheleia/default.nix
@ -1,34 +0,0 @@
-{ lib
-, stdenv
-, trivialBuild
-, fetchFromGitHub
-, emacs
-}:
-
-trivialBuild rec {
-  pname = "apheleia";
-  version = "1.2";
-
-  src = fetchFromGitHub {
-    owner = "raxod502";
-    repo = pname;
-    rev = "v${version}";
-    hash = "sha256-yd9yhQOs0+RB8RKaXnV/kClDm8cO97RkC8yw5b8IKRo=";
-  };
-
-  buildInputs = [
-    emacs
-  ];
-
-  meta = with lib; {
-    homepage = "https://github.com/raxod502/apheleia";
-    description = "Asynchronous buffer reformat";
-    longDescription = ''
-      Run code formatter on buffer contents without moving point, using RCS
-      patches and dynamic programming.
-    '';
-    license = licenses.mit;
-    maintainers = with maintainers; [ AndersonTorres leungbk ];
-    inherit (emacs.meta) platforms;
-  };
-}
--- a/pkgs/applications/editors/emacs/elisp-packages/manual-packages.nix
+++ b/pkgs/applications/editors/emacs/elisp-packages/manual-packages.nix
@ -162,8 +162,6 @@

  # Packages made the classical callPackage way

-  apheleia = callPackage ./apheleia { };
-
  ebuild-mode = callPackage ./ebuild-mode { };

  evil-markdown = callPackage ./evil-markdown { };
--- a/pkgs/applications/editors/emacs/site-start.el
+++ b/pkgs/applications/editors/emacs/site-start.el
@ -5,22 +5,14 @@ The list is ordered from more-specific (the user profile) to the
 least specific (the system profile)"
  (reverse (split-string (or (getenv "NIX_PROFILES") ""))))

-;;; Extend `load-path' to search for elisp files in subdirectories of
-;;; all folders in `NIX_PROFILES'. Also search for one level of
-;;; subdirectories in these directories to handle multi-file libraries
-;;; like `mu4e'.'
-(require 'seq)
-(let* ((subdirectory-sites (lambda (site-lisp)
-                             (when (file-exists-p site-lisp)
-                               (seq-filter (lambda (f) (file-directory-p (file-truename f)))
-                                           ;; Returns all files in `site-lisp', excluding `.' and `..'
-                                           (directory-files site-lisp 'full "^\\([^.]\\|\\.[^.]\\|\\.\\..\\)")))))
-       (paths (apply #'append
-                     (mapcar (lambda (profile-dir)
-                               (let ((site-lisp (concat profile-dir "/share/emacs/site-lisp/")))
-                                 (cons site-lisp (funcall subdirectory-sites site-lisp))))
-                             (nix--profile-paths)))))
-  (setq load-path (append paths load-path)))
+;;; Extend `load-path' to search for elisp files in subdirectories of all folders in `NIX_PROFILES'.
+;;; Non-Nix distros have similar logic in /usr/share/emacs/site-lisp/subdirs.el.
+;;; See https://www.gnu.org/software/emacs/manual/html_node/elisp/Library-Search.html
+(dolist (profile (nix--profile-paths))
+  (let ((default-directory (expand-file-name "share/emacs/site-lisp/" profile)))
+    (when (file-exists-p default-directory)
+      (setq load-path (cons default-directory load-path))
+      (normal-top-level-add-subdirs-to-load-path))))

 ;;; Remove wrapper site-lisp from EMACSLOADPATH so it's not propagated
 ;;; to any other Emacsen that might be started as subprocesses.
--- a/pkgs/applications/editors/jupyter-kernels/octave/default.nix
+++ b/pkgs/applications/editors/jupyter-kernels/octave/default.nix
@ -22,7 +22,7 @@ rec {
  launcher = runCommand "octave-kernel-launcher" {
    inherit octave;
    python = python3.withPackages (ps: [ ps.traitlets ps.jupyter_core ps.ipykernel ps.metakernel kernel ]);
-    buildInputs = [ makeWrapper ];
+    nativeBuildInputs = [ makeWrapper ];
  } ''
    mkdir -p $out/bin

--- a/pkgs/applications/editors/kibi/default.nix
+++ b/pkgs/applications/editors/kibi/default.nix
@ -1,6 +1,7 @@
 { lib
 , fetchFromGitHub
 , rustPlatform
+, makeWrapper
 }:

 rustPlatform.buildRustPackage rec {
@ -16,6 +17,13 @@ rustPlatform.buildRustPackage rec {
    sha256 = "sha256-ox1qKWxJlUIFzEqeyzG2kqZix3AHnOKFrlpf6O5QM+k=";
  };

+  nativeBuildInputs = [ makeWrapper ];
+
+  postInstall = ''
+    install -Dm644 syntax.d/* -t $out/share/kibi/syntax.d
+    wrapProgram $out/bin/kibi --prefix XDG_DATA_DIRS : "$out/share"
+  '';
+
  meta = with lib; {
    description = "A text editor in ≤1024 lines of code, written in Rust";
    homepage = "https://github.com/ilai-deutel/kibi";
--- a/pkgs/applications/editors/neovim/tests/default.nix
+++ b/pkgs/applications/editors/neovim/tests/default.nix
@ -1,3 +1,4 @@
+# run tests by building `neovim.tests`
 { vimUtils, vim_configurable, writeText, neovim, vimPlugins
 , lib, fetchFromGitHub, neovimUtils, wrapNeovimUnstable
 , neovim-unwrapped
@ -66,6 +67,15 @@ let
    sha256 = "1ykcvyx82nhdq167kbnpgwkgjib8ii7c92y3427v986n2s5lsskc";
  };

+  # this plugin checks that it's ftplugin/vim.tex is loaded before $VIMRUNTIME/ftplugin/vim.tex
+  # the answer is store in `plugin_was_loaded_too_late` in the cwd
+  texFtplugin = pkgs.runCommandLocal "tex-ftplugin" {} ''
+    mkdir -p $out/ftplugin
+    echo 'call system("echo ". exists("b:did_ftplugin") . " > plugin_was_loaded_too_late")' > $out/ftplugin/tex.vim
+    echo ':q!' >> $out/ftplugin/tex.vim
+    echo '\documentclass{article}' > $out/main.tex
+  '';
+
  # neovim-drv must be a wrapped neovim
  runTest = neovim-drv: buildCommand:
    runCommandLocal "test-${neovim-drv.name}" ({
@ -128,6 +138,25 @@ rec {
    ${nvim_with_plug}/bin/nvim -i NONE -c 'color base16-tomorrow-night'  +quit! -e
  '';

+  nvim_with_ftplugin = neovim.override {
+    extraName = "-with-ftplugin";
+    configure.packages.plugins = with pkgs.vimPlugins; {
+      start = [
+        texFtplugin
+      ];
+    };
+  };
+
+  # regression test that ftplugin files from plugins are loaded before the ftplugin
+  # files from $VIMRUNTIME
+  run_nvim_with_ftplugin = runTest nvim_with_ftplugin ''
+    export HOME=$TMPDIR
+    ${nvim_with_ftplugin}/bin/nvim ${texFtplugin}/main.tex
+    result="$(cat plugin_was_loaded_too_late)"
+    echo $result
+    [ "$result" = 0 ]
+  '';
+

  # check that the vim-doc hook correctly generates the tag
  # we know for a fact packer has a doc folder
--- a/pkgs/applications/editors/neovim/utils.nix
+++ b/pkgs/applications/editors/neovim/utils.nix
@ -106,6 +106,7 @@ let
          flags = [
            "--cmd" (lib.intersperse "|" hostProviderViml)
            "--cmd" "set packpath^=${vimUtils.packDir packDirArgs}"
+            "--cmd" "set rtp^=${vimUtils.packDir packDirArgs}"
            ];
        in
        [
--- a/pkgs/applications/editors/pinegrow/default.nix
+++ b/pkgs/applications/editors/pinegrow/default.nix
@ -16,11 +16,11 @@ stdenv.mkDerivation rec {
  pname = "pinegrow";
  # deactivate auto update, because an old 6.21 version is getting mixed up
  # see e.g. https://github.com/NixOS/nixpkgs/pull/184460
-  version = "6.6"; # nixpkgs-update: no auto update
+  version = "6.8"; # nixpkgs-update: no auto update

  src = fetchurl {
    url = "https://download.pinegrow.com/PinegrowLinux64.${version}.zip";
-    sha256 = "sha256-a3SwUNcMXl42+Gy3wjcx/KvVprgFAO0D0lFPohPV3Tk=";
+    sha256 = "sha256-gqRmu0VR8Aj57UwYYLKICd4FnYZMhM6pTTSGIY5MLMk=";
  };

  nativeBuildInputs = [
@ -58,16 +58,16 @@ stdenv.mkDerivation rec {
    # folder and symlinked.
    unzip -q $src -d $out/opt/pinegrow
    substituteInPlace $out/opt/pinegrow/Pinegrow.desktop \
-      --replace 'Exec=sh -c "$(dirname %k)/PinegrowLibrary"' 'Exec=sh -c "$out/bin/Pinegrow"'
-    mv $out/opt/pinegrow/Pinegrow.desktop $out/share/applications/Pinegrow.desktop
-    ln -s $out/opt/pinegrow/PinegrowLibrary $out/bin/Pinegrow
+      --replace 'Exec=sh -c "$(dirname %k)/PinegrowLibrary"' 'Exec=sh -c "$out/bin/pinegrow"'
+    mv $out/opt/pinegrow/Pinegrow.desktop $out/share/applications/pinegrow.desktop
+    ln -s $out/opt/pinegrow/PinegrowLibrary $out/bin/pinegrow

    runHook postInstall
  '';

  # GSETTINGS_SCHEMAS_PATH is not set in installPhase
  preFixup = ''
-    wrapProgram $out/bin/Pinegrow \
+    wrapProgram $out/bin/pinegrow \
      ''${makeWrapperArgs[@]} \
      ''${gappsWrapperArgs[@]}
  '';
--- a/pkgs/applications/editors/texstudio/default.nix
+++ b/pkgs/applications/editors/texstudio/default.nix
@ -3,13 +3,13 @@

 mkDerivation rec {
  pname = "texstudio";
-  version = "4.3.0";
+  version = "4.3.1";

  src = fetchFromGitHub {
    owner = "${pname}-org";
    repo = pname;
    rev = version;
-    hash = "sha256-nw6LG8U4ne5nngmE7F4yFE8mTEvaRSMfwwOxg2TnAdA=";
+    hash = "sha256-CwfnRkG8GsRQuE0+l394gMdj5ao3SUKaDnYP2dfUEew=";
  };

  nativeBuildInputs = [ qmake wrapQtAppsHook pkg-config ];
--- a/pkgs/applications/editors/vim/plugins/vim-utils.nix
+++ b/pkgs/applications/editors/vim/plugins/vim-utils.nix
@ -338,7 +338,7 @@ rec {
          if vimrcFile != null then vimrcFile
          else if vimrcConfig != null then mkVimrcFile vimrcConfig
          else throw "at least one of vimrcConfig and vimrcFile must be specified";
-        bin = runCommand "${name}-bin" { buildInputs = [ makeWrapper ]; } ''
+        bin = runCommand "${name}-bin" { nativeBuildInputs = [ makeWrapper ]; } ''
          vimrc=${lib.escapeShellArg vimrc}
          gvimrc=${if gvimrcFile != null then lib.escapeShellArg gvimrcFile else ""}

--- a/pkgs/applications/editors/vscode/extensions/default.nix
+++ b/pkgs/applications/editors/vscode/extensions/default.nix
@ -16,6 +16,7 @@
 , racket
 , clojure-lsp
 , alejandra
+, millet
 }:

 let
@ -311,6 +312,26 @@ let
        };
      };

+      azdavis.millet = buildVscodeMarketplaceExtension {
+        mktplcRef = {
+          name = "Millet";
+          publisher = "azdavis";
+          version = "0.3.5";
+          sha256 = "sha256-lQ7EMs6nsTEgP9BESMpyoZG7QVOe7DXzfg/iZr1+DCQ=";
+        };
+        nativeBuildInputs = [ jq moreutils ];
+        postInstall = ''
+          cd "$out/$installPrefix"
+          jq '.contributes.configuration.properties."millet.server.path".default = "${millet}/bin/lang-srv"' package.json | sponge package.json
+        '';
+        meta = with lib; {
+          description = "Standard ML support for VS Code";
+          downloadPage = "https://marketplace.visualstudio.com/items?itemName=azdavis.millet";
+          license = licenses.mit;
+          maintainers = with maintainers; [ smasher164 ];
+        };
+      };
+
      ms-python.vscode-pylance = buildVscodeMarketplaceExtension {
        mktplcRef = {
          name = "vscode-pylance";
@ -363,8 +384,8 @@ let
        mktplcRef = {
          name = "ocaml-formatter";
          publisher = "badochov";
-          version = "1.14.0";
-          sha256 = "sha256-Iekh3vwu8iz53rPRsuu1Fx9iA/A97iMd8cPETWavnyA=";
+          version = "2.0.5";
+          sha256 = "sha256-D04EJButnam/l4aAv1yNbHlTKMb3x1yrS47+9XjpCLI=";
        };
        meta = with lib; {
          description = "VSCode Extension Formatter for OCaml language";
@ -523,15 +544,15 @@ let
        mktplcRef = {
          name = "path-intellisense";
          publisher = "christian-kohler";
-          version = "2.8.0";
-          sha256 = "sha256-VPzy9o0DeYRkNwTGphC51vzBTNgQwqKg+t7MpGPLahM=";
+          version = "2.8.1";
+          sha256 = "sha256-lTKzMphkGgOG2XWqz3TW2G9sISBc/kG7oXqcIH8l+Mg=";
        };
        meta = with lib; {
          description = "Visual Studio Code plugin that autocompletes filenames";
          downloadPage = "https://marketplace.visualstudio.com/items?itemName=christian-kohler.path-intellisense";
          homepage = "https://github.com/ChristianKohler/PathIntellisense";
          license = licenses.mit;
-          maintainers = with maintainers; [ imgabe ];
+          maintainers = with maintainers; [ imgabe superherointj ];
        };
      };

@ -880,8 +901,8 @@ let
        mktplcRef = {
          name = "prettier-vscode";
          publisher = "esbenp";
-          version = "9.5.0";
-          sha256 = "sha256-L/jW6xAnJ8v9Qq+iyQI8usGr8BoICR+2ENAMGQ05r0A=";
+          version = "9.8.0";
+          sha256 = "sha256-+8lEuQD73w+urAv2Tw0b+q6oQ66+gLgMPe3Luln9cuY=";
        };
        meta = with lib; {
          changelog = "https://marketplace.visualstudio.com/items/esbenp.prettier-vscode/changelog";
@ -889,7 +910,7 @@ let
          downloadPage = "https://marketplace.visualstudio.com/items?itemName=esbenp.prettier-vscode";
          homepage = "https://github.com/prettier/prettier-vscode";
          license = licenses.mit;
-          maintainers = with maintainers; [ datafoo ];
+          maintainers = with maintainers; [ datafoo superherointj ];
        };
      };

@ -958,6 +979,23 @@ let
        };
      };

+      firefox-devtools.vscode-firefox-debug = buildVscodeMarketplaceExtension {
+        mktplcRef = {
+          name = "vscode-firefox-debug";
+          publisher = "firefox-devtools";
+          version = "2.9.8";
+          sha256 = "sha256-MCL562FPgEfhUM1KH5LMl7BblbjIkQ4UEwB67RlO5Mk=";
+        };
+        meta = with lib; {
+          changelog = "https://marketplace.visualstudio.com/items/firefox-devtools.vscode-firefox-debug/changelog";
+          description = "A Visual Studio Code extension for debugging web applications and browser extensions in Firefox";
+          downloadPage = "https://marketplace.visualstudio.com/items?itemName=firefox-devtools.vscode-firefox-debug";
+          homepage = "https://github.com/firefox-devtools/vscode-firefox-debug";
+          license = licenses.mit;
+          maintainers = with maintainers; [ felschr ];
+        };
+      };
+
      foam.foam-vscode = buildVscodeMarketplaceExtension {
        mktplcRef = {
          name = "foam-vscode";
@ -1319,8 +1357,8 @@ let
        mktplcRef = {
          name = "elixir-ls";
          publisher = "JakeBecker";
-          version = "0.9.0";
-          sha256 = "sha256-KNfZOrVxK3/rClHPcIyPgE9CRtjkI7NLY0xZ9W+X6OM=";
+          version = "0.11.0";
+          sha256 = "sha256-okvwyD0m2r8ar85VtuBUNMUZGGrCfJ4DB9v7aSX5PjM=";
        };
        meta = with lib; {
          changelog = "https://marketplace.visualstudio.com/items/JakeBecker.elixir-ls/changelog";
@ -1368,8 +1406,8 @@ let
        mktplcRef = {
          name = "nix-ide";
          publisher = "jnoortheen";
-          version = "0.1.20";
-          sha256 = "16mmivdssjky11gmih7zp99d41m09r0ii43n17d4i6xwivagi9a3";
+          version = "0.1.23";
+          sha256 = "sha256-64gwwajfgniVzJqgVLK9b8PfkNG5mk1W+qewKL7Dv0Q=";
        };
        meta = with lib; {
          changelog = "https://marketplace.visualstudio.com/items/jnoortheen.nix-ide/changelog";
@ -1377,7 +1415,7 @@ let
          downloadPage = "https://marketplace.visualstudio.com/items?itemName=jnoortheen.nix-ide";
          homepage = "https://github.com/jnoortheen/vscode-nix-ide";
          license = licenses.mit;
-          maintainers = with maintainers; [ SuperSandro2000 ];
+          maintainers = with maintainers; [ superherointj SuperSandro2000 ];
        };
      };

@ -1936,13 +1974,13 @@ let
          downloadPage = "https://marketplace.visualstudio.com/items?itemName=ocamllabs.ocaml-platform";
          homepage = "https://github.com/ocamllabs/vscode-ocaml-platform";
          license = licenses.isc;
-          maintainers = with maintainers; [ ratsclub ];
+          maintainers = with maintainers; [ ratsclub superherointj ];
        };
        mktplcRef = {
          name = "ocaml-platform";
          publisher = "ocamllabs";
-          version = "1.10.4";
-          sha256 = "sha256-Qk4wD6gh/xvH6nFBonje4Stz6Y6yaIyxx1TdAXQEycM=";
+          version = "1.10.7";
+          sha256 = "sha256-BxVur+aSbFPyX+DW9tQcfJEyImkbTC6O0uOV2d76au0=";
        };
      };

@ -1990,8 +2028,8 @@ let
        mktplcRef = {
          name = "prisma";
          publisher = "Prisma";
-          version = "4.1.0";
-          sha256 = "sha256-YpdxRoeIesx4R2RIpJ8YmmHEmR3lezdN1efhhg14MzI=";
+          version = "4.2.0";
+          sha256 = "sha256-1U3JlWfIlTt0AMPsiP3vD2ZEzD2oUsYsqRRwBQeoLIA=";
        };
        meta = with lib; {
          changelog = "https://marketplace.visualstudio.com/items/Prisma.prisma/changelog";
@ -2300,11 +2338,16 @@ let
        mktplcRef = {
          name = "svelte-vscode";
          publisher = "svelte";
-          version = "105.3.0";
-          sha256 = "11plqsj3c4dv0xg2d76pxrcn382qr9wbh1lhln2x8mzv840icvwr";
+          version = "105.21.0";
+          sha256 = "12p6msv8wi773piqm1y5zik3ky652bdaw9s83ffwnlndsh87s9n5";
        };
        meta = {
+          changelog = "https://github.com/sveltejs/language-tools/releases";
+          description = "Svelte language support for VS Code";
+          downloadPage = "https://marketplace.visualstudio.com/items?itemName=svelte.svelte-vscode";
+          homepage = "https://github.com/sveltejs/language-tools#readme";
          license = lib.licenses.mit;
+          maintainers = with lib.maintainers; [ fabianhauser ];
        };
      };

@ -2464,8 +2507,8 @@ let
        mktplcRef = {
          name = "errorlens";
          publisher = "usernamehw";
-          version = "3.5.1";
-          sha256 = "17xbbr5hjrs67yazicb9qillbkp3wnaccjpnl1jlp07s0n7q4f8f";
+          version = "3.6.0";
+          sha256 = "sha256-oNzB81mPZjEwrqbeFMvTlXERXrYBpF03EH9ZXz/daOs=";
        };
        meta = with lib; {
          changelog = "https://marketplace.visualstudio.com/items/usernamehw.errorlens/changelog";
--- a/pkgs/applications/emulators/cdemu/analyzer.nix
+++ b/pkgs/applications/emulators/cdemu/analyzer.nix
@ -6,11 +6,10 @@ let pkg = import ./base.nix {
  pkgSha256 = "00906lky0z1m0bdqnjmzxgcb19dzvljhddhh42lixyr53sjp94cc";
 };
 in callPackage pkg {
-  buildInputs = [ glib gtk3 libxml2 gnuplot libmirage makeWrapper
-                  gnome.adwaita-icon-theme gdk-pixbuf librsvg intltool
+  buildInputs = [ glib gtk3 libxml2 gnuplot libmirage gnome.adwaita-icon-theme gdk-pixbuf librsvg
                  python3Packages.python python3Packages.pygobject3 python3Packages.matplotlib ];
  drvParams = {
-    nativeBuildInputs = [ gobject-introspection cmake ];
+    nativeBuildInputs = [ gobject-introspection cmake makeWrapper intltool ];
    postFixup = ''
      wrapProgram $out/bin/image-analyzer \
        --set PYTHONPATH "$PYTHONPATH" \
--- a/pkgs/applications/emulators/cdemu/base.nix
+++ b/pkgs/applications/emulators/cdemu/base.nix
@ -1,12 +1,12 @@
 { pname, version, pkgSha256 }:
-{ lib, stdenv, fetchurl, cmake, pkg-config, buildInputs, drvParams ? {} }:
+attrs@{ lib, stdenv, fetchurl, cmake, pkg-config, buildInputs, drvParams ? {}, ... }:
 stdenv.mkDerivation ( rec {
  inherit pname version buildInputs;
  src = fetchurl {
    url = "mirror://sourceforge/cdemu/${pname}-${version}.tar.xz";
    sha256 = pkgSha256;
  };
-  nativeBuildInputs = [ pkg-config cmake ];
+  nativeBuildInputs = (attrs.nativeBuildInputs or [ ]) ++ [ pkg-config cmake ];
  setSourceRoot = ''
    mkdir build
    cd build
--- a/pkgs/applications/emulators/cdemu/client.nix
+++ b/pkgs/applications/emulators/cdemu/client.nix
@ -5,8 +5,8 @@ let pkg = import ./base.nix {
  pkgSha256 = "1prrdhv0ia0axc6b73crszqzh802wlkihz6d100yvg7wbgmqabd7";
 };
 in callPackage pkg {
-  buildInputs = [ python3Packages.python python3Packages.dbus-python python3Packages.pygobject3
-                  intltool makeWrapper ];
+  nativeBuildInputs = [ makeWrapper intltool ];
+  buildInputs = [ python3Packages.python python3Packages.dbus-python python3Packages.pygobject3 ];
  drvParams = {
    postFixup = ''
      wrapProgram $out/bin/cdemu \
--- a/pkgs/applications/emulators/cdemu/daemon.nix
+++ b/pkgs/applications/emulators/cdemu/daemon.nix
@ -5,5 +5,6 @@ let pkg = import ./base.nix {
  pkgSha256 = "16g6fv1lxkdmbsy6zh5sj54dvgwvm900fd18aq609yg8jnqm644d";
 };
 in callPackage pkg {
-  buildInputs = [ glib libao libmirage intltool ];
+  nativeBuildInputs = [ intltool ];
+  buildInputs = [ glib libao libmirage ];
 }
--- a/pkgs/applications/emulators/cdemu/gui.nix
+++ b/pkgs/applications/emulators/cdemu/gui.nix
@ -8,10 +8,9 @@ let
  };
  inherit (python3Packages) python pygobject3;
 in callPackage pkg {
-  buildInputs = [ python pygobject3 gtk3 glib libnotify intltool makeWrapper
-                  gnome.adwaita-icon-theme gdk-pixbuf librsvg ];
+  buildInputs = [ python pygobject3 gtk3 glib libnotify gnome.adwaita-icon-theme gdk-pixbuf librsvg ];
  drvParams = {
-    nativeBuildInputs = [ gobject-introspection cmake ];
+    nativeBuildInputs = [ gobject-introspection cmake makeWrapper intltool ];
    postFixup = ''
      wrapProgram $out/bin/gcdemu \
        --set PYTHONPATH "$PYTHONPATH" \
--- a/pkgs/applications/emulators/cdemu/libmirage.nix
+++ b/pkgs/applications/emulators/cdemu/libmirage.nix
@ -8,11 +8,11 @@ let pkg = import ./base.nix {
  pkgSha256 = "0f8i2ha44rykkk3ac2q8zsw3y1zckw6qnf6zvkyrj3qqbzhrf3fm";
 };
 in callPackage pkg {
-  buildInputs = [ glib libsndfile zlib bzip2 xz libsamplerate intltool ];
+  buildInputs = [ glib libsndfile zlib bzip2 xz libsamplerate ];
  drvParams = {
    PKG_CONFIG_GOBJECT_INTROSPECTION_1_0_GIRDIR = "${placeholder "out"}/share/gir-1.0";
    PKG_CONFIG_GOBJECT_INTROSPECTION_1_0_TYPELIBDIR = "${placeholder "out"}/lib/girepository-1.0";
-    nativeBuildInputs = [ cmake gobject-introspection pkg-config ];
+    nativeBuildInputs = [ cmake gobject-introspection pkg-config intltool ];
    propagatedBuildInputs = [ pcre util-linux libselinux libsepol ];
  };
 }
--- a/pkgs/applications/emulators/sameboy/default.nix
+++ b/pkgs/applications/emulators/sameboy/default.nix
@ -2,13 +2,13 @@

 stdenv.mkDerivation rec {
  pname = "sameboy";
-  version = "0.14.7";
+  version = "0.15.4";

  src = fetchFromGitHub {
    owner = "LIJI32";
    repo = "SameBoy";
    rev = "v${version}";
-    sha256 = "sha256-rvcR1mp+lJ6ZFc9WYUK9FBVcG2vD5MoX6lY+AJsMaeQ=";
+    sha256 = "sha256-YLWo6Em/NdU60Dtu4ePANSKLixozxpxVwD3dJcAOs3g=";
  };

  enableParallelBuilding = true;
--- a/pkgs/applications/file-managers/clifm/default.nix
+++ b/pkgs/applications/file-managers/clifm/default.nix
@ -2,13 +2,13 @@

 stdenv.mkDerivation rec {
  pname = "clifm";
-  version = "1.6";
+  version = "1.7";

  src = fetchFromGitHub {
    owner = "leo-arch";
    repo = pname;
    rev = "v${version}";
-    sha256 = "sha256-ak2tZTNNKsHGNpxobi8oqnimhsNvoaW75zMYBeskXZU=";
+    sha256 = "sha256-7nMAaMLFLF5WuWgac9wdIvzRTTVpKRM7zB2tIlowBEE=";
  };

  buildInputs = [ libcap acl file readline ];
--- a/pkgs/applications/file-managers/nnn/default.nix
+++ b/pkgs/applications/file-managers/nnn/default.nix
@ -8,6 +8,7 @@
 , ncurses
 , readline
 , which
+, musl-fts
 # options
 , conf ? null
 , withIcons ? false
@ -33,7 +34,10 @@ stdenv.mkDerivation rec {
  preBuild = lib.optionalString (conf != null) "cp ${configFile} src/nnn.h";

  nativeBuildInputs = [ installShellFiles makeWrapper pkg-config ];
-  buildInputs = [ readline ncurses ];
+  buildInputs = [ readline ncurses ] ++ lib.optional stdenv.hostPlatform.isMusl musl-fts;
+
+  NIX_CFLAGS_COMPILE = lib.optionalString stdenv.hostPlatform.isMusl "-I${musl-fts}/include";
+  NIX_LDFLAGS = lib.optionalString stdenv.hostPlatform.isMusl "-lfts";

  makeFlags = [ "PREFIX=${placeholder "out"}" ]
    ++ lib.optional withIcons [ "O_ICONS=1" ]
--- a/pkgs/applications/gis/grass/default.nix
+++ b/pkgs/applications/gis/grass/default.nix
@ -15,9 +15,9 @@ stdenv.mkDerivation rec {
    sha256 = "sha256-VK9FCqIwHGmeJe5lk12lpAGcsC1aPRBiI+XjACXjDd4=";
  };

-  nativeBuildInputs = [ pkg-config ];
+  nativeBuildInputs = [ pkg-config makeWrapper ];
  buildInputs = [ flex bison zlib proj gdal libtiff libpng fftw sqlite
-  readline ffmpeg makeWrapper netcdf geos postgresql libmysqlclient blas
+  readline ffmpeg netcdf geos postgresql libmysqlclient blas
  libLAS proj-datumgrid zstd wrapGAppsHook ]
    ++ lib.optionals stdenv.isLinux [ cairo pdal wxGTK31 ]
    ++ lib.optional stdenv.isDarwin wxmac
--- a/pkgs/applications/graphics/ImageMagick/default.nix
+++ b/pkgs/applications/graphics/ImageMagick/default.nix
@ -46,13 +46,13 @@ in

 stdenv.mkDerivation rec {
  pname = "imagemagick";
-  version = "7.1.0-46";
+  version = "7.1.0-47";

  src = fetchFromGitHub {
    owner = "ImageMagick";
    repo = "ImageMagick";
    rev = version;
-    hash = "sha256-yts86tQMPgdF9Zk1vljVza21mlx1g3XcoHjvtsMoZhA=";
+    hash = "sha256-x5kC9nd38KgSpzJX3y6h2iBnte+UHrfZnbkRD/Dgqi8=";
  };

  outputs = [ "out" "dev" "doc" ]; # bin/ isn't really big
--- a/pkgs/applications/graphics/image_optim/default.nix
+++ b/pkgs/applications/graphics/image_optim/default.nix
@ -35,7 +35,7 @@ bundlerApp {

  exes = [ "image_optim" ];

-  buildInputs = [ makeWrapper ];
+  nativeBuildInputs = [ makeWrapper ];

  postBuild = ''
    wrapProgram $out/bin/image_optim \
--- a/pkgs/applications/graphics/timelapse-deflicker/default.nix
+++ b/pkgs/applications/graphics/timelapse-deflicker/default.nix
@ -16,8 +16,9 @@ stdenv.mkDerivation rec {
    wrapProgram $out/bin/timelapse-deflicker --set PERL5LIB $PERL5LIB
  '';

+  nativeBuildInputs = [ makeWrapper ];
  buildInputs = with perlPackages; [
-    makeWrapper perl
+    perl
    ImageMagick TermProgressBar ImageExifTool
    FileType ClassMethodMaker
  ];
--- a/Show More
+++ b/Show More