Merge master into staging-next

nixos/modules/config/update-users-groups.pl

@@ -223,10 +223,10 @@ foreach my $u (@{$spec->{users}}) {
     }
 
     # Ensure home directory incl. ownership and permissions.
-    if ($u->{createHome}) {
-        make_path($u->{home}, { mode => 0700 }) if ! -e $u->{home} and ! $is_dry;
+    if ($u->{createHome} and !$is_dry) {
+        make_path($u->{home}, { mode => oct($u->{homeMode}) }) if ! -e $u->{home};
         chown $u->{uid}, $u->{gid}, $u->{home};
-        chmod 0700, $u->{home};
+        chmod oct($u->{homeMode}), $u->{home};
     }
 
     if (defined $u->{passwordFile}) {

nixos/modules/config/users-groups.nix

@@ -48,7 +48,7 @@ let
     services such as SSH, or indirectly via <command>su</command> or
     <command>sudo</command>). This should only be used for e.g. bootable
     live systems. Note: this is different from setting an empty password,
-    which ca be achieved using <option>users.users.&lt;name?&gt;.password</option>.
+    which can be achieved using <option>users.users.&lt;name?&gt;.password</option>.
 
     If set to <literal>null</literal> (default) this user will not
     be able to log in using a password (i.e. via <command>login</command>
@@ -139,6 +139,12 @@ let
         description = "The user's home directory.";
       };
 
+      homeMode = mkOption {
+        type = types.strMatching "[0-7]{1,5}";
+        default = "700";
+        description = "The user's home directory mode in numeric format. See chmod(1). The mode is only applied if <option>users.users.&lt;name&gt;.createHome</option> is true.";
+      };
+
       cryptHomeLuks = mkOption {
         type = with types; nullOr str;
         default = null;
@@ -319,6 +325,7 @@ let
           group = mkDefault "users";
           createHome = mkDefault true;
           home = mkDefault "/home/${config.name}";
+          homeMode = mkDefault "700";
           useDefaultShell = mkDefault true;
           isSystemUser = mkDefault false;
         })
@@ -430,7 +437,7 @@ let
     inherit (cfg) mutableUsers;
     users = mapAttrsToList (_: u:
       { inherit (u)
-          name uid group description home createHome isSystemUser
+          name uid group description home homeMode createHome isSystemUser
           password passwordFile hashedPassword
           autoSubUidGidRange subUidRanges subGidRanges
           initialPassword initialHashedPassword;

nixos/modules/services/networking/mosquitto.nix

@@ -199,6 +199,7 @@ let
     allow_anonymous = 1;
     allow_zero_length_clientid = 1;
     auto_id_prefix = 1;
+    bind_interface = 1;
     cafile = 1;
     capath = 1;
     certfile = 1;
@@ -295,7 +296,7 @@ let
   };
 
   listenerAsserts = prefix: listener:
-    assertKeysValid prefix freeformListenerKeys listener.settings
+    assertKeysValid "${prefix}.settings" freeformListenerKeys listener.settings
     ++ userAsserts prefix listener.users
     ++ imap0
       (i: v: authAsserts "${prefix}.authPlugins.${toString i}" v)
@@ -397,7 +398,7 @@ let
   };
 
   bridgeAsserts = prefix: bridge:
-    assertKeysValid prefix freeformBridgeKeys bridge.settings
+    assertKeysValid "${prefix}.settings" freeformBridgeKeys bridge.settings
     ++ [ {
       assertion = length bridge.addresses > 0;
       message = "Bridge ${prefix} needs remote broker addresses";
@@ -526,7 +527,7 @@ let
 
   globalAsserts = prefix: cfg:
     flatten [
-      (assertKeysValid prefix freeformGlobalKeys cfg.settings)
+      (assertKeysValid "${prefix}.settings" freeformGlobalKeys cfg.settings)
       (imap0 (n: l: listenerAsserts "${prefix}.listener.${toString n}" l) cfg.listeners)
       (mapAttrsToList (n: b: bridgeAsserts "${prefix}.bridge.${n}" b) cfg.bridges)
     ];
@@ -629,9 +630,10 @@ in
                ]));
         RemoveIPC = true;
         RestrictAddressFamilies = [
-          "AF_UNIX"  # for sd_notify() call
+          "AF_UNIX"
           "AF_INET"
           "AF_INET6"
+          "AF_NETLINK"
         ];
         RestrictNamespaces = true;
         RestrictRealtime = true;

nixos/modules/system/boot/systemd.nix

@@ -35,11 +35,11 @@ let
       "nss-lookup.target"
       "nss-user-lookup.target"
       "time-sync.target"
-    ] ++ (optionals cfg.package.withCryptsetup [
+    ] ++ optionals cfg.package.withCryptsetup [
       "cryptsetup.target"
       "cryptsetup-pre.target"
       "remote-cryptsetup.target"
-    ]) ++ [
+    ] ++ [
       "sigpwr.target"
       "timers.target"
       "paths.target"
@@ -133,20 +133,27 @@ let
 
       # Slices / containers.
       "slices.target"
+    ] ++ optionals cfg.package.withImportd [
+      "systemd-importd.service"
+    ] ++ optionals cfg.package.withMachined [
       "machine.slice"
       "machines.target"
-      "systemd-importd.service"
       "systemd-machined.service"
+    ] ++ [
       "systemd-nspawn@.service"
 
       # Misc.
       "systemd-sysctl.service"
+    ] ++ optionals cfg.package.withTimedated [
       "dbus-org.freedesktop.timedate1.service"
-      "dbus-org.freedesktop.locale1.service"
-      "dbus-org.freedesktop.hostname1.service"
       "systemd-timedated.service"
+    ] ++ optionals cfg.package.withLocaled [
+      "dbus-org.freedesktop.locale1.service"
       "systemd-localed.service"
+    ] ++ optionals cfg.package.withHostnamed [
+      "dbus-org.freedesktop.hostname1.service"
       "systemd-hostnamed.service"
+    ] ++ [
       "systemd-exit.service"
       "systemd-update-done.service"
     ] ++ cfg.additionalUpstreamSystemUnits;

nixos/modules/system/boot/systemd/logind.nix

@@ -81,8 +81,11 @@ in
       "systemd-logind.service"
       "autovt@.service"
       "systemd-user-sessions.service"
+    ] ++ optionals config.systemd.package.withImportd [
       "dbus-org.freedesktop.import1.service"
+    ] ++ optionals config.systemd.package.withMachined [
       "dbus-org.freedesktop.machine1.service"
+    ] ++ [
       "dbus-org.freedesktop.login1.service"
       "user@.service"
       "user-runtime-dir@.service"

nixos/tests/all-tests.nix

@@ -580,6 +580,7 @@ in
   uptermd = handleTest ./uptermd.nix {};
   usbguard = handleTest ./usbguard.nix {};
   user-activation-scripts = handleTest ./user-activation-scripts.nix {};
+  user-home-mode = handleTest ./user-home-mode.nix {};
   uwsgi = handleTest ./uwsgi.nix {};
   v2ray = handleTest ./v2ray.nix {};
   vault = handleTest ./vault.nix {};

nixos/tests/mosquitto.nix

@@ -4,6 +4,7 @@ let
   port = 1888;
   tlsPort = 1889;
   anonPort = 1890;
+  bindTestPort = 1891;
   password = "VERY_secret";
   hashedPassword = "$7$101$/WJc4Mp+I+uYE9sR$o7z9rD1EYXHPwEP5GqQj6A7k4W1yVbePlb8TqNcuOLV9WNCiDgwHOB0JHC1WCtdkssqTBduBNUnUGd6kmZvDSw==";
   topic = "test/foo";
@@ -125,6 +126,10 @@ in {
               };
             };
           }
+          {
+            settings.bind_interface = "eth0";
+            port = bindTestPort;
+          }
         ];
       };
     };
@@ -134,6 +139,8 @@ in {
   };
 
   testScript = ''
+    import json
+
     def mosquitto_cmd(binary, user, topic, port):
         return (
             "mosquitto_{} "
@@ -162,6 +169,27 @@ in {
     start_all()
     server.wait_for_unit("mosquitto.service")
 
+    with subtest("bind_interface"):
+        addrs = dict()
+        for iface in json.loads(server.succeed("ip -json address show")):
+            for addr in iface['addr_info']:
+                # don't want to deal with multihoming here
+                assert addr['local'] not in addrs
+                addrs[addr['local']] = (iface['ifname'], addr['family'])
+
+        # mosquitto grabs *one* random address per type for bind_interface
+        (has4, has6) = (False, False)
+        for line in server.succeed("ss -HlptnO sport = ${toString bindTestPort}").splitlines():
+            items = line.split()
+            if "mosquitto" not in items[5]: continue
+            listener = items[3].rsplit(':', maxsplit=1)[0].strip('[]')
+            assert listener in addrs
+            assert addrs[listener][0] == "eth0"
+            has4 |= addrs[listener][1] == 'inet'
+            has6 |= addrs[listener][1] == 'inet6'
+        assert has4
+        assert has6
+
     with subtest("check passwords"):
         client1.succeed(publish("-m test", "password_store"))
         client1.succeed(publish("-m test", "password_file"))

nixos/tests/user-home-mode.nix

@@ -0,0 +1,27 @@
+import ./make-test-python.nix ({ lib, ... }: {
+  name = "user-home-mode";
+  meta = with lib.maintainers; { maintainers = [ fbeffa ]; };
+
+  nodes.machine = {
+    users.users.alice = {
+      initialPassword = "pass1";
+      isNormalUser = true;
+    };
+    users.users.bob = {
+      initialPassword = "pass2";
+      isNormalUser = true;
+      homeMode = "750";
+    };
+  };
+
+  testScript = ''
+    machine.wait_for_unit("multi-user.target")
+    machine.wait_for_unit("getty@tty1.service")
+    machine.wait_until_tty_matches(1, "login: ")
+    machine.send_chars("alice\n")
+    machine.wait_until_tty_matches(1, "Password: ")
+    machine.send_chars("pass1\n")
+    machine.succeed('[ "$(stat -c %a /home/alice)" == "700" ]')
+    machine.succeed('[ "$(stat -c %a /home/bob)" == "750" ]')
+  '';
+})

pkgs/applications/blockchains/sparrow/default.nix

@@ -0,0 +1,232 @@
+{ stdenv
+, lib
+, makeWrapper
+, fetchurl
+, makeDesktopItem
+, copyDesktopItems
+, autoPatchelfHook
+, openjdk17
+, gtk3
+, gsettings-desktop-schemas
+, writeScript
+, bash
+, gnugrep
+, tor
+, zlib
+, openimajgrabber
+, hwi
+, imagemagick
+}:
+
+let
+  pname = "sparrow";
+  version = "1.6.4";
+
+  src = fetchurl {
+    url = "https://github.com/sparrowwallet/${pname}/releases/download/${version}/${pname}-${version}.tar.gz";
+    sha256 = "1wdibpbhv3g6qk42ddfc5vyqkkwprczy45w5wi115qg3g1rf1in7";
+  };
+
+  launcher = writeScript "sparrow" ''
+    #! ${bash}/bin/bash
+    params=(
+      --module-path @out@/lib:@jdkModules@/modules
+      --add-opens javafx.graphics/com.sun.javafx.css=org.controlsfx.controls
+      --add-opens javafx.graphics/javafx.scene=org.controlsfx.controls
+      --add-opens javafx.controls/com.sun.javafx.scene.control.behavior=org.controlsfx.controls
+      --add-opens javafx.controls/com.sun.javafx.scene.control.inputmap=org.controlsfx.controls
+      --add-opens javafx.graphics/com.sun.javafx.scene.traversal=org.controlsfx.controls
+      --add-opens javafx.base/com.sun.javafx.event=org.controlsfx.controls
+      --add-opens javafx.controls/javafx.scene.control.cell=com.sparrowwallet.sparrow
+      --add-opens org.controlsfx.controls/impl.org.controlsfx.skin=com.sparrowwallet.sparrow
+      --add-opens org.controlsfx.controls/impl.org.controlsfx.skin=javafx.fxml
+      --add-opens javafx.graphics/com.sun.javafx.tk=centerdevice.nsmenufx
+      --add-opens javafx.graphics/com.sun.javafx.tk.quantum=centerdevice.nsmenufx
+      --add-opens javafx.graphics/com.sun.glass.ui=centerdevice.nsmenufx
+      --add-opens javafx.controls/com.sun.javafx.scene.control=centerdevice.nsmenufx
+      --add-opens javafx.graphics/com.sun.javafx.menu=centerdevice.nsmenufx
+      --add-opens javafx.graphics/com.sun.glass.ui=com.sparrowwallet.sparrow
+      --add-opens javafx.graphics/com.sun.javafx.application=com.sparrowwallet.sparrow
+      --add-opens java.base/java.net=com.sparrowwallet.sparrow
+      --add-opens java.base/java.io=com.google.gson
+      --add-reads com.sparrowwallet.merged.module=java.desktop
+      --add-reads com.sparrowwallet.merged.module=java.sql
+      --add-reads com.sparrowwallet.merged.module=com.sparrowwallet.sparrow
+      --add-reads com.sparrowwallet.merged.module=logback.classic
+      --add-reads com.sparrowwallet.merged.module=com.fasterxml.jackson.databind
+      --add-reads com.sparrowwallet.merged.module=com.fasterxml.jackson.annotation
+      --add-reads com.sparrowwallet.merged.module=com.fasterxml.jackson.core
+      --add-reads com.sparrowwallet.merged.module=co.nstant.in.cbor
+      -m com.sparrowwallet.sparrow
+    )
+
+    XDG_DATA_DIRS=${gsettings-desktop-schemas}/share/gsettings-schemas/${gsettings-desktop-schemas.name}:${gtk3}/share/gsettings-schemas/${gtk3.name}:$XDG_DATA_DIRS ${openjdk17}/bin/java ''${params[@]} $@
+  '';
+
+  torWrapper = writeScript "tor-wrapper" ''
+    #! ${bash}/bin/bash
+
+    exec ${tor}/bin/tor "$@"
+  '';
+
+  jdk-modules = stdenv.mkDerivation {
+    name = "jdk-modules";
+    nativeBuildInputs = [ openjdk17 ];
+    dontUnpack = true;
+
+    buildPhase = ''
+      # Extract the JDK's JIMAGE and generate a list of modules.
+      mkdir modules
+      pushd modules
+      jimage extract ${openjdk17}/lib/openjdk/lib/modules
+      ls | xargs -d " " -- echo > ../manifest.txt
+      popd
+    '';
+
+    installPhase = ''
+      mkdir -p $out
+      cp manifest.txt $out/
+      cp -r modules/ $out/
+    '';
+  };
+
+  sparrow-modules = stdenv.mkDerivation {
+    pname = "sparrow-modules";
+    inherit version src;
+    nativeBuildInputs = [ makeWrapper gnugrep openjdk17 autoPatchelfHook stdenv.cc.cc.lib zlib ];
+
+    buildPhase = ''
+      # Extract Sparrow's JIMAGE and generate a list of them.
+      mkdir modules
+      pushd modules
+      jimage extract ../lib/runtime/lib/modules
+
+      # Delete JDK modules
+      cat ${jdk-modules}/manifest.txt | xargs -I {} -- rm -fR {}
+
+      # Delete unneeded native libs.
+
+      rm -fR com.sparrowwallet.merged.module/com/sun/jna/freebsd-x86-64
+      rm -fR com.sparrowwallet.merged.module/com/sun/jna/freebsd-x86
+      rm -fR com.sparrowwallet.merged.module/com/sun/jna/linux-aarch64
+      rm -fR com.sparrowwallet.merged.module/com/sun/jna/linux-arm
+      rm -fR com.sparrowwallet.merged.module/com/sun/jna/linux-armel
+      rm -fR com.sparrowwallet.merged.module/com/sun/jna/linux-mips64el
+      rm -fR com.sparrowwallet.merged.module/com/sun/jna/linux-ppc
+      rm -fR com.sparrowwallet.merged.module/com/sun/jna/linux-ppc64le
+      rm -fR com.sparrowwallet.merged.module/com/sun/jna/linux-s390x
+      rm -fR com.sparrowwallet.merged.module/com/sun/jna/linux-x86
+      rm -fR com.sparrowwallet.merged.module/com/sun/jna/openbsd-x86-64
+      rm -fR com.sparrowwallet.merged.module/com/sun/jna/openbsd-x86
+      rm -fR com.sparrowwallet.merged.module/com/sun/jna/sunos-sparc
+      rm -fR com.sparrowwallet.merged.module/com/sun/jna/sunos-sparcv9
+      rm -fR com.sparrowwallet.merged.module/com/sun/jna/sunos-x86-64
+      rm -fR com.sparrowwallet.merged.module/com/sun/jna/sunos-x86
+      rm -fR com.github.sarxos.webcam.capture/com/github/sarxos/webcam/ds/buildin/lib/linux_armel
+      rm -fR com.github.sarxos.webcam.capture/com/github/sarxos/webcam/ds/buildin/lib/linux_armhf
+      rm -fR com.github.sarxos.webcam.capture/com/github/sarxos/webcam/ds/buildin/lib/linux_x86
+      rm com.github.sarxos.webcam.capture/com/github/sarxos/webcam/ds/buildin/lib/linux_x64/OpenIMAJGrabber.so
+      rm -fR com.nativelibs4java.bridj/org/bridj/lib/linux_arm32_armel
+      rm -fR com.nativelibs4java.bridj/org/bridj/lib/linux_armel
+      rm -fR com.nativelibs4java.bridj/org/bridj/lib/linux_armhf
+      rm -fR com.nativelibs4java.bridj/org/bridj/lib/linux_x86
+      rm -fR com.nativelibs4java.bridj/org/bridj/lib/sunos_x64
+      rm -fR com.nativelibs4java.bridj/org/bridj/lib/sunos_x86
+      rm -fR com.sparrowwallet.merged.module/linux-aarch64
+      rm -fR com.sparrowwallet.merged.module/linux-arm
+      rm -fR com.sparrowwallet.merged.module/linux-x86
+      rm com.sparrowwallet.sparrow/native/linux/x64/hwi
+
+      ls | xargs -d " " -- echo > ../manifest.txt
+      find . | grep "\.so$" | xargs -- chmod ugo+x
+      popd
+
+      # Replace the embedded Tor binary (which is in a Tar archive)
+      # with one from Nixpkgs.
+      cp ${torWrapper} ./tor
+      tar -cJf tor.tar.xz tor
+      cp tor.tar.xz modules/netlayer.jpms/native/linux/x64/tor.tar.xz
+    '';
+
+    installPhase = ''
+      mkdir -p $out
+      cp manifest.txt $out/
+      cp -r modules/ $out/
+      ln -s ${openimajgrabber}/lib/OpenIMAJGrabber.so $out/modules/com.github.sarxos.webcam.capture/com/github/sarxos/webcam/ds/buildin/lib/linux_x64/OpenIMAJGrabber.so
+      ln -s ${hwi}/bin/hwi $out/modules/com.sparrowwallet.sparrow/native/linux/x64/hwi
+    '';
+  };
+
+  # To use the udev rules for connected hardware wallets,
+  # add "pkgs.sparrow" to "services.udev.packages" and add user accounts to the user group "plugdev".
+  udev-rules = stdenv.mkDerivation {
+    name = "sparrow-udev";
+
+    src = let version = "2.0.2"; in
+      fetchurl {
+        url = "https://github.com/bitcoin-core/HWI/releases/download/${version}/hwi-${version}.tar.gz";
+        sha256 = "sha256-di1fRsMbwpHcBFNTCVivfxpwhUoUKLA3YTnJxKq/jHM=";
+      };
+
+    installPhase = ''
+      mkdir -p $out/etc/udev/rules.d
+      cp -a hwilib/udev/* $out/etc/udev/rules.d
+      rm $out/etc/udev/rules.d/README.md
+    '';
+  };
+in
+stdenv.mkDerivation rec {
+  inherit pname version src;
+  nativeBuildInputs = [ makeWrapper copyDesktopItems ];
+
+  desktopItems = [
+    (makeDesktopItem {
+      name = "Sparrow";
+      exec = pname;
+      icon = pname;
+      desktopName = "Sparrow Bitcoin Wallet";
+      genericName = "Bitcoin Wallet";
+      categories = [ "Finance" ];
+    })
+  ];
+
+  sparrow-icons = stdenv.mkDerivation {
+    inherit version src;
+    pname = "sparrow-icons";
+    nativeBuildInputs = [ imagemagick ];
+
+    installPhase = ''
+      for n in 16 24 32 48 64 96 128 256; do
+        size=$n"x"$n
+        mkdir -p $out/hicolor/$size/apps
+        convert lib/Sparrow.png -resize $size $out/hicolor/$size/apps/sparrow.png
+        done;
+    '';
+  };
+
+  installPhase = ''
+    runHook preInstall
+
+    mkdir -p $out/bin $out
+    ln -s ${sparrow-modules}/modules $out/lib
+    install -D -m 777 ${launcher} $out/bin/sparrow
+    substituteAllInPlace $out/bin/sparrow
+    substituteInPlace $out/bin/sparrow --subst-var-by jdkModules ${jdk-modules}
+
+    mkdir -p $out/share/icons
+    ln -s ${sparrow-icons}/hicolor $out/share/icons
+
+    mkdir -p $out/etc/udev
+    ln -s ${udev-rules}/etc/udev/rules.d $out/etc/udev/rules.d
+
+    runHook postInstall
+  '';
+
+  meta = with lib; {
+    description = "A modern desktop Bitcoin wallet application supporting most hardware wallets and built on common standards such as PSBT, with an emphasis on transparency and usability.";
+    homepage = "https://sparrowwallet.com";
+    license = licenses.asl20;
+    maintainers = with maintainers; [ emmanuelrosa _1000101 ];
+    platforms = [ "x86_64-linux" ];
+  };
+}

pkgs/applications/blockchains/sparrow/openimajgrabber.nix

@@ -0,0 +1,40 @@
+{ stdenv
+, lib
+, fetchFromGitHub
+, libv4l
+}:
+stdenv.mkDerivation rec {
+  pname = "openimajgrabber";
+  version = "1.3.10";
+
+  src = fetchFromGitHub {
+    owner = "openimaj";
+    repo = "openimaj";
+    rev = "openimaj-${version}";
+    sha256 = "sha256-Y8707ovE7f6Fk3cJ+PtwvzNpopgH5vlF55m2Xm4hjYM=";
+  };
+
+  buildInputs = [ libv4l ];
+
+  # These build instructions come from build.sh
+  buildPhase = ''
+    pushd hardware/core-video-capture/src-native/linux
+    g++ -fPIC -g -c OpenIMAJGrabber.cpp
+    g++ -fPIC -g -c capture.cpp
+    g++ -shared -Wl,-soname,OpenIMAJGrabber.so -o OpenIMAJGrabber.so OpenIMAJGrabber.o capture.o -lv4l2 -lrt -lv4lconvert
+    popd
+  '';
+
+  installPhase = ''
+    mkdir -p $out/lib
+    cp hardware/core-video-capture/src-native/linux/OpenIMAJGrabber.so $out/lib
+  '';
+
+  meta = with lib; {
+    description = "A collection of libraries and tools for multimedia (images, text, video, audio, etc.) content analysis and content generation. This package only builds the OpenIMAJGrabber for Linux.";
+    homepage = "http://www.openimaj.org";
+    license = licenses.bsd0;
+    maintainers = with maintainers; [ emmanuelrosa _1000101 ];
+    platforms = platforms.linux;
+  };
+}

pkgs/applications/graphics/scantailor/advanced.nix

@@ -4,21 +4,21 @@
 
 mkDerivation rec {
   pname = "scantailor-advanced";
-  version = "1.0.16";
+  version = "1.0.18";
 
   src = fetchFromGitHub {
-    owner = "4lex4";
+    owner = "vigri";
     repo = "scantailor-advanced";
     rev = "v${version}";
-    sha256 = "0lc9lzbpiy5hgimyhl4s4q67pb9gacpy985gl6iy8pl79zxhmcyp";
+    sha256 = "sha256-4/QSjgHvRgIduS/AXbT7osRTdOdgR7On3CbjRnGbwHU=";
   };
 
   nativeBuildInputs = [ cmake qttools ];
   buildInputs = [ libjpeg libpng libtiff boost qtbase ];
 
   meta = with lib; {
-    homepage = "https://github.com/4lex4/scantailor-advanced";
-    description = "Interactive post-processing tool for scanned pages";
+    homepage = "https://github.com/vigri/scantailor-advanced";
+    description = "Interactive post-processing tool for scanned pages (vigri's fork)";
     license = licenses.gpl3Plus;
     maintainers = with maintainers; [ jfrankenau ];
     platforms = with platforms; gnu ++ linux ++ darwin;

pkgs/development/libraries/gecode/default.nix

@@ -1,4 +1,15 @@
-{ lib, stdenv, fetchFromGitHub, bison, flex, perl, gmp, mpfr, enableGist ? true, qtbase }:
+{ lib
+, stdenv
+, fetchFromGitHub
+, fetchpatch
+, bison
+, flex
+, perl
+, gmp
+, mpfr
+, qtbase
+, enableGist ? true
+}:
 
 stdenv.mkDerivation rec {
   pname = "gecode";
@@ -11,6 +22,15 @@ stdenv.mkDerivation rec {
     sha256 = "0b1cq0c810j1xr2x9y9996p894571sdxng5h74py17c6nr8c6dmk";
   };
 
+  patches = [
+    # https://github.com/Gecode/gecode/pull/74
+    (fetchpatch {
+      name = "fix-const-weights-clang.patch";
+      url = "https://github.com/Gecode/gecode/commit/c810c96b1ce5d3692e93439f76c4fa7d3daf9fbb.patch";
+      sha256 = "0270msm22q5g5sqbdh8kmrihlxnnxqrxszk9a49hdxd72736p4fc";
+    })
+  ];
+
   enableParallelBuilding = true;
   dontWrapQtApps = true;
   nativeBuildInputs = [ bison flex ];

pkgs/development/python-modules/lektor/default.nix

@@ -62,7 +62,6 @@ buildPythonPackage rec {
   checkInputs = [
     pytest-click
     pytest-mock
-    pytest-pylint
     pytestCheckHook
   ];
 

pkgs/development/python-modules/pamqp/default.nix

@@ -1,28 +1,46 @@
 { lib
 , buildPythonPackage
-, fetchPypi
-, mock
-, nose
-, pep8
-, pylint
-, mccabe
+, pythonOlder
+, fetchFromGitHub
+, pytestCheckHook
 }:
 
 buildPythonPackage rec {
   version = "3.1.0";
   pname = "pamqp";
 
-  src = fetchPypi {
-    inherit pname version;
-    sha256 = "e4f0886d72c6166637a5513626148bf5a7e818073a558980e9aaed8b4ccf30da";
+  disabled = pythonOlder "3.7";
+
+  format = "setuptools";
+
+  src = fetchFromGitHub {
+    owner = "gmr";
+    repo = "pamqp";
+    rev = version;
+    hash = "sha256-qiYfQsyYvG6pyRFDt3pyYKNNWNP88maj+VAeGD68OmY=";
   };
 
-  buildInputs = [ mock nose pep8 pylint mccabe ];
+  checkInputs = [
+    pytestCheckHook
+  ];
+
+  pythonImportsCheck = [
+    "pamqp.base"
+    "pamqp.body"
+    "pamqp.commands"
+    "pamqp.common"
+    "pamqp.decode"
+    "pamqp.encode"
+    "pamqp.exceptions"
+    "pamqp.frame"
+    "pamqp.header"
+    "pamqp.heartbeat"
+  ];
 
   meta = with lib; {
     description = "RabbitMQ Focused AMQP low-level library";
-    homepage = "https://pypi.python.org/pypi/pamqp";
+    homepage = "https://github.com/gmr/pamqp";
     license = licenses.bsd3;
+    maintainers = with maintainers; [ dotlambda ];
   };
-
 }

pkgs/development/python-modules/pulumi-aws/default.nix

@@ -0,0 +1,44 @@
+{ lib
+, buildPythonPackage
+, fetchFromGitHub
+, fetchpatch
+, pulumi
+, parver
+, semver
+, isPy27
+}:
+
+buildPythonPackage rec {
+  pname = "pulumi-aws";
+  # version is independant of pulumi's.
+  version = "5.3.0";
+  disabled = isPy27;
+
+  src = fetchFromGitHub {
+    owner = "pulumi";
+    repo = "pulumi-aws";
+    rev = "v${version}";
+    sha256 = "sha256-LrWiNYJeQQvXJDOxklRO86VSiaadvkOepQVPhh2BBkk=";
+  };
+
+  propagatedBuildInputs = [
+    pulumi
+    parver
+    semver
+  ];
+
+  postPatch = ''
+    cd sdk/python
+  '';
+
+  # checks require cloud resources
+  doCheck = false;
+  pythonImportsCheck = ["pulumi_aws"];
+
+  meta = with lib; {
+    description = "Pulumi python amazon web services provider";
+    homepage = "https://github.com/pulumi/pulumi-aws";
+    license = licenses.asl20;
+    maintainers = with maintainers; [ costrouc ];
+  };
+}

pkgs/development/python-modules/pulumi/default.nix

@@ -0,0 +1,89 @@
+{ lib
+, buildPythonPackage
+, fetchpatch
+, fetchFromGitHub
+, protobuf
+, dill
+, grpcio
+, pulumi-bin
+, isPy27
+, semver
+, pyyaml
+, six
+
+
+# for tests
+, tox
+, go
+, pulumictl
+, bash
+, pylint
+, pytest
+, pytest-timeout
+, coverage
+, black
+, wheel
+, pytest-asyncio
+
+, mypy
+}:
+let
+  data = import ./data.nix {};
+in
+buildPythonPackage rec {
+  pname = "pulumi";
+  version = pulumi-bin.version;
+  disabled = isPy27;
+
+  src = fetchFromGitHub {
+    owner = "pulumi";
+    repo = "pulumi";
+    rev = "v${pulumi-bin.version}";
+    sha256 = "sha256-vqEZEHTpJV65a3leWwYhyi3dzAsN67BXOvk5hnTPeuI=";
+  };
+
+  propagatedBuildInputs = [
+    semver
+    protobuf
+    dill
+    grpcio
+    pyyaml
+    six
+  ];
+
+  checkInputs = [
+    pulumi-bin
+    pulumictl
+    mypy
+    bash
+    go
+    tox
+    pytest
+    pytest-timeout
+    coverage
+    pytest-asyncio
+    wheel
+    black
+  ];
+
+  pythonImportsCheck = ["pulumi"];
+
+  postPatch = ''
+    cp README.md sdk/python/lib
+    patchShebangs .
+    cd sdk/python/lib
+
+    substituteInPlace setup.py \
+      --replace "{VERSION}" "${version}"
+  '';
+
+  # disabled because tests try to fetch go packages from the net
+  doCheck = false;
+
+  meta = with lib; {
+    description = "Modern Infrastructure as Code. Any cloud, any language";
+    homepage = "https://github.com/pulumi/pulumi";
+    license = licenses.asl20;
+    maintainers = with maintainers; [ teto ];
+  };
+}

pkgs/development/python-modules/pytile/default.nix

@@ -4,7 +4,6 @@
 , buildPythonPackage
 , fetchFromGitHub
 , poetry-core
-, pylint
 , pytest-aiohttp
 , pytest-asyncio
 , pytestCheckHook
@@ -31,7 +30,6 @@ buildPythonPackage rec {
 
   propagatedBuildInputs = [
     aiohttp
-    pylint
   ];
 
   checkInputs = [

pkgs/os-specific/linux/systemd/default.nix

@@ -688,7 +688,7 @@ stdenv.mkDerivation {
     # runtime; otherwise we can't and we need to reboot.
     interfaceVersion = 2;
 
-    inherit withCryptsetup util-linux kmod kbd;
+    inherit withCryptsetup withHostnamed withImportd withLocaled withMachined withTimedated util-linux kmod kbd;
 
     tests = {
       inherit (nixosTests) switchTest;

pkgs/servers/home-assistant/default.nix

@@ -282,9 +282,6 @@ in python.pkgs.buildPythonApplication rec {
     respx
     stdlib-list
     tqdm
-    # required by tests/pylint
-    astroid
-    pylint
     # required by tests/auth/mfa_modules
     pyotp
   ] ++ lib.concatMap (component: getPackages component python.pkgs) [
@@ -308,6 +305,8 @@ in python.pkgs.buildPythonApplication rec {
   ];
 
   disabledTestPaths = [
+    # we don't care about code quality
+    "tests/pylint"
     # don't bulk test all components
     "tests/components"
     # pyotp since v2.4.0 complains about the short mock keys, hass pins v2.3.0

pkgs/tools/admin/pulumi/update-pulumi-shell.nix

@@ -0,0 +1,8 @@
+{ nixpkgs ? import ../../../.. { } }:
+with nixpkgs;
+mkShell {
+  packages = [
+    pkgs.gh
+  ];
+}
+

pkgs/tools/admin/pulumi/update.sh

@@ -1,5 +1,5 @@
 #!/usr/bin/env nix-shell
-#!nix-shell -i bash -p gh
+#!nix-shell update-pulumi-shell.nix -i bash
 # shellcheck shell=bash
 # Bash 3 compatible for Darwin
 

pkgs/tools/filesystems/yandex-disk/default.nix

@@ -4,21 +4,26 @@ let
   p = if stdenv.is64bit then {
       arch = "x86_64";
       gcclib = "${stdenv.cc.cc.lib}/lib64";
-      sha256 = "e4f579963199f05476657f0066beaa32d1261aef2203382f3919e1ed4bc4594e";
+      sha256 = "sha256-HH/pLZmDr6m/B3e6MHafDGnNWR83oR2y1ijVMR/LOF0=";
+      webarchive = "20220519080155";
     }
     else {
       arch = "i386";
       gcclib = "${stdenv.cc.cc.lib}/lib";
-      sha256 = "69113bf33ba0c57a363305b76361f2866c3b8394b173eed0f49db1f50bfe0373";
+      sha256 = "sha256-28dmdnJf+qh9r3F0quwlYXB/UqcOzcHzuzFq8vt2bf0=";
+      webarchive = "20220519080430";
     };
 in
 stdenv.mkDerivation rec {
 
   pname = "yandex-disk";
-  version = "0.1.6.1074";
+  version = "0.1.6.1080";
 
   src = fetchurl {
-    url = "https://repo.yandex.ru/yandex-disk/rpm/stable/${p.arch}/${pname}-${version}-1.fedora.${p.arch}.rpm";
+    urls = [
+      "https://repo.yandex.ru/yandex-disk/rpm/stable/${p.arch}/${pname}-${version}-1.fedora.${p.arch}.rpm"
+      "https://web.archive.org/web/${p.webarchive}/https://repo.yandex.ru/yandex-disk/rpm/stable/${p.arch}/${pname}-${version}-1.fedora.${p.arch}.rpm"
+    ];
     sha256 = p.sha256;
   };
 

pkgs/tools/networking/isync/default.nix

@@ -29,5 +29,6 @@ stdenv.mkDerivation rec {
     license = licenses.gpl2Plus;
     platforms = platforms.unix;
     maintainers = with maintainers; [ primeos lheckemann ];
+    mainProgram = "mbsync";
   };
 }

pkgs/top-level/all-packages.nix

@@ -10424,6 +10424,10 @@ with pkgs;
 
   sozu = callPackage ../servers/sozu { };
 
+  sparrow = callPackage ../applications/blockchains/sparrow {
+    openimajgrabber = callPackage ../applications/blockchains/sparrow/openimajgrabber.nix {};
+  };
+
   sparsehash = callPackage ../development/libraries/sparsehash { };
 
   spectre-meltdown-checker = callPackage ../tools/security/spectre-meltdown-checker { };
@@ -29363,7 +29367,7 @@ with pkgs;
 
   scantailor = callPackage ../applications/graphics/scantailor { };
 
-  scantailor-advanced = libsForQt514.callPackage ../applications/graphics/scantailor/advanced.nix { };
+  scantailor-advanced = libsForQt515.callPackage ../applications/graphics/scantailor/advanced.nix { };
 
   sc-im = callPackage ../applications/misc/sc-im { };
 

pkgs/top-level/python-packages.nix

@@ -1105,6 +1105,10 @@ in {
 
   babelgladeextractor = callPackage ../development/python-modules/babelgladeextractor { };
 
+  pulumi = callPackage ../development/python-modules/pulumi { };
+
+  pulumi-aws = callPackage ../development/python-modules/pulumi-aws { };
+
   backcall = callPackage ../development/python-modules/backcall { };
 
   backoff = callPackage ../development/python-modules/backoff { };