Project import generated by Copybara.

GitOrigin-RevId: 6ef4f522d63f22b40004319778761040d3197390

third_party/nixpkgs/doc/functions/library/attrsets.xml

@@ -772,7 +772,7 @@ nameValuePair "some" 6
    <title>Modifying each value of an attribute set</title>
 <programlisting><![CDATA[
 lib.attrsets.mapAttrs
-  (name: value: name + "-" value)
+  (name: value: name + "-" + value)
   { x = "foo"; y = "bar"; }
 => { x = "x-foo"; y = "y-bar"; }
 ]]></programlisting>

third_party/nixpkgs/maintainers/maintainer-list.nix

@@ -390,6 +390,12 @@
     githubId = 1318982;
     name = "Anders Claesson";
   };
+  akho = {
+    name = "Alexander Khodyrev";
+    email = "a@akho.name";
+    github = "akho";
+    githubId = 104951;
+  };
   akru = {
     email = "mail@akru.me";
     github = "akru";
@@ -2283,6 +2289,12 @@
       fingerprint = "1C4E F4FE 7F8E D8B7 1E88 CCDF BAB1 D15F B7B4 D4CE";
     }];
   };
+  d-xo = {
+    email = "hi@d-xo.org";
+    github = "d-xo";
+    githubId = 6689924;
+    name = "David Terry";
+  };
   dadada = {
     name = "dadada";
     email = "dadada@dadada.li";
@@ -3237,6 +3249,12 @@
       fingerprint = "2D37 1AD2 7E2B BC77 97E1  B759 6C79 278F 3FCD CC02";
     }];
   };
+  ereslibre = {
+    email = "ereslibre@ereslibre.es";
+    github = "ereslibre";
+    githubId = 8706;
+    name = "Rafael Fernández López";
+  };
   ericbmerritt = {
     email = "eric@afiniate.com";
     github = "ericbmerritt";
@@ -8562,6 +8580,12 @@
     github = "polygon";
     githubId = 51489;
   };
+  polykernel = {
+    email = "81340136+polykernel@users.noreply.github.com";
+    github = "polykernel";
+    githubId = 81340136;
+    name = "polykernel";
+  };
   polyrod = {
     email = "dc1mdp@gmail.com";
     github = "polyrod";
@@ -11698,12 +11722,6 @@
     githubId = 1962985;
     name = "Vincenzo Mantova";
   };
-  xwvvvvwx = {
-    email = "davidterry@posteo.de";
-    github = "xwvvvvwx";
-    githubId = 6689924;
-    name = "David Terry";
-  };
   xzfc = {
     email = "xzfcpw@gmail.com";
     github = "xzfc";

third_party/nixpkgs/nixos/doc/manual/development/running-nixos-tests-interactively.section.md

@@ -5,7 +5,7 @@ when developing or debugging a test:
 
 ```ShellSession
 $ nix-build nixos/tests/login.nix -A driverInteractive
-$ ./result/bin/nixos-test-driver
+$ ./result/bin/nixos-test-driver --interactive
 starting VDE switch for network 1
 >
 ```
@@ -24,20 +24,11 @@ back into the test driver command line upon its completion. This allows
 you to inspect the state of the VMs after the test (e.g. to debug the
 test script).
 
-To just start and experiment with the VMs, run:
-
-```ShellSession
-$ nix-build nixos/tests/login.nix -A driverInteractive
-$ ./result/bin/nixos-run-vms
-```
-
-The script `nixos-run-vms` starts the virtual machines defined by test.
-
 You can re-use the VM states coming from a previous run by setting the
 `--keep-vm-state` flag.
 
 ```ShellSession
-$ ./result/bin/nixos-run-vms --keep-vm-state
+$ ./result/bin/nixos-test-driver --interactive --keep-vm-state
 ```
 
 The machine state is stored in the `$TMPDIR/vm-state-machinename`

third_party/nixpkgs/nixos/doc/manual/from_md/development/running-nixos-tests-interactively.section.xml

@@ -6,7 +6,7 @@
   </para>
   <programlisting>
 $ nix-build nixos/tests/login.nix -A driverInteractive
-$ ./result/bin/nixos-test-driver
+$ ./result/bin/nixos-test-driver --interactive
 starting VDE switch for network 1
 &gt;
 </programlisting>
@@ -25,23 +25,12 @@ starting VDE switch for network 1
     completion. This allows you to inspect the state of the VMs after
     the test (e.g. to debug the test script).
   </para>
-  <para>
-    To just start and experiment with the VMs, run:
-  </para>
-  <programlisting>
-$ nix-build nixos/tests/login.nix -A driverInteractive
-$ ./result/bin/nixos-run-vms
-</programlisting>
-  <para>
-    The script <literal>nixos-run-vms</literal> starts the virtual
-    machines defined by test.
-  </para>
   <para>
     You can re-use the VM states coming from a previous run by setting
     the <literal>--keep-vm-state</literal> flag.
   </para>
   <programlisting>
-$ ./result/bin/nixos-run-vms --keep-vm-state
+$ ./result/bin/nixos-test-driver --interactive --keep-vm-state
 </programlisting>
   <para>
     The machine state is stored in the

third_party/nixpkgs/nixos/doc/manual/from_md/release-notes/rl-2111.section.xml

@@ -646,6 +646,32 @@
           to use wildcards in the <literal>source</literal> argument.
         </para>
       </listitem>
+      <listitem>
+        <para>
+          The <literal>openrazer</literal> and
+          <literal>openrazer-daemon</literal> packages as well as the
+          <literal>hardware.openrazer</literal> module now require users
+          to be members of the <literal>openrazer</literal> group
+          instead of <literal>plugdev</literal>. With this change, users
+          no longer need be granted the entire set of
+          <literal>plugdev</literal> group permissions, which can
+          include permissions other than those required by
+          <literal>openrazer</literal>. This is desirable from a
+          security point of view. The setting
+          <link xlink:href="options.html#opt-services.hardware.openrazer.users"><literal>harware.openrazer.users</literal></link>
+          can be used to add users to the <literal>openrazer</literal>
+          group.
+        </para>
+      </listitem>
+      <listitem>
+        <para>
+          The <literal>yambar</literal> package has been split into
+          <literal>yambar</literal> and
+          <literal>yambar-wayland</literal>, corresponding to the xorg
+          and wayland backend respectively. Please switch to
+          <literal>yambar-wayland</literal> if you are on wayland.
+        </para>
+      </listitem>
     </itemizedlist>
   </section>
   <section xml:id="sec-release-21.11-notable-changes">
@@ -815,6 +841,15 @@
           version of zfs.
         </para>
       </listitem>
+      <listitem>
+        <para>
+          Nginx will use the value of
+          <literal>sslTrustedCertificate</literal> if provided for a
+          virtual host, even if <literal>enableACME</literal> is set.
+          This is useful for providers not using the same certificate to
+          sign OCSP responses and server certificates.
+        </para>
+      </listitem>
     </itemizedlist>
   </section>
 </section>

third_party/nixpkgs/nixos/doc/manual/release-notes/rl-2111.section.md

@@ -164,6 +164,10 @@ pt-services.clipcat.enable).
 
 - `programs.neovim.runtime` switched to a `linkFarm` internally, making it impossible to use wildcards in the `source` argument.
 
+- The `openrazer` and `openrazer-daemon` packages as well as the `hardware.openrazer` module now require users to be members of the `openrazer` group instead of `plugdev`. With this change, users no longer need be granted the entire set of `plugdev` group permissions, which can include permissions other than those required by `openrazer`. This is desirable from a security point of view. The setting [`harware.openrazer.users`](options.html#opt-services.hardware.openrazer.users) can be used to add users to the `openrazer` group.
+
+- The `yambar` package has been split into `yambar` and `yambar-wayland`, corresponding to the xorg and wayland backend respectively. Please switch to `yambar-wayland` if you are on wayland.
+
 ## Other Notable Changes {#sec-release-21.11-notable-changes}
 
 - The setting [`services.openssh.logLevel`](options.html#opt-services.openssh.logLevel) `"VERBOSE"` `"INFO"`. This brings NixOS in line with upstream and other Linux distributions, and reduces log spam on servers due to bruteforcing botnets.
@@ -209,3 +213,5 @@ pt-services.clipcat.enable).
 - The [services.syncoid.enable](options.html#opt-services.syncoid.enable) module now properly drops ZFS permissions after usage. Before it delegated permissions to whole pools instead of datasets and didn't clean up after execution. You can manually look this up for your pools by running `zfs allow your-pool-name` and use `zfs unallow syncoid your-pool-name` to clean this up.
 
 - Zfs: `latestCompatibleLinuxPackages` is now exported on the zfs package. One can use `boot.kernelPackages = config.boot.zfs.package.latestCompatibleLinuxPackages;` to always track the latest compatible kernel with a given version of zfs.
+
+- Nginx will use the value of `sslTrustedCertificate` if provided for a virtual host, even if `enableACME` is set. This is useful for providers not using the same certificate to sign OCSP responses and server certificates.

third_party/nixpkgs/nixos/lib/test-driver/test-driver.py

@@ -24,7 +24,6 @@ import sys
 import telnetlib
 import tempfile
 import time
-import traceback
 import unicodedata
 
 CHAR_TO_KEY = {
@@ -930,29 +929,16 @@ def join_all() -> None:
             machine.wait_for_shutdown()
 
 
-def test_script() -> None:
+def run_tests(interactive: bool = False) -> None:
-    exec(os.environ["testScript"])
-
-
-def run_tests() -> None:
     global machines
-    tests = os.environ.get("tests", None)
+    if interactive:
-    if tests is not None:
+        ptpython.repl.embed(globals(), locals())
-        with log.nested("running the VM test script"):
-            try:
-                exec(tests, globals())
-            except Exception as e:
-                eprint("error: ")
-                traceback.print_exc()
-                sys.exit(1)
     else:
-        ptpython.repl.embed(locals(), globals())
+        test_script()
-
+        # TODO: Collect coverage data
-    # TODO: Collect coverage data
+        for machine in machines:
-
+            if machine.is_up():
-    for machine in machines:
+                machine.execute("sync")
-        if machine.is_up():
-            machine.execute("sync")
 
 
 def serial_stdout_on() -> None:
@@ -965,6 +951,31 @@ def serial_stdout_off() -> None:
     log._print_serial_logs = False
 
 
+class EnvDefault(argparse.Action):
+    """An argpars Action that takes values from the specified
+    environment variable as the flags default value.
+    """
+
+    def __init__(self, envvar, required=False, default=None, nargs=None, **kwargs):  # type: ignore
+        if not default and envvar:
+            if envvar in os.environ:
+                if nargs is not None and (nargs.isdigit() or nargs in ["*", "+"]):
+                    default = os.environ[envvar].split()
+                else:
+                    default = os.environ[envvar]
+                kwargs["help"] = (
+                    kwargs["help"] + f" (default from environment: {default})"
+                )
+        if required and default:
+            required = False
+        super(EnvDefault, self).__init__(
+            default=default, required=required, nargs=nargs, **kwargs
+        )
+
+    def __call__(self, parser, namespace, values, option_string=None):  # type: ignore
+        setattr(namespace, self.dest, values)
+
+
 @contextmanager
 def subtest(name: str) -> Iterator[None]:
     with log.nested(name):
@@ -986,18 +997,52 @@ if __name__ == "__main__":
         help="re-use a VM state coming from a previous run",
         action="store_true",
     )
-    (cli_args, vm_scripts) = arg_parser.parse_known_args()
+    arg_parser.add_argument(
+        "-I",
+        "--interactive",
+        help="drop into a python repl and run the tests interactively",
+        action="store_true",
+    )
+    arg_parser.add_argument(
+        "--start-scripts",
+        metavar="START-SCRIPT",
+        action=EnvDefault,
+        envvar="startScripts",
+        nargs="*",
+        help="start scripts for participating virtual machines",
+    )
+    arg_parser.add_argument(
+        "--vlans",
+        metavar="VLAN",
+        action=EnvDefault,
+        envvar="vlans",
+        nargs="*",
+        help="vlans to span by the driver",
+    )
+    arg_parser.add_argument(
+        "testscript",
+        action=EnvDefault,
+        envvar="testScript",
+        help="the test script to run",
+        type=pathlib.Path,
+    )
+
+    args = arg_parser.parse_args()
+    global test_script
+
+    def test_script() -> None:
+        with log.nested("running the VM test script"):
+            exec(pathlib.Path(args.testscript).read_text(), globals())
 
     log = Logger()
 
-    vlan_nrs = list(dict.fromkeys(os.environ.get("VLANS", "").split()))
+    vde_sockets = [create_vlan(v) for v in args.vlans]
-    vde_sockets = [create_vlan(v) for v in vlan_nrs]
     for nr, vde_socket, _, _ in vde_sockets:
         os.environ["QEMU_VDE_SOCKET_{}".format(nr)] = vde_socket
 
     machines = [
-        create_machine({"startCommand": s, "keepVmState": cli_args.keep_vm_state})
+        create_machine({"startCommand": s, "keepVmState": args.keep_vm_state})
-        for s in vm_scripts
+        for s in args.start_scripts
     ]
     machine_eval = [
         "{0} = machines[{1}]".format(m.name, idx) for idx, m in enumerate(machines)
@@ -1017,6 +1062,6 @@ if __name__ == "__main__":
         log.close()
 
     tic = time.time()
-    run_tests()
+    run_tests(args.interactive)
     toc = time.time()
     print("test script finished in {:.2f}s".format(toc - tic))

third_party/nixpkgs/nixos/lib/testing-python.nix

@@ -83,7 +83,10 @@ rec {
         ''
           mkdir -p $out
 
-          LOGFILE=/dev/null tests='exec(os.environ["testScript"])' ${driver}/bin/nixos-test-driver
+          # effectively mute the XMLLogger
+          export LOGFILE=/dev/null
+
+          ${driver}/bin/nixos-test-driver
         '';
 
       passthru = driver.passthru // {
@@ -166,7 +169,10 @@ rec {
       ''
         mkdir -p $out/bin
 
+        vmStartScripts=($(for i in ${toString vms}; do echo $i/bin/run-*-vm; done))
         echo -n "$testScript" > $out/test-script
+        ln -s ${testDriver}/bin/nixos-test-driver $out/bin/nixos-test-driver
+
         ${lib.optionalString (!skipLint) ''
           PYFLAKES_BUILTINS="$(
             echo -n ${lib.escapeShellArg (lib.concatStringsSep "," nodeHostNames)},
@@ -174,17 +180,12 @@ rec {
           )" ${python3Packages.pyflakes}/bin/pyflakes $out/test-script
         ''}
 
-        ln -s ${testDriver}/bin/nixos-test-driver $out/bin/
+        # set defaults through environment
-        vms=($(for i in ${toString vms}; do echo $i/bin/run-*-vm; done))
+        # see: ./test-driver/test-driver.py argparse implementation
         wrapProgram $out/bin/nixos-test-driver \
-          --add-flags "''${vms[*]}" \
+          --set startScripts "''${vmStartScripts[*]}" \
-          --run "export testScript=\"\$(${coreutils}/bin/cat $out/test-script)\"" \
+          --set testScript "$out/test-script" \
-          --set VLANS '${toString vlans}'
+          --set vlans '${toString vlans}'
-        ln -s ${testDriver}/bin/nixos-test-driver $out/bin/nixos-run-vms
-        wrapProgram $out/bin/nixos-run-vms \
-          --add-flags "''${vms[*]}" \
-          --set tests 'start_all(); join_all();' \
-          --set VLANS '${toString vlans}'
       '');
 
   # Make a full-blown test

third_party/nixpkgs/nixos/modules/hardware/openrazer.nix

@@ -49,7 +49,9 @@ in
 {
   options = {
     hardware.openrazer = {
-      enable = mkEnableOption "OpenRazer drivers and userspace daemon";
+      enable = mkEnableOption ''
+        OpenRazer drivers and userspace daemon.
+      '';
 
       verboseLogging = mkOption {
         type = types.bool;
@@ -92,6 +94,15 @@ in
           generate a heatmap.
         '';
       };
+
+      users = mkOption {
+        type = with types; listOf str;
+        default = [];
+        description = ''
+          Usernames to be added to the "openrazer" group, so that they
+          can start and interact with the OpenRazer userspace daemon.
+        '';
+      };
     };
   };
 
@@ -106,10 +117,12 @@ in
     services.udev.packages = [ kernelPackages.openrazer ];
     services.dbus.packages = [ dbusServiceFile ];
 
-    # A user must be a member of the plugdev group in order to start
+    # A user must be a member of the openrazer group in order to start
-    # the openrazer-daemon. Therefore we make sure that the plugdev
+    # the openrazer-daemon. Therefore we make sure that the group
-    # group exists.
+    # exists.
-    users.groups.plugdev = {};
+    users.groups.openrazer = {
+      members = cfg.users;
+    };
 
     systemd.user.services.openrazer-daemon = {
       description = "Daemon to manage razer devices in userspace";

third_party/nixpkgs/nixos/modules/hardware/video/nvidia.nix

@@ -179,28 +179,41 @@ in
           You cannot configure both an Intel iGPU and an AMD APU. Pick the one corresponding to your processor.
         '';
       }
+
       {
         assertion = primeEnabled -> pCfg.nvidiaBusId != "" && (pCfg.intelBusId != "" || pCfg.amdgpuBusId != "");
         message = ''
           When NVIDIA PRIME is enabled, the GPU bus IDs must configured.
         '';
       }
+
       {
         assertion = offloadCfg.enable -> versionAtLeast nvidia_x11.version "435.21";
         message = "NVIDIA PRIME render offload is currently only supported on versions >= 435.21.";
       }
+
       {
         assertion = !(syncCfg.enable && offloadCfg.enable);
         message = "Only one NVIDIA PRIME solution may be used at a time.";
       }
+
       {
         assertion = !(syncCfg.enable && cfg.powerManagement.finegrained);
         message = "Sync precludes powering down the NVIDIA GPU.";
       }
+
       {
         assertion = cfg.powerManagement.enable -> offloadCfg.enable;
         message = "Fine-grained power management requires offload to be enabled.";
       }
+
+      {
+        assertion = cfg.powerManagement.enable -> (
+          builtins.pathExists (cfg.package.out + "/bin/nvidia-sleep.sh") &&
+          builtins.pathExists (cfg.package.out + "/lib/systemd/system-sleep/nvidia")
+        );
+        message = "Required files for driver based power management don't exist.";
+      }
     ];
 
     # If Optimus/PRIME is enabled, we:

third_party/nixpkgs/nixos/modules/programs/ssh.nix

@@ -14,7 +14,7 @@ let
     ''
       #! ${pkgs.runtimeShell} -e
       export DISPLAY="$(systemctl --user show-environment | ${pkgs.gnused}/bin/sed 's/^DISPLAY=\(.*\)/\1/; t; d')"
-      exec ${askPassword}
+      exec ${askPassword} "$@"
     '';
 
   knownHosts = map (h: getAttr h cfg.knownHosts) (attrNames cfg.knownHosts);

third_party/nixpkgs/nixos/modules/programs/udevil.nix

@@ -10,8 +10,5 @@ in {
 
   config = mkIf cfg.enable {
     security.wrappers.udevil.source = "${lib.getBin pkgs.udevil}/bin/udevil";
-
-    systemd.packages = [ pkgs.udevil ];
-    systemd.services."devmon@".wantedBy = [ "multi-user.target" ];
   };
 }

third_party/nixpkgs/nixos/modules/security/acme.nix

@@ -21,15 +21,51 @@ let
   # The Group can vary depending on what the user has specified in
   # security.acme.certs.<cert>.group on some of the services.
   commonServiceConfig = {
-      Type = "oneshot";
+    Type = "oneshot";
-      User = "acme";
+    User = "acme";
-      Group = mkDefault "acme";
+    Group = mkDefault "acme";
-      UMask = 0022;
+    UMask = 0022;
-      StateDirectoryMode = 750;
+    StateDirectoryMode = 750;
-      ProtectSystem = "full";
+    ProtectSystem = "strict";
-      PrivateTmp = true;
+    ReadWritePaths = [
+      "/var/lib/acme"
+    ];
+    PrivateTmp = true;
 
-      WorkingDirectory = "/tmp";
+    WorkingDirectory = "/tmp";
+
+    CapabilityBoundingSet = [ "" ];
+    DevicePolicy = "closed";
+    LockPersonality = true;
+    MemoryDenyWriteExecute = true;
+    NoNewPrivileges = true;
+    PrivateDevices = true;
+    ProtectClock = true;
+    ProtectHome = true;
+    ProtectHostname = true;
+    ProtectControlGroups = true;
+    ProtectKernelLogs = true;
+    ProtectKernelModules = true;
+    ProtectKernelTunables = true;
+    ProtectProc = "invisible";
+    ProcSubset = "pid";
+    RemoveIPC = true;
+    RestrictAddressFamilies = [
+      "AF_INET"
+      "AF_INET6"
+    ];
+    RestrictNamespaces = true;
+    RestrictRealtime = true;
+    RestrictSUIDSGID = true;
+    SystemCallArchitectures = "native";
+    SystemCallFilter = [
+      # 1. allow a reasonable set of syscalls
+      "@system-service"
+      # 2. and deny unreasonable ones
+      "~@privileged @resources"
+      # 3. then allow the required subset within denied groups
+      "@chown"
+    ];
   };
 
   # In order to avoid race conditions creating the CA for selfsigned certs,

third_party/nixpkgs/nixos/modules/security/polkit.nix

@@ -96,8 +96,10 @@ in
     users.users.polkituser = {
       description = "PolKit daemon";
       uid = config.ids.uids.polkituser;
+      group = "polkituser";
     };
 
+    users.groups.polkituser = {};
   };
 
 }

third_party/nixpkgs/nixos/modules/services/databases/victoriametrics.nix

@@ -53,6 +53,14 @@ let cfg = config.services.victoriametrics; in
               -retentionPeriod ${toString cfg.retentionPeriod} \
               ${lib.escapeShellArgs cfg.extraOptions}
         '';
+        # victoriametrics 1.59 with ~7GB of data seems to eventually panic when merging files and then
+        # begins restart-looping forever. Set LimitNOFILE= to a large number to work around this issue.
+        #
+        # panic: FATAL: unrecoverable error when merging small parts in the partition "/var/lib/victoriametrics/data/small/2021_08":
+        # cannot open source part for merging: cannot open values file in stream mode:
+        # cannot open file "/var/lib/victoriametrics/data/small/2021_08/[...]/values.bin":
+        # open /var/lib/victoriametrics/data/small/2021_08/[...]/values.bin: too many open files
+        LimitNOFILE = 1048576;
       };
       wantedBy = [ "multi-user.target" ];
 

third_party/nixpkgs/nixos/modules/services/desktops/pipewire/bluez-hardware.conf.json

@@ -27,6 +27,12 @@
         "msbc-alt1-rtl"
       ]
     },
+    {
+      "name": "BAA 100",
+      "no-features": [
+        "hw-volume"
+      ]
+    },
     {
       "name": "JBL Endurance RUN BT",
       "no-features": [
@@ -190,6 +196,35 @@
         "msbc-alt1"
       ]
     },
+    {
+      "sysname": "Linux",
+      "release": "~^5\\.12\\.(1|2|3|4|5|6|7|8|9|10|11|12|13|14|15|16|17)($|[^0-9])"
+    },
+    {
+      "sysname": "Linux",
+      "release": "~^5\\.12\\.",
+      "no-features": [
+        "msbc-alt1"
+      ]
+    },
+    {
+      "sysname": "Linux",
+      "release": "~^5\\.13\\.(1|2)($|[^0-9])"
+    },
+    {
+      "sysname": "Linux",
+      "release": "~^5\\.13\\.",
+      "no-features": [
+        "msbc-alt1"
+      ]
+    },
+    {
+      "sysname": "Linux",
+      "release": "~^5\\.14\\.",
+      "no-features": [
+        "msbc-alt1"
+      ]
+    },
     {
       "no-features": []
     }

third_party/nixpkgs/nixos/modules/services/desktops/pipewire/jack.conf.json

@@ -24,5 +24,15 @@
       "name": "libpipewire-module-metadata"
     }
   ],
-  "jack.properties": {}
+  "jack.properties": {},
+  "jack.rules": [
+    {
+      "matches": [
+        {}
+      ],
+      "actions": {
+        "update-props": {}
+      }
+    }
+  ]
 }

third_party/nixpkgs/nixos/modules/services/desktops/pipewire/media-session.conf.json

@@ -59,6 +59,7 @@
     "with-pulseaudio": [
       "with-audio",
       "bluez5",
+      "bluez5-autoswitch",
       "logind",
       "restore-stream",
       "streams-follow-default"

third_party/nixpkgs/nixos/modules/services/mail/nullmailer.nix

@@ -220,7 +220,7 @@ with lib;
       after = [ "network.target" ];
 
       preStart = ''
-        mkdir -p /var/spool/nullmailer/{queue,tmp}
+        mkdir -p /var/spool/nullmailer/{queue,tmp,failed}
         rm -f /var/spool/nullmailer/trigger && mkfifo -m 660 /var/spool/nullmailer/trigger
       '';
 

third_party/nixpkgs/nixos/modules/services/misc/gitea.nix

@@ -522,6 +522,9 @@ in
           (umask 027; gitea_setup)
         ''}
 
+        # run migrations/init the database
+        ${gitea}/bin/gitea migrate
+
         # update all hooks' binary paths
         ${gitea}/bin/gitea admin regenerate hooks
 

third_party/nixpkgs/nixos/modules/services/misc/nitter.nix

@@ -312,6 +312,31 @@ in
           AmbientCapabilities = lib.mkIf (cfg.server.port < 1024) [ "CAP_NET_BIND_SERVICE" ];
           Restart = "on-failure";
           RestartSec = "5s";
+          # Hardening
+          CapabilityBoundingSet = if (cfg.server.port < 1024) then [ "CAP_NET_BIND_SERVICE" ] else [ "" ];
+          DeviceAllow = [ "" ];
+          LockPersonality = true;
+          MemoryDenyWriteExecute = true;
+          PrivateDevices = true;
+          # A private user cannot have process capabilities on the host's user
+          # namespace and thus CAP_NET_BIND_SERVICE has no effect.
+          PrivateUsers = (cfg.server.port >= 1024);
+          ProcSubset = "pid";
+          ProtectClock = true;
+          ProtectControlGroups = true;
+          ProtectHome = true;
+          ProtectHostname = true;
+          ProtectKernelLogs = true;
+          ProtectKernelModules = true;
+          ProtectKernelTunables = true;
+          ProtectProc = "invisible";
+          RestrictAddressFamilies = [ "AF_INET" "AF_INET6" ];
+          RestrictNamespaces = true;
+          RestrictRealtime = true;
+          RestrictSUIDSGID = true;
+          SystemCallArchitectures = "native";
+          SystemCallFilter = [ "@system-service" "~@privileged" "~@resources" ];
+          UMask = "0077";
         };
     };
 

third_party/nixpkgs/nixos/modules/services/networking/mullvad-vpn.nix

@@ -9,6 +9,7 @@ with lib;
     default = false;
     description = ''
       This option enables Mullvad VPN daemon.
+      This sets <option>networking.firewall.checkReversePath</option> to "loose", which might be undesirable for security.
     '';
   };
 
@@ -18,6 +19,9 @@ with lib;
     # mullvad-daemon writes to /etc/iproute2/rt_tables
     networking.iproute2.enable = true;
 
+    # See https://github.com/NixOS/nixpkgs/issues/113589
+    networking.firewall.checkReversePath = "loose";
+
     systemd.services.mullvad-daemon = {
       description = "Mullvad VPN daemon";
       wantedBy = [ "multi-user.target" ];
@@ -42,5 +46,5 @@ with lib;
     };
   };
 
-  meta.maintainers = [ maintainers.xfix ];
+  meta.maintainers = with maintainers; [ ymarkus ];
 }

third_party/nixpkgs/nixos/modules/services/networking/ntp/chrony.nix

@@ -81,17 +81,26 @@ in
         '';
       };
 
-      initstepslew = mkOption {
+      initstepslew = {
-        type = types.attrsOf (types.either types.bool types.int);
+        enabled = mkOption {
-        default = {
+          type = types.bool;
-          enabled = true;
+          default = true;
-          threshold = 1000; # by default, same threshold as 'ntpd -g' (1000s)
+          description = ''
+            Allow chronyd to make a rapid measurement of the system clock error
+            at boot time, and to correct the system clock by stepping before
+            normal operation begins.
+          '';
+        };
+
+        threshold = mkOption {
+          type = types.either types.float types.int;
+          default = 1000; # by default, same threshold as 'ntpd -g' (1000s)
+          description = ''
+            The threshold of system clock error (in seconds) above which the
+            clock will be stepped. If the correction required is less than the
+            threshold, a slew is used instead.
+          '';
         };
-        description = ''
-          Allow chronyd to make a rapid measurement of the system clock error at
-          boot time, and to correct the system clock by stepping before normal
-          operation begins.
-        '';
       };
 
       directory = mkOption {

third_party/nixpkgs/nixos/modules/services/networking/tinc.nix

@@ -427,9 +427,12 @@ in
       nameValuePair ("tinc.${network}") ({
         description = "Tinc daemon user for ${network}";
         isSystemUser = true;
+        group = "tinc.${network}";
       })
     );
-
+    users.groups = flip mapAttrs' cfg.networks (network: _:
+      nameValuePair "tinc.${network}" {}
+    );
   };
 
   meta.maintainers = with maintainers; [ minijackson ];

third_party/nixpkgs/nixos/modules/services/networking/unifi.nix

@@ -173,6 +173,41 @@ in
         User = "unifi";
         UMask = "0077";
         WorkingDirectory = "${stateDir}";
+
+        # Hardening
+        AmbientCapabilities = "";
+        CapabilityBoundingSet = "";
+        # ProtectClock= adds DeviceAllow=char-rtc r
+        DeviceAllow = "";
+        DevicePolicy = "closed";
+        LockPersonality = true;
+        NoNewPrivileges = true;
+        PrivateDevices = true;
+        PrivateMounts = true;
+        PrivateTmp = true;
+        PrivateUsers = true;
+        ProtectClock = true;
+        ProtectControlGroups = true;
+        ProtectHome = true;
+        ProtectHostname = true;
+        ProtectKernelLogs = true;
+        ProtectKernelModules = true;
+        ProtectKernelTunables = true;
+        ProtectSystem = "strict";
+        RemoveIPC = true;
+        RestrictNamespaces = true;
+        RestrictRealtime = true;
+        RestrictSUIDSGID = true;
+        SystemCallErrorNumber = "EPERM";
+        SystemCallFilter = [ "@system-service" ];
+
+        # Required for ProtectSystem=strict
+        BindPaths = [ stateDir ];
+
+        # Needs network access
+        PrivateNetwork = false;
+        # Cannot be true due to OpenJDK
+        MemoryDenyWriteExecute = false;
       };
     };
 

third_party/nixpkgs/nixos/modules/services/networking/wakeonlan.nix

@@ -31,6 +31,20 @@ in
 
     services.wakeonlan.interfaces = mkOption {
       default = [ ];
+      type = types.listOf (types.submodule { options = {
+        interface = mkOption {
+          type = types.str;
+          description = "Interface to enable for Wake-On-Lan.";
+        };
+        method = mkOption {
+          type = types.enum [ "magicpacket" "password"];
+          description = "Wake-On-Lan method for this interface.";
+        };
+        password = mkOption {
+          type = types.strMatching "[a-fA-F0-9]{2}:([a-fA-F0-9]{2}:){4}[a-fA-F0-9]{2}";
+          description = "The password has the shape of six bytes in hexadecimal separated by a colon each.";
+        };
+      };});
       example = [
         {
           interface = "eth0";

third_party/nixpkgs/nixos/modules/services/web-apps/miniflux.nix

@@ -98,6 +98,29 @@ in
         EnvironmentFile = if cfg.adminCredentialsFile == null
         then defaultCredentials
         else cfg.adminCredentialsFile;
+        # Hardening
+        CapabilityBoundingSet = [ "" ];
+        DeviceAllow = [ "" ];
+        LockPersonality = true;
+        MemoryDenyWriteExecute = true;
+        PrivateDevices = true;
+        PrivateUsers = true;
+        ProcSubset = "pid";
+        ProtectClock = true;
+        ProtectControlGroups = true;
+        ProtectHome = true;
+        ProtectHostname = true;
+        ProtectKernelLogs = true;
+        ProtectKernelModules = true;
+        ProtectKernelTunables = true;
+        ProtectProc = "invisible";
+        RestrictAddressFamilies = [ "AF_INET" "AF_INET6" ];
+        RestrictNamespaces = true;
+        RestrictRealtime = true;
+        RestrictSUIDSGID = true;
+        SystemCallArchitectures = "native";
+        SystemCallFilter = [ "@system-service" "~@privileged" "~@resources" ];
+        UMask = "0077";
       };
 
       environment = cfg.config;

third_party/nixpkgs/nixos/modules/services/web-servers/nginx/default.nix

@@ -22,7 +22,9 @@ let
     } // (optionalAttrs (vhostConfig.enableACME || vhostConfig.useACMEHost != null) {
       sslCertificate = "${certs.${certName}.directory}/fullchain.pem";
       sslCertificateKey = "${certs.${certName}.directory}/key.pem";
-      sslTrustedCertificate = "${certs.${certName}.directory}/chain.pem";
+      sslTrustedCertificate = if vhostConfig.sslTrustedCertificate != null
+                              then vhostConfig.sslTrustedCertificate
+                              else "${certs.${certName}.directory}/chain.pem";
     })
   ) cfg.virtualHosts;
   enableIPv6 = config.networking.enableIPv6;

third_party/nixpkgs/nixos/modules/services/web-servers/nginx/vhost-options.nix

@@ -145,7 +145,7 @@ with lib;
     sslTrustedCertificate = mkOption {
       type = types.nullOr types.path;
       default = null;
-      example = "/var/root.cert";
+      example = "\${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt";
       description = "Path to root SSL certificate for stapling and client certificates.";
     };
 

third_party/nixpkgs/nixos/modules/system/boot/systemd.nix

@@ -1128,6 +1128,7 @@ in
 
     users.groups.systemd-journal.gid = config.ids.gids.systemd-journal;
     users.users.systemd-journal-gateway.uid = config.ids.uids.systemd-journal-gateway;
+    users.users.systemd-journal-gateway.group = "systemd-journal-gateway";
     users.groups.systemd-journal-gateway.gid = config.ids.gids.systemd-journal-gateway;
 
     # Generate timer units for all services that have a ‘startAt’ value.

third_party/nixpkgs/nixos/modules/system/etc/etc.nix

@@ -8,10 +8,7 @@ let
 
   etc' = filter (f: f.enable) (attrValues config.environment.etc);
 
-  etc = pkgs.runCommand "etc" {
+  etc = pkgs.runCommandLocal "etc" {
-    preferLocalBuild = true;
-    allowSubstitutes = false;
-
     # This is needed for the systemd module
     passthru.targets = map (x: x.target) etc';
   } /* sh */ ''

third_party/nixpkgs/nixos/modules/virtualisation/containerd.nix

@@ -86,6 +86,7 @@ in
 
         StateDirectory = "containerd";
         RuntimeDirectory = "containerd";
+        RuntimeDirectoryPreserve = "yes";
       };
       unitConfig = {
         StartLimitBurst = "16";

third_party/nixpkgs/nixos/tests/acme.nix

@@ -105,9 +105,9 @@ in import ./make-test-python.nix ({ lib, ... }: {
         security.acme.certs."a.example.test".keyType = "ec384";
         security.acme.certs."a.example.test".postRun = ''
           set -euo pipefail
-          touch test
+          touch /home/test
-          chown root:root test
+          chown root:root /home/test
-          echo testing > test
+          echo testing > /home/test
         '';
       };
 
@@ -383,7 +383,7 @@ in import ./make-test-python.nix ({ lib, ... }: {
           switch_to(webserver, "cert-change")
           webserver.wait_for_unit("acme-finished-a.example.test.target")
           check_connection_key_bits(client, "a.example.test", "384")
-          webserver.succeed("grep testing /var/lib/acme/a.example.test/test")
+          webserver.succeed("grep testing /home/test")
           # Clean to remove the testing file (and anything else messy we did)
           webserver.succeed("systemctl clean acme-a.example.test.service --what=state")
 

third_party/nixpkgs/nixos/tests/bazarr.nix

@@ -7,7 +7,7 @@ let
 in
 {
   name = "bazarr";
-  meta.maintainers = with maintainers; [ xwvvvvwx ];
+  meta.maintainers = with maintainers; [ d-xo ];
 
   nodes.machine =
     { pkgs, ... }:

third_party/nixpkgs/nixos/tests/nitter.nix

@@ -6,11 +6,13 @@ import ./make-test-python.nix ({ pkgs, ... }:
 
   nodes.machine = {
     services.nitter.enable = true;
+    # Test CAP_NET_BIND_SERVICE
+    services.nitter.server.port = 80;
   };
 
   testScript = ''
     machine.wait_for_unit("nitter.service")
-    machine.wait_for_open_port("8080")
+    machine.wait_for_open_port("80")
-    machine.succeed("curl --fail http://localhost:8080/")
+    machine.succeed("curl --fail http://localhost:80/")
   '';
 })

third_party/nixpkgs/nixos/tests/wireguard/wg-quick.nix

@@ -8,7 +8,7 @@ import ../make-test-python.nix ({ pkgs, lib, ... }:
   {
     name = "wg-quick";
     meta = with pkgs.lib.maintainers; {
-      maintainers = [ xwvvvvwx ];
+      maintainers = [ d-xo ];
     };
 
     nodes = {

third_party/nixpkgs/nixos/tests/xmpp/prosody.nix

@@ -1,6 +1,6 @@
 let
   cert = pkgs: pkgs.runCommandNoCC "selfSignedCerts" { buildInputs = [ pkgs.openssl ]; } ''
-    openssl req -x509 -newkey rsa:4096 -keyout key.pem -out cert.pem -nodes -subj '/CN=example.com/CN=uploads.example.com/CN=conference.example.com'
+    openssl req -x509 -newkey rsa:4096 -keyout key.pem -out cert.pem -nodes -subj '/CN=example.com/CN=uploads.example.com/CN=conference.example.com' -days 36500
     mkdir -p $out
     cp key.pem cert.pem $out
   '';

third_party/nixpkgs/pkgs/applications/audio/bambootracker/default.nix

@@ -2,7 +2,6 @@
 , stdenv
 , lib
 , fetchFromGitHub
-, fetchpatch
 , qmake
 , pkg-config
 , qttools
@@ -13,25 +12,16 @@
 
 mkDerivation rec {
   pname = "bambootracker";
-  version = "0.4.6";
+  version = "0.5.0";
 
   src = fetchFromGitHub {
-    owner = "rerrahkr";
+    owner = "BambooTracker";
     repo = "BambooTracker";
     rev = "v${version}";
-    sha256 = "0iddqfw951dw9xpl4w7310sl4z544507ppb12i8g4fzvlxfw2ifc";
+    fetchSubmodules = true;
+    sha256 = "1mpbvhsmrn0wdmxfp3n5dwv4474qlhy47r3vwc2jwdslq6vgl1fa";
   };
 
-  # TODO Remove when updating past 0.4.6
-  # Fixes build failure on darwin
-  patches = [
-    (fetchpatch {
-      name = "bambootracker-Add_braces_in_initialization_of_std-array.patch";
-      url = "https://github.com/rerrahkr/BambooTracker/commit/0fc96c60c7ae6c2504ee696bb7dec979ac19717d.patch";
-      sha256 = "1z28af46mqrgnyrr4i8883gp3wablkk8rijnj0jvpq01s4m2sfjn";
-    })
-  ];
-
   nativeBuildInputs = [ qmake qttools pkg-config ];
 
   buildInputs = [ qtbase rtaudio rtmidi ];
@@ -40,18 +30,20 @@ mkDerivation rec {
 
   postConfigure = "make qmake_all";
 
-  # installs app bundle on darwin, re-extract the binary
+  # 1. installs app bundle on darwin, move to app bundle dir & link binary to bin
-  # wrapQtAppsHook fails to wrap mach-o binaries, manually call wrapper (https://github.com/NixOS/nixpkgs/issues/102044)
+  # 2. wrapQtAppsHook fails to wrap mach-o binaries automatically, manually call wrapper
+  #    (see https://github.com/NixOS/nixpkgs/issues/102044)
   postInstall = lib.optionalString stdenv.hostPlatform.isDarwin ''
-    mv $out/bin/BambooTracker{.app/Contents/MacOS/BambooTracker,}
+    mkdir -p $out/Applications
-    rm -r $out/bin/BambooTracker.app
+    mv $out/{bin,Applications}/BambooTracker.app
-    wrapQtApp $out/bin/BambooTracker
+    wrapQtApp $out/Applications/BambooTracker.app/Contents/MacOS/BambooTracker
+    ln -s $out/{Applications/BambooTracker.app/Contents/MacOS,bin}/BambooTracker
   '';
 
   meta = with lib; {
     description = "A tracker for YM2608 (OPNA) which was used in NEC PC-8801/9801 series computers";
-    homepage = "https://rerrahkr.github.io/BambooTracker";
+    homepage = "https://bambootracker.github.io/BambooTracker/";
-    license = licenses.gpl2Only;
+    license = licenses.gpl2Plus;
     platforms = platforms.all;
     maintainers = with maintainers; [ OPNA2608 ];
   };

third_party/nixpkgs/pkgs/applications/audio/boops/default.nix

@@ -2,13 +2,13 @@
 
 stdenv.mkDerivation rec {
   pname = "boops";
-  version = "1.6.0";
+  version = "1.6.4";
 
   src = fetchFromGitHub {
     owner = "sjaehn";
     repo = "BOops";
     rev = version;
-    sha256 = "sha256-7eNvt8PxIZCp83Y5XX5fBolBon4j+HPtu8wrgG8Miok=";
+    sha256 = "sha256-rljUb0fj231MQh+7jTpjAsZm1QkNzfdSpcI1cS5fs/c=";
   };
 
   nativeBuildInputs = [ pkg-config ];

third_party/nixpkgs/pkgs/applications/audio/cozy-audiobooks/default.nix

@@ -8,11 +8,13 @@
 , gtk3
 , gst_all_1
 , gobject-introspection
+, libhandy
 , python3Packages
 , file
 , cairo
 , gettext
 , gnome
+, pantheon
 }:
 
 python3Packages.buildPythonApplication rec {
@@ -20,7 +22,7 @@ python3Packages.buildPythonApplication rec {
   format = "other"; # no setup.py
 
   pname = "cozy";
-  version = "0.7.2";
+  version = "1.0.3";
 
   # Temporary fix
   # See https://github.com/NixOS/nixpkgs/issues/57029
@@ -31,7 +33,7 @@ python3Packages.buildPythonApplication rec {
     owner = "geigi";
     repo = pname;
     rev = version;
-    sha256 = "0fmbddi4ga0bppwg3rm3yjmf7jgqc6zfslmavnr1pglbzkjhy9fs";
+    sha256 = "0m0xiqpb87pwr3fhy0a4qxg67yjhwchcxj3x2anyy0li4inryxag";
   };
 
   nativeBuildInputs = [
@@ -47,6 +49,8 @@ python3Packages.buildPythonApplication rec {
     cairo
     gettext
     gnome.adwaita-icon-theme
+    libhandy
+    pantheon.granite
   ] ++ (with gst_all_1; [
     gstreamer
     gst-plugins-good
@@ -70,8 +74,7 @@ python3Packages.buildPythonApplication rec {
   ];
 
   postPatch = ''
-    chmod +x meson/post_install.py
+    patchShebangs meson/*.py
-    patchShebangs meson/post_install.py
   '';
 
   postInstall = ''

third_party/nixpkgs/pkgs/applications/audio/helvum/default.nix

@@ -13,17 +13,17 @@
 
 rustPlatform.buildRustPackage rec {
   pname = "helvum";
-  version = "0.2.1";
+  version = "0.3.0";
 
   src = fetchFromGitLab {
     domain = "gitlab.freedesktop.org";
     owner = "ryuukyu";
     repo = pname;
     rev = version;
-    sha256 = "sha256-ZnpdGXK8N8c/s4qC2NXcn0Pdqrqr47iOWvVwXD9pn1A=";
+    sha256 = "sha256-AlHCK4pWaoNjR0eflxHBsuVaaily/RvCbgJv/ByQZK4=";
   };
 
-  cargoSha256 = "sha256-2v2L20rUWftXdhhuE3wiRrDIuSg6VFxfpWYMRaMUyTU=";
+  cargoSha256 = "sha256-mAhh12rGvQjs2xtm+OrtVv0fgG6qni/QM/oRYoFR7U8=";
 
   nativeBuildInputs = [ clang copyDesktopItems pkg-config ];
   buildInputs = [ glib gtk4 pipewire ];

third_party/nixpkgs/pkgs/applications/blockchains/lndconnect/default.nix

@@ -18,7 +18,7 @@ buildGoPackage rec {
     description = "Generate QRCode to connect apps to lnd Resources";
     license = licenses.mit;
     homepage = "https://github.com/LN-Zap/lndconnect";
-    maintainers = [ maintainers.xwvvvvwx ];
+    maintainers = [ maintainers.d-xo ];
     platforms = platforms.linux;
   };
 }

third_party/nixpkgs/pkgs/applications/blockchains/turbo-geth/default.nix

@@ -25,6 +25,6 @@ buildGoModule rec {
     homepage = "https://github.com/ledgerwatch/turbo-geth/";
     description = "Ethereum node and geth fork focused on scalability and modularity";
     license = with licenses; [ lgpl3Plus gpl3Plus ];
-    maintainers = with maintainers; [ xwvvvvwx ];
+    maintainers = with maintainers; [ d-xo ];
   };
 }

third_party/nixpkgs/pkgs/applications/editors/kdevelop5/kdevelop.nix

@@ -10,11 +10,11 @@
 
 mkDerivation rec {
   pname = "kdevelop";
-  version = "5.6.1";
+  version = "5.6.2";
 
   src = fetchurl {
     url = "mirror://kde/stable/${pname}/${version}/src/${pname}-${version}.tar.xz";
-    sha256 = "02ip5r67hjfpywkm3mz86n6wbqcr7996ifzfd2fyzsvm4998hi4y";
+    sha256 = "sha256-D4a8P+U/dhwePj91RFd6DEFDO+i/8xDPLnKfdvQ2O/Y=";
   };
 
   nativeBuildInputs = [

third_party/nixpkgs/pkgs/applications/editors/micro/default.nix

@@ -2,20 +2,20 @@
 
 buildGoModule rec {
   pname = "micro";
-  version = "2.0.9";
+  version = "2.0.10";
 
   src = fetchFromGitHub {
     owner = "zyedidia";
     repo = pname;
     rev = "v${version}";
-    sha256 = "sha256-8QtucdamxVwHuuhQhVQuvTNbqY5p97LKSB23617p4ow=";
+    sha256 = "sha256-hVFmViwGXuYVAKaCkzK/LHjCi8AtLu0tsPpT61glxys=";
   };
 
   nativeBuildInputs = [ installShellFiles ];
 
   subPackages = [ "cmd/micro" ];
 
-  vendorSha256 = "sha256-bkD125ePdKcVgmNilOMZgUK6A8KWxaBOGKs8AvvIboI=";
+  vendorSha256 = "sha256-YcAKl4keizkbgQLAZGiCG3CGpNTNad8EvOJEXLX2s0s=";
 
   buildFlagsArray = [ "-ldflags=-s -w -X github.com/zyedidia/micro/v2/internal/util.Version=${version} -X github.com/zyedidia/micro/v2/internal/util.CommitHash=${src.rev}" ];
 

third_party/nixpkgs/pkgs/applications/gis/qgis/unwrapped.nix

@@ -24,7 +24,7 @@ let
     six
   ];
 in mkDerivation rec {
-  version = "3.16.7";
+  version = "3.16.9";
   pname = "qgis";
   name = "${pname}-unwrapped-${version}";
 
@@ -32,7 +32,7 @@ in mkDerivation rec {
     owner = "qgis";
     repo = "QGIS";
     rev = "final-${lib.replaceStrings [ "." ] [ "_" ] version}";
-    sha256 = "0yvb2w83dplh0my72xljglq9a4a7qkfliwslav26lw4yqxr8mr0p";
+    sha256 = "sha256-Y9WVgKEMOSMaXxfC9EQ8yqBYEj4XNL7YdMp8vjV55d0=";
   };
 
   passthru = {

third_party/nixpkgs/pkgs/applications/graphics/akira/default.nix

@@ -24,13 +24,13 @@
 
 stdenv.mkDerivation rec {
   pname = "akira";
-  version = "0.0.14";
+  version = "0.0.15";
 
   src = fetchFromGitHub {
     owner = "akiraux";
     repo = "Akira";
     rev = "v${version}";
-    sha256 = "1zbb2bsc6v2rwrbigbkgrzfjmlj96s3ri73zbdcyqg4p08v1w4l6";
+    sha256 = "sha256-2GhpxajymLVAl2P6vZ0+nuZK3ZRRktFswWkj7TP8eHI=";
   };
 
   nativeBuildInputs = [

third_party/nixpkgs/pkgs/applications/graphics/imv/default.nix

@@ -56,13 +56,13 @@ assert builtins.all
 
 stdenv.mkDerivation rec {
   pname = "imv";
-  version = "4.2.0";
+  version = "4.3.0";
 
   src = fetchFromGitHub {
     owner = "eXeC64";
     repo = "imv";
     rev = "v${version}";
-    sha256 = "07pcpppmfvvj0czfvp1cyq03ha0jdj4whl13lzvw37q3vpxs5qqh";
+    sha256 = "sha256-HP9W9US9e3YAXwCqiHV8NVqrO20SfQKcW3a6+r1XrIs=";
   };
 
   mesonFlags = [

third_party/nixpkgs/pkgs/applications/misc/audio/wavrsocvt/default.nix

@@ -8,8 +8,6 @@ stdenv.mkDerivation {
     sha256 = "15qlvdfwbiclljj7075ycm78yzqahzrgl4ky8pymix5179acm05h";
   };
 
-  phases = [ "unpackPhase" "installPhase" ];
-
   unpackPhase = ''
     tar -zxf $src
     '';

third_party/nixpkgs/pkgs/applications/misc/ausweisapp2/default.nix

@@ -3,13 +3,13 @@
 
 mkDerivation rec {
   pname = "AusweisApp2";
-  version = "1.22.0";
+  version = "1.22.2";
 
   src = fetchFromGitHub {
     owner = "Governikus";
     repo = "AusweisApp2";
     rev = version;
-    sha256 = "00isb8xcbm419nvxx2ri0n8x5d403733h2whjqjcd3hmpx3x4q1h";
+    sha256 = "sha256-Oci1y6//45Gep4IS6Ym+v9MPCP5mOswAiWPkXqd+zR0=";
   };
 
   nativeBuildInputs = [ cmake pkg-config ];

third_party/nixpkgs/pkgs/applications/misc/avrdudess/default.nix

@@ -10,7 +10,8 @@ stdenv.mkDerivation {
 
   nativeBuildInputs = [ unzip ];
 
-  phases = [ "buildPhase" ];
+  dontUnpack = true;
+  dontInstall = true;
 
   buildPhase = ''
     mkdir -p "$out/avrdudess"

third_party/nixpkgs/pkgs/applications/misc/azuredatastudio/default.nix

@@ -38,7 +38,7 @@ stdenv.mkDerivation rec {
     at-spi2-atk
   ];
 
-  phases = "unpackPhase fixupPhase";
+  dontInstall = true;
 
   # change this to azuredatastudio-insiders for insiders releases
   edition = "azuredatastudio";

third_party/nixpkgs/pkgs/applications/misc/cherrytree/default.nix

@@ -19,13 +19,13 @@
 
 stdenv.mkDerivation rec {
   pname = "cherrytree";
-  version = "0.99.39";
+  version = "0.99.40";
 
   src = fetchFromGitHub {
     owner = "giuspen";
     repo = "cherrytree";
     rev = version;
-    sha256 = "sha256-QSRYtnZxLAaq42PvPd5+LxSzq/Hd/Cz5bquBTiGWnAE=";
+    sha256 = "sha256-K1rf8/7kEpfLOPYJGh5U2eTnr5XCDhuc+seoUAKW7aE=";
   };
 
   nativeBuildInputs = [

third_party/nixpkgs/pkgs/applications/misc/elogind/default.nix

@@ -29,13 +29,13 @@ with lib;
 
 stdenv.mkDerivation rec {
   pname = "elogind";
-  version = "243.7";
+  version = "246.10";
 
   src = fetchFromGitHub {
     owner = "elogind";
     repo = pname;
     rev = "v${version}";
-    sha256 = "0cihdf7blhncm2359qxli24j9l3dkn15gjys5vpjwny80zlym5ma";
+    sha256 = "sha256-+Nv6FL9Yjmfxs24+2mUTP//wbjzGUq4ftgJLfuEqBJg=";
   };
 
   nativeBuildInputs = [

third_party/nixpkgs/pkgs/applications/misc/emem/default.nix

@@ -11,7 +11,7 @@ stdenv.mkDerivation rec {
     sha256 = "18x3s3jrph8k3pc75jgwkfqazygpsx93zjxx68zms58my17cybh1";
   };
 
-  phases = [ "buildPhase" "installPhase" ];
+  dontUnpack = true;
 
   buildPhase = ''
     mkdir -p $out/bin $out/share/java

third_party/nixpkgs/pkgs/applications/misc/fnott/default.nix

@@ -0,0 +1,58 @@
+{ stdenv
+, lib
+, fetchFromGitea
+, pkg-config
+, meson
+, ninja
+, scdoc
+, wayland-protocols
+, tllist
+, fontconfig
+, freetype
+, pixman
+, libpng
+, wayland
+, wlroots
+, dbus
+, fcft
+}:
+
+stdenv.mkDerivation rec {
+  pname = "fnott";
+  version = "1.1.0";
+
+  src = fetchFromGitea {
+    domain = "codeberg.org";
+    owner = "dnkl";
+    repo = "fnott";
+    rev = version;
+    sha256 = "sha256-gzU5AqjCIZlhLbnj/xuSGJ69ZhLv9zQxlM0Nn+MIX/U=";
+  };
+
+  nativeBuildInputs = [
+    pkg-config
+    meson
+    ninja
+    scdoc
+    wayland-protocols
+    tllist
+  ];
+  buildInputs = [
+    fontconfig
+    freetype
+    pixman
+    libpng
+    wayland
+    wlroots
+    dbus
+    fcft
+  ];
+
+  meta = with lib; {
+    homepage = "https://codeberg.org/dnkl/fnott";
+    description = "Keyboard driven and lightweight Wayland notification daemon for wlroots-based compositors.";
+    license = licenses.mit;
+    maintainers = with maintainers; [ polykernel ];
+    platforms = platforms.linux;
+  };
+}

third_party/nixpkgs/pkgs/applications/misc/fuzzel/default.nix

@@ -1,22 +1,75 @@
-{ stdenv, lib, fetchzip, pkg-config, meson, ninja, wayland, pixman, cairo, librsvg, wayland-protocols, wlroots, libxkbcommon, scdoc, git, tllist, fcft}:
+{ stdenv
+, lib
+, fetchFromGitea
+, pkg-config
+, meson
+, ninja
+, wayland-scanner
+, wayland
+, pixman
+, wayland-protocols
+, libxkbcommon
+, scdoc
+, tllist
+, fcft
+, enableCairo ? true
+, enablePNG ? true
+, enableSVG ? true
+# Optional dependencies
+, cairo
+, librsvg
+, libpng
+}:
+
+let
+  # Courtesy of sternenseemann and FRidh, commit c9a7fdfcfb420be8e0179214d0d91a34f5974c54
+  mesonFeatureFlag = opt: b: "-D${opt}=${if b then "enabled" else "disabled"}";
+in
 
 stdenv.mkDerivation rec {
   pname = "fuzzel";
   version = "1.6.1";
 
-  src = fetchzip {
+  src = fetchFromGitea {
-    url = "https://codeberg.org/dnkl/fuzzel/archive/${version}.tar.gz";
+    domain = "codeberg.org";
+    owner = "dnkl";
+    repo = "fuzzel";
+    rev = version;
     sha256 = "sha256-JW5sAlTprSRIdFbmSaUreGtNccERgQMGEW+WCSscYQk=";
   };
 
-  nativeBuildInputs = [ pkg-config meson ninja scdoc git ];
+  nativeBuildInputs = [
-  buildInputs = [ wayland pixman cairo librsvg wayland-protocols  wlroots libxkbcommon tllist fcft ];
+    pkg-config
+    wayland-scanner
+    meson
+    ninja
+    scdoc
+  ];
+
+  buildInputs = [
+    wayland
+    pixman
+    wayland-protocols
+    libxkbcommon
+    tllist
+    fcft
+  ] ++ lib.optional enableCairo cairo
+    ++ lib.optional enablePNG libpng
+    ++ lib.optional enableSVG librsvg;
+
+  mesonBuildType = "release";
+
+  mesonFlags = [
+    (mesonFeatureFlag "enable-cairo" enableCairo)
+    (mesonFeatureFlag "enable-png" enablePNG)
+    (mesonFeatureFlag "enable-svg" enableSVG)
+  ];
 
   meta = with lib; {
     description = "Wayland-native application launcher, similar to rofi’s drun mode";
     homepage = "https://codeberg.org/dnkl/fuzzel";
     license = licenses.mit;
-    maintainers = with maintainers; [ fionera ];
+    maintainers = with maintainers; [ fionera polykernel ];
     platforms = with platforms; linux;
     changelog = "https://codeberg.org/dnkl/fuzzel/releases/tag/${version}";
   };

third_party/nixpkgs/pkgs/applications/misc/ganttproject-bin/default.nix

@@ -15,8 +15,6 @@ stdenv.mkDerivation rec {
   nativeBuildInputs = [ makeWrapper ];
   buildInputs = [ jre ];
 
-  phases = [ "unpackPhase" "installPhase" "fixupPhase" ];
-
   installPhase = let
 
     desktopItem = makeDesktopItem {

third_party/nixpkgs/pkgs/applications/misc/gollum/default.nix

@@ -8,7 +8,7 @@ stdenv.mkDerivation rec {
 
   nativeBuildInputs = [ makeWrapper ];
 
-  phases = [ "installPhase" ];
+  dontUnpack = true;
 
   installPhase = let
     env = bundlerEnv {

third_party/nixpkgs/pkgs/applications/misc/hello-unfree/default.nix

@@ -4,7 +4,7 @@ stdenv.mkDerivation {
   pname = "example-unfree-package";
   version = "1.0";
 
-  phases = [ "installPhase" "fixupPhase" ];
+  dontUnpack = true;
 
   installPhase = ''
     mkdir -p $out/bin

third_party/nixpkgs/pkgs/applications/misc/joplin-desktop/default.nix

@@ -55,7 +55,8 @@ let
       install -Dm444 ${appimageContents}/@joplinapp-desktop.desktop -t $out/share/applications
       install -Dm444 ${appimageContents}/@joplinapp-desktop.png -t $out/share/pixmaps
       substituteInPlace $out/share/applications/@joplinapp-desktop.desktop \
-        --replace 'Exec=AppRun' 'Exec=${pname}'
+        --replace 'Exec=AppRun' 'Exec=${pname}' \
+        --replace 'Icon=joplin' "Icon=$out/share/pixmaps/@joplinapp-desktop.png"
     '';
   };
 

third_party/nixpkgs/pkgs/applications/misc/keepass/default.nix

@@ -3,11 +3,11 @@
 
 with builtins; buildDotnetPackage rec {
   baseName = "keepass";
-  version = "2.46";
+  version = "2.48.1";
 
   src = fetchurl {
     url = "mirror://sourceforge/keepass/KeePass-${version}-Source.zip";
-    sha256 = "0zyclydgyg8nhwxrzw7x4f82975cqdmp12py33k6sballx6jhgiy";
+    sha256 = "sha256-HkAgKPvf8TUgUlgsGWVgjuYJaRPGi8obOFQEtmzDtLE=";
   };
 
   sourceRoot = ".";

third_party/nixpkgs/pkgs/applications/misc/latte-dock/default.nix

@@ -3,11 +3,11 @@
 
 mkDerivation rec {
   pname = "latte-dock";
-  version = "0.9.12";
+  version = "0.10.0";
 
   src = fetchurl {
     url = "https://download.kde.org/stable/${pname}/${pname}-${version}.tar.xz";
-    sha256 = "sha256-srivjGnrEizLvph7AP/02dOsnMyTnL3a6f0xm8oGML4=";
+    sha256 = "04kq86qmrjbzidrkknj000pv1b5z0r7nfidhy2zv67ks8fdi4zln";
     name = "${pname}-${version}.tar.xz";
   };
 

third_party/nixpkgs/pkgs/applications/misc/opentx/default.nix

@@ -6,13 +6,16 @@
 
 mkDerivation rec {
   pname = "opentx";
-  version = "2.3.13";
+  version = "2.3.14";
 
   src = fetchFromGitHub {
     owner = "opentx";
     repo = "opentx";
-    rev = "release/${version}";
+    # 2.3.14 release tag points to the commit before the one that updates the
-    sha256 = "sha256-Bi/Cz2T2NdtnJZHav8qvo+gErPsR8Ym7K3KcD5APt6Y=";
+    # version number.
+    # rev = "release/${version}";
+    rev = "1e09791a1e2fe2a0ca9835019d634a4c6a4fa3bf";
+    sha256 = "0mhzp1j6nmqvkjxg8lv8xa637m1lavdsak30mdlq0g25dhwg6k92";
   };
 
   nativeBuildInputs = [ cmake gcc-arm-embedded python3Packages.pillow ];
@@ -41,7 +44,7 @@ mkDerivation rec {
       running radio simulators.
     '';
     homepage = "https://www.open-tx.org/";
-    license = licenses.gpl2;
+    license = licenses.gpl2Only;
     platforms = [ "i686-linux" "x86_64-linux" "aarch64-linux" ];
     maintainers = with maintainers; [ elitak lopsided98 ];
   };

third_party/nixpkgs/pkgs/applications/misc/rtv/default.nix

@@ -1,46 +0,0 @@
-{ lib, fetchFromGitHub, python3Packages }:
-
-with python3Packages;
-buildPythonApplication rec {
-  version = "1.27.0";
-  pname = "rtv";
-
-  src = fetchFromGitHub {
-    owner = "michael-lazar";
-    repo = "rtv";
-    rev = "v${version}";
-    sha256 = "1hw7xy2kjxq7y3wcibcz4l7zj8icvigialqr17l362xry0y17y5j";
-  };
-
-  # Tests try to access network
-  doCheck = false;
-
-  checkPhase = ''
-    py.test
-  '';
-
-  checkInputs = [
-    coverage
-    coveralls
-    docopt
-    mock
-    pylint
-    pytest
-    vcrpy
-  ];
-
-  propagatedBuildInputs = [
-    beautifulsoup4
-    decorator
-    kitchen
-    requests
-    six
-  ];
-
-  meta = with lib; {
-    homepage = "https://github.com/michael-lazar/rtv";
-    description = "Browse Reddit from your Terminal";
-    license = licenses.mit;
-    maintainers = with maintainers; [ matthiasbeyer wedens ];
-  };
-}

third_party/nixpkgs/pkgs/applications/misc/smos/default.nix

@@ -4,7 +4,7 @@
 }:
 
 stdenv.mkDerivation rec {
-  name = "smos-${version}";
+  pname = "smos";
   version = "0.1.0";
 
   src = fetchurl {
@@ -12,7 +12,8 @@ stdenv.mkDerivation rec {
     sha256 = "sha256:07yavk7xl92yjwwjdig90yq421n8ldv4fjfw7izd4hfpzw849a12";
   };
 
-  phases = [ "unpackPhase" ];
+  dontInstall = true;
+
   unpackCmd = "${unzip}/bin/unzip -d $out $curSrc";
   sourceRoot = ".";
 

third_party/nixpkgs/pkgs/applications/misc/tut/default.nix

@@ -2,16 +2,16 @@
 
 buildGoModule rec {
   pname = "tut";
-  version = "0.0.20";
+  version = "0.0.26";
 
   src = fetchFromGitHub {
     owner = "RasmusLindroth";
     repo = pname;
     rev = version;
-    sha256 = "03jiv5m807z96796fbpi6ny22am3sq4jfni37fxbld05sxdzwcnd";
+    sha256 = "1d4n55p9hl4c8i2yz3gq3r7kma7j32pr976dhd7xdwhxadvn3aal";
   };
 
-  vendorSha256 = "1in5b7ixnm5iizkzziqclvgaq87ccdh507amkgfhfy5sxsgbfb1g";
+  vendorSha256 = "1zmwfgl1mayqcqk93368l94d6yah1qb0x11vf9b2x7zbzxzfshg9";
 
   meta = with lib; {
     description = "A TUI for Mastodon with vim inspired keys";

third_party/nixpkgs/pkgs/applications/misc/usql/default.nix

@@ -7,16 +7,16 @@
 
 buildGoModule rec {
   pname = "usql";
-  version = "0.9.1";
+  version = "0.9.2";
 
   src = fetchFromGitHub {
     owner = "xo";
     repo = "usql";
     rev = "v${version}";
-    sha256 = "sha256-fcKn4kHIRvMdgGFKDNQg49YxLc0Y5j/8VwKoDLiXbEU=";
+    sha256 = "sha256-vLGoPttl7f4qCVM8e0F0llIODuNqJ7GxXqbUgokv7Qw=";
   };
 
-  vendorSha256 = "sha256-uAV8NLnqXjIDILfnbbkVr2BOIucQ8vX89KI5yIkVtus=";
+  vendorSha256 = "sha256-sGECp1L6WzIPGbQbBoV1IrTgyy4/c95OLAmj9D0FjXs=";
 
   buildInputs = [ unixODBC icu ];
 

third_party/nixpkgs/pkgs/applications/misc/wbg/default.nix

@@ -1,50 +1,64 @@
 { stdenv
 , lib
-, fetchgit
+, fetchFromGitea
+, pkg-config
 , meson
 , ninja
-, pkg-config
-, git
-, scdoc
-, cairo
-, fcft
-, libpng
-, librsvg
-, libxkbcommon
 , pixman
 , tllist
 , wayland
+, wayland-scanner
 , wayland-protocols
-, wlroots
+, enablePNG ? true
+, enableJPEG ? true
+# Optional dependencies
+, libpng
+, libjpeg
 }:
 
+let
+  # Courtesy of sternenseemann and FRidh, commit c9a7fdfcfb420be8e0179214d0d91a34f5974c54
+  mesonFeatureFlag = opt: b: "-D${opt}=${if b then "enabled" else "disabled"}";
+in
+
 stdenv.mkDerivation rec {
   pname = "wbg";
-  version = "unstable-2020-08-01";
+  version = "1.0.2";
 
-  src = fetchgit {
+  src = fetchFromGitea {
-    url = "https://codeberg.org/dnkl/wbg";
+    domain = "codeberg.org";
-    rev = "1b05bd80d0f40e3ba1e977002d0653f532649269";
+    owner = "dnkl";
-    sha256 = "0i1j7aqvj0vl2ww5cvffqci1kjqjn0sw6sp2j0ljblaif6qk9asc";
+    repo = "wbg";
+    rev = version;
+    sha256 = "sha256-PKEOWRcSAB4Uv5TfameQIEZh6s6xCGdyoZ13etL1TKA=";
   };
 
-  nativeBuildInputs = [ pkg-config meson ninja scdoc git ];
+  nativeBuildInputs = [
+    pkg-config
+    meson
+    ninja
+    wayland-scanner
+  ];
+
   buildInputs = [
-    cairo
-    fcft
-    libpng
-    librsvg
-    libxkbcommon
     pixman
     tllist
     wayland
     wayland-protocols
-    wlroots
+  ] ++ lib.optional enablePNG libpng
+    ++ lib.optional enableJPEG libjpeg;
+
+  mesonBuildType = "release";
+
+  mesonFlags = [
+    (mesonFeatureFlag "png" enablePNG)
+    (mesonFeatureFlag "jpeg" enableJPEG)
   ];
 
   meta = with lib; {
     description = "Wallpaper application for Wayland compositors";
     homepage = "https://codeberg.org/dnkl/wbg";
+    changelog = "https://codeberg.org/dnkl/wbg/releases/tag/${version}";
     license = licenses.isc;
     maintainers = with maintainers; [ AndersonTorres ];
     platforms = with platforms; linux;

third_party/nixpkgs/pkgs/applications/misc/writefreely/default.nix

@@ -17,12 +17,12 @@ buildGoModule rec {
 
   preBuild = ''
     make assets
-    export buildFlagsArray=(
-      "-ldflags=-s -w -X github.com/writeas/writefreely.softwareVer=${version}"
-      "-tags='sqlite'"
-    )
   '';
 
+  ldflags = [ "-s" "-w" "-X github.com/writeas/writefreely.softwareVer=${version}" ];
+
+  tags = [ "sqlite" ];
+
   subPackages = [ "cmd/writefreely" ];
 
   meta = with lib; {

third_party/nixpkgs/pkgs/applications/misc/yambar/default.nix

@@ -1,6 +1,6 @@
 { stdenv
 , lib
-, fetchgit
+, fetchFromGitea
 , pkg-config
 , meson
 , ninja
@@ -9,50 +9,75 @@
 , fcft
 , json_c
 , libmpdclient
-, libxcb
 , libyaml
 , pixman
 , tllist
 , udev
 , wayland
+, wayland-scanner
 , wayland-protocols
+, waylandSupport ? false
+# Xorg backend
+, libxcb
 , xcbutil
 , xcbutilcursor
 , xcbutilerrors
 , xcbutilwm
 }:
 
+let
+  # Courtesy of sternenseemann and FRidh, commit c9a7fdfcfb420be8e0179214d0d91a34f5974c54
+  mesonFeatureFlag = opt: b: "-D${opt}=${if b then "enabled" else "disabled"}";
+in
+
 stdenv.mkDerivation rec {
   pname = "yambar";
   version = "1.6.2";
 
-  src = fetchgit {
+  src = fetchFromGitea {
-    url = "https://codeberg.org/dnkl/yambar.git";
+    domain = "codeberg.org";
+    owner = "dnkl";
+    repo = "yambar";
     rev = version;
-    sha256 = "sha256-oUNkaWrYIcsK2u+aeRg6DHmH4M1VZ0leNSM0lV9Yy1Y=";
+    sha256 = "sha256-GPKR2BYl3ebxxXbVfH/oZLs7639EYwWU4ZsilJn0Ss8=";
   };
 
-  nativeBuildInputs = [ pkg-config meson ninja scdoc ];
+  nativeBuildInputs = [
+    pkg-config
+    meson
+    ninja
+    scdoc
+    wayland-scanner
+  ];
+
   buildInputs = [
     alsa-lib
     fcft
     json_c
     libmpdclient
-    libxcb
     libyaml
     pixman
     tllist
     udev
     wayland
     wayland-protocols
+  ] ++ lib.optionals (!waylandSupport) [
     xcbutil
     xcbutilcursor
     xcbutilerrors
     xcbutilwm
   ];
 
+  mesonBuildType = "release";
+
+  mesonFlags = [
+    (mesonFeatureFlag "backend-x11" (!waylandSupport))
+    (mesonFeatureFlag "backend-wayland" waylandSupport)
+  ];
+
   meta = with lib; {
     homepage = "https://codeberg.org/dnkl/yambar";
+    changelog = "https://codeberg.org/dnkl/yambar/releases/tag/${version}";
     description = "Modular status panel for X11 and Wayland";
     longDescription = ''
       yambar is a lightweight and configurable status panel (bar, for short) for

third_party/nixpkgs/pkgs/applications/misc/zola/default.nix

@@ -2,17 +2,16 @@
 
 rustPlatform.buildRustPackage rec {
   pname = "zola";
-  version = "unstable-2021-07-14";
+  version = "0.14.0";
 
   src = fetchFromGitHub {
     owner = "getzola";
     repo = pname;
-    # unstable because the latest release fails to build
+    rev = "v${version}";
-    rev = "312ffcb04c06c5f157b9fd2b944b858703238592";
+    sha256 = "1mvin6pfqhsfhaifivbdi6qcn0dsa98w83m1n51q807gh4l1k2yj";
-    sha256 = "0i5zqs1gwxhvsynb540c3azfi4357igr4i5p0bi3h7ras2asas8w";
   };
 
-  cargoSha256 = "0g5z0s837cfwzral2zz0avp0xywyaa3l1adxg520qrnga7z0kbh8";
+  cargoSha256 = "02bk399c7x15a5rkaz7ik65yihkfbjn1q46gx7l8hycqq7xb0xmg";
 
   nativeBuildInputs = [ cmake pkg-config installShellFiles];
   buildInputs = [ openssl oniguruma ]
@@ -30,6 +29,7 @@ rustPlatform.buildRustPackage rec {
   meta = with lib; {
     description = "A fast static site generator with everything built-in";
     homepage = "https://www.getzola.org/";
+    changelog = "https://github.com/getzola/zola/raw/v${version}/CHANGELOG.md";
     license = licenses.mit;
     maintainers = with maintainers; [ dandellion dywedir _0x4A6F ];
     # set because of unstable-* version

third_party/nixpkgs/pkgs/applications/networking/browsers/firefox-bin/default.nix

@@ -201,7 +201,6 @@ stdenv.mkDerivation {
       url = "http://www.mozilla.org/en-US/foundation/trademarks/policy/";
     };
     platforms = builtins.attrNames mozillaPlatforms;
-    timeout = 86400; # 24 hours (increased from the Hydra default of 10h, c.f. #129115)
     maintainers = with maintainers; [ taku0 lovesegfault ];
   };
 }

third_party/nixpkgs/pkgs/applications/networking/browsers/firefox/packages.nix

@@ -21,6 +21,7 @@ rec {
       badPlatforms = lib.platforms.darwin;
       broken = stdenv.buildPlatform.is32bit; # since Firefox 60, build on 32-bit platforms fails with "out of memory".
                                              # not in `badPlatforms` because cross-compilation on 64-bit machine might work.
+      maxSilent = 14400; # 4h, double the default of 7200s (c.f. #129212, #129115)
       license = lib.licenses.mpl20;
     };
     tests = [ nixosTests.firefox ];

third_party/nixpkgs/pkgs/applications/networking/browsers/firefox/wrapper.nix

@@ -2,7 +2,7 @@
 , replace, fetchurl, zip, unzip, jq, xdg-utils, writeText
 
 ## various stuff that can be plugged in
-, ffmpeg, xorg, alsa-lib, libpulseaudio, libcanberra-gtk3, libglvnd, libnotify
+, ffmpeg, xorg, alsa-lib, libpulseaudio, libcanberra-gtk3, libglvnd, libnotify, opensc
 , gnome/*.gnome-shell*/
 , browserpass, chrome-gnome-shell, uget-integrator, plasma5Packages, bukubrow, pipewire
 , tridactyl-native
@@ -49,6 +49,8 @@ let
       gssSupport = browser.gssSupport or false;
       alsaSupport = browser.alsaSupport or false;
       pipewireSupport = browser.pipewireSupport or false;
+      # PCSC-Lite daemon (services.pcscd) also must be enabled for firefox to access smartcards
+      smartcardSupport = cfg.smartcardSupport or false;
 
       nativeMessagingHosts =
         ([ ]
@@ -70,6 +72,7 @@ let
             (with xorg; [ stdenv.cc libX11 libXxf86dga libXxf86vm libXext libXt alsa-lib zlib ])
             ++ lib.optional (config.pulseaudio or true) libpulseaudio
             ++ lib.optional alsaSupport alsa-lib
+            ++ lib.optional smartcardSupport opensc
             ++ pkcs11Modules;
       gtk_modules = [ libcanberra-gtk3 ];
 
@@ -120,6 +123,10 @@ let
                 ret ++ [ "${e.outPath}/${e.extid}.xpi" ]
                 ) [] extensions;
             };
+          } // lib.optionalAttrs smartcardSupport {
+            SecurityDevices = {
+              "OpenSC PKCS#11 Module" = "onepin-opensc-pkcs11.so";
+            };
           }
         // extraPolicies;
       };

third_party/nixpkgs/pkgs/applications/networking/browsers/lagrange/default.nix

@@ -4,6 +4,8 @@
 , nix-update-script
 , cmake
 , pkg-config
+, fribidi
+, harfbuzz
 , libunistring
 , mpg123
 , openssl
@@ -15,27 +17,36 @@
 
 stdenv.mkDerivation rec {
   pname = "lagrange";
-  version = "1.5.2";
+  version = "1.6.2";
 
   src = fetchFromGitHub {
     owner = "skyjake";
     repo = "lagrange";
     rev = "v${version}";
-    sha256 = "sha256-NjiTjY2YuxUs/Wny7aDqHGw/2ML1fenjHrl089rLXFI=";
+    sha256 = "sha256-YTWVBQt0X12UDFJv/rPBqlIBC4iXSvpdYi/HIl+BPxc=";
     fetchSubmodules = true;
   };
 
+  postPatch = ''
+    rm -r lib/fribidi lib/harfbuzz
+  '';
+
   nativeBuildInputs = [ cmake pkg-config ];
 
-  buildInputs = [ libunistring mpg123 openssl pcre SDL2 zlib ]
+  buildInputs = [ fribidi harfbuzz libunistring mpg123 openssl pcre SDL2 zlib ]
     ++ lib.optional stdenv.isDarwin AppKit;
 
   hardeningDisable = lib.optional (!stdenv.cc.isClang) "format";
 
-  installPhase = if stdenv.isDarwin then ''
+  cmakeFlags = [
+    "-DENABLE_HARFBUZZ_MINIMAL:BOOL=OFF"
+    "-DENABLE_FRIBIDI_BUILD:BOOL=OFF"
+  ];
+
+  installPhase = lib.optionalString stdenv.isDarwin ''
     mkdir -p $out/Applications
     mv Lagrange.app $out/Applications
-  '' else null;
+  '';
 
   passthru = {
     updateScript = nix-update-script {

third_party/nixpkgs/pkgs/applications/networking/browsers/lynx/default.nix

@@ -1,11 +1,16 @@
-{ lib, stdenv, buildPackages
+{ lib
-, fetchurl, pkg-config, ncurses, gzip
+, stdenv
-, sslSupport ? true, openssl ? null
+, buildPackages
+, fetchurl
+, pkg-config
+, ncurses
+, gzip
+, sslSupport ? true
+, openssl
 , nukeReferences
+, fetchpatch
 }:
 
-assert sslSupport -> openssl != null;
-
 stdenv.mkDerivation rec {
   pname = "lynx";
   version = "2.8.9rel.1";
@@ -22,6 +27,14 @@ stdenv.mkDerivation rec {
 
   hardeningEnable = [ "pie" ];
 
+  patches = [
+    (fetchpatch {
+      name = "CVE-2021-38165.patch";
+      url = "https://git.alpinelinux.org/aports/plain/main/lynx/CVE-2021-38165.patch?id=3400945dbbb8a87065360963e4caa0e17d3dcc61";
+      sha256 = "1aykb9y2g2vdpbbpvjlm4r40x7py2yv6jbywwcqcxrlciqcw4x57";
+    })
+  ];
+
   configureFlags = [
     "--enable-default-colors"
     "--enable-widec"
@@ -32,7 +45,8 @@ stdenv.mkDerivation rec {
   nativeBuildInputs = [ nukeReferences ]
     ++ lib.optional sslSupport pkg-config;
 
-  buildInputs = [ ncurses gzip ] ++ lib.optional sslSupport openssl.dev;
+  buildInputs = [ ncurses gzip ]
+    ++ lib.optional sslSupport openssl;
 
   # cfg_defs.h captures lots of references to build-only dependencies, derived
   # from config.cache.
@@ -44,6 +58,7 @@ stdenv.mkDerivation rec {
   meta = with lib; {
     description = "A text-mode web browser";
     homepage = "https://lynx.invisible-island.net/";
+    maintainers = with maintainers; [ ];
     license = licenses.gpl2Plus;
     platforms = platforms.unix;
   };

third_party/nixpkgs/pkgs/applications/networking/cloudflared/default.nix

@@ -2,13 +2,13 @@
 
 buildGoModule rec {
   pname = "cloudflared";
-  version = "2021.7.4";
+  version = "2021.8.1";
 
   src = fetchFromGitHub {
     owner  = "cloudflare";
     repo   = "cloudflared";
     rev    = version;
-    sha256 = "sha256-3HK7QLUhU6MUayRYec4LP2BfbwEsvtjtCf++o1cQsQw=";
+    sha256 = "sha256-92Uq7hSqfsiES6dSCw4cotfLJ8TLRRO6QPkwQ8iv124=";
   };
 
   vendorSha256 = null;

third_party/nixpkgs/pkgs/applications/networking/cluster/fluxcd/default.nix

@@ -1,7 +1,7 @@
 { lib, buildGoModule, fetchFromGitHub, fetchzip, installShellFiles }:
 
 let
-  version = "0.16.1";
+  version = "0.16.2";
 
   manifests = fetchzip {
     url = "https://github.com/fluxcd/flux2/releases/download/v${version}/manifests.tar.gz";
@@ -19,10 +19,10 @@ buildGoModule rec {
     owner = "fluxcd";
     repo = "flux2";
     rev = "v${version}";
-    sha256 = "sha256-OjbyDg+3dSJco162NubK12pbmwib6uGlJQxVaJOzSig=";
+    sha256 = "sha256-hP2HQI9Oc7IlzVS5r7yqGAgSgqECOSZVe2B3vO2sgKA=";
   };
 
-  vendorSha256 = "sha256-GPbuHv/Xi9sWWZ6SIlW8cm5bY1gTO41vygx2C8dEt0k=";
+  vendorSha256 = "sha256-6ABnX0GV3HmhpUpPWS0bigubRqpXGoikEeQ/LqO6Ybs=";
 
   nativeBuildInputs = [ installShellFiles ];
 

third_party/nixpkgs/pkgs/applications/networking/cluster/helm/chart-testing/default.nix

@@ -0,0 +1,40 @@
+{ lib, buildGoModule, fetchFromGitHub }:
+
+buildGoModule rec {
+  pname = "chart-testing";
+  version = "3.4.0";
+
+  src = fetchFromGitHub {
+    owner = "helm";
+    repo = pname;
+    rev = "v${version}";
+    sha256 = "sha256-c7Rjk2YZaQXyFwrDVwYgOCnq/F2ooIUVETXVn5FVlZE=";
+  };
+
+  vendorSha256 = "sha256-1Py66ljDjJC38biJ25D8KnWEi3nXAVt9QSgyH1KkwHM=";
+
+  postPatch = ''
+    substituteInPlace pkg/config/config.go \
+      --replace "\"/etc/ct\"," "\"$out/etc/ct\","
+  '';
+
+  ldflags = [
+    "-w"
+    "-s"
+    "-X github.com/helm/chart-testing/v3/ct/cmd.Version=${version}"
+    "-X github.com/helm/chart-testing/v3/ct/cmd.GitCommit=${src.rev}"
+    "-X github.com/helm/chart-testing/v3/ct/cmd.BuildDate=19700101-00:00:00"
+  ];
+
+  postInstall = ''
+    install -Dm644 -t $out/etc/ct etc/chart_schema.yaml
+    install -Dm644 -t $out/etc/ct etc/lintconf.yaml
+  '';
+
+  meta = with lib; {
+    description = "A tool for testing Helm charts";
+    homepage = "https://github.com/helm/chart-testing";
+    license = licenses.asl20;
+    maintainers = with maintainers; [ atkinschang ];
+  };
+}

third_party/nixpkgs/pkgs/applications/networking/cluster/k9s/default.nix

@@ -2,13 +2,13 @@
 
 buildGoModule rec {
   pname = "k9s";
-  version = "0.24.14";
+  version = "0.24.15";
 
   src = fetchFromGitHub {
     owner  = "derailed";
     repo   = "k9s";
     rev    = "v${version}";
-    sha256 = "sha256-Kw3TT8IeJT0y2vSd38/y7BRq7PxMH2tiXV4/lOn5INA=";
+    sha256 = "sha256-ws5JC2/WkgwxKwYtP9xtFELRhztzL6tNSvopyeC6H0Q=";
   };
 
   buildFlagsArray = ''
@@ -18,7 +18,7 @@ buildGoModule rec {
       -X github.com/derailed/k9s/cmd.commit=${src.rev}
   '';
 
-  vendorSha256 = "sha256-JBWQxRaMvIbUiOD7sJiZH1SHNCdysgh5FeSmYf+FdG4=";
+  vendorSha256 = "sha256-T9khJeg5XPhVyUiu4gEEHZR6RgJF4P8LYFycqJglms8=";
 
   doCheck = false;
 

third_party/nixpkgs/pkgs/applications/networking/cluster/kpt/default.nix

@@ -2,16 +2,16 @@
 
 buildGoModule rec {
   pname = "kpt";
-  version = "0.38.0";
+  version = "0.38.1";
 
   src = fetchFromGitHub {
     owner = "GoogleContainerTools";
     repo = pname;
     rev = "v${version}";
-    sha256 = "sha256-MBZa4LdpCZnVVbjzkYpPi9/CYGqVLeYy2N/AS1PSYBE=";
+    sha256 = "sha256-gJAdxg/evsQ+mKsNx/migDMK5lCZ2qSrksbsGDr4fmU=";
   };
 
-  vendorSha256 = "sha256-P0cN8aw62nPD1OlUAw1E36YxptxtPqqruZfDDG4Ag2w=";
+  vendorSha256 = "sha256-GvkT51JudEdPz6zbqyf5qY6P2AbsaSMbirnxXmza5aI=";
 
   subPackages = [ "." ];
 

third_party/nixpkgs/pkgs/applications/networking/cluster/kubebuilder/default.nix

@@ -1,7 +1,6 @@
 { lib
 , buildGoModule
 , fetchFromGitHub
-, installShellFiles
 , makeWrapper
 , git
 , go
@@ -15,11 +14,11 @@ buildGoModule rec {
     owner = "kubernetes-sigs";
     repo = "kubebuilder";
     rev = "v${version}";
-    sha256 = "1726j2b5jyvllvnk60g6px3g2jyyphd9pc4vgid45mis9b60sh8a";
+    sha256 = "0bl5ff2cplal6hg75800crhyviamk1ws85sq60h4zg21hzf21y68";
   };
   vendorSha256 = "0zxyd950ksjswja64rfri5v2yaalfg6qmq8215ildgrcavl9974n";
 
-  subPackages = ["cmd" "pkg/..."];
+  subPackages = ["cmd"];
 
   preBuild = ''
     export buildFlagsArray+=("-ldflags=-X main.kubeBuilderVersion=v${version} \

third_party/nixpkgs/pkgs/applications/networking/cluster/node-problem-detector/default.nix

@@ -28,11 +28,9 @@ buildGoModule rec {
 
   buildInputs = lib.optionals stdenv.isLinux [ systemd ];
 
-  buildFlags = "-mod vendor" +
+  tags = lib.optionals stdenv.isLinux [ "journald" ];
-    lib.optionalString stdenv.isLinux " -tags journald";
 
-  buildFlagsArray = [
+  ldflags = [
-    "-ldflags="
     "-X k8s.io/${pname}/pkg/version.version=v${version}"
   ];
 

third_party/nixpkgs/pkgs/applications/networking/cluster/terragrunt/default.nix

@@ -2,16 +2,16 @@
 
 buildGoModule rec {
   pname = "terragrunt";
-  version = "0.31.1";
+  version = "0.31.3";
 
   src = fetchFromGitHub {
     owner = "gruntwork-io";
     repo = pname;
     rev = "v${version}";
-    sha256 = "sha256-vc3DGYb3vp55LRguhg3nG5zH7w1lTFEI2bx7kNffvas=";
+    sha256 = "sha256-I7S7B+mQxLdMWiLAkUIW39kXGU9k647OOhHysYotkfU=";
   };
 
-  vendorSha256 = "sha256-lBhLaYn8adgfCXQJBsIVuwnA0vY8+tgeqE+C669AV+A=";
+  vendorSha256 = "sha256-CVWg2SvRO//xye05G3svGeqgaTKdRcoERrR7Tp0JZUo=";
 
   doCheck = false;
 

third_party/nixpkgs/pkgs/applications/networking/gftp/default.nix

@@ -0,0 +1,56 @@
+{ lib
+, stdenv
+, fetchFromGitHub
+, autoconf
+, automake
+, gettext
+, gtk
+, intltool
+, libtool
+, ncurses
+, openssl
+, pkg-config
+, readline
+}:
+
+stdenv.mkDerivation rec {
+  pname = "gftp";
+  version = "2.7.0b";
+
+  src = fetchFromGitHub {
+    owner = "masneyb";
+    repo = pname;
+    rev = version;
+    hash = "sha256-cIB3SneYKavgdI8eTtM1qsOrBJJ0c7/3CEvNPishNog=";
+  };
+
+  nativeBuildInputs = [
+    autoconf
+    automake
+    gettext
+    intltool
+    libtool
+    pkg-config
+  ];
+  buildInputs = [
+    gtk
+    ncurses
+    openssl
+    readline
+  ];
+
+  hardeningDisable = [ "format" ];
+
+  preConfigure = ''
+    ./autogen.sh
+  '';
+
+  meta = with lib; {
+    homepage = "https://github.com/masneyb/gftp";
+    description = "GTK-based multithreaded FTP client for *nix-based machines";
+    license = licenses.gpl2Plus;
+    maintainers = with maintainers; [ AndersonTorres ];
+    platforms = platforms.unix;
+  };
+}
+# TODO: report the hardeningDisable to upstream

third_party/nixpkgs/pkgs/applications/networking/instant-messengers/gajim/default.nix

@@ -15,6 +15,7 @@
 , enableSpelling ? true, gspell
 , enableUPnP ? true, gupnp-igd
 , enableOmemoPluginDependencies ? true
+, enableAppIndicator ? true, libappindicator-gtk3
 , extraPythonPackages ? ps: []
 }:
 
@@ -33,7 +34,8 @@ python3.pkgs.buildPythonApplication rec {
   ] ++ lib.optionals enableJingle [ farstream gstreamer gst-plugins-base gst-libav gst-plugins-good libnice ]
     ++ lib.optional enableSecrets libsecret
     ++ lib.optional enableSpelling gspell
-    ++ lib.optional enableUPnP gupnp-igd;
+    ++ lib.optional enableUPnP gupnp-igd
+    ++ lib.optional enableAppIndicator libappindicator-gtk3;
 
   nativeBuildInputs = [
     gettext wrapGAppsHook

third_party/nixpkgs/pkgs/applications/networking/insync/v3.nix

@@ -22,11 +22,11 @@
 
 stdenv.mkDerivation rec {
   pname = "insync";
-  version = "3.2.4.40856";
+  version = "3.3.5.40925";
 
   src = fetchurl {
     url = "http://s.insynchq.com/builds/${pname}_${version}-focal_amd64.deb";
-    sha256 = "1bvqbbrfn5784nmb2qaflm1rzczqhvghhb6y5zaxrapyhygxbcis";
+    sha256 = "sha256-lYlG/8d7teX98F5eDxm4EdBfFs7Sz3Td4kKLC6KZqnQ=";
   };
 
   postPatch = ''

third_party/nixpkgs/pkgs/applications/networking/irc/tiny/default.nix

@@ -1,7 +1,6 @@
 { stdenv
 , lib
 , rustPlatform
-, fetchpatch
 , fetchFromGitHub
 , pkg-config
 , dbus
@@ -11,23 +10,20 @@
 
 rustPlatform.buildRustPackage rec {
   pname = "tiny";
-  version = "0.8.0";
+  version = "0.9.0";
 
   src = fetchFromGitHub {
     owner = "osa1";
     repo = pname;
     rev = "v${version}";
-    sha256 = "07a50shv6k4fwl2gmv4j0maxaqqkjpwwmqkxkqs0gvx38lc5f7m7";
+    sha256 = "gKyHR3FZHDybaP38rqB8/gvr8T+mDO4QQxoTtWS+TlE=";
   };
 
-  cargoSha256 = "0npkcprcqy2pn7k64jzwg41vk9id6yzw211xw203h80cc5444igr";
+  cargoSha256 = "0ChfW8vaqC2kCp4lpS0HOvhuihPw9G5TOmgwKzVDfws=";
 
+  # Fix Cargo.lock version. Remove with the next release.
   cargoPatches = [
-    # Fix Cargo.lock version. Remove with the next release.
+    ./fix-Cargo.lock.patch
-    (fetchpatch {
-      url = "https://github.com/osa1/tiny/commit/b1caf48a6399dad8875de1d965d1ad445e49585d.patch";
-      sha256 = "1zkjhx94nwmd69cfwwwzg51ipcwq01wyvgsmn0vq7iaa2h0d286i";
-    })
   ];
 
   nativeBuildInputs = lib.optional stdenv.isLinux pkg-config;
@@ -38,6 +34,6 @@ rustPlatform.buildRustPackage rec {
     homepage = "https://github.com/osa1/tiny";
     changelog = "https://github.com/osa1/tiny/blob/v${version}/CHANGELOG.md";
     license = licenses.mit;
-    maintainers = with maintainers; [ Br1ght0ne ];
+    maintainers = with maintainers; [ Br1ght0ne vyp ];
   };
 }

third_party/nixpkgs/pkgs/applications/networking/irc/tiny/fix-Cargo.lock.patch

@@ -0,0 +1,13 @@
+diff --git a/Cargo.lock b/Cargo.lock
+index 3a184dc..0e58cb1 100644
+--- a/Cargo.lock
++++ b/Cargo.lock
+@@ -1023,7 +1023,7 @@ dependencies = [
+ 
+ [[package]]
+ name = "tiny"
+-version = "0.8.0"
++version = "0.9.0"
+ dependencies = [
+  "clap",
+  "dirs 3.0.1",

third_party/nixpkgs/pkgs/applications/networking/juju/default.nix

@@ -2,16 +2,16 @@
 
 buildGoModule rec {
   pname = "juju";
-  version = "2.9.9";
+  version = "2.9.10";
 
   src = fetchFromGitHub {
     owner = "juju";
     repo = "juju";
     rev = "juju-${version}";
-    sha256 = "sha256-36/fatztop2eB1z9DfnseQXw0Di3Wss72IfgdnKpsNU=";
+    sha256 = "sha256-2gCJ6aN6uN0KtOVddLDry4pLhScSh4JHmdsFws59phk=";
   };
 
-  vendorSha256 = "sha256-MH9lZNc9KevovZJCN2nClmqJbRSwYoQ4Jb0CXqBBUd0=";
+  vendorSha256 = "sha256-vFO3Rv+7CLIkl1qS4zp177GmerewfgmyjxEbzdt/RsE=";
 
   # Disable tests because it attempts to use a mongodb instance
   doCheck = false;

third_party/nixpkgs/pkgs/applications/networking/mailreaders/evolution/evolution-ews/default.nix

@@ -3,11 +3,11 @@
 
 stdenv.mkDerivation rec {
   pname = "evolution-ews";
-  version = "3.40.1";
+  version = "3.40.3";
 
   src = fetchurl {
     url = "mirror://gnome/sources/${pname}/${lib.versions.majorMinor version}/${pname}-${version}.tar.xz";
-    sha256 = "1kgxdacqqcq8yfkij6vyqlk5r4yqvw7gh7mxqii670hrn1mb2s50";
+    sha256 = "ZAIE5rpPOyZT3VSPYOR143bP8Na7Kv0NQRhQ+p2oxJY=";
   };
 
   nativeBuildInputs = [ cmake gettext intltool pkg-config ];

third_party/nixpkgs/pkgs/applications/networking/p2p/frostwire/frostwire-bin.nix

@@ -1,14 +1,12 @@
 { lib, stdenv, fetchurl, jre, makeWrapper }:
 
-with lib;
-
 stdenv.mkDerivation rec {
-  version = "6.8.9";
+  version = "6.9.4";
   pname = "frostwire";
 
   src = fetchurl {
     url = "https://dl.frostwire.com/frostwire/${version}/frostwire-${version}.amd64.tar.gz";
-    sha256 = "0f5vyliwncryj6hj5xx0dycxycxddsn28n6zixjrn56jajijyl6q";
+    sha256 = "sha256-sWvQDUJGytKA9/UbC7fOk6WhDtTqdhyRmW9GvHFMZh4=";
   };
 
   nativeBuildInputs = [ makeWrapper ];

third_party/nixpkgs/pkgs/applications/networking/pcloud/default.nix

@@ -26,13 +26,13 @@
 
 let
   pname = "pcloud";
-  version = "1.9.3";
+  version = "1.9.5";
-  code = "XZh0QTXZIYkI66plpzLAJ4G2mwDvJFvKvEzy";
+  code = "XZy4VwXZjkvoMGM3x6kCTkIGLFYVKjqKbefX";
 
   # Archive link's code thanks to: https://aur.archlinux.org/cgit/aur.git/tree/PKGBUILD?h=pcloud-drive
   src = fetchzip {
     url = "https://api.pcloud.com/getpubzip?code=${code}&filename=${pname}-${version}.zip";
-    hash = "sha256-NFbSYZRysRIg6q0aaDocpK7xJbiCWc1S0McXKlCRGjU=";
+    hash = "sha256-GuO4wsSRT6WMlqYs2X+5oA7CykHb/NmhZ7UGA1FA6y4=";
   };
 
   appimageContents = appimageTools.extractType2 {

third_party/nixpkgs/pkgs/applications/networking/sync/rclone/default.nix

@@ -23,8 +23,9 @@ buildGoModule rec {
   buildInputs = lib.optional enableCmount (if stdenv.isDarwin then macfuse-stubs else fuse);
   nativeBuildInputs = [ installShellFiles makeWrapper ];
 
-  buildFlagsArray = lib.optionals enableCmount [ "-tags=cmount" ]
+  tags = lib.optionals enableCmount [ "cmount" ];
-    ++ [ "-ldflags=-s -w -X github.com/rclone/rclone/fs.Version=${version}" ];
+
+  ldflags = [ "-s" "-w" "-X github.com/rclone/rclone/fs.Version=${version}" ];
 
   postInstall =
     let

third_party/nixpkgs/pkgs/applications/office/atlassian-cli/default.nix

@@ -2,11 +2,11 @@
 
 stdenv.mkDerivation rec {
   pname = "atlassian-cli";
-  version = "9.5.0";
+  version = "9.6.0";
 
   src = fetchzip {
     url  = "https://bobswift.atlassian.net/wiki/download/attachments/16285777/${pname}-${version}-distribution.zip";
-    sha256  = "sha256-EAoydA2lg4K1gTgzn9patNw7pcCdU/OPfaEG1OfEJ18=";
+    sha256  = "sha256-55ydhprVC9NdDMUrKbpSAEQBb9zRYgwOc7k8aP4R89A=";
   };
 
   tools = [

third_party/nixpkgs/pkgs/applications/office/flexibee/default.nix

@@ -1,7 +1,7 @@
 { lib, stdenv, fetchurl, makeWrapper, jre }:
 
 let
-  version = "2020.2.6";
+  version = "2021.2.1";
   majorVersion = builtins.substring 0 6 version;
 in
 
@@ -11,7 +11,7 @@ stdenv.mkDerivation rec {
 
   src = fetchurl {
     url = "http://download.flexibee.eu/download/${majorVersion}/${version}/${pname}-${version}.tar.gz";
-    sha256 = "0vscz24sabk9xafywnx41rqhq6300ddsw1x95ibc7ghsgbkq80ja";
+    sha256 = "sha256-WorRyfjWucV8UhAjvuW+22CRzPcz5tjXF7Has4wrLMI=";
   };
 
   nativeBuildInputs = [ makeWrapper ];

third_party/nixpkgs/pkgs/applications/office/grisbi/default.nix

@@ -12,11 +12,11 @@
 
 stdenv.mkDerivation rec {
   pname = "grisbi";
-  version = "2.0.1";
+  version = "2.0.2";
 
   src = fetchurl {
     url = "mirror://sourceforge/grisbi/${pname}-${version}.tar.bz2";
-    sha256 = "sha256-hFLiVHyEekCP9btO75e5ni70ZcLhjbBGCBjF2gERIqs=";
+    sha256 = "sha256-bCO82EWAf/kiMDdojA5goWeWiKWZNOGYixmIJQwovGM=";
   };
 
   nativeBuildInputs = [ pkg-config wrapGAppsHook ];

third_party/nixpkgs/pkgs/applications/office/pympress/default.nix

@@ -1,21 +1,34 @@
 { lib
+, stdenv
+, fetchpatch
 , python3Packages
 , wrapGAppsHook
 , gtk3
 , gobject-introspection
 , libcanberra-gtk3
 , poppler_gi
+, withGstreamer ? stdenv.isLinux
+, withVLC ? stdenv.isLinux
  }:
 
 python3Packages.buildPythonApplication rec {
   pname = "pympress";
-  version = "1.5.1";
+  version = "1.6.3";
 
   src = python3Packages.fetchPypi {
     inherit pname version;
-    sha256 = "173d9scf2z29qg279jf33zcl7sgc3wp662fgpm943bn9667q18wf";
+    sha256 = "sha256-f+OjE0x/3yfJYHCLB+on7TT7MJ2vNu87SHRi67qFDCM=";
   };
 
+  patches = [
+    # Should not be needed once v1.6.4 is released
+    (fetchpatch {
+      name = "fix-setuptools-version-parsing.patch";
+      url = "https://github.com/Cimbali/pympress/commit/474514d71396ac065e210fd846e07ed1139602d0.diff";
+      sha256 = "sha256-eiw54sjMrXrNrhtkAXxiSTatzoA0NDA03L+HpTDax58=";
+    })
+  ];
+
   nativeBuildInputs = [
     wrapGAppsHook
   ];
@@ -23,16 +36,15 @@ python3Packages.buildPythonApplication rec {
   buildInputs = [
     gtk3
     gobject-introspection
-    libcanberra-gtk3
     poppler_gi
-  ];
+  ] ++ lib.optional withGstreamer libcanberra-gtk3;
 
   propagatedBuildInputs = with python3Packages; [
     pycairo
     pygobject3
-    python-vlc
+    setuptools
     watchdog
-  ];
+  ] ++ lib.optional withVLC python-vlc;
 
   doCheck = false; # there are no tests
 

third_party/nixpkgs/pkgs/applications/radio/fldigi/default.nix

@@ -18,11 +18,11 @@
 
 stdenv.mkDerivation rec {
   pname = "fldigi";
-  version = "4.1.19";
+  version = "4.1.20";
 
   src = fetchurl {
     url = "mirror://sourceforge/${pname}/${pname}-${version}.tar.gz";
-    sha256 = "0zvfkmvxi31ccbpxvimkcrqrkf3wzr1pgja2ny04srrakl8ff5c7";
+    sha256 = "0f64pqijl3jlfmv00hkdxvn1wy5yy3zl33p6vf3fn1b91w590c2h";
   };
 
   nativeBuildInputs = [ pkg-config ];