Merge master into staging-next

nixos/modules/config/krb5/default.nix

@@ -84,7 +84,7 @@ in {
         type = types.package;
         default = pkgs.krb5Full;
         defaultText = "pkgs.krb5Full";
-        example = literalExample "pkgs.heimdalFull";
+        example = literalExample "pkgs.heimdal";
         description = ''
           The Kerberos implementation that will be present in
           <literal>environment.systemPackages</literal> after enabling this

nixos/modules/programs/atop.nix

@@ -141,8 +141,15 @@ in
             // mkService cfg.atopgpu.enable "atopgpu" [ atop ];
           timers = mkTimer cfg.atopRotateTimer.enable "atop-rotate" [ atop ];
         };
-      security.wrappers =
-        lib.mkIf cfg.setuidWrapper.enable { atop = { source = "${atop}/bin/atop"; }; };
+
+      security.wrappers = lib.mkIf cfg.setuidWrapper.enable {
+        atop =
+          { setuid = true;
+            owner = "root";
+            group = "root";
+            source = "${atop}/bin/atop";
+          };
+      };
     }
   );
 }

nixos/modules/programs/plotinus.nix

@@ -30,7 +30,7 @@ in
   ###### implementation
 
   config = mkIf cfg.enable {
-    environment.variables.XDG_DATA_DIRS = [ "${pkgs.plotinus}/share/gsettings-schemas/${pkgs.plotinus.name}" ];
+    environment.sessionVariables.XDG_DATA_DIRS = [ "${pkgs.plotinus}/share/gsettings-schemas/${pkgs.plotinus.name}" ];
     environment.variables.GTK3_MODULES = [ "${pkgs.plotinus}/lib/libplotinus.so" ];
   };
 }

nixos/modules/services/cluster/kubernetes/default.nix

@@ -5,28 +5,33 @@ with lib;
 let
   cfg = config.services.kubernetes;
 
-  defaultContainerdConfigFile = pkgs.writeText "containerd.toml" ''
-    version = 2
-    root = "/var/lib/containerd"
-    state = "/run/containerd"
-    oom_score = 0
+  defaultContainerdSettings = {
+    version = 2;
+    root = "/var/lib/containerd";
+    state = "/run/containerd";
+    oom_score = 0;
 
-    [grpc]
-      address = "/run/containerd/containerd.sock"
+    grpc = {
+      address = "/run/containerd/containerd.sock";
+    };
 
-    [plugins."io.containerd.grpc.v1.cri"]
-      sandbox_image = "pause:latest"
+    plugins."io.containerd.grpc.v1.cri" = {
+      sandbox_image = "pause:latest";
 
-    [plugins."io.containerd.grpc.v1.cri".cni]
-      bin_dir = "/opt/cni/bin"
-      max_conf_num = 0
+      cni = {
+        bin_dir = "/opt/cni/bin";
+        max_conf_num = 0;
+      };
 
-    [plugins."io.containerd.grpc.v1.cri".containerd.runtimes.runc]
-      runtime_type = "io.containerd.runc.v2"
+      containerd.runtimes.runc = {
+        runtime_type = "io.containerd.runc.v2";
+      };
 
-    [plugins."io.containerd.grpc.v1.cri".containerd.runtimes."io.containerd.runc.v2".options]
-      SystemdCgroup = true
-  '';
+      containerd.runtimes."io.containerd.runc.v2".options = {
+        SystemdCgroup = true;
+      };
+    };
+  };
 
   mkKubeConfig = name: conf: pkgs.writeText "${name}-kubeconfig" (builtins.toJSON {
     apiVersion = "v1";
@@ -248,7 +253,7 @@ in {
     (mkIf cfg.kubelet.enable {
       virtualisation.containerd = {
         enable = mkDefault true;
-        configFile = mkDefault defaultContainerdConfigFile;
+        settings = mkDefault defaultContainerdSettings;
       };
     })
 

nixos/modules/services/networking/dnscrypt-wrapper.nix

@@ -217,6 +217,7 @@ in {
       home = "${dataDir}";
       createHome = true;
       isSystemUser = true;
+      group = "dnscrypt-wrapper";
     };
     users.groups.dnscrypt-wrapper = { };
 

nixos/modules/services/networking/flannel.nix

@@ -164,7 +164,7 @@ in {
       path = [ pkgs.iptables ];
       preStart = optionalString (cfg.storageBackend == "etcd") ''
         echo "setting network configuration"
-        until ${pkgs.etcdctl}/bin/etcdctl set /coreos.com/network/config '${builtins.toJSON networkConfig}'
+        until ${pkgs.etcd}/bin/etcdctl set /coreos.com/network/config '${builtins.toJSON networkConfig}'
         do
           echo "setting network configuration, retry"
           sleep 1

nixos/modules/services/search/meilisearch.nix

@@ -8,7 +8,7 @@ let
 in
 {
 
-  meta.maintainers = with maintainers; [ filalex77 ];
+  meta.maintainers = with maintainers; [ Br1ght0ne ];
 
   ###### interface
 

nixos/modules/services/system/kerberos/heimdal.nix

@@ -27,7 +27,7 @@ in
 {
   # No documentation about correct triggers, so guessing at them.
 
-  config = mkIf (cfg.enable && kerberos == pkgs.heimdalFull) {
+  config = mkIf (cfg.enable && kerberos == pkgs.heimdal) {
     systemd.services.kadmind = {
       description = "Kerberos Administration Daemon";
       wantedBy = [ "multi-user.target" ];

nixos/tests/all-tests.nix

@@ -223,7 +223,6 @@ in
   krb5 = discoverTests (import ./krb5 {});
   ksm = handleTest ./ksm.nix {};
   kubernetes = handleTestOn ["x86_64-linux"] ./kubernetes {};
-  latestKernel.hardened = handleTest ./hardened.nix { latestKernel = true; };
   latestKernel.login = handleTest ./login.nix { latestKernel = true; };
   leaps = handleTest ./leaps.nix {};
   libreddit = handleTest ./libreddit.nix {};

nixos/tests/atop.nix

@@ -105,8 +105,6 @@ let assertions = rec {
 };
 in
 {
-  name = "atop";
-
   justThePackage = makeTest {
     name = "atop-justThePackage";
     machine = {

nixos/tests/cntr.nix

@@ -9,7 +9,7 @@ let
     makeTest {
       name = "cntr-${backend}";
 
-      meta = { maintainers = with lib.maintainers; [ srk mic92 ]; };
+      meta = { maintainers = with lib.maintainers; [ sorki mic92 ]; };
 
       nodes = {
         ${backend} = { pkgs, ... }: {

nixos/tests/ec2.nix

@@ -24,6 +24,11 @@ let
           ln -s vda1 /dev/xvda1
         '';
 
+        # In a NixOS test the serial console is occupied by the "backdoor"
+        # (see testing/test-instrumentation.nix) and is incompatible with
+        # the configuration in virtualisation/amazon-image.nix.
+        systemd.services."serial-getty@ttyS0".enable = mkForce false;
+
         # Needed by nixos-rebuild due to the lack of network
         # access. Determined by trial and error.
         system.extraDependencies = with pkgs; ( [

nixos/tests/enlightenment.nix

@@ -11,8 +11,8 @@ import ./make-test-python.nix ({ pkgs, ...} :
     imports = [ ./common/user-account.nix ];
     services.xserver.enable = true;
     services.xserver.desktopManager.enlightenment.enable = true;
-    services.xserver.displayManager.lightdm = {
-      enable = true;
+    services.xserver.displayManager = {
+      lightdm.enable = true;
       autoLogin = {
         enable = true;
         user = "alice";

nixos/tests/hardened.nix

@@ -1,4 +1,4 @@
-import ./make-test-python.nix ({ pkgs, latestKernel ? false, ... } : {
+import ./make-test-python.nix ({ pkgs, ... } : {
   name = "hardened";
   meta = with pkgs.lib.maintainers; {
     maintainers = [ joachifm ];
@@ -10,8 +10,6 @@ import ./make-test-python.nix ({ pkgs, latestKernel ? false, ... } : {
     { users.users.alice = { isNormalUser = true; extraGroups = [ "proc" ]; };
       users.users.sybil = { isNormalUser = true; group = "wheel"; };
       imports = [ ../modules/profiles/hardened.nix ];
-      boot.kernelPackages =
-        lib.mkIf latestKernel pkgs.linuxPackages_latest_hardened;
       environment.memoryAllocator.provider = "graphene-hardened";
       nix.useSandbox = false;
       virtualisation.emptyDiskImages = [ 4096 ];

nixos/tests/kerberos/heimdal.nix

@@ -9,7 +9,7 @@ import ../make-test-python.nix ({pkgs, ...}: {
     };
     krb5 = {
       enable = true;
-      kerberos = pkgs.heimdalFull;
+      kerberos = pkgs.heimdal;
       libdefaults = {
         default_realm = "FOO.BAR";
       };

nixos/tests/meilisearch.nix

@@ -10,7 +10,7 @@ import ./make-test-python.nix ({ pkgs, lib, ... }:
     '';
   in {
     name = "meilisearch";
-    meta.maintainers = with lib.maintainers; [ filalex77 ];
+    meta.maintainers = with lib.maintainers; [ Br1ght0ne ];
 
     machine = { ... }: {
       environment.systemPackages = with pkgs; [ curl jq ];

nixos/tests/minio.nix

@@ -28,7 +28,10 @@ in {
     machine = { pkgs, ... }: {
       services.minio = {
         enable = true;
-        inherit accessKey secretKey;
+        rootCredentialsFile = pkgs.writeText "minio-credentials" ''
+          MINIO_ROOT_USER=${accessKey}
+          MINIO_ROOT_PASSWORD=${secretKey}
+        '';
       };
       environment.systemPackages = [ pkgs.minio-client ];
 

nixos/tests/mpv.nix

@@ -14,7 +14,7 @@ in
     {
       environment.systemPackages = [
         pkgs.curl
-        (pkgs.mpv-with-scripts.override {
+        (pkgs.wrapMpv pkgs.mpv-unwrapped {
           scripts = [ pkgs.mpvScripts.simple-mpv-webui ];
         })
       ];

nixos/tests/mysql/mariadb-galera-mariabackup.nix

@@ -4,6 +4,16 @@ let
   mysqlenv-common      = pkgs.buildEnv { name = "mysql-path-env-common";      pathsToLink = [ "/bin" ]; paths = with pkgs; [ bash gawk gnutar inetutils which ]; };
   mysqlenv-mariabackup = pkgs.buildEnv { name = "mysql-path-env-mariabackup"; pathsToLink = [ "/bin" ]; paths = with pkgs; [ gzip iproute2 netcat procps pv socat ]; };
 
+  # Common user configuration
+  users = { ... }:
+  {
+    users.users.testuser = {
+      isSystemUser = true;
+      group = "testusers";
+    };
+    users.groups.testusers = { };
+  };
+
 in {
   name = "mariadb-galera-mariabackup";
   meta = with pkgs.lib.maintainers; {
@@ -17,6 +27,7 @@ in {
     galera_01 =
       { pkgs, ... }:
       {
+      imports = [ users ];
       networking = {
         interfaces.eth1 = {
           ipv4.addresses = [
@@ -31,7 +42,6 @@ in {
         firewall.allowedTCPPorts = [ 3306 4444 4567 4568 ];
         firewall.allowedUDPPorts = [ 4567 ];
       };
-      users.users.testuser = { isSystemUser = true; };
       systemd.services.mysql = with pkgs; {
         path = [ mysqlenv-common mysqlenv-mariabackup ];
       };
@@ -75,6 +85,7 @@ in {
     galera_02 =
       { pkgs, ... }:
       {
+      imports = [ users ];
       networking = {
         interfaces.eth1 = {
           ipv4.addresses = [
@@ -89,7 +100,6 @@ in {
         firewall.allowedTCPPorts = [ 3306 4444 4567 4568 ];
         firewall.allowedUDPPorts = [ 4567 ];
       };
-      users.users.testuser = { isSystemUser = true; };
       systemd.services.mysql = with pkgs; {
         path = [ mysqlenv-common mysqlenv-mariabackup ];
       };
@@ -122,6 +132,7 @@ in {
     galera_03 =
       { pkgs, ... }:
       {
+      imports = [ users ];
       networking = {
         interfaces.eth1 = {
           ipv4.addresses = [
@@ -136,7 +147,6 @@ in {
         firewall.allowedTCPPorts = [ 3306 4444 4567 4568 ];
         firewall.allowedUDPPorts = [ 4567 ];
       };
-      users.users.testuser = { isSystemUser = true; };
       systemd.services.mysql = with pkgs; {
         path = [ mysqlenv-common mysqlenv-mariabackup ];
       };

nixos/tests/mysql/mariadb-galera-rsync.nix

@@ -4,6 +4,16 @@ let
   mysqlenv-common      = pkgs.buildEnv { name = "mysql-path-env-common";      pathsToLink = [ "/bin" ]; paths = with pkgs; [ bash gawk gnutar inetutils which ]; };
   mysqlenv-rsync       = pkgs.buildEnv { name = "mysql-path-env-rsync";       pathsToLink = [ "/bin" ]; paths = with pkgs; [ lsof procps rsync stunnel ]; };
 
+  # Common user configuration
+  users = { ... }:
+  {
+    users.users.testuser = {
+      isSystemUser = true;
+      group = "testusers";
+    };
+    users.groups.testusers = { };
+  };
+
 in {
   name = "mariadb-galera-rsync";
   meta = with pkgs.lib.maintainers; {
@@ -17,6 +27,7 @@ in {
     galera_04 =
       { pkgs, ... }:
       {
+      imports = [ users ];
       networking = {
         interfaces.eth1 = {
           ipv4.addresses = [
@@ -31,7 +42,6 @@ in {
         firewall.allowedTCPPorts = [ 3306 4444 4567 4568 ];
         firewall.allowedUDPPorts = [ 4567 ];
       };
-      users.users.testuser = { isSystemUser = true; };
       systemd.services.mysql = with pkgs; {
         path = [ mysqlenv-common mysqlenv-rsync ];
       };
@@ -70,6 +80,7 @@ in {
     galera_05 =
       { pkgs, ... }:
       {
+      imports = [ users ];
       networking = {
         interfaces.eth1 = {
           ipv4.addresses = [
@@ -84,7 +95,6 @@ in {
         firewall.allowedTCPPorts = [ 3306 4444 4567 4568 ];
         firewall.allowedUDPPorts = [ 4567 ];
       };
-      users.users.testuser = { isSystemUser = true; };
       systemd.services.mysql = with pkgs; {
         path = [ mysqlenv-common mysqlenv-rsync ];
       };
@@ -116,6 +126,7 @@ in {
     galera_06 =
       { pkgs, ... }:
       {
+      imports = [ users ];
       networking = {
         interfaces.eth1 = {
           ipv4.addresses = [
@@ -130,7 +141,6 @@ in {
         firewall.allowedTCPPorts = [ 3306 4444 4567 4568 ];
         firewall.allowedUDPPorts = [ 4567 ];
       };
-      users.users.testuser = { isSystemUser = true; };
       systemd.services.mysql = with pkgs; {
         path = [ mysqlenv-common mysqlenv-rsync ];
       };

nixos/tests/mysql/mysql.nix

@@ -1,4 +1,26 @@
-import ./../make-test-python.nix ({ pkgs, ...} : {
+import ./../make-test-python.nix ({ pkgs, ...}:
+
+
+let
+  # Setup common users
+  users = { ... }:
+  {
+    users.groups.testusers = { };
+
+    users.users.testuser = {
+      isSystemUser = true;
+      group = "testusers";
+    };
+
+    users.users.testuser2 = {
+      isSystemUser = true;
+      group = "testusers";
+    };
+  };
+
+in
+
+{
   name = "mysql";
   meta = with pkgs.lib.maintainers; {
     maintainers = [ eelco shlevy ];
@@ -9,8 +31,8 @@ import ./../make-test-python.nix ({ pkgs, ...} : {
       { pkgs, ... }:
 
       {
-        users.users.testuser = { isSystemUser = true; };
-        users.users.testuser2 = { isSystemUser = true; };
+        imports = [ users ];
+
         services.mysql.enable = true;
         services.mysql.initialDatabases = [
           { name = "testdb3"; schema = ./testdb.sql; }
@@ -40,12 +62,12 @@ import ./../make-test-python.nix ({ pkgs, ...} : {
       { pkgs, ... }:
 
       {
+        imports = [ users ];
+
         # prevent oom:
         # Kernel panic - not syncing: Out of memory: compulsory panic_on_oom is enabled
         virtualisation.memorySize = 1024;
 
-        users.users.testuser = { isSystemUser = true; };
-        users.users.testuser2 = { isSystemUser = true; };
         services.mysql.enable = true;
         services.mysql.initialDatabases = [
           { name = "testdb3"; schema = ./testdb.sql; }
@@ -75,8 +97,8 @@ import ./../make-test-python.nix ({ pkgs, ...} : {
       { pkgs, ... }:
 
       {
-        users.users.testuser = { isSystemUser = true; };
-        users.users.testuser2 = { isSystemUser = true; };
+        imports = [ users ];
+
         services.mysql.enable = true;
         services.mysql.initialScript = pkgs.writeText "mariadb-init.sql" ''
           ALTER USER root@localhost IDENTIFIED WITH unix_socket;

nixos/tests/postfixadmin.nix

@@ -1,6 +1,6 @@
 import ./make-test-python.nix ({ pkgs, ...} : {
   name = "postfixadmin";
-  meta = with pkgs.stdenv.lib.maintainers; {
+  meta = with pkgs.lib.maintainers; {
     maintainers = [ globin ];
   };
 

nixos/tests/prometheus-exporters.nix

@@ -555,7 +555,11 @@ let
             WorkingDirectory = "/var/spool/mail";
           };
         };
-        users.users.mailexporter.isSystemUser = true;
+        users.users.mailexporter = {
+          isSystemUser = true;
+          group = "mailexporter";
+        };
+        users.groups.mailexporter = {};
       };
       exporterTest = ''
         wait_for_unit("postfix.service")

nixos/tests/systemd-networkd-ipv6-prefix-delegation.nix

@@ -42,6 +42,8 @@ import ./make-test-python.nix ({pkgs, ...}: {
       # DO NOT COPY THIS TO PRODUCTION AS IS. Think about it at least twice.
       # Everyone on the "isp" machine will be able to add routes to the kernel.
       security.wrappers.add-dhcpd-lease = {
+        owner = "root";
+        group = "root";
         source = pkgs.writeShellScript "add-dhcpd-lease" ''
           exec ${pkgs.iproute2}/bin/ip -6 route replace "$1" via "$2"
         '';

nixos/tests/tigervnc.nix

@@ -6,7 +6,7 @@
 with import ../lib/testing-python.nix { inherit system pkgs; };
 makeTest {
   name = "tigervnc";
-  meta = with pkgs.stdenv.lib.maintainers; {
+  meta = with pkgs.lib.maintainers; {
     maintainers = [ lheckemann ];
   };
 

nixos/tests/wasabibackend.nix

@@ -14,7 +14,7 @@ import ./make-test-python.nix ({ pkgs, ... }: {
           port = 18332;
         };
       };
-      services.bitcoind = {
+      services.bitcoind."testnet" = {
         enable = true;
         testnet = true;
         rpc.users = {

pkgs/applications/blockchains/electrs/default.nix

@@ -2,24 +2,30 @@
 , rustPlatform
 , fetchFromGitHub
 , llvmPackages
+, rocksdb
 }:
 
 rustPlatform.buildRustPackage rec {
   pname = "electrs";
-  version = "0.8.11";
+  version = "0.8.12";
 
   src = fetchFromGitHub {
     owner = "romanz";
     repo = pname;
     rev = "v${version}";
-    sha256 = "024sdyvrx7s4inldamq4c8lv0iijjyd18j1mm9x6xf2clmvicaa6";
+    sha256 = "0kd5zki9f1pnwscnvd921dw0lc45nfkwk23l33nzdjn005lmsw7v";
   };
 
+  cargoSha256 = "1l8dwjwj21crxampzj5c0k98xnisgy3d9c3dkgf5vaybrcp04k85";
+
   # needed for librocksdb-sys
   nativeBuildInputs = [ llvmPackages.clang ];
   LIBCLANG_PATH = "${llvmPackages.libclang.lib}/lib";
 
-  cargoSha256 = "0yl50ryxidbs9wkabz919mgbmsgsqjp1bjw792l1lkgncq8z9r5b";
+  # link rocksdb dynamically
+  ROCKSDB_INCLUDE_DIR = "${rocksdb}/include";
+  ROCKSDB_LIB_DIR = "${rocksdb}/lib";
+  cargoBuildFlags = "--no-default-features";
 
   meta = with lib; {
     description = "An efficient re-implementation of Electrum Server in Rust";

pkgs/applications/blockchains/ledger-live-desktop/default.nix

@@ -2,12 +2,12 @@
 
 let
   pname = "ledger-live-desktop";
-  version = "2.32.2";
+  version = "2.33.1";
   name = "${pname}-${version}";
 
   src = fetchurl {
     url = "https://github.com/LedgerHQ/${pname}/releases/download/v${version}/${pname}-${version}-linux-x86_64.AppImage";
-    sha256 = "14agkl6xf0f9s5qldla6p6kzl8zlx61q5m8qy63lq215hrzh9d50";
+    sha256 = "1k1h37fbpsib9h8867m2dsfacdjs78gdm61gvrin5gpw1zj10syz";
   };
 
   appimageContents = appimageTools.extractType2 {

pkgs/applications/misc/wike/default.nix

@@ -14,13 +14,13 @@ let
   ]);
 in stdenv.mkDerivation rec {
   pname = "wike";
-  version = "1.5.6";
+  version = "1.5.7";
 
   src = fetchFromGitHub {
     owner = "hugolabe";
     repo = "Wike";
     rev = version;
-    sha256 = "1qnxzxqjj0sn522k15plskwa7nlhhbcipfc3w17fbq3k2zhpr1yy";
+    sha256 = "sha256-SB+ApuSovqQCaZYPhH+duf+c07JDSSCRz8hTVhEa4gY=";
   };
 
   nativeBuildInputs = [

pkgs/applications/networking/browsers/vieb/default.nix

@@ -2,13 +2,13 @@
 
 mkYarnPackage rec {
   pname = "vieb";
-  version = "6.0.0";
+  version = "6.1.0";
 
   src = fetchFromGitHub {
     owner = "Jelmerro";
     repo = pname;
     rev = version;
-    sha256 = "sha256-3mX6z/CRUQdyQxYK50yqCZIrhPgitsyus4oLkbPqNvM=";
+    sha256 = "sha256-MJJeHnwfXouBygRT/wFWFMRHxQVf/3k2c7vp/tkD5co=";
   };
 
   packageJSON = ./package.json;

pkgs/applications/networking/cluster/k3s/default.nix

@@ -45,10 +45,16 @@ with lib;
 let
   k3sVersion = "1.21.4+k3s1";     # k3s git tag
   k3sCommit = "3e250fdbab72d88f7e6aae57446023a0567ffc97"; # k3s git commit at the above version
+  k3sRepoSha256 = "1w7drvk0bmlmqrxh1y6dxjy7dk6bdrl72pkd25lc1ir6wbzb05h9";
 
   traefikChartVersion = "9.18.2"; # taken from ./scripts/download at TRAEFIK_VERSION
+  traefikChartSha256 = "sha256-9d7p0ngyMN27u4OPgz7yI14Zj9y36t9o/HMX5wyDpUI=";
+
   k3sRootVersion = "0.9.1";       # taken from ./scripts/download at ROOT_VERSION
+  k3sRootSha256 = "sha256-qI84KYJKY/T6pqWZW9lOTq5NzZiu//v1zrMzUCiRTGQ=";
+
   k3sCNIVersion = "0.8.6-k3s1";   # taken from ./scripts/version.sh at VERSION_CNIPLUGINS
+  k3sCNISha256 = "sha256-uAy17eRRAXPCcnh481KxFMvFQecnnBs24jn5YnVNfY4=";
 
   baseMeta = {
     description = "A lightweight Kubernetes distribution";
@@ -61,7 +67,7 @@ let
   # bundled into the k3s binary
   traefikChart = fetchurl {
     url = "https://helm.traefik.io/traefik/traefik-${traefikChartVersion}.tgz";
-    sha256 = "sha256-9d7p0ngyMN27u4OPgz7yI14Zj9y36t9o/HMX5wyDpUI=";
+    sha256 = traefikChartSha256;
   };
   # so, k3s is a complicated thing to package
   # This derivation attempts to avoid including any random binaries from the
@@ -75,7 +81,7 @@ let
   k3sRoot = fetchzip {
     # Note: marked as apache 2.0 license
     url = "https://github.com/k3s-io/k3s-root/releases/download/v${k3sRootVersion}/k3s-root-amd64.tar";
-    sha256 = "sha256-qI84KYJKY/T6pqWZW9lOTq5NzZiu//v1zrMzUCiRTGQ=";
+    sha256 = k3sRootSha256;
     stripRoot = false;
   };
   k3sPlugins = buildGoPackage rec {
@@ -89,7 +95,7 @@ let
       owner = "rancher";
       repo = "plugins";
       rev = "v${version}";
-      sha256 = "sha256-uAy17eRRAXPCcnh481KxFMvFQecnnBs24jn5YnVNfY4=";
+      sha256 = k3sCNISha256;
     };
 
     meta = baseMeta // {
@@ -101,7 +107,7 @@ let
   k3sRepo = fetchgit {
     url = "https://github.com/k3s-io/k3s";
     rev = "v${k3sVersion}";
-    sha256 = "1w7drvk0bmlmqrxh1y6dxjy7dk6bdrl72pkd25lc1ir6wbzb05h9";
+    sha256 = k3sRepoSha256;
   };
   # Stage 1 of the k3s build:
   # Let's talk about how k3s is structured.
@@ -280,5 +286,7 @@ stdenv.mkDerivation rec {
     $out/bin/k3s --version | grep v${k3sVersion} > /dev/null
   '';
 
+  passthru.updateScript = ./update.sh;
+
   meta = baseMeta;
 }

pkgs/applications/networking/cluster/k3s/update.sh

@@ -0,0 +1,62 @@
+#!/usr/bin/env nix-shell
+#!nix-shell -i bash -p curl gnugrep gnused jq
+
+set -eu -o pipefail
+
+WORKDIR=$(mktemp -d)
+trap "rm -rf ${WORKDIR}" EXIT
+
+cd $(dirname "${BASH_SOURCE[0]}")
+
+LATEST_TAG_RAWFILE=${WORKDIR}/latest_tag.json
+curl --silent ${GITHUB_TOKEN:+"-u \":$GITHUB_TOKEN\""} \
+    https://api.github.com/repos/k3s-io/k3s/releases/latest > ${LATEST_TAG_RAWFILE}
+
+LATEST_TAG_NAME=$(jq -r '.tag_name' ${LATEST_TAG_RAWFILE})
+
+K3S_VERSION=$(echo ${LATEST_TAG_NAME} | sed 's/^v//')
+
+LATEST_TAG_TARBALL_URL=$(jq -r '.tarball_url' ${LATEST_TAG_RAWFILE})
+
+K3S_COMMIT=$(curl --silent ${GITHUB_TOKEN:+"-u \":$GITHUB_TOKEN\""} \
+    https://api.github.com/repos/k3s-io/k3s/tags \
+    | jq -r "map(select(.name == \"${LATEST_TAG_NAME}\")) | .[0] | .commit.sha")
+
+K3S_REPO_SHA256=$(nix-prefetch-url --quiet --unpack ${LATEST_TAG_TARBALL_URL})
+
+FILE_SCRIPTS_DOWNLOAD=${WORKDIR}/scripts-download
+curl --silent https://raw.githubusercontent.com/k3s-io/k3s/${K3S_COMMIT}/scripts/download > $FILE_SCRIPTS_DOWNLOAD
+
+FILE_SCRIPTS_VERSION=${WORKDIR}/scripts-version.sh
+curl --silent https://raw.githubusercontent.com/k3s-io/k3s/${K3S_COMMIT}/scripts/version.sh > $FILE_SCRIPTS_VERSION
+
+TRAEFIK_CHART_VERSION=$(grep TRAEFIK_VERSION= $FILE_SCRIPTS_DOWNLOAD \
+    | cut -d'=' -f2 | cut -d' ' -f1)
+TRAEFIK_CHART_SHA256=$(nix-prefetch-url --quiet "https://helm.traefik.io/traefik/traefik-${TRAEFIK_CHART_VERSION}.tgz")
+
+K3S_ROOT_VERSION=$(grep ROOT_VERSION= $FILE_SCRIPTS_DOWNLOAD \
+    | cut -d'=' -f2 | cut -d' ' -f1 | sed 's/^v//')
+K3S_ROOT_SHA256=$(nix-prefetch-url --quiet --unpack \
+    "https://github.com/k3s-io/k3s-root/releases/download/v${K3S_ROOT_VERSION}/k3s-root-amd64.tar")
+
+CNIPLUGINS_VERSION=$(grep VERSION_CNIPLUGINS= $FILE_SCRIPTS_VERSION \
+    | cut -d'=' -f2 | cut -d' ' -f1 | sed -e 's/"//g' -e 's/^v//')
+CNIPLUGINS_SHA256=$(nix-prefetch-url --quiet --unpack \
+    "https://github.com/rancher/plugins/archive/refs/tags/v${CNIPLUGINS_VERSION}.tar.gz")
+
+setKV () {
+  sed -i "s/$1 = \".*\"/$1 = \"$2\"/" ./default.nix
+}
+
+setKV k3sVersion ${K3S_VERSION}
+setKV k3sCommit ${K3S_COMMIT}
+setKV k3sRepoSha256 ${K3S_REPO_SHA256}
+
+setKV traefikChartVersion ${TRAEFIK_CHART_VERSION}
+setKV traefikChartSha256 ${TRAEFIK_CHART_SHA256}
+
+setKV k3sRootVersion ${K3S_ROOT_VERSION}
+setKV k3sRootSha256 ${K3S_ROOT_SHA256}
+
+setKV k3sCNIVersion ${CNIPLUGINS_VERSION}
+setKV k3sCNISha256 ${CNIPLUGINS_SHA256}

pkgs/applications/office/super-productivity/default.nix

@@ -5,11 +5,11 @@ let
 in
 stdenv.mkDerivation rec {
   pname = "super-productivity";
-  version = "7.2.1";
+  version = "7.5.1";
 
   src = fetchurl {
     url = "https://github.com/johannesjo/super-productivity/releases/download/v${version}/superProductivity-${version}.AppImage";
-    sha256 = "93eeb56fe923c48a9384cde0633e98a9d9dc5c0869fce63b9724ff74bb400049";
+    sha256 = "sha256-ezJN/t0iNk0haMLPioEQSNXU4ugVeJe44GNVGd+cOF4=";
     name = "${pname}-${version}.AppImage";
   };
 

pkgs/applications/version-management/git-and-tools/git-machete/default.nix

@@ -1,6 +1,6 @@
 { lib, buildPythonApplication, fetchPypi
 , installShellFiles, pbr
-, flake8, mock, pycodestyle, pylint, tox
+, flake8, mock, pycodestyle, pylint, stestr, tox
 , nix-update-script
 , testVersion, git-machete
 }:
@@ -16,10 +16,7 @@ buildPythonApplication rec {
 
   nativeBuildInputs = [ installShellFiles pbr ];
 
-  # TODO: Add missing check inputs (2019-11-22):
-  # - stestr
-  doCheck = false;
-  checkInputs = [ flake8 mock pycodestyle pylint tox ];
+  checkInputs = [ flake8 mock pycodestyle pylint stestr tox ];
 
   postInstall = ''
       installShellCompletion --bash --name git-machete completion/git-machete.completion.bash
@@ -43,6 +40,6 @@ buildPythonApplication rec {
     description = "Git repository organizer and rebase/merge workflow automation tool";
     license = licenses.mit;
     platforms = platforms.all;
-    maintainers = [ maintainers.blitz ];
+    maintainers = with maintainers; [ blitz ];
   };
 }

pkgs/development/libraries/symengine/default.nix

@@ -9,13 +9,13 @@
 
 stdenv.mkDerivation rec {
   pname = "symengine";
-  version = "0.7.0";
+  version = "0.8.1";
 
   src = fetchFromGitHub {
     owner = "symengine";
     repo = "symengine";
     rev = "v${version}";
-    sha256 = "sha256-aoitTT9fwTIs3ovfqQjKGgrU+kT5mj+vDHt5lg49JHU=";
+    sha256 = "sha256-HTDOSgdWo9MWmKeXOkOHAJjgvihUAkSXoYTeMz9XXLI=";
   };
 
   nativeBuildInputs = [ cmake ];

pkgs/development/python-modules/cmd2/default.nix

@@ -68,6 +68,7 @@ buildPythonPackage rec {
   meta = with lib; {
     description = "Enhancements for standard library's cmd module";
     homepage = "https://github.com/python-cmd2/cmd2";
+    license = with licenses; [ mit ];
     maintainers = with maintainers; [ teto ];
   };
 }

pkgs/development/python-modules/maxcube-api/default.nix

@@ -0,0 +1,42 @@
+{ lib
+, buildPythonPackage
+, pythonOlder
+, fetchFromGitHub
+, python
+}:
+
+buildPythonPackage rec {
+  pname = "maxcube-api";
+  version = "0.4.3";
+  format = "setuptools";
+  disabled = pythonOlder "3.7";
+
+  src = fetchFromGitHub {
+    owner = "hackercowboy";
+    repo = "python-${pname}";
+    rev = "V${version}";
+    sha256 = "10k61gfpnqljf3p3qxr97xq7j67a9cr4ivd9v72hdni0znrbx6ym";
+  };
+
+  postPatch = ''
+    substituteInPlace setup.py --replace "license=license" "license='MIT'"
+  '';
+
+  pythonImportsCheck = [
+    "maxcube"
+    "maxcube.cube"
+  ];
+
+  checkPhase = ''
+    runHook preCheck
+    ${python.interpreter} -m unittest discover
+    runHook postCheck
+  '';
+
+  meta = with lib; {
+    description = "eQ-3/ELV MAX! Cube Python API";
+    homepage = "https://github.com/hackercowboy/python-maxcube-api";
+    license = licenses.mit;
+    maintainers = with maintainers; [ hexa ];
+  };
+}

pkgs/development/python-modules/notus-scanner/default.nix

@@ -0,0 +1,56 @@
+{ lib
+, buildPythonPackage
+, fetchFromGitHub
+, fetchpatch
+, paho-mqtt
+, poetry-core
+, psutil
+, pytestCheckHook
+, pythonOlder
+}:
+
+buildPythonPackage rec {
+  pname = "notus-scanner";
+  version = "unstable-2021-09-05";
+  format = "pyproject";
+
+  disabled = pythonOlder "3.7";
+
+  src = fetchFromGitHub {
+    owner = "greenbone";
+    repo = pname;
+    rev = "049f9a5e6439e4e5113e3b8f30b25ead12d42a56";
+    sha256 = "1fjxyn8wg2kf6xy3pbh7d7yn20dk529p03xpqyz7s40n9nsxhnza";
+  };
+
+  nativeBuildInputs = [
+    poetry-core
+  ];
+
+  propagatedBuildInputs = [
+    paho-mqtt
+    psutil
+  ];
+
+  checkInputs = [
+    pytestCheckHook
+  ];
+
+  patches = [
+    # Switch to poetry-core, https://github.com/greenbone/notus-scanner/pull/31
+    (fetchpatch {
+      name = "switch-to-poetry-core.patch";
+      url = "https://github.com/greenbone/notus-scanner/commit/b52eea317faca30d411096044f9e5ea20b58da65.patch";
+      sha256 = "0q11aslhva47kkpsnpayra7spa849j894vqv34pjqhcnlyipqw6d";
+    })
+  ];
+
+  pythonImportsCheck = [ "notus.scanner" ];
+
+  meta = with lib; {
+    description = "Helper to create results from local security checks";
+    homepage = "https://github.com/greenbone/notus-scanner";
+    license = with licenses; [ agpl3Plus ];
+    maintainers = with maintainers; [ fab ];
+  };
+}

pkgs/development/python-modules/pyspnego/default.nix

@@ -2,6 +2,9 @@
 , buildPythonPackage
 , cryptography
 , fetchFromGitHub
+, gssapi
+, krb5
+, ruamel-yaml
 , pytest-mock
 , pytestCheckHook
 , pythonOlder
@@ -10,18 +13,22 @@
 
 buildPythonPackage rec {
   pname = "pyspnego";
-  version = "0.1.6";
-  disabled = pythonOlder "3.6";
+  version = "0.2.0";
+
+  disabled = pythonOlder "3.7";
 
   src = fetchFromGitHub {
     owner = "jborean93";
     repo = pname;
     rev = "v${version}";
-    sha256 = "0pfh2x0539f0k2qi2pbjm64b2fqp64c63xxpinvg1yfaw915kgpb";
+    sha256 = "sha256-puv9aq53NbjSuN561XFou404N9pIxvvMjZMgnNx3SjM=";
   };
 
   propagatedBuildInputs = [
     cryptography
+    gssapi
+    krb5
+    ruamel-yaml
   ];
 
   checkInputs = [
@@ -30,6 +37,11 @@ buildPythonPackage rec {
     pytestCheckHook
   ];
 
+  disabledTests = [
+    # struct.error: unpack requires a buffer of 1 bytes
+    "test_credssp_invalid_client_authentication"
+  ];
+
   LC_ALL = "en_US.UTF-8";
 
   pythonImportsCheck = [ "spnego" ];

pkgs/development/python-modules/symengine/default.nix

@@ -11,18 +11,19 @@
 
 buildPythonPackage rec {
   pname = "symengine";
-  version = "0.7.2";
+  version = "0.8.1";
 
   src = fetchFromGitHub {
     owner = "symengine";
     repo = "symengine.py";
     rev = "v${version}";
-    sha256 = "1xaclpvk7m6mbp70zrsvi3blz4v89pbsf7b6rpmx5903m6kxqr4m";
+    sha256 = "0yyi3w03fk19i32jmns1baq3rpmf7xfykzkivc7dmnxmjmxvq2gr";
   };
 
   postConfigure = ''
     substituteInPlace setup.py \
-      --replace "\"cmake\"" "\"${cmake}/bin/cmake\""
+      --replace "\"cmake\"" "\"${cmake}/bin/cmake\"" \
+      --replace "'cython>=0.29.24'" "'cython'"
 
     substituteInPlace cmake/FindCython.cmake \
       --replace "SET(CYTHON_BIN cython" "SET(CYTHON_BIN ${cython}/bin/cython"

pkgs/development/tools/protoc-gen-twirp_php/default.nix

@@ -2,16 +2,16 @@
 
 buildGoModule rec {
   pname = "protoc-gen-twirp_php";
-  version = "0.7.1";
+  version = "0.7.5";
 
   # fetchFromGitHub currently not possible, because go.mod and go.sum are export-ignored
   src = fetchgit {
     url = "https://github.com/twirphp/twirp.git";
     rev = "v${version}";
-    sha256 = "sha256-94GN/Gq3RXXg83eUsmIcdF4VuK4syCgD0Zkc5eDiVYE=";
+    sha256 = "sha256-pHGGZaMBggBUu2CZCxWrZ592K5V93vPI2sZnFkqku2k=";
   };
 
-  vendorSha256 = "sha256-gz4JELCffuh7dyFdBex8/SFZ1/PDXuC/93m3WNHwRss=";
+  vendorSha256 = "sha256-p7t+2QgPkcTmsK+jKcPCPDCchNup9F326yKc6JbJHOE=";
 
   subPackages = [ "protoc-gen-twirp_php" ];
 

pkgs/development/tools/rust/cargo-watch/default.nix

@@ -2,16 +2,16 @@
 
 rustPlatform.buildRustPackage rec {
   pname = "cargo-watch";
-  version = "8.0.0";
+  version = "8.1.0";
 
   src = fetchFromGitHub {
     owner = "passcod";
     repo = pname;
     rev = "v${version}";
-    sha256 = "sha256-3IgzMUCkcKUkhTb/ZNRONdvB6Ci0OBB1dcjtc65U8xE=";
+    sha256 = "sha256-Vvr/O0Xk9hmUVUFoOk/MzTlEvR0Spx5n/9lsE2HfkF8=";
   };
 
-  cargoSha256 = "sha256-Xp/pxPKs41TXO/EUY5x8Bha7NUioMabbb73///fFr6U=";
+  cargoSha256 = "sha256-kX9CE95Z2nLb6VM19bu+UkOZ/hsjHUo/JMu0Y0xont0=";
 
   buildInputs = lib.optionals stdenv.isDarwin [ CoreServices Foundation libiconv ];
 

pkgs/os-specific/linux/kernel/linux-4.14.nix

@@ -3,7 +3,7 @@
 with lib;
 
 buildLinux (args // rec {
-  version = "4.14.246";
+  version = "4.14.247";
 
   # modDirVersion needs to be x.y.z, will automatically add .0 if needed
   modDirVersion = if (modDirVersionArg == null) then concatStringsSep "." (take 3 (splitVersion "${version}.0")) else modDirVersionArg;
@@ -13,6 +13,6 @@ buildLinux (args // rec {
 
   src = fetchurl {
     url = "mirror://kernel/linux/kernel/v4.x/linux-${version}.tar.xz";
-    sha256 = "0fpgig84shpas1jc0h4s3aw9brkcq1as84gjbk4bfhc48bpi4mlw";
+    sha256 = "1kdhlsqpmw68xnfiyx98id8wis6kkxca2d4n7w2ncax0kyzrwyz7";
   };
 } // (args.argsOverride or {}))

pkgs/os-specific/linux/kernel/linux-4.19.nix

@@ -3,7 +3,7 @@
 with lib;
 
 buildLinux (args // rec {
-  version = "4.19.206";
+  version = "4.19.207";
 
   # modDirVersion needs to be x.y.z, will automatically add .0 if needed
   modDirVersion = if (modDirVersionArg == null) then concatStringsSep "." (take 3 (splitVersion "${version}.0")) else modDirVersionArg;
@@ -13,6 +13,6 @@ buildLinux (args // rec {
 
   src = fetchurl {
     url = "mirror://kernel/linux/kernel/v4.x/linux-${version}.tar.xz";
-    sha256 = "1h44lvzxd0cngj71bk8qba9dz7jlqj68ir6xjwfafglb81ppgsxp";
+    sha256 = "1fb658n89xf9asnaqi0bnh64ir2f78bdqyjvfb983qad9wqsadym";
   };
 } // (args.argsOverride or {}))

pkgs/os-specific/linux/kernel/linux-4.4.nix

@@ -1,12 +1,12 @@
 { buildPackages, fetchurl, perl, buildLinux, nixosTests, stdenv, ... } @ args:
 
 buildLinux (args // rec {
-  version = "4.4.283";
+  version = "4.4.284";
   extraMeta.branch = "4.4";
   extraMeta.broken = stdenv.isAarch64;
 
   src = fetchurl {
     url = "mirror://kernel/linux/kernel/v4.x/linux-${version}.tar.xz";
-    sha256 = "1d9v4h4cbc4i371lhhwpxbmg88gna6xyi2ahfvv0clz60802y982";
+    sha256 = "00xkd2p181cfkys4nri93xy7snmn8g2481x3qz0js7g9p3kz5bqf";
   };
 } // (args.argsOverride or {}))

pkgs/os-specific/linux/kernel/linux-4.9.nix

@@ -1,12 +1,12 @@
 { buildPackages, fetchurl, perl, buildLinux, nixosTests, stdenv, ... } @ args:
 
 buildLinux (args // rec {
-  version = "4.9.282";
+  version = "4.9.283";
   extraMeta.branch = "4.9";
   extraMeta.broken = stdenv.isAarch64;
 
   src = fetchurl {
     url = "mirror://kernel/linux/kernel/v4.x/linux-${version}.tar.xz";
-    sha256 = "059fin4si93ya13xy831w84q496ksxidpd3kyw38918sfy4p6wk7";
+    sha256 = "0pdh1lyhdp5c5n39wpr622kgchgf30iqk853a2rv9m3s3fry50lm";
   };
 } // (args.argsOverride or {}))

pkgs/os-specific/linux/kernel/linux-5.10.nix

@@ -3,7 +3,7 @@
 with lib;
 
 buildLinux (args // rec {
-  version = "5.10.67";
+  version = "5.10.68";
 
   # modDirVersion needs to be x.y.z, will automatically add .0 if needed
   modDirVersion = if (modDirVersionArg == null) then concatStringsSep "." (take 3 (splitVersion "${version}.0")) else modDirVersionArg;
@@ -13,6 +13,6 @@ buildLinux (args // rec {
 
   src = fetchurl {
     url = "mirror://kernel/linux/kernel/v5.x/linux-${version}.tar.xz";
-    sha256 = "10lap66d84s1cfakbgfsbabgxm42060c4wcvpzxbi4r5g2m40mwc";
+    sha256 = "08cl4bg9k331apj5fjl3jx6s6l543dnbjc1cfvin951m7l787ahv";
   };
 } // (args.argsOverride or {}))

pkgs/os-specific/linux/kernel/linux-5.14.nix

@@ -3,7 +3,7 @@
 with lib;
 
 buildLinux (args // rec {
-  version = "5.14.6";
+  version = "5.14.7";
 
   # modDirVersion needs to be x.y.z, will automatically add .0 if needed
   modDirVersion = if (modDirVersionArg == null) then concatStringsSep "." (take 3 (splitVersion "${version}.0")) else modDirVersionArg;
@@ -13,6 +13,6 @@ buildLinux (args // rec {
 
   src = fetchurl {
     url = "mirror://kernel/linux/kernel/v5.x/linux-${version}.tar.xz";
-    sha256 = "1v6cicakpg0fdp74r2a4h46sj7rzpjdf4cscbr8y67kpd098r12l";
+    sha256 = "1avypasvic298823xzpzzkjbmfv9s8bjnmq92ri62qbakx23j9dg";
   };
 } // (args.argsOverride or { }))

pkgs/os-specific/linux/kernel/linux-5.4.nix

@@ -3,7 +3,7 @@
 with lib;
 
 buildLinux (args // rec {
-  version = "5.4.147";
+  version = "5.4.148";
 
   # modDirVersion needs to be x.y.z, will automatically add .0 if needed
   modDirVersion = if (modDirVersionArg == null) then concatStringsSep "." (take 3 (splitVersion "${version}.0")) else modDirVersionArg;
@@ -13,6 +13,6 @@ buildLinux (args // rec {
 
   src = fetchurl {
     url = "mirror://kernel/linux/kernel/v5.x/linux-${version}.tar.xz";
-    sha256 = "07242nlxf4s73ffdir3dsi37cjmm6bw9w7kac0j7x1s1j8sh9h7n";
+    sha256 = "1cwibh0y112hip5yd0n692rv44jh4sk2g6mj5n44g754k4i366a6";
   };
 } // (args.argsOverride or {}))

pkgs/servers/home-assistant/component-packages.nix

@@ -493,7 +493,7 @@
     "marytts" = ps: with ps; [ ]; # missing inputs: speak2mary
     "mastodon" = ps: with ps; [ mastodon-py ];
     "matrix" = ps: with ps; [ matrix-client ];
-    "maxcube" = ps: with ps; [ ]; # missing inputs: maxcube-api
+    "maxcube" = ps: with ps; [ maxcube-api ];
     "mazda" = ps: with ps; [ pymazda ];
     "mcp23017" = ps: with ps; [ ]; # missing inputs: RPi.GPIO adafruit-circuitpython-mcp230xx
     "media_extractor" = ps: with ps; [ aiohttp-cors youtube-dl-light ];

pkgs/servers/home-assistant/default.nix

@@ -486,6 +486,7 @@ in with py.pkgs; buildPythonApplication rec {
     "mailbox"
     "manual"
     "manual_mqtt"
+    "maxcube"
     "mazda"
     "media_player"
     "media_source"

pkgs/servers/nosql/redis/default.nix

@@ -1,6 +1,7 @@
 { lib, stdenv, fetchurl, lua, pkg-config, nixosTests
 , withSystemd ? stdenv.isLinux && !stdenv.hostPlatform.isMusl, systemd
-, tlsSupport ? true, openssl
+# dependency ordering is broken at the moment when building with openssl
+, tlsSupport ? !stdenv.hostPlatform.isStatic, openssl
 }:
 
 stdenv.mkDerivation rec {

pkgs/servers/sql/dolt/default.nix

@@ -2,18 +2,18 @@
 
 buildGoModule rec {
   pname = "dolt";
-  version = "0.27.4.2";
+  version = "0.28.4";
 
   src = fetchFromGitHub {
     owner = "liquidata-inc";
     repo = "dolt";
     rev = "v${version}";
-    sha256 = "sha256-nEIYt9yPDxPbJ/IHH8eQpVSNtC5pYiagCC5TliqX11M=";
+    sha256 = "sha256-J/4YEiSmoWhs+pnJN21CwNwpujZ1cldLmgwajBB+IRU=";
   };
 
   modRoot = "./go";
   subPackages = [ "cmd/dolt" "cmd/git-dolt" "cmd/git-dolt-smudge" ];
-  vendorSha256 = "sha256-XbKaPbPIgUxqJB8kgd3fJIESO9XvNREExdp06Th2bu0=";
+  vendorSha256 = "sha256-l3jRQ4Z7xku1nMfYfc6nJ3qF6A1maY0tRfZpHCtsujI=";
 
   doCheck = false;
 

pkgs/tools/graphics/svgbob/default.nix

@@ -2,15 +2,15 @@
 
 rustPlatform.buildRustPackage rec {
   pname = "svgbob";
-  version = "0.5.4";
+  version = "0.6.2";
 
   src = fetchCrate {
     inherit version;
     crateName = "svgbob_cli";
-    sha256 = "0qq7hkg32bqyw3vz3ibip7yrjg5m2ch9kdnwqrzaqqy9wb8d7154";
+    sha256 = "sha256-9JASoUN/VzZS8ihepTQL2SXZitxKBMSJEv+13vzQd3w=";
   };
 
-  cargoSha256 = "0p37qkgh1xpqmkr2p88njwhifpyqfh27qcwmmhwxdqcpzmmmkjhr";
+  cargoSha256 = "sha256-pkdiow+9gsQ9rrSHwukd17r5CfsaJgYj6KA4wYKbtA0=";
 
   meta = with lib; {
     description = "Convert your ascii diagram scribbles into happy little SVG";

pkgs/tools/misc/dust/default.nix

@@ -2,13 +2,13 @@
 
 rustPlatform.buildRustPackage rec {
   pname = "du-dust";
-  version = "0.6.2";
+  version = "0.7.5";
 
   src = fetchFromGitHub {
     owner = "bootandy";
     repo = "dust";
     rev = "v${version}";
-    sha256 = "sha256-5GhoL3by4sXhFJrNZi/UlERBa+s2oqDVVJODY0kdfxI=";
+    sha256 = "sha256-0r0cDzW18uF7DHvzkUCHHHN+2M21xdi2ffPwDGMtyw8=";
     # Remove unicode file names which leads to different checksums on HFS+
     # vs. other filesystems because of unicode normalisation.
     extraPostFetch = ''
@@ -16,7 +16,7 @@ rustPlatform.buildRustPackage rec {
     '';
   };
 
-  cargoSha256 = "sha256-cgH3jrZPGUHiBDeJ9qj80dU+Vbz+wHMOsCaGAvJY6mg=";
+  cargoSha256 = "sha256-LAow4DVqON5vrYBU8v8wzg/HcHxm1GqS9DMre3y12Jo=";
 
   doCheck = false;
 

pkgs/tools/misc/svtplay-dl/default.nix

@@ -9,13 +9,13 @@ let
 
 in stdenv.mkDerivation rec {
   pname = "svtplay-dl";
-  version = "4.3";
+  version = "4.5";
 
   src = fetchFromGitHub {
     owner = "spaam";
     repo = "svtplay-dl";
     rev = version;
-    sha256 = "04gmiqg6mq96fw4v1v6947i216fsf0vcnjp3ya8bbii5na91y1aa";
+    sha256 = "sha256-TiJWy5WU1VsseodfgfemAsUc5/hDwSlM03ITRYTvJbg=";
   };
 
   pythonPaths = [ cryptography pyyaml requests ];

pkgs/tools/security/kubescape/default.nix

@@ -5,16 +5,16 @@
 
 buildGoModule rec {
   pname = "kubescape";
-  version = "1.0.77";
+  version = "1.0.85";
 
   src = fetchFromGitHub {
     owner = "armosec";
     repo = pname;
     rev = "v${version}";
-    sha256 = "sha256-g2Mco4NuPVjS4/6KNhtb8864e7RiuzlrdIbM6NLJK7I=";
+    sha256 = "19r7dgr0y1k9qa4llxbgaf69j88vs9h2gx29bwbh6dq17q58sfdl";
   };
 
-  vendorSha256 = "sha256-FtglYTCLjQfDKxdnQZnpWm3QjJCiHGsPC/gW88DZu6I=";
+  vendorSha256 = "18mvv70g65pq1c7nn752j26d0vasx6cl2rqp5g1hg3cb61hjbn0n";
 
   # One test is failing, disabling for now
   doCheck = false;

pkgs/tools/system/java-service-wrapper/default.nix

@@ -5,11 +5,11 @@
 
 stdenv.mkDerivation rec {
   pname = "java-service-wrapper";
-  version = "3.5.45";
+  version = "3.5.46";
 
   src = fetchurl {
     url = "https://wrapper.tanukisoftware.com/download/${version}/wrapper_${version}_src.tar.gz";
-    sha256 = "sha256-rnlloa0DicWT1RlP2szDvBINvT5/RZ17GOarUzvX1AI=";
+    sha256 = "sha256-guHQyFSI0TidAuOr4zWaf3WRGeNW4+Or1sbWdhWuWtg=";
   };
 
   buildInputs = [ jdk ];

pkgs/tools/typesetting/sile/default.nix

@@ -38,11 +38,11 @@ in
 
 stdenv.mkDerivation rec {
   pname = "sile";
-  version = "0.11.1";
+  version = "0.12.0";
 
   src = fetchurl {
     url = "https://github.com/sile-typesetter/sile/releases/download/v${version}/${pname}-${version}.tar.xz";
-    sha256 = "06bx94zx6skhizk2bbrid82sldwgxfycvjh6zx1zy1xz8gajgrm3";
+    sha256 = "1rkdzf4khyvsn5qg455mdhnlacxlqgi9vchy369a66qp5nrs50y9";
   };
 
   configureFlags = [

pkgs/top-level/all-packages.nix

@@ -30491,6 +30491,8 @@ with pkgs;
 
   nota = haskellPackages.callPackage ../applications/science/math/nota { };
 
+  notus-scanner = with python3Packages; toPythonApplication notus-scanner;
+
   openblas = callPackage ../development/libraries/science/math/openblas { };
 
   # A version of OpenBLAS using 32-bit integers on all platforms for compatibility with

pkgs/top-level/python-packages.nix

@@ -4492,6 +4492,8 @@ in {
 
   mautrix-appservice = self.mautrix; # alias 2019-12-28
 
+  maxcube-api = callPackage ../development/python-modules/maxcube-api { };
+
   maxminddb = callPackage ../development/python-modules/maxminddb { };
 
   maya = callPackage ../development/python-modules/maya { };
@@ -5004,6 +5006,8 @@ in {
 
   nototools = callPackage ../data/fonts/noto-fonts/tools.nix { };
 
+  notus-scanner = callPackage ../development/python-modules/notus-scanner { };
+
   nplusone = callPackage ../development/python-modules/nplusone { };
 
   npyscreen = callPackage ../development/python-modules/npyscreen { };