Merge master into staging-next

maintainers/maintainer-list.nix

@@ -11007,6 +11007,12 @@
     githubId = 3300322;
     name = "Mitchell Fossen";
   };
+  mfrw = {
+    email = "falakreyaz@gmail.com";
+    github = "mfrw";
+    githubId = 4929861;
+    name = "Muhammad Falak R Wani";
+  };
   mgdelacroix = {
     email = "mgdelacroix@gmail.com";
     github = "mgdelacroix";

nixos/modules/security/wrappers/default.nix

@@ -5,8 +5,8 @@ let
 
   parentWrapperDir = dirOf wrapperDir;
 
-  securityWrapper = pkgs.callPackage ./wrapper.nix {
-    inherit parentWrapperDir;
+  securityWrapper = sourceProg : pkgs.callPackage ./wrapper.nix {
+    inherit sourceProg;
   };
 
   fileModeType =
@@ -91,8 +91,7 @@ let
     , ...
     }:
     ''
-      cp ${securityWrapper}/bin/security-wrapper "$wrapperDir/${program}"
-      echo -n "${source}" > "$wrapperDir/${program}.real"
+      cp ${securityWrapper source}/bin/security-wrapper "$wrapperDir/${program}"
 
       # Prevent races
       chmod 0000 "$wrapperDir/${program}"
@@ -119,8 +118,7 @@ let
     , ...
     }:
     ''
-      cp ${securityWrapper}/bin/security-wrapper "$wrapperDir/${program}"
-      echo -n "${source}" > "$wrapperDir/${program}.real"
+      cp ${securityWrapper source}/bin/security-wrapper "$wrapperDir/${program}"
 
       # Prevent races
       chmod 0000 "$wrapperDir/${program}"

nixos/modules/security/wrappers/wrapper.c

@@ -17,6 +17,10 @@
 #include <syscall.h>
 #include <byteswap.h>
 
+#ifndef SOURCE_PROG
+#error SOURCE_PROG should be defined via preprocessor commandline
+#endif
+
 // aborts when false, printing the failed expression
 #define ASSERT(expr) ((expr) ? (void) 0 : assert_failure(#expr))
 // aborts when returns non-zero, printing the failed expression and errno
@@ -24,10 +28,6 @@
 
 extern char **environ;
 
-// The WRAPPER_DIR macro is supplied at compile time so that it cannot
-// be changed at runtime
-static char *wrapper_dir = WRAPPER_DIR;
-
 // Wrapper debug variable name
 static char *wrapper_debug = "WRAPPER_DEBUG";
 
@@ -151,115 +151,20 @@ static int make_caps_ambient(const char *self_path) {
     return 0;
 }
 
-int readlink_malloc(const char *p, char **ret) {
-    size_t l = FILENAME_MAX+1;
-    int r;
-
-    for (;;) {
-        char *c = calloc(l, sizeof(char));
-        if (!c) {
-            return -ENOMEM;
-        }
-
-        ssize_t n = readlink(p, c, l-1);
-        if (n < 0) {
-            r = -errno;
-            free(c);
-            return r;
-        }
-
-        if ((size_t) n < l-1) {
-            c[n] = 0;
-            *ret = c;
-            return 0;
-        }
-
-        free(c);
-        l *= 2;
-    }
-}
-
 int main(int argc, char **argv) {
     ASSERT(argc >= 1);
-    char *self_path = NULL;
-    int self_path_size = readlink_malloc("/proc/self/exe", &self_path);
-    if (self_path_size < 0) {
-        fprintf(stderr, "cannot readlink /proc/self/exe: %s", strerror(-self_path_size));
-    }
-
-    unsigned int ruid, euid, suid, rgid, egid, sgid;
-    MUSTSUCCEED(getresuid(&ruid, &euid, &suid));
-    MUSTSUCCEED(getresgid(&rgid, &egid, &sgid));
-
-    // If true, then we did not benefit from setuid privilege escalation,
-    // where the original uid is still in ruid and different from euid == suid.
-    int didnt_suid = (ruid == euid) && (euid == suid);
-    // If true, then we did not benefit from setgid privilege escalation
-    int didnt_sgid = (rgid == egid) && (egid == sgid);
-
-
-    // Make sure that we are being executed from the right location,
-    // i.e., `safe_wrapper_dir'.  This is to prevent someone from creating
-    // hard link `X' from some other location, along with a false
-    // `X.real' file, to allow arbitrary programs from being executed
-    // with elevated capabilities.
-    int len = strlen(wrapper_dir);
-    if (len > 0 && '/' == wrapper_dir[len - 1])
-      --len;
-    ASSERT(!strncmp(self_path, wrapper_dir, len));
-    ASSERT('/' == wrapper_dir[0]);
-    ASSERT('/' == self_path[len]);
-
-    // If we got privileges with the fs set[ug]id bit, check that the privilege we
-    // got matches the one one we expected, ie that our effective uid/gid
-    // matches the uid/gid of `self_path`. This ensures that we were executed as
-    // `self_path', and not, say, as some other setuid program.
-    // We don't check that if we did not benefit from the set[ug]id bit, as
-    // can be the case in nosuid mounts or user namespaces.
-    struct stat st;
-    ASSERT(lstat(self_path, &st) != -1);
-
-    // if the wrapper gained privilege with suid, check that we got the uid of the file owner
-    ASSERT(!((st.st_mode & S_ISUID) && !didnt_suid) || (st.st_uid == euid));
-    // if the wrapper gained privilege with sgid, check that we got the gid of the file group
-    ASSERT(!((st.st_mode & S_ISGID) && !didnt_sgid) || (st.st_gid == egid));
-    // same, but with suid instead of euid
-    ASSERT(!((st.st_mode & S_ISUID) && !didnt_suid) || (st.st_uid == suid));
-    ASSERT(!((st.st_mode & S_ISGID) && !didnt_sgid) || (st.st_gid == sgid));
-
-    // And, of course, we shouldn't be writable.
-    ASSERT(!(st.st_mode & (S_IWGRP | S_IWOTH)));
-
-    // Read the path of the real (wrapped) program from <self>.real.
-    char real_fn[PATH_MAX + 10];
-    int real_fn_size = snprintf(real_fn, sizeof(real_fn), "%s.real", self_path);
-    ASSERT(real_fn_size < sizeof(real_fn));
-
-    int fd_self = open(real_fn, O_RDONLY);
-    ASSERT(fd_self != -1);
-
-    char source_prog[PATH_MAX];
-    len = read(fd_self, source_prog, PATH_MAX);
-    ASSERT(len != -1);
-    ASSERT(len < sizeof(source_prog));
-    ASSERT(len > 0);
-    source_prog[len] = 0;
-
-    close(fd_self);
 
     // Read the capabilities set on the wrapper and raise them in to
     // the ambient set so the program we're wrapping receives the
     // capabilities too!
-    if (make_caps_ambient(self_path) != 0) {
-        free(self_path);
+    if (make_caps_ambient("/proc/self/exe") != 0) {
         return 1;
     }
-    free(self_path);
 
-    execve(source_prog, argv, environ);
+    execve(SOURCE_PROG, argv, environ);
     
     fprintf(stderr, "%s: cannot run `%s': %s\n",
-        argv[0], source_prog, strerror(errno));
+        argv[0], SOURCE_PROG, strerror(errno));
 
     return 1;
 }

nixos/modules/security/wrappers/wrapper.nix

@@ -1,4 +1,4 @@
-{ stdenv, linuxHeaders, parentWrapperDir, debug ? false }:
+{ stdenv, linuxHeaders, sourceProg, debug ? false }:
 # For testing:
 # $ nix-build -E 'with import <nixpkgs> {}; pkgs.callPackage ./wrapper.nix { parentWrapperDir = "/run/wrappers"; debug = true; }'
 stdenv.mkDerivation {
@@ -7,7 +7,7 @@ stdenv.mkDerivation {
   dontUnpack = true;
   hardeningEnable = [ "pie" ];
   CFLAGS = [
-    ''-DWRAPPER_DIR="${parentWrapperDir}"''
+    ''-DSOURCE_PROG="${sourceProg}"''
   ] ++ (if debug then [
     "-Werror" "-Og" "-g"
   ] else [

nixos/modules/services/networking/tailscale.nix

@@ -6,7 +6,7 @@ let
   cfg = config.services.tailscale;
   isNetworkd = config.networking.useNetworkd;
 in {
-  meta.maintainers = with maintainers; [ danderson mbaillie twitchyliquid64 ];
+  meta.maintainers = with maintainers; [ danderson mbaillie twitchyliquid64 mfrw ];
 
   options.services.tailscale = {
     enable = mkEnableOption (lib.mdDoc "Tailscale client daemon");

nixos/modules/services/networking/twingate.nix

@@ -17,7 +17,7 @@ in
     };
 
     networking.firewall.checkReversePath = lib.mkDefault "loose";
-    services.resolved.enable = !(config.networking.networkmanager.enable);
+    services.resolved.enable = lib.mkIf (!config.networking.networkmanager.enable) true;
 
     environment.systemPackages = [ cfg.package ]; # For the CLI.
   };

nixos/modules/services/web-servers/caddy/default.nix

@@ -24,21 +24,26 @@ let
         }
       '';
 
-  configFile =
-    let
-      Caddyfile = pkgs.writeTextDir "Caddyfile" ''
-        {
-          ${cfg.globalConfig}
-        }
-        ${cfg.extraConfig}
-      '';
+  settingsFormat = pkgs.formats.json { };
 
-      Caddyfile-formatted = pkgs.runCommand "Caddyfile-formatted" { nativeBuildInputs = [ cfg.package ]; } ''
-        mkdir -p $out
-        cp --no-preserve=mode ${Caddyfile}/Caddyfile $out/Caddyfile
-        caddy fmt --overwrite $out/Caddyfile
-      '';
-    in
+  configFile =
+    if cfg.settings != { } then
+      settingsFormat.generate "caddy.json" cfg.settings
+    else
+      let
+        Caddyfile = pkgs.writeTextDir "Caddyfile" ''
+          {
+            ${cfg.globalConfig}
+          }
+          ${cfg.extraConfig}
+        '';
+
+        Caddyfile-formatted = pkgs.runCommand "Caddyfile-formatted" { nativeBuildInputs = [ cfg.package ]; } ''
+          mkdir -p $out
+          cp --no-preserve=mode ${Caddyfile}/Caddyfile $out/Caddyfile
+          caddy fmt --overwrite $out/Caddyfile
+        '';
+      in
       "${if pkgs.stdenv.buildPlatform == pkgs.stdenv.hostPlatform then Caddyfile-formatted else Caddyfile}/Caddyfile";
 
   etcConfigFile = "caddy/caddy_config";
@@ -299,6 +304,27 @@ in
         which could delay the reload essentially indefinitely.
       '';
     };
+
+    settings = mkOption {
+      type = settingsFormat.type;
+      default = {};
+      description = lib.mdDoc ''
+        Structured configuration for Caddy to generate a Caddy JSON configuration file.
+        See <https://caddyserver.com/docs/json/> for available options.
+
+        ::: {.warning}
+        Using a [Caddyfile](https://caddyserver.com/docs/caddyfile) instead of a JSON config is highly recommended by upstream.
+        There are only very few exception to this.
+
+        Please use a Caddyfile via {option}`services.caddy.configFile`, {option}`services.caddy.virtualHosts` or
+        {option}`services.caddy.extraConfig` with {option}`services.caddy.globalConfig` instead.
+        :::
+
+        ::: {.note}
+        Takes presence over most `services.caddy.*` options, such as {option}`services.caddy.configFile` and {option}`services.caddy.virtualHosts`, if specified.
+        :::
+      '';
+    };
   };
 
   # implementation

nixos/tests/caddy.nix

@@ -34,6 +34,20 @@ import ./make-test-python.nix ({ pkgs, ... }: {
           "http://localhost:8081" = { };
         };
       };
+      specialisation.rfc42.configuration = {
+        services.caddy.settings = {
+          apps.http.servers.default = {
+            listen = [ ":80" ];
+            routes = [{
+              handle = [{
+                body = "hello world";
+                handler = "static_response";
+                status_code = 200;
+              }];
+            }];
+          };
+        };
+      };
     };
   };
 
@@ -41,6 +55,7 @@ import ./make-test-python.nix ({ pkgs, ... }: {
     let
       justReloadSystem = "${nodes.webserver.system.build.toplevel}/specialisation/config-reload";
       multipleConfigs = "${nodes.webserver.system.build.toplevel}/specialisation/multiple-configs";
+      rfc42Config = "${nodes.webserver.system.build.toplevel}/specialisation/rfc42";
     in
     ''
       url = "http://localhost/example.html"
@@ -62,5 +77,12 @@ import ./make-test-python.nix ({ pkgs, ... }: {
           )
           webserver.wait_for_open_port(8080)
           webserver.wait_for_open_port(8081)
+
+      with subtest("rfc42 settings config"):
+          webserver.succeed(
+              "${rfc42Config}/bin/switch-to-configuration test >&2"
+          )
+          webserver.wait_for_open_port(80)
+          webserver.succeed("curl http://localhost | grep hello")
     '';
 })

nixos/tests/virtualbox.nix

@@ -519,4 +519,4 @@ in mapAttrs (mkVBoxTest false vboxVMs) {
     destroy_vm_test1()
     destroy_vm_test2()
   '';
-} // (lib.optionalAttrs enableUnfree unfreeTests)
+} // (optionalAttrs enableUnfree unfreeTests)

nixos/tests/wrappers.nix

@@ -84,6 +84,17 @@ in
       test_as_regular_in_userns_mapped_as_root('/run/wrappers/bin/sgid_root_busybox id -g', '0')
       test_as_regular_in_userns_mapped_as_root('/run/wrappers/bin/sgid_root_busybox id -rg', '0')
 
+      # Test that in nonewprivs environment the wrappers simply exec their target.
+      test_as_regular('${pkgs.util-linux}/bin/setpriv --no-new-privs /run/wrappers/bin/suid_root_busybox id -u', '${toString userUid}')
+      test_as_regular('${pkgs.util-linux}/bin/setpriv --no-new-privs /run/wrappers/bin/suid_root_busybox id -ru', '${toString userUid}')
+      test_as_regular('${pkgs.util-linux}/bin/setpriv --no-new-privs /run/wrappers/bin/suid_root_busybox id -g', '${toString usersGid}')
+      test_as_regular('${pkgs.util-linux}/bin/setpriv --no-new-privs /run/wrappers/bin/suid_root_busybox id -rg', '${toString usersGid}')
+
+      test_as_regular('${pkgs.util-linux}/bin/setpriv --no-new-privs /run/wrappers/bin/sgid_root_busybox id -u', '${toString userUid}')
+      test_as_regular('${pkgs.util-linux}/bin/setpriv --no-new-privs /run/wrappers/bin/sgid_root_busybox id -ru', '${toString userUid}')
+      test_as_regular('${pkgs.util-linux}/bin/setpriv --no-new-privs /run/wrappers/bin/sgid_root_busybox id -g', '${toString usersGid}')
+      test_as_regular('${pkgs.util-linux}/bin/setpriv --no-new-privs /run/wrappers/bin/sgid_root_busybox id -rg', '${toString usersGid}')
+
       # We are only testing the permitted set, because it's easiest to look at with capsh.
       machine.fail(cmd_as_regular('${pkgs.libcap}/bin/capsh --has-p=CAP_CHOWN'))
       machine.fail(cmd_as_regular('${pkgs.libcap}/bin/capsh --has-p=CAP_SYS_ADMIN'))

pkgs/applications/audio/sublime-music/default.nix

@@ -27,6 +27,17 @@ let
           hash = "sha256-IWTo/P9JRxBQlhtcH3JMJZZrwAA8EALF4dtHajWUc4w=";
         };
       });
+
+      dataclasses-json = super.dataclasses-json.overridePythonAttrs (oldAttrs: rec {
+        version = "0.5.7";
+        src = fetchFromGitHub {
+          owner = "lidatong";
+          repo = "dataclasses-json";
+          rev = "refs/tags/v${version}";
+          hash = "sha256-0tw5Lz+c4ymO+AGpG6THbiALWGBrehC84+yWWk1eafc=";
+        };
+        nativeBuildInputs = [ python3.pkgs.setuptools ];
+      });
     };
   };
 in

pkgs/applications/file-managers/browsr/default.nix

@@ -50,6 +50,7 @@ python3.pkgs.buildPythonApplication rec {
 
   pythonRelaxDeps = [
     "art"
+    "pandas"
     "pymupdf"
     "rich-click"
     "textual"
@@ -70,6 +71,5 @@ python3.pkgs.buildPythonApplication rec {
     changelog = "https://github.com/juftin/browsr/releases/tag/${src.rev}";
     license = licenses.mit;
     maintainers = with maintainers; [ figsoda ];
-    broken = versionAtLeast python3.pkgs.pandas.version "2" || versionAtLeast python3.pkgs.pillow.version "10";
   };
 }

pkgs/applications/file-managers/llama/default.nix

@@ -1,22 +0,0 @@
-{ buildGoModule, fetchFromGitHub, lib }:
-
-buildGoModule rec {
-  pname = "llama";
-  version = "1.4.0";
-
-  src = fetchFromGitHub {
-    owner = "antonmedv";
-    repo = "llama";
-    rev = "v${version}";
-    sha256 = "sha256-mJUxi2gqTMcodznCUDb2iB6j/p7bMUhhBLtZMbvfE1c=";
-  };
-
-  vendorHash = "sha256-nngto104p/qJpWM1NlmEqcrJThXSeCfcoXCzV1CClYQ=";
-
-  meta = with lib; {
-    description = "Terminal file manager";
-    homepage = "https://github.com/antonmedv/llama";
-    license = licenses.mit;
-    maintainers = with maintainers; [ portothree ];
-  };
-}

pkgs/applications/file-managers/walk/default.nix

@@ -0,0 +1,23 @@
+{ buildGoModule, fetchFromGitHub, lib }:
+
+buildGoModule rec {
+  pname = "walk";
+  version = "1.5.2";
+
+  src = fetchFromGitHub {
+    owner = "antonmedv";
+    repo = "walk";
+    rev = "v${version}";
+    hash = "sha256-lcXNGmDCXq73gAWFKHHsIb578b1EhznYaGC0myFQym8=";
+  };
+
+  vendorHash = "sha256-EYwfoTVcgV12xF/cv9O6QgXq9Gtc9qK9EmZNjXS4kC8=";
+
+  meta = with lib; {
+    description = "Terminal file manager";
+    homepage = "https://github.com/antonmedv/walk";
+    license = licenses.mit;
+    maintainers = with maintainers; [ portothree surfaceflinger ];
+    mainProgram = "walk";
+  };
+}

pkgs/applications/misc/xmrig/default.nix

@@ -59,6 +59,9 @@ stdenv.mkDerivation rec {
     runHook postInstall
   '';
 
+  # https://github.com/NixOS/nixpkgs/issues/245534
+  hardeningDisable = [ "fortify" ];
+
   meta = with lib; {
     description = "Monero (XMR) CPU miner";
     homepage = "https://github.com/xmrig/xmrig";

pkgs/applications/networking/instant-messengers/matrix-commander/default.nix

@@ -12,17 +12,18 @@
 , dbus-python
 , pyxdg
 , python-olm
+, emoji
 }:
 
 buildPythonApplication rec {
   pname = "matrix-commander";
-  version = "6.0.1";
+  version = "7.2.0";
 
   src = fetchFromGitHub {
     owner = "8go";
     repo = "matrix-commander";
     rev = "v${version}";
-    sha256 = "sha256-NSoMGUQjy4TQXdzZcQfO2rUQDsuSzQnoGDpqFiLQHVQ=";
+    hash = "sha256-qL6ARkAWu0FEuYK2e9Z9hMSfK4TW0kGgoIFUfJ8Dgwk=";
   };
 
   format = "pyproject";
@@ -49,6 +50,7 @@ buildPythonApplication rec {
     dbus-python
     pyxdg
     python-olm
+    emoji
   ] ++ matrix-nio.optional-dependencies.e2e;
 
   meta = with lib; {

pkgs/applications/virtualization/qemu/default.nix

@@ -37,6 +37,7 @@
 , nixosTestRunner ? false
 , doCheck ? false
 , qemu  # for passthru.tests
+, gitUpdater
 }:
 
 let
@@ -48,11 +49,11 @@ stdenv.mkDerivation rec {
     + lib.optionalString xenSupport "-xen"
     + lib.optionalString hostCpuOnly "-host-cpu-only"
     + lib.optionalString nixosTestRunner "-for-vm-tests";
-  version = "8.0.3";
+  version = "8.0.4";
 
   src = fetchurl {
     url = "https://download.qemu.org/qemu-${version}.tar.xz";
-    hash = "sha256-7PTTLL7505e/yMxQ5NHpKhswJTvzLo7nPHqNz5ojKwk=";
+    hash = "sha256-gcgX3aOK+Vi+W+8abPVbZYuy0/uHwealcd5reyxEUWw=";
   };
 
   depsBuildBuild = [ buildPackages.stdenv.cc ]
@@ -249,6 +250,12 @@ stdenv.mkDerivation rec {
     tests = {
       qemu-tests = qemu.override { doCheck = true; };
     };
+    updateScript = gitUpdater {
+      # No nicer place to find latest release.
+      url = "https://gitlab.com/qemu-project/qemu.git";
+      rev-prefix = "v";
+      ignoredVersions = "(alpha|beta|rc).*";
+    };
   };
 
   # Builds in ~3h with 2 cores, and ~20m with a big-parallel builder.

pkgs/data/fonts/sketchybar-app-font/default.nix

@@ -5,11 +5,11 @@
 
 stdenvNoCC.mkDerivation (finalAttrs: {
   pname = "sketchybar-app-font";
-  version = "1.0.13";
+  version = "1.0.14";
 
   src = fetchurl {
     url = "https://github.com/kvndrsslr/sketchybar-app-font/releases/download/v${finalAttrs.version}/sketchybar-app-font.ttf";
-    hash = "sha256-vlvSrN6yxabKnzPmqI9VNkOdR3yLa1QUieZjOOW6w3c=";
+    hash = "sha256-GPxNMlG6a7newSXorh2RULZ5XHYFmQbcB46C0RytTTU=";
   };
 
   dontUnpack = true;

pkgs/development/compilers/gnat-bootstrap/default.nix

@@ -5,17 +5,22 @@
 
 let
   throwUnsupportedSystem = throw "Unsupported system: ${stdenv.hostPlatform.system}";
-
-  versionMap = rec {
+in
+stdenv.mkDerivation(finalAttrs:
+  let versionMap =
+    let url = "https://github.com/alire-project/GNAT-FSF-builds/releases/download/gnat-${finalAttrs.version}/gnat-${stdenv.hostPlatform.system}-${finalAttrs.version}.tar.gz";
+    in {
     "11" = {
       gccVersion = "11.2.0";
       alireRevision = "4";
     } // {
       x86_64-darwin = {
+        inherit url;
         hash = "sha256-FmBgD20PPQlX/ddhJliCTb/PRmKxe9z7TFPa2/SK4GY=";
         upstreamTriplet = "x86_64-apple-darwin19.6.0";
       };
       x86_64-linux = {
+        inherit url;
         hash = "sha256-8fMBJp6igH+Md5jE4LMubDmC4GLt4A+bZG/Xcz2LAJQ=";
         upstreamTriplet = "x86_64-pc-linux-gnu";
       };
@@ -25,27 +30,26 @@ let
       alireRevision = "2";
     } // {
       x86_64-darwin = {
+        inherit url;
         hash = "sha256-zrcVFvFZMlGUtkG0p1wST6kGInRI64Icdsvkcf25yVs=";
         upstreamTriplet = "x86_64-apple-darwin19.6.0";
       };
       x86_64-linux = {
+        inherit url;
         hash = "sha256-EPDPOOjWJnJsUM7GGxj20/PXumjfLoMIEFX1EDtvWVY=";
         upstreamTriplet = "x86_64-pc-linux-gnu";
       };
     }.${stdenv.hostPlatform.system} or throwUnsupportedSystem;
   };
-
-in with versionMap.${majorVersion};
-
-stdenv.mkDerivation rec {
+  inherit (versionMap.${majorVersion}) gccVersion alireRevision upstreamTriplet;
+in {
   pname = "gnat-bootstrap";
-  inherit gccVersion alireRevision;
+  inherit (versionMap.${majorVersion}) gccVersion alireRevision;
 
-  version = "${gccVersion}-${alireRevision}";
+  version = "${gccVersion}${lib.optionalString (alireRevision!="") "-"}${alireRevision}";
 
   src = fetchzip {
-    url = "https://github.com/alire-project/GNAT-FSF-builds/releases/download/gnat-${version}/gnat-${stdenv.hostPlatform.system}-${version}.tar.gz";
-    inherit hash;
+    inherit (versionMap.${majorVersion}) url hash;
   };
 
   nativeBuildInputs = [
@@ -142,4 +146,4 @@ stdenv.mkDerivation rec {
     platforms = [ "x86_64-linux" "x86_64-darwin" ];
     sourceProvenance = with lib.sourceTypes; [ binaryNativeCode ];
   };
-}
+})

pkgs/development/libraries/glfw/3.x-wayland-minecraft.nix

@@ -0,0 +1,55 @@
+{ stdenv, lib, fetchFromGitHub, fetchpatch2, cmake, extra-cmake-modules
+, libGL, wayland, wayland-protocols, libxkbcommon, libdecor
+}:
+
+stdenv.mkDerivation {
+  version = "unstable-2023-06-01";
+  pname = "glfw-wayland-minecraft";
+
+  src = fetchFromGitHub {
+    owner = "glfw";
+    repo = "GLFW";
+    rev = "3eaf1255b29fdf5c2895856c7be7d7185ef2b241";
+    sha256 = "sha256-UnwuE/3q6I4dS5syagpnqrDEVDK9XSVdyOg7KNkdUUA=";
+  };
+
+  patches = [
+    (fetchpatch2 {
+      url = "https://raw.githubusercontent.com/Admicos/minecraft-wayland/15f88a515c63a9716cfdf4090fab8e16543f4ebd/0003-Don-t-crash-on-calls-to-focus-or-icon.patch";
+      hash = "sha256-NZbKh16h+tWXXnz13QcFBFaeGXMNxZKGQb9xJEahFnE=";
+    })
+    (fetchpatch2 {
+      url = "https://raw.githubusercontent.com/Admicos/minecraft-wayland/15f88a515c63a9716cfdf4090fab8e16543f4ebd/0005-Add-warning-about-being-an-unofficial-patch.patch";
+      hash = "sha256-QMUNlnlCeFz5gIVdbM+YXPsrmiOl9cMwuVRSOvlw+T0=";
+    })
+  ];
+
+  propagatedBuildInputs = [ libGL ];
+
+  nativeBuildInputs = [ cmake extra-cmake-modules ];
+
+  buildInputs = [ wayland wayland-protocols libxkbcommon ];
+
+  cmakeFlags = [
+    "-DBUILD_SHARED_LIBS=ON"
+    "-DGLFW_BUILD_WAYLAND=ON"
+    "-DGLFW_BUILD_X11=OFF"
+    "-DCMAKE_C_FLAGS=-D_GLFW_EGL_LIBRARY='\"${lib.getLib libGL}/lib/libEGL.so.1\"'"
+  ];
+
+  postPatch = ''
+    substituteInPlace src/wl_init.c \
+      --replace "libxkbcommon.so.0" "${lib.getLib libxkbcommon}/lib/libxkbcommon.so.0"
+
+    substituteInPlace src/wl_init.c \
+      --replace "libdecor-0.so.0" "${lib.getLib libdecor}/lib/libdecor-0.so.0"
+  '';
+
+  meta = with lib; {
+    description = "Multi-platform library for creating OpenGL contexts and managing input, including keyboard, mouse, joystick and time - with patches to support Minecraft on Wayland";
+    homepage = "https://www.glfw.org/";
+    license = licenses.zlib;
+    maintainers = with maintainers; [ Scrumplex ];
+    platforms = platforms.linux;
+  };
+}

pkgs/development/python-modules/dataclasses-json/default.nix

@@ -1,23 +1,39 @@
 { lib
 , buildPythonPackage
 , fetchFromGitHub
-, typing-inspect
-, marshmallow-enum
 , hypothesis
+, marshmallow-enum
+, poetry-core
+, poetry-dynamic-versioning
 , pytestCheckHook
+, pythonOlder
+, typing-inspect
 }:
 
 buildPythonPackage rec {
   pname = "dataclasses-json";
-  version = "0.5.9";
+  version = "0.5.14";
+  format = "pyproject";
+
+  disabled = pythonOlder "3.7";
 
   src = fetchFromGitHub {
     owner = "lidatong";
     repo = pname;
     rev = "refs/tags/v${version}";
-    sha256 = "sha256-2/J+d7SQvUs7nXw1n+qwy0DQCplK28eUrbP7+yQPB7g=";
+    hash = "sha256-pCvVKHh2elHaukEJNTw8MgJmoTlYjO9aVWFCQXXD13c=";
   };
 
+  postPatch = ''
+    substituteInPlace pyproject.toml \
+      --replace 'version = "0.0.0"' 'version = "${version}"'
+  '';
+
+  nativeBuildInputs = [
+    poetry-core
+    poetry-dynamic-versioning
+  ];
+
   propagatedBuildInputs = [
     typing-inspect
     marshmallow-enum
@@ -35,11 +51,14 @@ buildPythonPackage rec {
     "tests/test_annotations.py"
   ];
 
-  pythonImportsCheck = [ "dataclasses_json" ];
+  pythonImportsCheck = [
+    "dataclasses_json"
+  ];
 
   meta = with lib; {
     description = "Simple API for encoding and decoding dataclasses to and from JSON";
     homepage = "https://github.com/lidatong/dataclasses-json";
+    changelog = "https://github.com/lidatong/dataclasses-json/releases/tag/v${version}";
     license = licenses.mit;
     maintainers = with maintainers; [ albakham ];
   };

pkgs/development/python-modules/fiona/default.nix

@@ -5,6 +5,7 @@
 , cython
 , gdal
 , setuptools
+, wheel
 , attrs
 , certifi
 , click
@@ -31,10 +32,20 @@ buildPythonPackage rec {
     hash = "sha256-CeGdWAmWteVtL0BoBQ1sB/+1AWkmxogtK99bL5Fpdbw=";
   };
 
+  postPatch = ''
+    # Remove after https://github.com/Toblerity/Fiona/pull/1225 is released
+    sed -i '/"oldest-supported-numpy"/d' pyproject.toml
+
+    # Remove after https://github.com/Toblerity/Fiona/pull/1281 is released,
+    # after which cython also needs to be updated to cython_3
+    sed -i 's/Cython~=/Cython>=/' pyproject.toml
+  '';
+
   nativeBuildInputs = [
     cython
     gdal # for gdal-config
     setuptools
+    wheel
   ];
 
   buildInputs = [

pkgs/development/python-modules/google-cloud-kms/default.nix

@@ -13,14 +13,14 @@
 
 buildPythonPackage rec {
   pname = "google-cloud-kms";
-  version = "2.18.0";
+  version = "2.19.1";
   format = "setuptools";
 
   disabled = pythonOlder "3.7";
 
   src = fetchPypi {
     inherit pname version;
-    hash = "sha256-GqcYccqc6yAfuN3ntTypXvMNricr0cfCmCwnU0zJBoE=";
+    hash = "sha256-ia3XCpLUXJ93AGEHdDaOidQEagUkMVAnb2UYK+ktzKc=";
   };
 
   propagatedBuildInputs = [

pkgs/development/python-modules/json-schema-for-humans/default.nix

@@ -30,11 +30,6 @@ buildPythonPackage rec {
     hash = "sha256-9dX9+YwJdJpgU3cZkxk7+CgdRFgcVhrvU0amO8zHZhs=";
   };
 
-  postPatch = ''
-    substituteInPlace pyproject.toml \
-      --replace 'pytz = "^2021.1"' 'pytz = "*"'
-  '';
-
   nativeBuildInputs = [
     poetry-core
   ];

pkgs/development/python-modules/pypiserver/default.nix

@@ -2,6 +2,7 @@
 , buildPythonPackage
 , fetchFromGitHub
 , passlib
+, pip
 , pytestCheckHook
 , pythonOlder
 , setuptools
@@ -9,6 +10,7 @@
 , twine
 , watchdog
 , webtest
+, wheel
 }:
 
 buildPythonPackage rec {
@@ -26,11 +28,13 @@ buildPythonPackage rec {
   };
 
   nativeBuildInputs = [
+    setuptools
     setuptools-git
+    wheel
   ];
 
   propagatedBuildInputs = [
-    setuptools
+    pip
   ];
 
   passthru.optional-dependencies = {
@@ -42,12 +46,21 @@ buildPythonPackage rec {
     ];
   };
 
+  __darwinAllowLocalNetworking = true;
+
+  # Tests need these permissions in order to use the FSEvents API on macOS.
+  sandboxProfile = ''
+    (allow mach-lookup (global-name "com.apple.FSEvents"))
+  '';
+
   preCheck = ''
     export HOME=$TMPDIR
   '';
 
   nativeCheckInputs = [
+    pip
     pytestCheckHook
+    setuptools
     twine
     webtest
   ] ++ lib.flatten (builtins.attrValues passthru.optional-dependencies);
@@ -57,11 +70,6 @@ buildPythonPackage rec {
     "test_hash_algos"
     "test_pip_install_authed_succeeds"
     "test_pip_install_open_succeeds"
-    "test_pip_install_authed_fails"
-    # Tests want to tests upload
-    "upload"
-    "register"
-    "test_partial_authed_open_download"
   ];
 
   disabledTestPaths = [

pkgs/development/python-modules/rich-pixels/default.nix

@@ -6,6 +6,7 @@
 , syrupy
 , pillow
 , rich
+, pythonRelaxDepsHook
 }:
 
 buildPythonPackage rec {
@@ -22,6 +23,7 @@ buildPythonPackage rec {
 
   nativeBuildInputs = [
     poetry-core
+    pythonRelaxDepsHook
   ];
 
   nativeCheckInputs = [
@@ -37,6 +39,10 @@ buildPythonPackage rec {
     rich
   ];
 
+  pythonRelaxDeps = [
+    "pillow"
+  ];
+
   pythonImportsCheck = [ "rich_pixels" ];
 
   meta = with lib; {

pkgs/development/python-modules/xformers/default.nix

@@ -20,9 +20,14 @@
 , cmake
 , openai-triton
 , networkx
+#, apex
+, einops
+, transformers
+, timm
+#, flash-attn
 }:
 let
-  version = "0.0.20";
+  version = "0.0.21";
 in
 buildPythonPackage {
   pname = "xformers";
@@ -35,7 +40,7 @@ buildPythonPackage {
     owner = "facebookresearch";
     repo = "xformers";
     rev = "v${version}";
-    hash = "sha256-OFH4I3eTKw1bQEKHh1AvkpcoShKK5R5674AoJ/mY85I=";
+    hash = "sha256-zYziynjLtqjPPHjDbruuuG9209y0Sh+wYUFHUj+QG2Y=";
     fetchSubmodules = true;
   };
 
@@ -63,6 +68,11 @@ buildPythonPackage {
 
   pythonImportsCheck = [ "xformers" ];
 
+  dontUseCmakeConfigure = true;
+
+  # see commented out missing packages
+  doCheck = false;
+
   nativeCheckInputs = [
     pytestCheckHook
     pytest-cov
@@ -73,6 +83,11 @@ buildPythonPackage {
     cmake
     networkx
     openai-triton
+    # apex
+    einops
+    transformers
+    timm
+    # flash-attn
   ];
 
   meta = with lib; {

pkgs/development/python-modules/zeroconf/default.nix

@@ -15,7 +15,7 @@
 
 buildPythonPackage rec {
   pname = "zeroconf";
-  version = "0.80.0";
+  version = "0.82.1";
   format = "pyproject";
 
   disabled = pythonOlder "3.7";
@@ -24,7 +24,7 @@ buildPythonPackage rec {
     owner = "jstasiak";
     repo = "python-zeroconf";
     rev = "refs/tags/${version}";
-    hash = "sha256-+NxLQGgTFHOPyOs8yoZvtZj0D42V6qma+PHgTGwPJsg=";
+    hash = "sha256-8zfhrRjW+WucwCo5M+rPOjuqfNKI6ne3bTumwDGIcbI=";
   };
 
   nativeBuildInputs = [

pkgs/development/tools/build-managers/turtle-build/default.nix

@@ -0,0 +1,26 @@
+{ lib
+, rustPlatform
+, fetchFromGitHub
+}:
+
+rustPlatform.buildRustPackage rec {
+  pname = "turtle-build";
+  version = "0.4.6";
+
+  src = fetchFromGitHub {
+    owner = "raviqqe";
+    repo = "turtle-build";
+    rev = "v${version}";
+    hash = "sha256-7XorSt2LFWYNdvCot+I7Uh6S1mhRbD7PkWkvYdIbjKs=";
+  };
+
+  cargoHash = "sha256-TebXKOgBdf/ZFITQu5OuusytDJKEkGzRD7fLhk1uh8Y=";
+
+  meta = with lib; {
+    description = "Ninja-compatible build system for high-level programming languages written in Rust";
+    homepage = "https://github.com/raviqqe/turtle-build";
+    license = with licenses; [ asl20 mit ];
+    maintainers = with maintainers; [ figsoda ];
+    mainProgram = "turtle";
+  };
+}

pkgs/development/tools/rust/cargo-llvm-cov/default.nix

@@ -6,13 +6,13 @@
 
 rustPlatform.buildRustPackage rec {
   pname = "cargo-llvm-cov";
-  version = "0.5.28";
+  version = "0.5.30";
 
   src = fetchCrate {
     inherit pname version;
-    sha256 = "sha256-B+tyDVb/tSuxQAK8x5cEw+Y7Y5IXD+jkr0FeqiDY+g8=";
+    sha256 = "sha256-35tpMLVBLwm1aEqznUniv7J/D77CosllpgpeYsglvcs=";
   };
-  cargoSha256 = "sha256-lGaMws7Z7qIWkQlfnSnN9cqRojBuxWp81nMAlBXAWEM=";
+  cargoSha256 = "sha256-7E6Biveh+fBEtQhJW346Pakimc0tTacHcSvKSJusyFs=";
 
   # skip tests which require llvm-tools-preview
   checkFlags = [

pkgs/servers/tailscale/default.nix

@@ -1,7 +1,7 @@
 { lib, stdenv, buildGoModule, fetchFromGitHub, makeWrapper, iptables, iproute2, procps, shadow, getent }:
 
 let
-  version = "1.46.1";
+  version = "1.48.1";
 in
 buildGoModule {
   pname = "tailscale";
@@ -11,9 +11,9 @@ buildGoModule {
     owner = "tailscale";
     repo = "tailscale";
     rev = "v${version}";
-    hash = "sha256-aweJys46MMnkSKJoLUFCzc6sWUP+Cv5+IFVVe9iEPGI=";
+    hash = "sha256-jWnke49b6inybPmiZOkxI3C8VoYe4Syi84YhvL8zxeI=";
   };
-  vendorHash = "sha256-oELDIt+mRiBGAdoEUkSAs2SM6urkHm1aAtJnev8jDYM=";
+  vendorHash = "sha256-Fr4VZcKrXnT1PZuEG110KBefjcZzRsQRBSvByELKAy4=";
 
   nativeBuildInputs = lib.optionals stdenv.isLinux [ makeWrapper ];
 
@@ -43,6 +43,6 @@ buildGoModule {
     description = "The node agent for Tailscale, a mesh VPN built on WireGuard";
     license = licenses.bsd3;
     mainProgram = "tailscale";
-    maintainers = with maintainers; [ danderson mbaillie twitchyliquid64 jk ];
+    maintainers = with maintainers; [ danderson mbaillie twitchyliquid64 jk mfrw ];
   };
 }

pkgs/test/texlive/default.nix

@@ -252,8 +252,8 @@
       noArg = [ "a2ping" "bg5+latex" "bg5+pdflatex" "bg5latex" "bg5pdflatex" "cef5latex" "cef5pdflatex" "ceflatex"
         "cefpdflatex" "cefslatex" "cefspdflatex" "chkdvifont" "dvi2fax" "dvired" "dviselect" "dvitodvi" "epsffit"
         "findhyph" "gbklatex" "gbkpdflatex" "komkindex" "kpsepath" "listbib" "listings-ext" "mag" "mathspic" "mf2pt1"
-        "mk4ht" "mkt1font" "mkgrkindex" "musixflx" "pdf2ps" "pdftosrc" "pdfxup" "pedigree" "pfb2pfa" "pk2bm" "prepmx"
-        "ps2pk" "psselect" "pstops" "rubibtex" "rubikrotation" "sjislatex" "sjispdflatex" "srcredact" "t4ht"
+        "mk4ht" "mkt1font" "mkgrkindex" "musixflx" "pdf2ps" "pdfclose" "pdftosrc" "pdfxup" "pedigree" "pfb2pfa" "pk2bm"
+        "prepmx" "ps2pk" "psselect" "pstops" "rubibtex" "rubikrotation" "sjislatex" "sjispdflatex" "srcredact" "t4ht"
         "teckit_compile" "tex4ht" "texdiff" "texdirflatten" "texplate" "tie" "ttf2kotexfont" "ttfdump" "vlna" "vpl2ovp"
         "vpl2vpl" "yplan" ];
       # (3) binaries requiring a .tex file

pkgs/tools/misc/backdown/default.nix

@@ -0,0 +1,27 @@
+{ lib
+, rustPlatform
+, fetchFromGitHub
+}:
+
+rustPlatform.buildRustPackage rec {
+  pname = "backdown";
+  version = "1.1.1";
+
+  src = fetchFromGitHub {
+    owner = "Canop";
+    repo = "backdown";
+    rev = "v${version}";
+    hash = "sha256-w9EdDSGqmHRLXwx5qFo0BngKATKtQsieMt6dPgfOrQ0=";
+  };
+
+  cargoHash = "sha256-BOwhXq/xVuk3KylL3KeIkiIG3SXVASFiYkUgKJhMzuU=";
+
+  meta = with lib; {
+    description = "A file deduplicator";
+    homepage = "https://github.com/Canop/backdown";
+    changelog = "https://github.com/Canop/backdown/blob/${src.rev}/CHANGELOG.md";
+    license = licenses.mit;
+    maintainers = with maintainers; [ figsoda ];
+    mainProgram = "backdown";
+  };
+}

pkgs/tools/package-management/dpkg/default.nix

@@ -13,7 +13,7 @@
 , autoreconfHook
 , pkg-config
 , diffutils
-, glibc
+, glibc ? !stdenv.isDarwin
 }:
 
 stdenv.mkDerivation rec {
@@ -66,6 +66,7 @@ stdenv.mkDerivation rec {
        --replace '"rm"' \"${coreutils}/bin/rm\" \
        --replace '"cat"' \"${coreutils}/bin/cat\" \
        --replace '"diff"' \"${diffutils}/bin/diff\"
+  '' + lib.optionalString (!stdenv.isDarwin) ''
     substituteInPlace src/main/help.c \
        --replace '"ldconfig"' \"${glibc.bin}/bin/ldconfig\"
   '';

pkgs/top-level/aliases.nix

@@ -951,6 +951,7 @@ mapAliases ({
   lilyterm-git = throw "lilyterm-git has been removed from nixpkgs, because it was relying on a vte version that depended on python2"; # Added 2022-01-14
   links = throw "'links' has been renamed to/replaced by 'links2'"; # Converted to throw 2022-02-22
   linuxband = throw "linuxband has been removed from nixpkgs, as it's abandoned upstream"; # Added 2021-12-09
+  llama = walk; # Added 2023-01-23
 
   # Linux kernels
   linux-rt_5_10 = linuxKernel.kernels.linux_rt_5_10;

pkgs/top-level/all-packages.nix

@@ -2861,8 +2861,6 @@ with pkgs;
 
   ctpv = callPackage ../applications/file-managers/lf/ctpv.nix { };
 
-  llama = callPackage ../applications/file-managers/llama { };
-
   mc = callPackage ../applications/file-managers/mc {
     inherit (darwin) autoSignDarwinBinariesHook;
   };
@@ -2898,6 +2896,8 @@ with pkgs;
     inherit lib udisks2 python3;
   };
 
+  walk = callPackage ../applications/file-managers/walk { };
+
   worker = callPackage ../applications/file-managers/worker { };
 
   xfe = callPackage ../applications/file-managers/xfe {
@@ -21586,6 +21586,7 @@ with pkgs;
   glfw-wayland = glfw.override {
     waylandSupport = true;
   };
+  glfw-wayland-minecraft = callPackage ../development/libraries/glfw/3.x-wayland-minecraft.nix {};
   glfw2 = callPackage ../development/libraries/glfw/2.x.nix { };
   glfw3 = callPackage ../development/libraries/glfw/3.x.nix {
     inherit (darwin.apple_sdk.frameworks) Carbon Cocoa Kernel OpenGL;
@@ -27415,7 +27416,9 @@ with pkgs;
 
   systemd-journal2gelf = callPackage ../tools/system/systemd-journal2gelf { };
 
-  tailscale = callPackage ../servers/tailscale { };
+  tailscale = callPackage ../servers/tailscale {
+    buildGoModule = buildGo121Module;
+  };
 
   tailscale-systray = callPackage ../applications/misc/tailscale-systray { };
 
@@ -37015,6 +37018,8 @@ with pkgs;
 
   aperture = callPackage ../applications/blockchains/aperture { };
 
+  backdown = callPackage ../tools/misc/backdown { };
+
   balanceofsatoshis = callPackage ../tools/misc/balanceofsatoshis { };
 
   bitcoin  = libsForQt5.callPackage ../applications/blockchains/bitcoin {
@@ -41235,6 +41240,8 @@ with pkgs;
 
   tup = callPackage ../development/tools/build-managers/tup { };
 
+  turtle-build = callPackage ../development/tools/build-managers/turtle-build { };
+
   tusk = callPackage ../applications/office/tusk { };
 
   trufflehog = callPackage ../tools/security/trufflehog { };