Merge staging-next into staging

pkgs/applications/audio/praat/default.nix

@@ -15,6 +15,10 @@ stdenv.mkDerivation rec {
     cp makefiles/makefile.defs.linux.pulse makefile.defs
   '';
 
+  makeFlags = [
+    "AR=${stdenv.cc.targetPrefix}ar"
+  ];
+
   installPhase = ''
     install -Dt $out/bin praat
   '';

pkgs/applications/audio/pt2-clone/default.nix

@@ -8,13 +8,13 @@
 
 stdenv.mkDerivation rec {
   pname = "pt2-clone";
-  version = "1.46";
+  version = "1.49";
 
   src = fetchFromGitHub {
     owner = "8bitbubsy";
     repo = "pt2-clone";
     rev = "v${version}";
-    sha256 = "sha256-xRq37hjuMiGxsWRnZ/ryXYLvQpjbfQEjQkMjjuqL7r8=";
+    sha256 = "sha256-mE7mcaQCJlMzFTec9/faTyIZ7aoA4ygn60wS5QgVF7k=";
   };
 
   nativeBuildInputs = [ cmake ];

pkgs/applications/misc/clifm/default.nix

@@ -2,13 +2,13 @@
 
 stdenv.mkDerivation rec {
   pname = "clifm";
-  version = "1.4";
+  version = "1.5.1";
 
   src = fetchFromGitHub {
     owner = "leo-arch";
     repo = pname;
     rev = "v${version}";
-    sha256 = "sha256-62WxvJsXkzvDqFGFpid9VDB1mARgllkKnb6mFC5pdl8=";
+    sha256 = "sha256-JdVRi5xHKpYjP8h7df4WdizSU1dy+CtPfOiPEK+MEOE=";
   };
 
   buildInputs = [ libcap acl file readline ];

pkgs/applications/networking/browsers/vivaldi/widevine.nix

@@ -1,22 +1,16 @@
-{ lib, stdenv, fetchurl
-, unzip
+{ lib, stdenv, fetchzip
 }:
 
 stdenv.mkDerivation rec {
   pname = "widevine";
   version = "4.10.2449.0";
 
-  src = fetchurl {
+  src = fetchzip {
     url = "https://dl.google.com/widevine-cdm/${version}-linux-x64.zip";
-    sha256 = "sha256-XZuXK3NCfqbaQ1tuMOXj/U4yJC18futqo1WjuMqMrRA=";
+    sha256 = "sha256-f2kAkP+s3fB+krEZsiujEoI4oznkzSyaIB/CRJZWlXE=";
+    stripRoot = false;
   };
 
-  nativeBuildInputs = [ unzip ];
-
-  unpackPhase = ''
-    unzip $src
-  '';
-
   installPhase = ''
     install -vD manifest.json $out/share/google/chrome/WidevineCdm/manifest.json
     install -vD LICENSE.txt $out/share/google/chrome/WidevineCdm/LICENSE.txt

pkgs/applications/networking/instant-messengers/zoom-us/default.nix

@@ -46,7 +46,7 @@ let
   version = {
     aarch64-darwin = "5.10.4.6592";
     x86_64-darwin = "5.10.4.6592";
-    x86_64-linux = "5.10.4.2845";
+    x86_64-linux = "5.10.6.3192";
    }.${system} or throwSystem;
 
   srcs = {
@@ -60,7 +60,7 @@ let
     };
     x86_64-linux = fetchurl {
       url = "https://zoom.us/client/${version}/zoom_x86_64.pkg.tar.xz";
-      sha256 = "9gspydrGaEjzAM0nK1u0XNm07HTupJ2wnPxCFWy+Nts=";
+      sha256 = "8QIkF5+875VFoGK6T0CROsqML6bJDG934c1gkuz8Klk=";
     };
   };
 

pkgs/applications/science/robotics/qgroundcontrol/default.nix

@@ -6,7 +6,7 @@
 
 mkDerivation rec {
   pname = "qgroundcontrol";
-  version = "4.2.0";
+  version = "4.2.1";
 
   qtInputs = [
     qtbase qtcharts qtlocation qtserialport qtsvg qtquickcontrols2
@@ -64,7 +64,7 @@ mkDerivation rec {
     owner = "mavlink";
     repo = pname;
     rev = "v${version}";
-    sha256 = "sha256-TBnJQKO9cwxP9q+bIB1CaGnm9npymJ3iEAD9kPJi9JA=";
+    sha256 = "sha256-7POrc6RUm3GVx3KuPUBNbKRUvUmA2UkEL7ezQVQt/yo=";
     fetchSubmodules = true;
   };
 

pkgs/applications/version-management/git-and-tools/gh/default.nix

@@ -2,16 +2,16 @@
 
 buildGoModule rec {
   pname = "gh";
-  version = "2.10.1";
+  version = "2.11.0";
 
   src = fetchFromGitHub {
     owner = "cli";
     repo = "cli";
     rev = "v${version}";
-    sha256 = "sha256-2lIHEO4+oW9+C7VSulmVwZJ1l6RYBbV6wlKMvdOGqi8=";
+    sha256 = "sha256-VWbkthOaq34tAiBkPlCXmz32RrJfO6dfVS+LLls39jA=";
   };
 
-  vendorSha256 = "sha256-EFJfd6sUK5iquFW0kXaiH6tLiNqbZNe9awpIqmqhp7I=";
+  vendorSha256 = "sha256-soNQXtpQ217scP606UA05+r9WIrUAMOCDBsfLKrVD+Q=";
 
   nativeBuildInputs = [ installShellFiles ];
 

pkgs/development/compilers/ocaml/ber-metaocaml.nix

@@ -2,10 +2,10 @@
 , ncurses
 , libX11, xorgproto, buildEnv
 , fetchpatch
+, useX11 ? stdenv.hostPlatform.isx86
 }:
 
 let
-   useX11 = stdenv.hostPlatform.isx86;
    x11deps = [ libX11 xorgproto ];
    inherit (lib) optionals;
 

pkgs/development/interpreters/jruby/default.nix

@@ -6,11 +6,11 @@ rubyVersion = callPackage ../ruby/ruby-version.nix {} "2" "5" "7" "";
 jruby = stdenv.mkDerivation rec {
   pname = "jruby";
 
-  version = "9.3.3.0";
+  version = "9.3.4.0";
 
   src = fetchurl {
     url = "https://s3.amazonaws.com/jruby.org/downloads/${version}/jruby-bin-${version}.tar.gz";
-    sha256 = "sha256-Pagoy+KH1UaFB/HCxCvvbPNLxTYbzWpdmcIHshuf3Fw=";
+    sha256 = "sha256-UxVE0yeocVXYyATxU6LfPPBPAYJWHLLdLJNy9IYFtlw=";
   };
 
   nativeBuildInputs = [ makeWrapper ];

pkgs/development/ocaml-modules/linenoise/default.nix

@@ -2,7 +2,7 @@
 
 buildDunePackage rec {
   pname = "linenoise";
-  version = "1.3.0";
+  version = "1.3.1";
 
   useDune2 = true;
 
@@ -12,7 +12,7 @@ buildDunePackage rec {
     owner = "fxfactorial";
     repo = "ocaml-${pname}";
     rev = "v${version}";
-    sha256 = "0m9mm1arsawi5w5aqm57z41sy1wfxvhfgbdiw7hzy631i391144g";
+    sha256 = "sha256-5DlF56reh52Tvbi3wGK8ZrPBAYK0ZTBV3jz8qUsyKGk=";
   };
 
   propagatedBuildInputs = [ result ];

pkgs/development/python-modules/django-guardian/default.nix

@@ -1,7 +1,13 @@
-{ lib, buildPythonPackage, fetchPypi
-, django-environ, mock, django
-, pytest, pytest-runner, pytest-django
+{ lib
+, buildPythonPackage
+, fetchPypi
+, django-environ
+, mock
+, django
+, pytestCheckHook
+, pytest-django
 }:
+
 buildPythonPackage rec {
   pname = "django-guardian";
   version = "2.4.0";
@@ -11,12 +17,21 @@ buildPythonPackage rec {
     sha256 = "c58a68ae76922d33e6bdc0e69af1892097838de56e93e78a8361090bcd9f89a0";
   };
 
-  checkInputs = [ pytest pytest-runner pytest-django django-environ mock ];
   propagatedBuildInputs = [ django ];
 
+  checkInputs = [
+    django-environ
+    mock
+    pytestCheckHook
+    pytest-django
+  ];
+
+  pythonImportsCheck = [ "guardian" ];
+
   meta = with lib; {
     description = "Per object permissions for Django";
     homepage = "https://github.com/django-guardian/django-guardian";
-    license = [ licenses.mit licenses.bsd2 ];
+    license = with licenses; [ mit bsd2 ];
+    maintainers = with maintainers; [ SuperSandro2000 ];
   };
 }

pkgs/development/python-modules/djangorestframework/default.nix

@@ -1,26 +1,52 @@
-{ lib, buildPythonPackage, fetchFromGitHub, django, pytz, isPy27 }:
+{ lib
+, buildPythonPackage
+, fetchFromGitHub
+, coreapi
+, django
+, django-guardian
+, pythonOlder
+, pytest-django
+, pytestCheckHook
+, pytz
+, pyyaml
+, uritemplate
+}:
 
 buildPythonPackage rec {
-  version = "3.12.4";
   pname = "djangorestframework";
-  disabled = isPy27;
+  version = "3.13.1";
+  disabled = pythonOlder "3.6";
 
   src = fetchFromGitHub {
     owner = "encode";
     repo = "django-rest-framework";
     rev = version;
-    sha256 = "sha256-FjMRfVyLmm5J9uOUTLZpO3Pvge3RoYnqIRvzMng7wZo=";
+    sha256 = "sha256-XmX6DZBZYzVCe72GERplAWt5jIjV/cYercZGb0pYjoc=";
   };
 
-  # Test settings are missing
-  doCheck = false;
 
-  propagatedBuildInputs = [ django pytz ];
+  propagatedBuildInputs = [
+    django
+    pytz
+  ];
+
+  checkInputs = [
+    pytest-django
+    pytestCheckHook
+
+    # optional tests
+    coreapi
+    django-guardian
+    pyyaml
+    uritemplate
+  ];
+
+  pythonImportsCheck = [ "rest_framework" ];
 
   meta = with lib; {
     description = "Web APIs for Django, made easy";
     homepage = "https://www.django-rest-framework.org/";
-    maintainers = with maintainers; [ desiderius ];
+    maintainers = with maintainers; [ desiderius SuperSandro2000 ];
     license = licenses.bsd2;
   };
 }

pkgs/development/tools/rust/probe-run/default.nix

@@ -3,14 +3,14 @@
 
 rustPlatform.buildRustPackage rec {
   pname = "probe-run";
-  version = "0.3.2";
+  version = "0.3.3";
 
   src = fetchCrate {
     inherit pname version;
-    sha256 = "sha256-SXA77LXM1SuBJ8BH+ahwJl/3gWsCbdLXBiHZdJySWq0=";
+    sha256 = "sha256-7o0aRiCxWoDoMysXIPyiBqH/8TtFo87im6Y0OFL0cTA=";
   };
 
-  cargoSha256 = "sha256-e9POSuA/I7IUKUOxMTfCWxNn0AicojpGQpxamzmHa7g=";
+  cargoSha256 = "sha256-vREz3FTZXMrc18LXIycJXX6SgW6IKGIgL/+79dMfNjk=";
 
   nativeBuildInputs = [ pkg-config ];
   buildInputs = [ libusb1 ]

pkgs/games/black-hole-solver/default.nix

@@ -6,7 +6,7 @@
 
 stdenv.mkDerivation rec {
   pname = "black-hole-solver";
-  version = "1.10.1";
+  version = "1.12.0";
 
   meta = with lib; {
     homepage = "https://www.shlomifish.org/open-source/projects/black-hole-solitaire-solver/";
@@ -16,7 +16,7 @@ stdenv.mkDerivation rec {
 
   src = fetchurl {
     url = "https://fc-solve.shlomifish.org/downloads/fc-solve/${pname}-${version}.tar.xz";
-    sha256 = "1qhihmk4fwz6n16c7bnxnh3v7jhbb7xhkc9wk9484bp0k4x9bq9n";
+    sha256 = "sha256-0y8yU291cykliPQbsNha5C1WE3bCGNxKtrrf5JBKN6c=";
   };
 
   nativeBuildInputs = [ cmake perl pkg-config python3 ];

pkgs/games/cutemaze/default.nix

@@ -1,15 +1,26 @@
-{ lib, stdenv, fetchurl, qmake, qttools, qtsvg, mkDerivation }:
+{ lib
+, stdenv
+, fetchurl
+, cmake
+, qttools
+, wrapQtAppsHook
+, qtsvg
+}:
 
-mkDerivation rec {
+stdenv.mkDerivation rec {
   pname = "cutemaze";
-  version = "1.3.0";
+  version = "1.3.1";
 
   src = fetchurl {
     url = "https://gottcode.org/cutemaze/${pname}-${version}-src.tar.bz2";
-    sha256 = "sha256-h7+H2E37ZVSnlPa6ID+lNEvFtU5PfdMSlBjqBumojoU=";
+    sha256 = "6944931cd39e9ef202c11483b7b2b7409a068c52fa5fd4419ff938b1158c72ab";
   };
 
-  nativeBuildInputs = [ qmake qttools ];
+  nativeBuildInputs = [
+    cmake
+    qttools
+    wrapQtAppsHook
+  ];
 
   buildInputs = [ qtsvg ];
 

pkgs/os-specific/linux/kernel/htmldocs.nix

@@ -0,0 +1,84 @@
+{ lib
+, stdenv
+, graphviz
+, imagemagick
+, linux_latest
+, makeFontsConf
+, perl
+, python3
+, sphinx
+, which
+}:
+
+let
+  py = python3.override {
+    packageOverrides = final: prev: rec {
+      docutils_old = prev.docutils.overridePythonAttrs (oldAttrs: rec {
+        version = "0.16";
+        src = oldAttrs.src.override {
+          inherit version;
+          sha256 = "sha256-wt46YOnn0Hvia38rAMoDCcIH4GwQD5zCqUkx/HWkePw=";
+        };
+      });
+
+      sphinx = (prev.sphinx.override rec {
+        alabaster = prev.alabaster.override { inherit pygments; };
+        docutils = docutils_old;
+        pygments = prev.pygments.override { docutils = docutils_old; };
+      }).overridePythonAttrs {
+        # fails due to duplicated packages
+        doCheck = false;
+      };
+
+      sphinx_rtd_theme = prev.sphinx_rtd_theme.override {
+        inherit sphinx;
+        docutils = docutils_old;
+      };
+    };
+  };
+in
+
+stdenv.mkDerivation {
+  pname = "linux-kernel-latest-htmldocs";
+
+  inherit (linux_latest) version src;
+
+  postPatch = ''
+    patchShebangs \
+      Documentation/sphinx/parse-headers.pl \
+      scripts/{get_abi.pl,get_feat.pl,kernel-doc,sphinx-pre-install}
+  '';
+
+  FONTCONFIG_FILE = makeFontsConf {
+    fontDirectories = [ ];
+  };
+
+  nativeBuildInputs = [
+    graphviz
+    imagemagick
+    perl
+    py.pkgs.sphinx
+    py.pkgs.sphinx_rtd_theme
+    which
+  ];
+
+  preBuild = ''
+    export XDG_CACHE_HOME="$(mktemp -d)"
+  '';
+
+  makeFlags = [ "htmldocs" ];
+
+  installPhase = ''
+    mkdir -p $out/share/doc
+    mv Documentation/output $out/share/doc/linux-doc
+    cp -r Documentation/* $out/share/doc/linux-doc/
+  '';
+
+  meta = with lib; {
+    description = "Linux kernel html documentation";
+    homepage = "https://www.kernel.org/doc/htmldocs/";
+    platforms = platforms.linux;
+    inherit (linux_latest.meta) license;
+    maintainers = with maintainers; [ SuperSandro2000 ];
+  };
+}

pkgs/servers/http/go-camo/default.nix

@@ -0,0 +1,25 @@
+{ lib, buildGoModule, fetchFromGitHub }:
+
+buildGoModule rec {
+  pname = "go-camo";
+  version = "2.4.0";
+
+  src = fetchFromGitHub {
+    owner = "cactus";
+    repo = pname;
+    rev = "v${version}";
+    sha256 = "1Wzy5EHFJAPnxusUBvNoJnXyVAx/LiiTgIQZE9r01Lw=";
+  };
+
+  vendorSha256 = "31B6LXCutIdPwxqMFTMUfxAaCuYW14py8Vu1EycBydE=";
+
+  ldflags = [ "-s" "-w" "-X=main.ServerVersion=${version}" ];
+
+  meta = with lib; {
+    description = "A camo server is a special type of image proxy that proxies non-secure images over SSL/TLS";
+    homepage = "https://github.com/cactus/go-camo";
+    changelog = "https://github.com/cactus/go-camo/releases/tag/v${version}";
+    license = licenses.mit;
+    maintainers = with maintainers; [ viraptor ];
+  };
+}

pkgs/servers/http/nginx/generic.nix

@@ -2,7 +2,7 @@ outer@{ lib, stdenv, fetchurl, fetchpatch, openssl, zlib, pcre, libxml2, libxslt
 , nginx-doc
 
 , nixosTests
-, substituteAll, gd, geoip, perl
+, substituteAll, removeReferencesTo, gd, geoip, perl
 , withDebug ? false
 , withKTLS ? false
 , withStream ? true
@@ -22,7 +22,7 @@ outer@{ lib, stdenv, fetchurl, fetchpatch, openssl, zlib, pcre, libxml2, libxslt
 , extraPatches ? []
 , fixPatch ? p: p
 , preConfigure ? ""
-, postInstall ? null
+, postInstall ? ""
 , meta ? null
 , nginx-doc ? outer.nginx-doc
 , passthru ? { tests = {}; }
@@ -158,9 +158,14 @@ stdenv.mkDerivation {
     cp -r ${nginx-doc}/* $doc
   '';
 
-  postInstall = if postInstall != null then postInstall else ''
-    mv $out/sbin $out/bin
-  '';
+  nativeBuildInputs = [ removeReferencesTo ];
+
+  disallowedReferences = map (m: m.src) modules;
+
+  postInstall =
+    let
+      noSourceRefs = lib.concatMapStrings (m: "remove-references-to -t ${m.src} $out/sbin/nginx\n") modules;
+    in noSourceRefs + postInstall;
 
   passthru = {
     modules = modules;

pkgs/tools/admin/trivy/default.nix

@@ -2,8 +2,6 @@
 , stdenv
 , buildGoModule
 , fetchFromGitHub
-, CoreFoundation
-, Security
 }:
 
 buildGoModule rec {
@@ -20,16 +18,13 @@ buildGoModule rec {
 
   excludedPackages = "misc";
 
-  buildInputs = lib.optionals (stdenv.isDarwin && stdenv.isx86_64)
-    [ CoreFoundation Security ];
-
   ldflags = [
     "-s"
     "-w"
     "-X main.version=v${version}"
   ];
 
-  # Tests requires network access
+  # Tests require network access
   doCheck = false;
 
   doInstallCheck = true;
@@ -54,5 +49,8 @@ buildGoModule rec {
     '';
     license = licenses.asl20;
     maintainers = with maintainers; [ jk ];
+    # Need updated macOS SDK
+    # https://github.com/NixOS/nixpkgs/issues/101229
+    broken = (stdenv.isDarwin && stdenv.isx86_64);
   };
 }

pkgs/tools/networking/flannel/plugin.nix

@@ -2,16 +2,23 @@
 
 buildGoModule rec {
   pname = "cni-plugin-flannel";
-  version = "1.0.0";
+  version = "1.1.0";
 
   src = fetchFromGitHub {
     owner = "flannel-io";
     repo = "cni-plugin";
     rev = "v${version}";
-    sha256 = "sha256-zWxw4LZIlkT88yGTnxdupq7cUSacNRxPzzp01O9USDw=";
+    sha256 = "sha256-Rq1hVZazeF39YGiuuWC8adff3AhPsSLnnfVpGCaMqgc=";
   };
 
-  vendorSha256 = "sha256-zteMlrvRTVxOFlBy+z/qfiSii8+c8PMapwIsdbN+Aig=";
+  vendorSha256 = "sha256-ddwNJZzdyO/wEdy0C7Z8IoOWXY4jggcgIHxmRUGGf9s=";
+
+  ldflags = [
+    "-s" "-w"
+    "-X main.Version=${version}"
+    "-X main.Commit=${version}"
+    "-X main.Program=flannel"
+  ];
 
   postInstall = ''
     mv $out/bin/cni-plugin $out/bin/flannel
@@ -22,7 +29,7 @@ buildGoModule rec {
 
   installCheckPhase = ''
     runHook preInstallCheck
-    $out/bin/flannel 2>&1 | fgrep -q v$version
+    $out/bin/flannel 2>&1 | fgrep -q $version
     runHook postInstallCheck
   '';
 

pkgs/tools/security/lastpass-cli/default.nix

@@ -1,6 +1,7 @@
 { stdenv
 , lib
 , fetchFromGitHub
+, fetchpatch
 , asciidoc
 , cmake
 , docbook_xsl
@@ -23,6 +24,16 @@ stdenv.mkDerivation rec {
     sha256 = "168jg8kjbylfgalhicn0llbykd7kdc9id2989gg0nxlgmnvzl58a";
   };
 
+  patches = [
+    # Pull fix pending upstream inclusion for -fno-common toolchains:
+    #   https://github.com/lastpass/lastpass-cli/pull/576
+    (fetchpatch {
+      name = "fno-common.patch";
+      url = "https://github.com/lastpass/lastpass-cli/commit/e3311cebdb29a3267843cf656a32f01c5062897e.patch";
+      sha256 = "1yjx2p98nb3n8ywc9lhf2zal5fswawb5i6lgnicdin23zngff5l8";
+    })
+  ];
+
   nativeBuildInputs = [ asciidoc cmake docbook_xsl pkg-config ];
 
   buildInputs = [

pkgs/tools/security/tracee/bpf-core-clang-bpf.patch

@@ -0,0 +1,13 @@
+diff --git a/Makefile b/Makefile
+index d5cd754..db1c1d3 100644
+--- a/Makefile
++++ b/Makefile
+@@ -411,7 +411,7 @@ $(OUTPUT_DIR)/tracee.bpf.core.o: \
+ 	$(TRACEE_EBPF_OBJ_CORE_HEADERS)
+ #
+ 	$(MAKE) $(OUTPUT_DIR)/tracee.bpf
+-	$(CMD_CLANG) \
++	$(CMD_CLANG_BPF) \
+ 		-D__TARGET_ARCH_$(LINUX_ARCH) \
+ 		-D__BPF_TRACING__ \
+ 		-DCORE \

pkgs/tools/security/tracee/default.nix

@@ -0,0 +1,113 @@
+{ lib
+, buildGoModule
+, fetchFromGitHub
+
+, llvmPackages_13
+, pkg-config
+
+, zlib
+, libelf
+}:
+
+let
+  inherit (llvmPackages_13) clang;
+  clang-with-bpf =
+    (clang.overrideAttrs (o: { pname = o.pname + "-with-bpf"; })).override (o: {
+      extraBuildCommands = o.extraBuildCommands + ''
+        # make a separate wrapped clang we can target at bpf
+        cp $out/bin/clang $out/bin/clang-bpf
+        # extra flags to append after the cc-cflags
+        echo '-target bpf -fno-stack-protector' > $out/nix-support/cc-cflags-bpf
+        # use sed to attach the cc-cflags-bpf after cc-cflags
+        sed -i -E "s@^(extraAfter=\(\\$\NIX_CFLAGS_COMPILE_.*)(\))\$@\1 $(cat $out/nix-support/cc-cflags-bpf)\2@" $out/bin/clang-bpf
+      '';
+    });
+in
+buildGoModule rec {
+  pname = "tracee";
+  version = "0.7.0";
+
+  src = fetchFromGitHub {
+    owner = "aquasecurity";
+    repo = pname;
+    rev = "v${version}";
+    sha256 = "sha256-Y++FWxADnj1W5S3VrAlJAnotFYb6biCPJ6dpQ0Nin8o=";
+    # Once libbpf hits 1.0 we will migrate to the nixpkgs libbpf rather than the
+    # pinned copy in submodules
+    fetchSubmodules = true;
+  };
+  vendorSha256 = "sha256-C2RExp67qax8+zJIgyMJ18sBtn/xEYj4tAvGCCpBssQ=";
+
+  patches = [
+    # bpf-core can't be compiled with wrapped clang since it forces the target
+    # we need to be able to replace it with another wrapped clang that has
+    # it's target as bpf
+    ./bpf-core-clang-bpf.patch
+    # add -s to ldflags for smaller binaries
+    ./disable-go-symbol-table.patch
+  ];
+
+
+  enableParallelBuilding = true;
+
+  strictDeps = true;
+  nativeBuildInputs = [ pkg-config clang-with-bpf ];
+  buildInputs = [ zlib libelf ];
+
+  makeFlags = [
+    "VERSION=v${version}"
+    "CMD_CLANG_BPF=clang-bpf"
+    # don't actually need git but the Makefile checks for it
+    "CMD_GIT=echo"
+  ];
+
+  buildPhase = ''
+    runHook preBuild
+    make $makeFlags ''${enableParallelBuilding:+-j$NIX_BUILD_CORES -l$NIX_BUILD_CORES}
+    runHook postBuild
+  '';
+
+  doCheck = false;
+
+  installPhase = ''
+    runHook preInstall
+
+    mkdir -p $out/{bin,share/tracee}
+
+    cp ./dist/tracee-ebpf $out/bin
+    cp ./dist/tracee-rules $out/bin
+
+    cp -r ./dist/rules $out/share/tracee/
+    cp -r ./cmd/tracee-rules/templates $out/share/tracee/
+
+    runHook postInstall
+  '';
+
+  doInstallCheck = true;
+  installCheckPhase = ''
+    runHook preInstallCheck
+
+    $out/bin/tracee-ebpf --help
+    $out/bin/tracee-ebpf --version | grep "v${version}"
+
+    $out/bin/tracee-rules --help
+
+    runHook postInstallCheck
+  '';
+
+  meta = with lib; {
+    homepage = "https://aquasecurity.github.io/tracee/latest/";
+    changelog = "https://github.com/aquasecurity/tracee/releases/tag/v${version}";
+    description = "Linux Runtime Security and Forensics using eBPF";
+    longDescription = ''
+      Tracee is a Runtime Security and forensics tool for Linux. It is using
+      Linux eBPF technology to trace your system and applications at runtime,
+      and analyze collected events to detect suspicious behavioral patterns. It
+      is delivered as a Docker image that monitors the OS and detects suspicious
+      behavior based on a pre-defined set of behavioral patterns.
+    '';
+    license = licenses.asl20;
+    maintainers = with maintainers; [ jk ];
+    platforms = [ "x86_64-linux" ];
+  };
+}

pkgs/tools/security/tracee/disable-go-symbol-table.patch

@@ -0,0 +1,22 @@
+diff --git a/Makefile b/Makefile
+index d5cd754..0b74a79 100644
+--- a/Makefile
++++ b/Makefile
+@@ -471,7 +471,7 @@ ifeq ($(BTFHUB), 1)
+ endif
+ 	$(GO_ENV_EBPF) $(CMD_GO) build \
+ 		-tags $(GO_TAGS_EBPF) \
+-		-ldflags="-w \
++		-ldflags="-s -w \
+ 			-extldflags \"$(CGO_EXT_LDFLAGS_EBPF)\" \
+ 			-X main.version=\"$(VERSION)\" \
+ 			" \
+@@ -552,7 +552,7 @@ $(OUTPUT_DIR)/tracee-rules: \
+ #
+ 	$(GO_ENV_RULES) $(CMD_GO) build \
+ 		-tags $(GO_TAGS_RULES) \
+-		-ldflags="-w \
++		-ldflags="-s -w \
+ 			-extldflags \"$(CGO_EXT_LDFLAGS_RULES)\" \
+ 			" \
+ 		-v -o $@ \

pkgs/tools/security/tracee/skip-init-test.patch

@@ -0,0 +1,12 @@
+diff --git a/tests/integration/integration_test.go b/tests/integration/integration_test.go
+index 8601eb9..57088d2 100644
+--- a/tests/integration/integration_test.go
++++ b/tests/integration/integration_test.go
+@@ -149,6 +149,7 @@ func checkUidzero(t *testing.T, gotOutput *bytes.Buffer) {
+ 
+ // only capture pids of 1
+ func checkPidOne(t *testing.T, gotOutput *bytes.Buffer) {
++    t.Skip("Not compatible with systemd init")
+ 	_, _ = exec.Command("init", "q").CombinedOutput()
+ 
+ 	waitForTraceeOutput(gotOutput, time.Now())

pkgs/tools/security/tracee/skip-magic_write-test.patch

@@ -0,0 +1,12 @@
+diff --git a/tests/integration/integration_test.go b/tests/integration/integration_test.go
+index 8601eb9..a8a3eed 100644
+--- a/tests/integration/integration_test.go
++++ b/tests/integration/integration_test.go
+@@ -75,6 +75,7 @@ func waitForTraceeOutput(gotOutput *bytes.Buffer, now time.Time) {
+ 
+ // small set of actions to trigger a magic write event
+ func checkMagicwrite(t *testing.T, gotOutput *bytes.Buffer) {
++    t.Skip()
+ 	// create a temp dir for testing
+ 	d, err := ioutil.TempDir("", "Test_MagicWrite-dir-*")
+ 	require.NoError(t, err)

pkgs/tools/security/tracee/test.nix

@@ -0,0 +1,41 @@
+{ pkgs ? import ../../../../. { } }:
+
+# manually run `nix-build ./pkgs/tools/security/tracee/test.nix` to test
+pkgs.nixosTest ({
+  name = "tracee-test";
+  nodes = {
+    machine = { config, pkgs, ... }: {
+      environment.systemPackages = [
+        pkgs.tracee
+        # build the go integration tests as a binary
+        (pkgs.tracee.overrideAttrs (oa: {
+          pname = oa.pname + "-integration";
+          patches = oa.patches or [] ++ [
+            # skip test that runs `init -q` which is incompatible with systemd init
+            ./skip-init-test.patch
+            # skip magic_write test that currently fails
+            ./skip-magic_write-test.patch
+          ];
+          # just build the static lib we need for the go test binary
+          makeFlags = oa.makeFlags ++ [ "./dist/libbpf/libbpf.a" ];
+          postBuild = ''
+            # by default the tests are disabled and this is intended to be commented out
+            sed -i '/t.Skip("This test requires root privileges")/d' ./tests/integration/integration_test.go
+            CGO_CFLAGS="-I$PWD/dist/libbpf" CGO_LDFLAGS="-lelf -lz $PWD/dist/libbpf/libbpf.a" go test -tags ebpf,integration -c -o $GOPATH/tracee-integration ./tests/integration
+          '';
+          doCheck = false;
+          installPhase = ''
+            mkdir -p $out/bin
+            cp $GOPATH/tracee-integration $out/bin
+          '';
+          doInstallCheck = false;
+        }))
+      ];
+    };
+  };
+
+  testScript = ''
+    with subtest("run integration tests"):
+      print(machine.succeed('TRC_BIN="$(which tracee-ebpf)" tracee-integration -test.v -test.run "Test_Events"'))
+  '';
+})

pkgs/tools/system/systeroid/default.nix

@@ -0,0 +1,39 @@
+{ lib
+, rustPlatform
+, fetchFromGitHub
+, linux-doc
+, xorg
+}:
+
+rustPlatform.buildRustPackage rec {
+  pname = "systeroid";
+  version = "0.1.1";
+
+  src = fetchFromGitHub {
+    owner = "orhun";
+    repo = pname;
+    rev = "v${version}";
+    sha256 = "0xf81wyp5qg67r0vyqg0209pcabx70vvxx4nrg2y7qa0mhvf6p94";
+  };
+
+  postPatch = ''
+    substituteInPlace systeroid-core/src/parsers.rs \
+      --replace '"/usr/share/doc/kernel-doc-*/Documentation/*",' '"${linux-doc}/share/doc/linux-doc/*",'
+  '';
+
+  cargoSha256 = "sha256-D/sSeMR1Zg3OH1fdSVKdxdIcoP4OLp3T8mwQ28O8rfk=";
+
+  buildInputs = [
+    xorg.libxcb
+  ];
+
+  # tries to access /sys/
+  doCheck = false;
+
+  meta = with lib; {
+    description = "More powerful alternative to sysctl(8) with a terminal user interface";
+    homepage = "https://github.com/orhun/systeroid";
+    license = licenses.asl20;
+    maintainers = with maintainers; [ SuperSandro2000 ];
+  };
+}

pkgs/top-level/all-packages.nix

@@ -1176,6 +1176,8 @@ with pkgs;
 
   sx-go = callPackage ../tools/security/sx-go { };
 
+  systeroid = callPackage ../tools/system/systeroid { };
+
   tauon = callPackage ../applications/audio/tauon { };
 
   termusic = callPackage ../applications/audio/termusic { };
@@ -5456,7 +5458,6 @@ with pkgs;
 
   trivy = callPackage ../tools/admin/trivy {
     buildGoModule = buildGo118Module;
-    inherit (darwin.apple_sdk.frameworks) CoreFoundation Security;
   };
 
   trompeloeil = callPackage ../development/libraries/trompeloeil { };
@@ -11014,6 +11015,8 @@ with pkgs;
 
   tracebox = callPackage ../tools/networking/tracebox { };
 
+  tracee = callPackage ../tools/security/tracee { };
+
   tracefilegen = callPackage ../development/tools/analysis/garcosim/tracefilegen { };
 
   tracefilesim = callPackage ../development/tools/analysis/garcosim/tracefilesim { };
@@ -21742,6 +21745,8 @@ with pkgs;
 
   nats-server = callPackage ../servers/nats-server { };
 
+  go-camo = callPackage ../servers/http/go-camo { };
+
   gofish = callPackage ../servers/gopher/gofish { };
 
   grafana = callPackage ../servers/monitoring/grafana { };
@@ -23262,6 +23267,8 @@ with pkgs;
   linuxPackages_xanmod_latest = linuxKernel.packages.linux_xanmod_latest;
   linux_xanmod_latest = linuxKernel.kernels.linux_xanmod_latest;
 
+  linux-doc = callPackage ../os-specific/linux/kernel/htmldocs.nix { };
+
   cryptodev = linuxKernel.packages.linux_4_9.cryptodev;
 
   dpdk = callPackage ../os-specific/linux/dpdk {
@@ -31552,7 +31559,7 @@ with pkgs;
   curseofwar = callPackage ../games/curseofwar { SDL = null; };
   curseofwar-sdl = callPackage ../games/curseofwar { ncurses = null; };
 
-  cutemaze = libsForQt5.callPackage ../games/cutemaze { };
+  cutemaze = qt6Packages.callPackage ../games/cutemaze { };
 
   cuyo = callPackage ../games/cuyo { };
 

pkgs/top-level/python-aliases.nix

@@ -58,6 +58,7 @@ mapAliases ({
   django_appconf = django-appconf; # added 2022-03-03
   django_environ = django-environ; # added 2021-12-25
   django_extensions = django-extensions; # added 2022-01-09
+  django_guardian = django-guardian; # added 2022-05-19
   django_modelcluster = django-modelcluster; # added 2022-04-02
   django_redis = django-redis; # added 2021-10-11
   django_taggit = django-taggit; # added 2021-10-11

pkgs/top-level/python-packages.nix

@@ -2329,7 +2329,7 @@ in {
 
   django-gravatar2 = callPackage ../development/python-modules/django-gravatar2 { };
 
-  django_guardian = callPackage ../development/python-modules/django_guardian { };
+  django-guardian = callPackage ../development/python-modules/django-guardian { };
 
   django-haystack = callPackage ../development/python-modules/django-haystack { };