Merge staging-next into staging

2022-04-23 00:02:52 +00:00 · 2022-04-23 00:02:52 +00:00 · 90d2d8da85
parent 05f9abf294 6bf551f367
commit 90d2d8da85
24 changed files with 294 additions and 163 deletions
--- a/nixos/modules/system/boot/luksroot.nix
+++ b/nixos/modules/system/boot/luksroot.nix
@ -1,10 +1,11 @@
-{ config, lib, pkgs, ... }:
+{ config, options, lib, pkgs, ... }:

 with lib;

 let
  luks = config.boot.initrd.luks;
  kernelPackages = config.boot.kernelPackages;
+  defaultPrio = (mkOptionDefault {}).priority;

  commonFunctions = ''
    die() {
@ -474,6 +475,16 @@ let
  preLVM = filterAttrs (n: v: v.preLVM) luks.devices;
  postLVM = filterAttrs (n: v: !v.preLVM) luks.devices;

+  stage1Crypttab = pkgs.writeText "initrd-crypttab" (lib.concatStringsSep "\n" (lib.mapAttrsToList (n: v: let
+    opts = v.crypttabExtraOpts
+      ++ optional v.allowDiscards "discard"
+      ++ optionals v.bypassWorkqueues [ "no-read-workqueue" "no-write-workqueue" ]
+      ++ optional (v.header != null) "header=${v.header}"
+      ++ optional (v.keyFileOffset != null) "keyfile-offset=${v.keyFileOffset}"
+      ++ optional (v.keyFileSize != null) "keyfile-size=${v.keyFileSize}"
+    ;
+  in "${n} ${v.device} ${if v.keyFile == null then "-" else v.keyFile} ${lib.concatStringsSep "," opts}") luks.devices));
+
 in
 {
  imports = [
@ -802,6 +813,18 @@ in
              Commands that should be run right after we have mounted our LUKS device.
            '';
          };
+
+          crypttabExtraOpts = mkOption {
+            type = with types; listOf singleLineStr;
+            default = [];
+            example = [ "_netdev" ];
+            visible = false;
+            description = ''
+              Only used with systemd stage 1.
+
+              Extra options to append to the last column of the generated crypttab file.
+            '';
+          };
        };
      }));
    };
@ -853,6 +876,31 @@ in
                      -> versionAtLeast kernelPackages.kernel.version "5.9";
          message = "boot.initrd.luks.devices.<name>.bypassWorkqueues is not supported for kernels older than 5.9";
        }
+
+        { assertion = config.boot.initrd.systemd.enable -> all (dev: !dev.fallbackToPassword) (attrValues luks.devices);
+          message = "boot.initrd.luks.devices.<name>.fallbackToPassword is implied by systemd stage 1.";
+        }
+        { assertion = config.boot.initrd.systemd.enable -> all (dev: dev.preLVM) (attrValues luks.devices);
+          message = "boot.initrd.luks.devices.<name>.preLVM is not used by systemd stage 1.";
+        }
+        { assertion = config.boot.initrd.systemd.enable -> options.boot.initrd.luks.reusePassphrases.highestPrio == defaultPrio;
+          message = "boot.initrd.luks.reusePassphrases has no effect with systemd stage 1.";
+        }
+        { assertion = config.boot.initrd.systemd.enable -> all (dev: dev.preOpenCommands == "" && dev.postOpenCommands == "") (attrValues luks.devices);
+          message = "boot.initrd.luks.devices.<name>.preOpenCommands and postOpenCommands is not supported by systemd stage 1. Please bind a service to cryptsetup.target or cryptsetup-pre.target instead.";
+        }
+        # TODO
+        { assertion = config.boot.initrd.systemd.enable -> !luks.gpgSupport;
+          message = "systemd stage 1 does not support GPG smartcards yet.";
+        }
+        # TODO
+        { assertion = config.boot.initrd.systemd.enable -> !luks.fido2Support;
+          message = "systemd stage 1 does not support FIDO2 yet.";
+        }
+        # TODO
+        { assertion = config.boot.initrd.systemd.enable -> !luks.yubikeySupport;
+          message = "systemd stage 1 does not support Yubikeys yet.";
+        }
      ];

    # actually, sbp2 driver is the one enabling the DMA attack, but this needs to be tested
@ -867,7 +915,7 @@ in
      ++ (if builtins.elem "xts" luks.cryptoModules then ["ecb"] else []);

    # copy the cryptsetup binary and it's dependencies
-    boot.initrd.extraUtilsCommands = ''
+    boot.initrd.extraUtilsCommands = mkIf (!config.boot.initrd.systemd.enable) ''
      copy_bin_and_libs ${pkgs.cryptsetup}/bin/cryptsetup
      copy_bin_and_libs ${askPass}/bin/cryptsetup-askpass
      sed -i s,/bin/sh,$out/bin/sh, $out/bin/cryptsetup-askpass
@ -915,7 +963,7 @@ in
      ''}
    '';

-    boot.initrd.extraUtilsCommandsTest = ''
+    boot.initrd.extraUtilsCommandsTest = mkIf (!config.boot.initrd.systemd.enable) ''
      $out/bin/cryptsetup --version
      ${optionalString luks.yubikeySupport ''
        $out/bin/ykchalresp -V
@ -932,9 +980,27 @@ in
      ''}
    '';

-    boot.initrd.preFailCommands = postCommands;
-    boot.initrd.preLVMCommands = commonFunctions + preCommands + concatStrings (mapAttrsToList openCommand preLVM) + postCommands;
-    boot.initrd.postDeviceCommands = commonFunctions + preCommands + concatStrings (mapAttrsToList openCommand postLVM) + postCommands;
+    boot.initrd.systemd = {
+      contents."/etc/crypttab".source = stage1Crypttab;
+
+      extraBin.systemd-cryptsetup = "${config.boot.initrd.systemd.package}/lib/systemd/systemd-cryptsetup";
+
+      additionalUpstreamUnits = [
+        "cryptsetup-pre.target"
+        "cryptsetup.target"
+        "remote-cryptsetup.target"
+      ];
+      storePaths = [
+        "${config.boot.initrd.systemd.package}/lib/systemd/systemd-cryptsetup"
+      ];
+
+    };
+    # We do this because we need the udev rules from the package
+    boot.initrd.services.lvm.enable = true;
+
+    boot.initrd.preFailCommands = mkIf (!config.boot.initrd.systemd.enable) postCommands;
+    boot.initrd.preLVMCommands = mkIf (!config.boot.initrd.systemd.enable) (commonFunctions + preCommands + concatStrings (mapAttrsToList openCommand preLVM) + postCommands);
+    boot.initrd.postDeviceCommands = mkIf (!config.boot.initrd.systemd.enable) (commonFunctions + preCommands + concatStrings (mapAttrsToList openCommand postLVM) + postCommands);

    environment.systemPackages = [ pkgs.cryptsetup ];
  };
--- a/nixos/tests/all-tests.nix
+++ b/nixos/tests/all-tests.nix
@ -524,6 +524,8 @@ in
  systemd-confinement = handleTest ./systemd-confinement.nix {};
  systemd-cryptenroll = handleTest ./systemd-cryptenroll.nix {};
  systemd-escaping = handleTest ./systemd-escaping.nix {};
+  systemd-initrd-luks-keyfile = handleTest ./systemd-initrd-luks-keyfile.nix {};
+  systemd-initrd-luks-password = handleTest ./systemd-initrd-luks-password.nix {};
  systemd-initrd-shutdown = handleTest ./systemd-shutdown.nix { systemdStage1 = true; };
  systemd-initrd-simple = handleTest ./systemd-initrd-simple.nix {};
  systemd-initrd-swraid = handleTest ./systemd-initrd-swraid.nix {};
--- a/nixos/tests/installer.nix
+++ b/nixos/tests/installer.nix
@ -299,6 +299,13 @@ let
          virtualisation.qemu.diskInterface =
            if grubVersion == 1 then "scsi" else "virtio";

+          # We don't want to have any networking in the guest whatsoever.
+          # Also, if any vlans are enabled, the guest will reboot
+          # (with a different configuration for legacy reasons),
+          # and spend 5 minutes waiting for the vlan interface to show up
+          # (which will never happen).
+          virtualisation.vlans = [];
+
          boot.loader.systemd-boot.enable = mkIf (bootLoader == "systemd-boot") true;

          hardware.enableAllFirmware = mkForce false;
@ -313,6 +320,7 @@ let
            docbook5
            docbook_xsl_ns
            kmod.dev
+            libarchive.dev
            libxml2.bin
            libxslt.bin
            nixos-artwork.wallpapers.simple-dark-gray-bottom
--- a/nixos/tests/nar-serve.nix
+++ b/nixos/tests/nar-serve.nix
@ -31,7 +31,7 @@ import ./make-test-python.nix (

      # Create a fake cache with Nginx service the static files
      server.succeed(
-          "nix copy --to file:///var/www ${pkgs.hello}"
+          "nix --experimental-features nix-command copy --to file:///var/www ${pkgs.hello}"
      )
      server.wait_for_unit("nginx.service")
      server.wait_for_open_port(80)
--- a/nixos/tests/systemd-initrd-luks-keyfile.nix
+++ b/nixos/tests/systemd-initrd-luks-keyfile.nix
@ -0,0 +1,53 @@
+import ./make-test-python.nix ({ lib, pkgs, ... }: let
+
+  keyfile = pkgs.writeText "luks-keyfile" ''
+    MIGHAoGBAJ4rGTSo/ldyjQypd0kuS7k2OSsmQYzMH6TNj3nQ/vIUjDn7fqa3slt2
+    gV6EK3TmTbGc4tzC1v4SWx2m+2Bjdtn4Fs4wiBwn1lbRdC6i5ZYCqasTWIntWn+6
+    FllUkMD5oqjOR/YcboxG8Z3B5sJuvTP9llsF+gnuveWih9dpbBr7AgEC
+  '';
+
+in {
+  name = "systemd-initrd-luks-keyfile";
+
+  nodes.machine = { pkgs, ... }: {
+    # Use systemd-boot
+    virtualisation = {
+      emptyDiskImages = [ 512 ];
+      useBootLoader = true;
+      useEFIBoot = true;
+    };
+    boot.loader.systemd-boot.enable = true;
+
+    environment.systemPackages = with pkgs; [ cryptsetup ];
+    boot.initrd.systemd = {
+      enable = true;
+      emergencyAccess = true;
+    };
+
+    specialisation.boot-luks.configuration = {
+      boot.initrd.luks.devices = lib.mkVMOverride {
+        cryptroot = {
+          device = "/dev/vdc";
+          keyFile = "/etc/cryptroot.key";
+        };
+      };
+      virtualisation.bootDevice = "/dev/mapper/cryptroot";
+      boot.initrd.systemd.contents."/etc/cryptroot.key".source = keyfile;
+    };
+  };
+
+  testScript = ''
+    # Create encrypted volume
+    machine.wait_for_unit("multi-user.target")
+    machine.succeed("cryptsetup luksFormat -q --iter-time=1 -d ${keyfile} /dev/vdc")
+
+    # Boot from the encrypted disk
+    machine.succeed("bootctl set-default nixos-generation-1-specialisation-boot-luks.conf")
+    machine.succeed("sync")
+    machine.crash()
+
+    # Boot and decrypt the disk
+    machine.wait_for_unit("multi-user.target")
+    assert "/dev/mapper/cryptroot on / type ext4" in machine.succeed("mount")
+  '';
+})
--- a/nixos/tests/systemd-initrd-luks-password.nix
+++ b/nixos/tests/systemd-initrd-luks-password.nix
@ -0,0 +1,48 @@
+import ./make-test-python.nix ({ lib, pkgs, ... }: {
+  name = "systemd-initrd-luks-password";
+
+  nodes.machine = { pkgs, ... }: {
+    # Use systemd-boot
+    virtualisation = {
+      emptyDiskImages = [ 512 512 ];
+      useBootLoader = true;
+      useEFIBoot = true;
+    };
+    boot.loader.systemd-boot.enable = true;
+
+    environment.systemPackages = with pkgs; [ cryptsetup ];
+    boot.initrd.systemd = {
+      enable = true;
+      emergencyAccess = true;
+    };
+
+    specialisation.boot-luks.configuration = {
+      boot.initrd.luks.devices = lib.mkVMOverride {
+        # We have two disks and only type one password - key reuse is in place
+        cryptroot.device = "/dev/vdc";
+        cryptroot2.device = "/dev/vdd";
+      };
+      virtualisation.bootDevice = "/dev/mapper/cryptroot";
+    };
+  };
+
+  testScript = ''
+    # Create encrypted volume
+    machine.wait_for_unit("multi-user.target")
+    machine.succeed("echo -n supersecret | cryptsetup luksFormat -q --iter-time=1 /dev/vdc -")
+    machine.succeed("echo -n supersecret | cryptsetup luksFormat -q --iter-time=1 /dev/vdd -")
+
+    # Boot from the encrypted disk
+    machine.succeed("bootctl set-default nixos-generation-1-specialisation-boot-luks.conf")
+    machine.succeed("sync")
+    machine.crash()
+
+    # Boot and decrypt the disk
+    machine.start()
+    machine.wait_for_console_text("Please enter passphrase for disk cryptroot")
+    machine.send_console("supersecret\n")
+    machine.wait_for_unit("multi-user.target")
+
+    assert "/dev/mapper/cryptroot on / type ext4" in machine.succeed("mount")
+  '';
+})
--- a/pkgs/applications/misc/mob/default.nix
+++ b/pkgs/applications/misc/mob/default.nix
@ -9,13 +9,13 @@

 buildGoPackage rec {
  pname = "mob";
-  version = "2.6.0";
+  version = "3.0.0";

  src = fetchFromGitHub {
    rev = "v${version}";
    owner = "remotemobprogramming";
    repo = pname;
-    sha256 = "sha256-GJ4V4GQRUoXelk0ksHPoFL4iB1W7pe2UydK2AhYjysg=";
+    sha256 = "sha256-silAgScvhl388Uf6HkWqEkNmr/K6aUt/lj/rxzkk/f0=";
  };

  nativeBuildInputs = [
--- a/pkgs/applications/networking/browsers/chromium/upstream-info.json
+++ b/pkgs/applications/networking/browsers/chromium/upstream-info.json
@ -19,9 +19,9 @@
    }
  },
  "beta": {
-    "version": "101.0.4951.34",
-    "sha256": "1pqglzc8k31a4x06jn9pd6y8m4nmmb7rv5b3zancmh0d3z0nz3v5",
-    "sha256bin64": "1zhif47j8nqglaj1z3ism3dl6z8n5ilyyr835an32mf6igkfj217",
+    "version": "101.0.4951.41",
+    "sha256": "0dzsbr309n70jg7fpq2qfnrgcm4553akvdmnzhss1fc85s467609",
+    "sha256bin64": "1jbj5cykxamf32c1s4gsid1wxcsdf4hng2d19q9h7b2ashkvvrbi",
    "deps": {
      "gn": {
        "version": "2022-03-14",
--- a/pkgs/applications/networking/cluster/kops/default.nix
+++ b/pkgs/applications/networking/cluster/kops/default.nix
@ -65,8 +65,8 @@ rec {
  };

  kops_1_23 = mkKops rec {
-    version = "1.23.0";
-    sha256 = "sha256-tiVNUaW0an6C8M9bxEX5pvB/W5IjZ/S24RdPikzm3bc=";
+    version = "1.23.1";
+    sha256 = "sha256-SiseHs5cMj8DR1f6z9PTbtF/h3Bn9riiLWW5KMYwVUg=";
    rev = "v${version}";
  };
 }
--- a/pkgs/applications/networking/n8n/node-packages.nix
+++ b/pkgs/applications/networking/n8n/node-packages.nix
@ -337,6 +337,15 @@ let
        sha512 = "/5O7Fq6Vnv8L6ucmPjaWbVG1XkP4FO+w5glqfkIsq3Xw4oyNAdJddbnYodNDAfjVUvo/rrSCTom4kAND7T1o5Q==";
      };
    };
+    "@techteamer/ocsp-1.0.0" = {
+      name = "_at_techteamer_slash_ocsp";
+      packageName = "@techteamer/ocsp";
+      version = "1.0.0";
+      src = fetchurl {
+        url = "https://registry.npmjs.org/@techteamer/ocsp/-/ocsp-1.0.0.tgz";
+        sha512 = "lNAOoFHaZN+4huo30ukeqVrUmfC+avoEBYQ11QAnAw1PFhnI5oBCg8O/TNiCoEWix7gNGBIEjrQwtPREqKMPog==";
+      };
+    };
    "@tokenizer/token-0.1.1" = {
      name = "_at_tokenizer_slash_token";
      packageName = "@tokenizer/token";
@ -850,15 +859,6 @@ let
        sha512 = "ix/FxPn0MDjeyJ7i/yoHGFt/EX6LyNbxSEhPPXODPL+KB0VPk86UYfL0lMdy+KCnv+fmvIzySwaK5COwqVbWTQ==";
      };
    };
-    "asn1.js-4.10.1" = {
-      name = "asn1.js";
-      packageName = "asn1.js";
-      version = "4.10.1";
-      src = fetchurl {
-        url = "https://registry.npmjs.org/asn1.js/-/asn1.js-4.10.1.tgz";
-        sha512 = "p32cOF5q0Zqs9uBiONKYLm6BClCoBCM5O9JfeUSlnQLBTxYdTK+pW+nXflm8UkKd2UYlEbYz5qEi0JuZR9ckSw==";
-      };
-    };
    "asn1.js-5.4.1" = {
      name = "asn1.js";
      packageName = "asn1.js";
@ -868,15 +868,6 @@ let
        sha512 = "+I//4cYPccV8LdmBLiX8CYvf9Sp3vQsrqu2QNXRcrbiWvcx/UdlFiqUJJzxRQxgsZmvhXhn4cSKeSmoFjVdupA==";
      };
    };
-    "asn1.js-rfc2560-4.0.6" = {
-      name = "asn1.js-rfc2560";
-      packageName = "asn1.js-rfc2560";
-      version = "4.0.6";
-      src = fetchurl {
-        url = "https://registry.npmjs.org/asn1.js-rfc2560/-/asn1.js-rfc2560-4.0.6.tgz";
-        sha512 = "ysf48ni+f/efNPilq4+ApbifUPcSW/xbDeQAh055I+grr2gXgNRQqHew7kkO70WSMQ2tEOURVwsK+dJqUNjIIg==";
-      };
-    };
    "asn1.js-rfc2560-5.0.1" = {
      name = "asn1.js-rfc2560";
      packageName = "asn1.js-rfc2560";
@ -886,15 +877,6 @@ let
        sha512 = "1PrVg6kuBziDN3PGFmRk3QrjpKvP9h/Hv5yMrFZvC1kpzP6dQRzf5BpKstANqHBkaOUmTpakJWhicTATOA/SbA==";
      };
    };
-    "asn1.js-rfc5280-2.0.1" = {
-      name = "asn1.js-rfc5280";
-      packageName = "asn1.js-rfc5280";
-      version = "2.0.1";
-      src = fetchurl {
-        url = "https://registry.npmjs.org/asn1.js-rfc5280/-/asn1.js-rfc5280-2.0.1.tgz";
-        sha512 = "1e2ypnvTbYD/GdxWK77tdLBahvo1fZUHlQJqAVUuZWdYj0rdjGcf2CWYUtbsyRYpYUMwMWLZFUtLxog8ZXTrcg==";
-      };
-    };
    "asn1.js-rfc5280-3.0.0" = {
      name = "asn1.js-rfc5280";
      packageName = "asn1.js-rfc5280";
@ -922,15 +904,6 @@ let
        sha1 = "f12e0f3c5d77b0b1cdd9146942e4e96c1e4dd525";
      };
    };
-    "async-1.5.2" = {
-      name = "async";
-      packageName = "async";
-      version = "1.5.2";
-      src = fetchurl {
-        url = "https://registry.npmjs.org/async/-/async-1.5.2.tgz";
-        sha1 = "ec6a61ae56480c0c3cb241c95618e20892f9672a";
-      };
-    };
    "async-2.6.4" = {
      name = "async";
      packageName = "async";
@ -976,13 +949,13 @@ let
        sha512 = "z4oo33lmnvvNRqfUe3YjDGGpqu/L2+wXBIhMtwq6oqZ+exOUAkQYM6zd2VWKF7AIlajOF8ZZuPFfryTG9iLC/w==";
      };
    };
-    "aws-sdk-2.1116.0" = {
+    "aws-sdk-2.1118.0" = {
      name = "aws-sdk";
      packageName = "aws-sdk";
-      version = "2.1116.0";
+      version = "2.1118.0";
      src = fetchurl {
-        url = "https://registry.npmjs.org/aws-sdk/-/aws-sdk-2.1116.0.tgz";
-        sha512 = "36JFrxPPh/fRQWsgGrZZbzTxRu7dq4KyCKKXPxgVMXylEJsG/KEAVMB1f3eq4PiI5eGxYrpt2OkKoMQZQZLjPA==";
+        url = "https://registry.npmjs.org/aws-sdk/-/aws-sdk-2.1118.0.tgz";
+        sha512 = "R3g06c4RC0Gz/lwMA7wgC7+FwYf5vaO30sPIigoX5m6Tfb7tdzfCYD7pnpvkPRNUvWJ3f5kQk+pEeW25DstRrQ==";
      };
    };
    "aws-sign2-0.7.0" = {
@ -1840,13 +1813,13 @@ let
        sha1 = "e303a882b342cc3ee8ca513a79999734dab3ae2c";
      };
    };
-    "core-js-3.22.0" = {
+    "core-js-3.22.1" = {
      name = "core-js";
      packageName = "core-js";
-      version = "3.22.0";
+      version = "3.22.1";
      src = fetchurl {
-        url = "https://registry.npmjs.org/core-js/-/core-js-3.22.0.tgz";
-        sha512 = "8h9jBweRjMiY+ORO7bdWSeWfHhLPO7whobj7Z2Bl0IDo00C228EdGgH7FE4jGumbEjzcFfkfW8bXgdkEDhnwHQ==";
+        url = "https://registry.npmjs.org/core-js/-/core-js-3.22.1.tgz";
+        sha512 = "l6CwCLq7XgITOQGhv1dIUmwCFoqFjyQ6zQHUCQlS0xKmb9d6OHIg8jDiEoswhaettT21BSF5qKr6kbvE+aKwxw==";
      };
    };
    "core-util-is-1.0.2" = {
@ -2965,13 +2938,13 @@ let
        sha1 = "34f5049ce1ecdf2b0649af3ef24e45ed35416d91";
      };
    };
-    "has-bigints-1.0.1" = {
+    "has-bigints-1.0.2" = {
      name = "has-bigints";
      packageName = "has-bigints";
-      version = "1.0.1";
+      version = "1.0.2";
      src = fetchurl {
-        url = "https://registry.npmjs.org/has-bigints/-/has-bigints-1.0.1.tgz";
-        sha512 = "LSBS2LjbNBTf6287JEbEzvJgftkF5qFkmCo9hDRpAzKhUOlJ+hx8dd4USs00SgsUNwc4617J9ki5YtEClM2ffA==";
+        url = "https://registry.npmjs.org/has-bigints/-/has-bigints-1.0.2.tgz";
+        sha512 = "tSvCKtBr9lkF0Ex0aQiP9N+OpV4zi2r/Nee5VkRDbaqv35RLYMzbwQfFSZZH0kR+Rd6302UJZ2p/bJCEoR3VoQ==";
      };
    };
    "has-flag-4.0.0" = {
@ -3127,15 +3100,6 @@ let
        sha1 = "9aecd925114772f3d95b65a60abb8f7c18fbace1";
      };
    };
-    "http-signature-1.3.6" = {
-      name = "http-signature";
-      packageName = "http-signature";
-      version = "1.3.6";
-      src = fetchurl {
-        url = "https://registry.npmjs.org/http-signature/-/http-signature-1.3.6.tgz";
-        sha512 = "3adrsD6zqo4GsTqtO7FyrejHNv+NgiIfAfv68+jVlFmSr9OGy7zrxONceFRLKvnnZA5jbxQBX1u9PpB6Wi32Gw==";
-      };
-    };
    "https-proxy-agent-5.0.1" = {
      name = "https-proxy-agent";
      packageName = "https-proxy-agent";
@ -3766,15 +3730,6 @@ let
        sha512 = "P2bSOMAc/ciLz6DzgjVlGJP9+BrJWu5UDGK70C2iweC5QBIeFf0ZXRvGjEj2uYgrY2MkAAhsSWHDWlFtEroZWw==";
      };
    };
-    "jsprim-2.0.2" = {
-      name = "jsprim";
-      packageName = "jsprim";
-      version = "2.0.2";
-      src = fetchurl {
-        url = "https://registry.npmjs.org/jsprim/-/jsprim-2.0.2.tgz";
-        sha512 = "gqXddjPqQ6G40VdnI6T6yObEC+pDNvyP95wdQhkWkg7crHH3km5qP1FsOXEkzEQwnz6gz5qGTn1c2Y52wP3OyQ==";
-      };
-    };
    "jwa-1.4.1" = {
      name = "jwa";
      packageName = "jwa";
@ -4540,13 +4495,13 @@ let
        sha512 = "FzJhsid5OxdUvL5R4IYA6iflrGdpuwJUwe1SqeP5OQJVHw345PJ+MeJ7I5+viDF2nJ8rZRQ9boFSW+N/YHh+ZQ==";
      };
    };
-    "n8n-nodes-base-0.171.0" = {
+    "n8n-nodes-base-0.171.1" = {
      name = "n8n-nodes-base";
      packageName = "n8n-nodes-base";
-      version = "0.171.0";
+      version = "0.171.1";
      src = fetchurl {
-        url = "https://registry.npmjs.org/n8n-nodes-base/-/n8n-nodes-base-0.171.0.tgz";
-        sha512 = "qYOjGs95rNItY+65pXoSJWkXQIKh2CxDTOBmx4LPKrWUJ1oLNQBxhFakmlJOQ37+J4nwkwe/wE5WfwHzs2BfdA==";
+        url = "https://registry.npmjs.org/n8n-nodes-base/-/n8n-nodes-base-0.171.1.tgz";
+        sha512 = "VPdyYKAbBfCITznwVEH8hmrdtp23C1W0Ci8u/963UfQrPh2mYmqbNsnxAGlAOLvdPUap4YFwsoegUjq8/qDvFg==";
      };
    };
    "n8n-workflow-0.96.0" = {
@ -4657,22 +4612,22 @@ let
        sha512 = "ZjMPFEfVx5j+y2yF35Kzx5sF7kDzxuDj6ziH4FFbOp87zKDZNx8yExJIb05OGF4Nlt9IHFIMBkRl41VdvcNdbQ==";
      };
    };
-    "node-html-markdown-1.1.3" = {
+    "node-html-markdown-1.2.0" = {
      name = "node-html-markdown";
      packageName = "node-html-markdown";
-      version = "1.1.3";
+      version = "1.2.0";
      src = fetchurl {
-        url = "https://registry.npmjs.org/node-html-markdown/-/node-html-markdown-1.1.3.tgz";
-        sha512 = "iB5Nb8eQjeKHr1k9ot0FkVo5uah6IvYzSbOiNPbmtMt8OWf8os9TCsGEg1Xf51xwYLW461AvKl74HVjiMxvblg==";
+        url = "https://registry.npmjs.org/node-html-markdown/-/node-html-markdown-1.2.0.tgz";
+        sha512 = "mGA53bSqo7j62PjmMuFPdO0efNT9pqiGYhQTNVCWkY7PdduRIECJF7n7NOrr5cb+d/js1GdYRLpoTYDwawRk6A==";
      };
    };
-    "node-html-parser-4.1.5" = {
+    "node-html-parser-5.3.3" = {
      name = "node-html-parser";
      packageName = "node-html-parser";
-      version = "4.1.5";
+      version = "5.3.3";
      src = fetchurl {
-        url = "https://registry.npmjs.org/node-html-parser/-/node-html-parser-4.1.5.tgz";
-        sha512 = "NLgqUXtftqnBqIjlRjYSaApaqE7TTxfTiH4VqKCjdUJKFOtUzRwney83EHz2qYc0XoxXAkYdmLjENCuZHvsIFg==";
+        url = "https://registry.npmjs.org/node-html-parser/-/node-html-parser-5.3.3.tgz";
+        sha512 = "ncg1033CaX9UexbyA7e1N0aAoAYRDiV8jkTvzEnfd1GDvzFdrsXLzR4p4ik8mwLgnaKP/jyUFWDy9q3jvRT2Jw==";
      };
    };
    "node-ssh-12.0.4" = {
@ -4819,15 +4774,6 @@ let
        sha512 = "VdDoCwvJI4QdC6ndjpqFmoL3/+HxffFBbcJzKi5hwLLqqx3mdbedRpfZDdK0SrOSauj8X4GzBvnDZl4vTN7dOw==";
      };
    };
-    "ocsp-1.2.0" = {
-      name = "ocsp";
-      packageName = "ocsp";
-      version = "1.2.0";
-      src = fetchurl {
-        url = "https://registry.npmjs.org/ocsp/-/ocsp-1.2.0.tgz";
-        sha1 = "469a1776b457dee67eb0201408c1946bac4076cc";
-      };
-    };
    "on-finished-2.3.0" = {
      name = "on-finished";
      packageName = "on-finished";
@ -6205,13 +6151,13 @@ let
        sha1 = "68fd025eb0490b4f567a027f0bf22480b5f84133";
      };
    };
-    "showdown-2.0.3" = {
+    "showdown-2.1.0" = {
      name = "showdown";
      packageName = "showdown";
-      version = "2.0.3";
+      version = "2.1.0";
      src = fetchurl {
-        url = "https://registry.npmjs.org/showdown/-/showdown-2.0.3.tgz";
-        sha512 = "jHytkv5c5YFTAOYIIaTT1zLL/aC+7C1FiP0CIGQozhHnnFSbor1oYkaNqWFL6CpB3zJNPPSxJrAlsHgzN14knQ==";
+        url = "https://registry.npmjs.org/showdown/-/showdown-2.1.0.tgz";
+        sha512 = "/6NVYu4U819R2pUIk79n67SYgJHWCce0a5xTP979WbNp0FL9MN1I1QK662IDU1b6JzKTvmhgI7T7JYIxBi3kMQ==";
      };
    };
    "side-channel-1.0.4" = {
@ -6232,13 +6178,13 @@ let
        sha512 = "wnD2ZE+l+SPC/uoS0vXeE9L1+0wuaMqKlfz9AMUo38JsyLSBWSFcHR1Rri62LZc12vLr1gb3jl7iwQhgwpAbGQ==";
      };
    };
-    "simple-git-3.6.0" = {
+    "simple-git-3.7.0" = {
      name = "simple-git";
      packageName = "simple-git";
-      version = "3.6.0";
+      version = "3.7.0";
      src = fetchurl {
-        url = "https://registry.npmjs.org/simple-git/-/simple-git-3.6.0.tgz";
-        sha512 = "2e+4QhOVO59GeLsHgwSMKNrSKCnuACeA/gMNrLCYR8ID9qwm4hViVt4WsODcUGjx//KDv6GMLC6Hs/MeosgXxg==";
+        url = "https://registry.npmjs.org/simple-git/-/simple-git-3.7.0.tgz";
+        sha512 = "O9HlI83ywqkYqnr7Wh3CqKNNrMkfjzpKQSGtJAhk7+H5P+lAxHBTIPgu/eO/0D9pMciepgs433p0d5S+NYv5Jg==";
      };
    };
    "simple-lru-cache-0.0.2" = {
@ -6277,13 +6223,13 @@ let
        sha512 = "LAOh4z89bGQvl9pFfNF8V146i7o7/CqFPbqzYgP+yYzDIDeS9HaNFtXABamRW+AQzEVODcvE79ljJ+8a9YSdMg==";
      };
    };
-    "snowflake-sdk-1.6.8" = {
+    "snowflake-sdk-1.6.9" = {
      name = "snowflake-sdk";
      packageName = "snowflake-sdk";
-      version = "1.6.8";
+      version = "1.6.9";
      src = fetchurl {
-        url = "https://registry.npmjs.org/snowflake-sdk/-/snowflake-sdk-1.6.8.tgz";
-        sha512 = "ZmzeR2W4mQVri546mUxUW+jBxTn0JRKm06EtndO7MUFLcS8YChf60tXTa+s7A0hO8FxQkSQAFonCmtz4nzPoSA==";
+        url = "https://registry.npmjs.org/snowflake-sdk/-/snowflake-sdk-1.6.9.tgz";
+        sha512 = "Rt16zh5t++mZH+CXUBq3sYUUaEQnEMKT86mFtzfgIUk8MnZFJ4qBOwdheSWYU7OI9QnLqLmy8nZN40o9CFgm5A==";
      };
    };
    "source-map-0.6.1" = {
@ -7507,10 +7453,10 @@ in
  n8n = nodeEnv.buildNodePackage {
    name = "n8n";
    packageName = "n8n";
-    version = "0.173.0";
+    version = "0.173.1";
    src = fetchurl {
-      url = "https://registry.npmjs.org/n8n/-/n8n-0.173.0.tgz";
-      sha512 = "V4VPLLYpTWoSs3RE5s6IunrKlEdQEEpwXYYdLqZld4/nTyFrJkFcrTa7LlbmpYUSrLAL7VAPfjJLz/8gUxKTRw==";
+      url = "https://registry.npmjs.org/n8n/-/n8n-0.173.1.tgz";
+      sha512 = "p6sfFQBAvLH4AK9x4E1n00B9F+jVxf/bQiHMzNkGDHvBv+b3OMXnJ1SpLG6hK1vZvXbwvEhZWqH+PrPJHR2eNQ==";
    };
    dependencies = [
      (sources."@azure/abort-controller-1.0.5" // {
@ -7608,6 +7554,11 @@ in
      sources."@selderee/plugin-htmlparser2-0.6.0"
      sources."@servie/events-1.0.0"
      sources."@sqltools/formatter-1.2.2"
+      (sources."@techteamer/ocsp-1.0.0" // {
+        dependencies = [
+          sources."async-3.2.3"
+        ];
+      })
      sources."@tokenizer/token-0.3.0"
      sources."@tootallnate/once-1.1.2"
      sources."@types/bluebird-3.5.36"
@ -7690,7 +7641,7 @@ in
        ];
      })
      sources."avsc-5.7.4"
-      (sources."aws-sdk-2.1116.0" // {
+      (sources."aws-sdk-2.1118.0" // {
        dependencies = [
          sources."buffer-4.9.2"
          sources."events-1.1.1"
@ -7860,7 +7811,7 @@ in
      sources."cookie-0.4.1"
      sources."cookie-parser-1.4.6"
      sources."cookie-signature-1.0.6"
-      sources."core-js-3.22.0"
+      sources."core-js-3.22.1"
      sources."core-util-is-1.0.2"
      sources."crc-32-1.2.2"
      sources."cron-1.7.2"
@ -8028,7 +7979,7 @@ in
          sources."ansi-regex-2.1.1"
        ];
      })
-      sources."has-bigints-1.0.1"
+      sources."has-bigints-1.0.2"
      sources."has-flag-4.0.0"
      sources."has-property-descriptors-1.0.0"
      sources."has-symbols-1.0.3"
@ -8244,7 +8195,7 @@ in
      sources."n8n-core-0.114.0"
      sources."n8n-design-system-0.17.0"
      sources."n8n-editor-ui-0.140.0"
-      (sources."n8n-nodes-base-0.171.0" // {
+      (sources."n8n-nodes-base-0.171.1" // {
        dependencies = [
          sources."iconv-lite-0.6.3"
        ];
@ -8274,8 +8225,8 @@ in
      sources."node-addon-api-4.3.0"
      sources."node-ensure-0.0.0"
      sources."node-fetch-2.6.7"
-      sources."node-html-markdown-1.1.3"
-      sources."node-html-parser-4.1.5"
+      sources."node-html-markdown-1.2.0"
+      sources."node-html-parser-5.3.3"
      sources."node-ssh-12.0.4"
      sources."nodeify-1.0.1"
      sources."nodemailer-6.7.3"
@ -8290,14 +8241,6 @@ in
      sources."object-keys-1.1.1"
      sources."object.assign-4.1.2"
      sources."object.getownpropertydescriptors-2.1.3"
-      (sources."ocsp-1.2.0" // {
-        dependencies = [
-          sources."asn1.js-4.10.1"
-          sources."asn1.js-rfc2560-4.0.6"
-          sources."asn1.js-rfc5280-2.0.1"
-          sources."async-1.5.2"
-        ];
-      })
      sources."on-finished-2.4.1"
      sources."on-headers-1.0.2"
      sources."once-1.4.0"
@ -8508,14 +8451,14 @@ in
      sources."setprototypeof-1.2.0"
      sources."sha.js-2.4.11"
      sources."shell-escape-0.2.0"
-      (sources."showdown-2.0.3" // {
+      (sources."showdown-2.1.0" // {
        dependencies = [
          sources."commander-9.2.0"
        ];
      })
      sources."side-channel-1.0.4"
      sources."signal-exit-3.0.7"
-      sources."simple-git-3.6.0"
+      sources."simple-git-3.7.0"
      sources."simple-lru-cache-0.0.2"
      sources."simple-swizzle-0.2.2"
      sources."slash-3.0.0"
@ -8524,11 +8467,9 @@ in
          sources."tslib-2.3.1"
        ];
      })
-      (sources."snowflake-sdk-1.6.8" // {
+      (sources."snowflake-sdk-1.6.9" // {
        dependencies = [
          sources."debug-3.2.7"
-          sources."http-signature-1.3.6"
-          sources."jsprim-2.0.2"
          sources."tmp-0.2.1"
          sources."uuid-3.4.0"
        ];
--- a/pkgs/applications/version-management/git-lfs/default.nix
+++ b/pkgs/applications/version-management/git-lfs/default.nix
@ -2,13 +2,13 @@

 buildGoPackage rec {
  pname = "git-lfs";
-  version = "3.1.2";
+  version = "3.1.4";

  src = fetchFromGitHub {
    rev = "v${version}";
    owner = "git-lfs";
    repo = "git-lfs";
-    sha256 = "sha256-IEo8poEYPjAbBGk+SQdJqyhwgMYjNLdibI+AktVIg1g=";
+    sha256 = "sha256-dGqb7gw7l2SPGwhHIFbEq6XqMB9QRw3+3Pfbk2S4kW4=";
  };

  goPackagePath = "github.com/git-lfs/git-lfs";
--- a/pkgs/applications/video/ani-cli/default.nix
+++ b/pkgs/applications/video/ani-cli/default.nix
@ -12,13 +12,13 @@

 stdenvNoCC.mkDerivation rec {
  pname = "ani-cli";
-  version = "2.0";
+  version = "2.1";

  src = fetchFromGitHub {
    owner = "pystardust";
    repo = "ani-cli";
    rev = "v${version}";
-    sha256 = "sha256-cDxb/IcpzR5akWnA8RN+fKQn0+QnpBV8tAbUjjPICsA=";
+    sha256 = "sha256-A1c7YdBh2VOhw/xTvhNV50j9n+SELyRTHI5w+AeiWDs=";
  };

  nativeBuildInputs = [ makeWrapper ];
--- a/pkgs/development/libraries/libe57format/default.nix
+++ b/pkgs/development/libraries/libe57format/default.nix
@ -1,6 +1,7 @@
 {
  lib, stdenv,
  cmake,
+  fetchpatch,
  fetchFromGitHub,
  boost,
  xercesc,
@ -18,6 +19,14 @@ stdenv.mkDerivation rec {
    sha256 = "15l23spjvak5h3n7aj3ggy0c3cwcg8mvnc9jlbd9yc2ra43bx7bp";
  };

+  patches = [
+    # gcc11 header fix
+    (fetchpatch {
+      url = "https://github.com/asmaloney/libE57Format/commit/13f6a16394ce3eb50ea4cd21f31f77f53294e8d0.patch";
+      sha256 = "sha256-4vVhKrCxnWO106DSAk+xxo4uk6zC89m9VQAPaDJ8Ed4=";
+    })
+  ];
+
  nativeBuildInputs = [
    cmake
  ];
--- a/pkgs/development/libraries/libvirt/default.nix
+++ b/pkgs/development/libraries/libvirt/default.nix
@ -26,6 +26,7 @@
 , ninja
 , perl
 , perlPackages
+, polkit
 , pkg-config
 , pmutils
 , python3
@ -227,6 +228,9 @@ stdenv.mkDerivation rec {
        --replace "gmake" "make" \
        --replace "ggrep" "grep"

+      substituteInPlace src/util/virpolkit.h \
+        --replace '"/usr/bin/pkttyagent"' '"${polkit.bin}/bin/pkttyagent"'
+
      patchShebangs .
    ''
    + (lib.concatStringsSep "\n" (lib.mapAttrsToList patchBuilder overrides));
--- a/pkgs/development/python-modules/flask-httpauth/default.nix
+++ b/pkgs/development/python-modules/flask-httpauth/default.nix
@ -2,14 +2,14 @@

 buildPythonPackage rec {
  pname = "flask-httpauth";
-  version = "4.5.0";
+  version = "4.6.0";

  disabled = python.pythonOlder "3";

  src = fetchPypi {
    pname = "Flask-HTTPAuth";
    version = version;
-    sha256 = "0ada63rkcvwkakjyx4ay98fjzwx5h55br12ys40ghkc5lbyl0l1r";
+    sha256 = "sha256-IHbPhuhMaqRC7gM0S/91Hq4TPTWhpIkx5vmfFHFhtVs=";
  };

  checkInputs = [ pytestCheckHook ];
--- a/pkgs/development/python-modules/qiskit-ibmq-provider/default.nix
+++ b/pkgs/development/python-modules/qiskit-ibmq-provider/default.nix
@ -40,15 +40,15 @@ let
 in
 buildPythonPackage rec {
  pname = "qiskit-ibmq-provider";
-  version = "0.19.0";
+  version = "0.19.1";

  disabled = pythonOlder "3.6";

  src = fetchFromGitHub {
    owner = "Qiskit";
    repo = pname;
-    rev = version;
-    sha256 = "sha256-ODu8OgGpzlMjRX7ebMu4DXKj6jUyohCq4Hb8aV5eWIU=";
+    rev = "refs/tags/${version}";
+    sha256 = "sha256-VdGdaOxCwD2Qa0JCCDVZJtcjhmTssS/KgpcjoaPXYB8=";
  };

  propagatedBuildInputs = [
--- a/pkgs/development/python-modules/qiskit-terra/default.nix
+++ b/pkgs/development/python-modules/qiskit-terra/default.nix
@ -55,7 +55,7 @@ in

 buildPythonPackage rec {
  pname = "qiskit-terra";
-  version = "0.20.0";
+  version = "0.20.1";

  disabled = pythonOlder "3.7";

@ -63,7 +63,7 @@ buildPythonPackage rec {
    owner = "qiskit";
    repo = pname;
    rev = version;
-    sha256 = "sha256-/t87IgazpJlfd8NT2Pkn5b6/Ut104DcJEFCubQ/bBiw=";
+    sha256 = "sha256-spKLPUlUXBmnIo/rnBPUFf72Vxd53xFhh409KzytpkI=";
  };

  nativeBuildInputs = [ setuptools-rust ] ++ (with rustPlatform; [ rust.rustc rust.cargo cargoSetupHook ]);
@ -71,7 +71,7 @@ buildPythonPackage rec {
  cargoDeps = rustPlatform.fetchCargoTarball {
    inherit src;
    name = "${pname}-${version}";
-    sha256 = "sha256-tNiBXn32g1PTuTmKNXSac+4PLSc1Ao9n+oAMfvVYR30=";
+    sha256 = "sha256-KNx7c5Jc1AWIpldMQ1AcWYuMb4W+yLY/cgB87hzPuVY=";
  };

  propagatedBuildInputs = [
--- a/pkgs/development/python-modules/qiskit/default.nix
+++ b/pkgs/development/python-modules/qiskit/default.nix
@ -28,7 +28,7 @@ in
 buildPythonPackage rec {
  pname = "qiskit";
  # NOTE: This version denotes a specific set of subpackages. See https://qiskit.org/documentation/release_notes.html#version-history
-  version = "0.36.0";
+  version = "0.36.1";

  disabled = pythonOlder "3.6";

@ -36,7 +36,7 @@ buildPythonPackage rec {
    owner = "Qiskit";
    repo = "qiskit";
    rev = version;
-    sha256 = "sha256-zTdvROru56/HNpoHKSVe3pQZeDSMFmaTCUAr1FOaE5A=";
+    sha256 = "sha256-cprFWWvYgfoJXvK0Xoi67BwOXQfz7XeHT/JbfErqblk=";
  };

  propagatedBuildInputs = [
--- a/pkgs/development/tools/analysis/cppcheck/default.nix
+++ b/pkgs/development/tools/analysis/cppcheck/default.nix
@ -2,13 +2,13 @@

 stdenv.mkDerivation rec {
  pname = "cppcheck";
-  version = "2.7.4";
+  version = "2.7.5";

  src = fetchFromGitHub {
    owner = "danmar";
    repo = "cppcheck";
    rev = version;
-    sha256 = "sha256-bMDH3TRAdDoI1AaHTpIl4P/yk9wsV0ReNh6bMmCsKys=";
+    sha256 = "sha256-GRhQXGldirIhUBI4CucDTTxuZhG0XW0qp1FjYXhVS0o=";
  };

  buildInputs = [ pcre
--- a/pkgs/development/tools/analysis/flow/default.nix
+++ b/pkgs/development/tools/analysis/flow/default.nix
@ -2,13 +2,13 @@

 stdenv.mkDerivation rec {
  pname = "flow";
-  version = "0.175.1";
+  version = "0.176.2";

  src = fetchFromGitHub {
    owner = "facebook";
    repo = "flow";
    rev = "v${version}";
-    sha256 = "sha256-40Kc/Qg0ppTQLU2ySbKXZyhap3hH4BiIMhJeNDU6mKA=";
+    sha256 = "sha256-/4wEafdmrXj4ALUVYx8DM9XyRP/wvbwAl0St1S/+9Ws=";
  };

  makeFlags = [ "FLOW_RELEASE=1" ];
--- a/pkgs/development/tools/build-managers/tup/setup-hook.sh
+++ b/pkgs/development/tools/build-managers/tup/setup-hook.sh
@ -19,7 +19,7 @@ tupConfigurePhase() {
    echo "${tupConfig-}" >> tup.config

    tup init
-    tup generate tupBuild.sh
+    tup generate --verbose tupBuild.sh

    runHook postConfigure
 }
@ -33,7 +33,7 @@ tupBuildPhase() {
    runHook preBuild

    pushd .
-    . tupBuild.sh
+    ./tupBuild.sh
    popd

    runHook postBuild
--- a/pkgs/development/tools/misc/saleae-logic-2/default.nix
+++ b/pkgs/development/tools/misc/saleae-logic-2/default.nix
@ -1,10 +1,10 @@
 { lib, fetchurl, makeDesktopItem, appimageTools, gtk3 }:
 let
  name = "saleae-logic-2";
-  version = "2.3.47";
+  version = "2.3.50";
  src = fetchurl {
    url = "https://downloads.saleae.com/logic2/Logic-${version}-master.AppImage";
-    sha256 = "sha256-6/FtdupveKnbAK6LizmJ6BokE0kXgUaMz0sOWi+Fq8k=";
+    sha256 = "sha256-jkdFdgiSP2ssrUajl85FA4E21Qi6BUgrjKFdlBYyG7c=";
  };
  desktopItem = makeDesktopItem {
    inherit name;
--- a/pkgs/servers/plex/raw.nix
+++ b/pkgs/servers/plex/raw.nix
@ -12,16 +12,16 @@
 # server, and the FHS userenv and corresponding NixOS module should
 # automatically pick up the changes.
 stdenv.mkDerivation rec {
-  version = "1.25.9.5721-965587f64";
+  version = "1.26.0.5715-8cf78dab3";
  pname = "plexmediaserver";

  # Fetch the source
  src = if stdenv.hostPlatform.system == "aarch64-linux" then fetchurl {
    url = "https://downloads.plex.tv/plex-media-server-new/${version}/debian/plexmediaserver_${version}_arm64.deb";
-    hash = "sha256-qD4VZ0ksR+VyBVVjeSCC2EG+uUHh5RE2fihHrIJUItY=";
+    hash = "sha256-Ou5DlQPk+zAt/wE5Nry4nzLaR1Id6tQdwl73qawig4M=";
  } else fetchurl {
    url = "https://downloads.plex.tv/plex-media-server-new/${version}/debian/plexmediaserver_${version}_amd64.deb";
-    hash = "sha256-NPfpQ8JwXDaq8xpvSabyqdDqMWjoqbeoJdu41nhdsI0=";
+    hash = "sha256-DQbRobiJwT7Xr4NzKS2iQOszOsd/bS/+kJ4p+QUVXfg=";
  };

  outputs = [ "out" "basedb" ];
--- a/pkgs/tools/admin/ejson2env/default.nix
+++ b/pkgs/tools/admin/ejson2env/default.nix
@ -2,16 +2,16 @@

 buildGoModule rec {
  pname = "ejson2env";
-  version = "2.0.4";
+  version = "2.0.5";

  src = fetchFromGitHub {
    owner = "Shopify";
    repo = pname;
    rev = "v${version}";
-    sha256 = "sha256-Oc0fWihOUafYN5t9SxHxaYJEv5e46CCDNe4xo+Dcjrs=";
+    sha256 = "sha256-HcUmFajbOUZ0T5Th6OA9WBtfTz646qLbXx8NVeJsVng=";
  };

-  vendorSha256 = "sha256-BY45WirK9AVhvFGB5uqI4dLxzO2WuNNhhJbQ6nsRXao=";
+  vendorSha256 = "sha256-agWcD8vFNde1SCdkRovMNPf+1KODxV8wW1mXvE0w/CI=";

  ldflags = [
    "-X main.version=${version}"