Merge master into staging-next

flake.nix

@@ -57,6 +57,19 @@
 
       nixosModules = {
         notDetected = ./nixos/modules/installer/scan/not-detected.nix;
+
+        /*
+          Make the `nixpkgs.*` configuration read-only. Guarantees that `pkgs`
+          is the way you initialize it.
+
+          Example:
+
+              {
+                imports = [ nixpkgs.nixosModules.readOnlyPkgs ];
+                nixpkgs.pkgs = nixpkgs.legacyPackages.x86_64-linux;
+              }
+        */
+        readOnlyPkgs = ./nixos/modules/misc/nixpkgs/read-only.nix;
       };
     };
 }

lib/types.nix

@@ -476,6 +476,14 @@ rec {
       check = x: isDerivation x && hasAttr "shellPath" x;
     };
 
+    pkgs = addCheck
+      (unique { message = "A Nixpkgs pkgs set can not be merged with another pkgs set."; } attrs // {
+        name = "pkgs";
+        descriptionClass = "noun";
+        description = "Nixpkgs package set";
+      })
+      (x: (x._type or null) == "pkgs");
+
     path = mkOptionType {
       name = "path";
       descriptionClass = "noun";

maintainers/maintainer-list.nix

@@ -15950,6 +15950,12 @@
     githubId = 8577941;
     name = "Kevin Rauscher";
   };
+  tomaskala = {
+    email = "public+nixpkgs@tomaskala.com";
+    github = "tomaskala";
+    githubId = 7727887;
+    name = "Tomas Kala";
+  };
   tomberek = {
     email = "tomberek@gmail.com";
     matrix = "@tomberek:matrix.org";

maintainers/scripts/copy-tarballs.pl

@@ -162,13 +162,18 @@ elsif (defined $expr) {
     # Check every fetchurl call discovered by find-tarballs.nix.
     my $mirrored = 0;
     my $have = 0;
-    foreach my $fetch (sort { $a->{url} cmp $b->{url} } @{$fetches}) {
-        my $url = $fetch->{url};
+    foreach my $fetch (sort { $a->{urls}->[0] cmp $b->{urls}->[0] } @{$fetches}) {
+        my $urls = $fetch->{urls};
         my $algo = $fetch->{type};
         my $hash = $fetch->{hash};
         my $name = $fetch->{name};
         my $isPatch = $fetch->{isPatch};
 
+        if ($isPatch) {
+            print STDERR "skipping $urls->[0] (support for patches is missing)\n";
+            next;
+        }
+
         if ($hash =~ /^([a-z0-9]+)-([A-Za-z0-9+\/=]+)$/) {
             $algo = $1;
             $hash = `nix hash to-base16 $hash` or die;
@@ -183,62 +188,60 @@ elsif (defined $expr) {
             chomp $hash;
         }
 
-        if (defined $ENV{DEBUG}) {
-            print "$url $algo $hash\n";
-            next;
-        }
-
-        if ($url !~ /^http:/ && $url !~ /^https:/ && $url !~ /^ftp:/ && $url !~ /^mirror:/) {
-            print STDERR "skipping $url (unsupported scheme)\n";
-            next;
-        }
-
-        if ($isPatch) {
-            print STDERR "skipping $url (support for patches is missing)\n";
-            next;
-        }
-
-        next if defined $exclude && $url =~ /$exclude/;
-
-        if (alreadyMirrored($algo, $hash)) {
-            $have++;
-            next;
-        }
-
         my $storePath = makeFixedOutputPath(0, $algo, $hash, $name);
 
-        print STDERR "mirroring $url ($storePath, $algo, $hash)...\n";
+        for my $url (@$urls) {
+            if (defined $ENV{DEBUG}) {
+                print "$url $algo $hash\n";
+                next;
+            }
 
-        if ($dryRun) {
+            if ($url !~ /^http:/ && $url !~ /^https:/ && $url !~ /^ftp:/ && $url !~ /^mirror:/) {
+                print STDERR "skipping $url (unsupported scheme)\n";
+                next;
+            }
+
+            next if defined $exclude && $url =~ /$exclude/;
+
+            if (alreadyMirrored($algo, $hash)) {
+                $have++;
+                last;
+            }
+
+            print STDERR "mirroring $url ($storePath, $algo, $hash)...\n";
+
+            if ($dryRun) {
+                $mirrored++;
+                last;
+            }
+
+            # Substitute the output.
+            if (!isValidPath($storePath)) {
+                system("nix-store", "-r", $storePath);
+            }
+
+            # Otherwise download the file using nix-prefetch-url.
+            if (!isValidPath($storePath)) {
+                $ENV{QUIET} = 1;
+                $ENV{PRINT_PATH} = 1;
+                my $fh;
+                my $pid = open($fh, "-|", "nix-prefetch-url", "--type", $algo, $url, $hash) or die;
+                waitpid($pid, 0) or die;
+                if ($? != 0) {
+                    print STDERR "failed to fetch $url: $?\n";
+                    next;
+                }
+                <$fh>; my $storePath2 = <$fh>; chomp $storePath2;
+                if ($storePath ne $storePath2) {
+                    warn "strange: $storePath != $storePath2\n";
+                    next;
+                }
+            }
+
+            uploadFile($storePath, $url);
             $mirrored++;
-            next;
+            last;
         }
-
-        # Substitute the output.
-        if (!isValidPath($storePath)) {
-            system("nix-store", "-r", $storePath);
-        }
-
-        # Otherwise download the file using nix-prefetch-url.
-        if (!isValidPath($storePath)) {
-            $ENV{QUIET} = 1;
-            $ENV{PRINT_PATH} = 1;
-            my $fh;
-            my $pid = open($fh, "-|", "nix-prefetch-url", "--type", $algo, $url, $hash) or die;
-            waitpid($pid, 0) or die;
-            if ($? != 0) {
-                print STDERR "failed to fetch $url: $?\n";
-                next;
-            }
-            <$fh>; my $storePath2 = <$fh>; chomp $storePath2;
-            if ($storePath ne $storePath2) {
-                warn "strange: $storePath != $storePath2\n";
-                next;
-            }
-        }
-
-        uploadFile($storePath, $url);
-        $mirrored++;
     }
 
     print STDERR "mirrored $mirrored files, already have $have files\n";

maintainers/scripts/find-tarballs.nix

@@ -9,12 +9,12 @@ let
 
   root = expr;
 
-  uniqueUrls = map (x: x.file) (genericClosure {
-    startSet = map (file: { key = file.url; inherit file; }) urls;
+  uniqueFiles = map (x: x.file) (genericClosure {
+    startSet = map (file: { key = with file; (if type == null then "" else type + "+") + hash; inherit file; }) files;
     operator = const [ ];
   });
 
-  urls = map (drv: { url = head (drv.urls or [ drv.url ]); hash = drv.outputHash; isPatch = (drv?postFetch && drv.postFetch != ""); type = drv.outputHashAlgo; name = drv.name; }) fetchurlDependencies;
+  files = map (drv: { urls = drv.urls or [ drv.url ]; hash = drv.outputHash; isPatch = (drv?postFetch && drv.postFetch != ""); type = drv.outputHashAlgo; name = drv.name; }) fetchurlDependencies;
 
   fetchurlDependencies =
     filter
@@ -47,4 +47,4 @@ let
 
   canEval = val: (builtins.tryEval val).success;
 
-in uniqueUrls
+in uniqueFiles

nixos/doc/manual/development/option-types.section.md

@@ -99,6 +99,10 @@ merging is handled.
     problems.
     :::
 
+`types.pkgs`
+
+:   A type for the top level Nixpkgs package set.
+
 ### Numeric types {#sec-option-types-numeric}
 
 `types.int`

nixos/lib/eval-config.nix

@@ -38,6 +38,8 @@ let pkgs_ = pkgs;
 in
 
 let
+  inherit (lib) optional;
+
   evalModulesMinimal = (import ./default.nix {
     inherit lib;
     # Implicit use of feature is noted in implementation.
@@ -47,15 +49,19 @@ let
   pkgsModule = rec {
     _file = ./eval-config.nix;
     key = _file;
-    config = {
-      # Explicit `nixpkgs.system` or `nixpkgs.localSystem` should override
-      # this.  Since the latter defaults to the former, the former should
-      # default to the argument. That way this new default could propagate all
-      # they way through, but has the last priority behind everything else.
-      nixpkgs.system = lib.mkIf (system != null) (lib.mkDefault system);
-
-      _module.args.pkgs = lib.mkIf (pkgs_ != null) (lib.mkForce pkgs_);
-    };
+    config = lib.mkMerge (
+      (optional (system != null) {
+        # Explicit `nixpkgs.system` or `nixpkgs.localSystem` should override
+        # this.  Since the latter defaults to the former, the former should
+        # default to the argument. That way this new default could propagate all
+        # they way through, but has the last priority behind everything else.
+        nixpkgs.system = lib.mkDefault system;
+      })
+      ++
+      (optional (pkgs_ != null) {
+        _module.args.pkgs = lib.mkForce pkgs_;
+      })
+    );
   };
 
   withWarnings = x:

nixos/lib/testing/nodes.nix

@@ -1,13 +1,22 @@
 testModuleArgs@{ config, lib, hostPkgs, nodes, ... }:
 
 let
-  inherit (lib) mkOption mkForce optional types mapAttrs mkDefault mdDoc;
-
-  system = hostPkgs.stdenv.hostPlatform.system;
+  inherit (lib)
+    literalExpression
+    literalMD
+    mapAttrs
+    mdDoc
+    mkDefault
+    mkIf
+    mkOption mkForce
+    optional
+    optionalAttrs
+    types
+    ;
 
   baseOS =
     import ../eval-config.nix {
-      inherit system;
+      system = null; # use modularly defined system
       inherit (config.node) specialArgs;
       modules = [ config.defaults ];
       baseModules = (import ../../modules/module-list.nix) ++
@@ -17,11 +26,17 @@ let
           ({ config, ... }:
             {
               virtualisation.qemu.package = testModuleArgs.config.qemu.package;
-
+            })
+          (optionalAttrs (!config.node.pkgsReadOnly) {
+            key = "nodes.nix-pkgs";
+            config = {
               # Ensure we do not use aliases. Ideally this is only set
               # when the test framework is used by Nixpkgs NixOS tests.
               nixpkgs.config.allowAliases = false;
-            })
+              # TODO: switch to nixpkgs.hostPlatform and make sure containers-imperative test still evaluates.
+              nixpkgs.system = hostPkgs.stdenv.hostPlatform.system;
+            };
+          })
           testModuleArgs.config.extraBaseModules
         ];
     };
@@ -68,6 +83,30 @@ in
       default = { };
     };
 
+    node.pkgs = mkOption {
+      description = mdDoc ''
+        The Nixpkgs to use for the nodes.
+
+        Setting this will make the `nixpkgs.*` options read-only, to avoid mistakenly testing with a Nixpkgs configuration that diverges from regular use.
+      '';
+      type = types.nullOr types.pkgs;
+      default = null;
+      defaultText = literalMD ''
+        `null`, so construct `pkgs` according to the `nixpkgs.*` options as usual.
+      '';
+    };
+
+    node.pkgsReadOnly = mkOption {
+      description = mdDoc ''
+        Whether to make the `nixpkgs.*` options read-only. This is only relevant when [`node.pkgs`](#test-opt-node.pkgs) is set.
+
+        Set this to `false` when any of the [`nodes`](#test-opt-nodes) needs to configure any of the `nixpkgs.*` options. This will slow down evaluation of your test a bit.
+      '';
+      type = types.bool;
+      default = config.node.pkgs != null;
+      defaultText = literalExpression ''node.pkgs != null'';
+    };
+
     node.specialArgs = mkOption {
       type = types.lazyAttrsOf types.raw;
       default = { };
@@ -100,5 +139,11 @@ in
         config.nodes;
 
     passthru.nodes = config.nodesCompat;
+
+    defaults = mkIf config.node.pkgsReadOnly {
+      nixpkgs.pkgs = config.node.pkgs;
+      imports = [ ../../modules/misc/nixpkgs/read-only.nix ];
+    };
+
   };
 }

nixos/modules/misc/nixpkgs.nix

@@ -49,10 +49,10 @@ let
     merge = lib.mergeOneOption;
   };
 
-  pkgsType = mkOptionType {
-    name = "nixpkgs";
+  pkgsType = types.pkgs // {
+    # This type is only used by itself, so let's elaborate the description a bit
+    # for the purpose of documentation.
     description = "An evaluation of Nixpkgs; the top level attribute set of packages";
-    check = builtins.isAttrs;
   };
 
   # Whether `pkgs` was constructed by this module - not if nixpkgs.pkgs or

nixos/modules/misc/nixpkgs/read-only.nix

@@ -0,0 +1,74 @@
+# A replacement for the traditional nixpkgs module, such that none of the modules
+# can add their own configuration. This ensures that the Nixpkgs configuration is
+# exactly as the user intends.
+# This may also be used as a performance optimization when evaluating multiple
+# configurations at once, with a shared `pkgs`.
+
+# This is a separate module, because merging this logic into the nixpkgs module
+# is too burdensome, considering that it is already burdened with legacy.
+# Moving this logic into a module does not lose any composition benefits, because
+# its purpose is not something that composes anyway.
+
+{ lib, config, ... }:
+
+let
+  cfg = config.nixpkgs;
+  inherit (lib) mkOption types;
+
+in
+{
+  disabledModules = [
+    ../nixpkgs.nix
+  ];
+  options = {
+    nixpkgs = {
+      pkgs = mkOption {
+        type = lib.types.pkgs;
+        description = lib.mdDoc ''The pkgs module argument.'';
+      };
+      config = mkOption {
+        internal = true;
+        type = types.unique { message = "nixpkgs.config is set to read-only"; } types.anything;
+        description = lib.mdDoc ''
+          The Nixpkgs `config` that `pkgs` was initialized with.
+        '';
+      };
+      overlays = mkOption {
+        internal = true;
+        type = types.unique { message = "nixpkgs.overlays is set to read-only"; } types.anything;
+        description = lib.mdDoc ''
+          The Nixpkgs overlays that `pkgs` was initialized with.
+        '';
+      };
+      hostPlatform = mkOption {
+        internal = true;
+        readOnly = true;
+        description = lib.mdDoc ''
+          The platform of the machine that is running the NixOS configuration.
+        '';
+      };
+      buildPlatform = mkOption {
+        internal = true;
+        readOnly = true;
+        description = lib.mdDoc ''
+          The platform of the machine that built the NixOS configuration.
+        '';
+      };
+      # NOTE: do not add the legacy options such as localSystem here. Let's keep
+      #       this module simple and let module authors upgrade their code instead.
+    };
+  };
+  config = {
+    _module.args.pkgs =
+      # find mistaken definitions
+      builtins.seq cfg.config
+      builtins.seq cfg.overlays
+      builtins.seq cfg.hostPlatform
+      builtins.seq cfg.buildPlatform
+      cfg.pkgs;
+    nixpkgs.config = cfg.pkgs.config;
+    nixpkgs.overlays = cfg.pkgs.overlays;
+    nixpkgs.hostPlatform = cfg.pkgs.stdenv.hostPlatform;
+    nixpkgs.buildPlatform = cfg.pkgs.stdenv.buildPlatform;
+  };
+}

nixos/modules/misc/nixpkgs/test.nix

@@ -1,3 +1,5 @@
+# [nixpkgs]$ nix-build -A nixosTests.nixpkgs --show-trace
+
 { evalMinimalConfig, pkgs, lib, stdenv }:
 let
   eval = mod: evalMinimalConfig {
@@ -27,6 +29,47 @@ let
     let
       uncheckedEval = lib.evalModules { modules = [ ../nixpkgs.nix module ]; };
     in map (ass: ass.message) (lib.filter (ass: !ass.assertion) uncheckedEval.config.assertions);
+
+  readOnlyUndefined = evalMinimalConfig {
+    imports = [ ./read-only.nix ];
+  };
+
+  readOnlyBad = evalMinimalConfig {
+    imports = [ ./read-only.nix ];
+    nixpkgs.pkgs = { };
+  };
+
+  readOnly = evalMinimalConfig {
+    imports = [ ./read-only.nix ];
+    nixpkgs.pkgs = pkgs;
+  };
+
+  readOnlyBadConfig = evalMinimalConfig {
+    imports = [ ./read-only.nix ];
+    nixpkgs.pkgs = pkgs;
+    nixpkgs.config.allowUnfree = true; # do in pkgs instead!
+  };
+
+  readOnlyBadOverlays = evalMinimalConfig {
+    imports = [ ./read-only.nix ];
+    nixpkgs.pkgs = pkgs;
+    nixpkgs.overlays = [ (_: _: {}) ]; # do in pkgs instead!
+  };
+
+  readOnlyBadHostPlatform = evalMinimalConfig {
+    imports = [ ./read-only.nix ];
+    nixpkgs.pkgs = pkgs;
+    nixpkgs.hostPlatform = "foo-linux"; # do in pkgs instead!
+  };
+
+  readOnlyBadBuildPlatform = evalMinimalConfig {
+    imports = [ ./read-only.nix ];
+    nixpkgs.pkgs = pkgs;
+    nixpkgs.buildPlatform = "foo-linux"; # do in pkgs instead!
+  };
+
+  throws = x: ! (builtins.tryEval x).success;
+
 in
 lib.recurseIntoAttrs {
   invokeNixpkgsSimple =
@@ -65,5 +108,21 @@ lib.recurseIntoAttrs {
         nixpkgs.pkgs = pkgs;
       } == [];
 
+
+    # Tests for the read-only.nix module
+    assert readOnly._module.args.pkgs.stdenv.hostPlatform.system == pkgs.stdenv.hostPlatform.system;
+    assert throws readOnlyBad._module.args.pkgs.stdenv;
+    assert throws readOnlyUndefined._module.args.pkgs.stdenv;
+    assert throws readOnlyBadConfig._module.args.pkgs.stdenv;
+    assert throws readOnlyBadOverlays._module.args.pkgs.stdenv;
+    assert throws readOnlyBadHostPlatform._module.args.pkgs.stdenv;
+    assert throws readOnlyBadBuildPlatform._module.args.pkgs.stdenv;
+    # read-only.nix does not provide legacy options, for the sake of simplicity
+    # If you're bothered by this, upgrade your configs to use the new *Platform
+    # options.
+    assert !readOnly.options.nixpkgs?system;
+    assert !readOnly.options.nixpkgs?localSystem;
+    assert !readOnly.options.nixpkgs?crossSystem;
+
     pkgs.emptyFile;
 }

nixos/tests/all-tests.nix

@@ -46,7 +46,7 @@ let
   inherit
     (rec {
       doRunTest = arg: ((import ../lib/testing-python.nix { inherit system pkgs; }).evalTest {
-        imports = [ arg ];
+        imports = [ arg readOnlyPkgs ];
       }).config.result;
       findTests = tree:
         if tree?recurseForDerivations && tree.recurseForDerivations
@@ -65,6 +65,23 @@ let
     runTestOn
     ;
 
+  # Using a single instance of nixpkgs makes test evaluation faster.
+  # To make sure we don't accidentally depend on a modified pkgs, we make the
+  # related options read-only. We need to test the right configuration.
+  #
+  # If your service depends on a nixpkgs setting, first try to avoid that, but
+  # otherwise, you can remove the readOnlyPkgs import and test your service as
+  # usual.
+  readOnlyPkgs =
+    # TODO: We currently accept this for nixosTests, so that the `pkgs` argument
+    #       is consistent with `pkgs` in `pkgs.nixosTests`. Can we reinitialize
+    #       it with `allowAliases = false`?
+    # warnIf pkgs.config.allowAliases "nixosTests: pkgs includes aliases."
+    {
+      _class = "nixosTest";
+      node.pkgs = pkgs;
+    };
+
 in {
 
   # Testing the test driver
@@ -267,7 +284,7 @@ in {
   gitdaemon = handleTest ./gitdaemon.nix {};
   gitea = handleTest ./gitea.nix { giteaPackage = pkgs.gitea; };
   github-runner = handleTest ./github-runner.nix {};
-  gitlab = handleTest ./gitlab.nix {};
+  gitlab = runTest ./gitlab.nix;
   gitolite = handleTest ./gitolite.nix {};
   gitolite-fcgiwrap = handleTest ./gitolite-fcgiwrap.nix {};
   glusterfs = handleTest ./glusterfs.nix {};

nixos/tests/gitlab.nix

@@ -6,7 +6,10 @@
 # - Creating Merge Requests and merging them
 # - Opening and closing issues.
 # - Downloading repository archives as tar.gz and tar.bz2
-import ./make-test-python.nix ({ pkgs, lib, ... }:
+# Run with
+# [nixpkgs]$ nix-build -A nixosTests.gitlab
+
+{ pkgs, lib, ... }:
 
 with lib;
 
@@ -174,7 +177,7 @@ in {
         gitlab.wait_for_unit("gitlab.service")
         gitlab.wait_for_unit("gitlab-pages.service")
         gitlab.wait_for_unit("gitlab-sidekiq.service")
-        gitlab.wait_for_file("${nodes.gitlab.config.services.gitlab.statePath}/tmp/sockets/gitlab.socket")
+        gitlab.wait_for_file("${nodes.gitlab.services.gitlab.statePath}/tmp/sockets/gitlab.socket")
         gitlab.wait_until_succeeds("curl -sSf http://gitlab/users/sign_in")
       '';
 
@@ -419,15 +422,15 @@ in {
     + ''
       gitlab.systemctl("start gitlab-backup.service")
       gitlab.wait_for_unit("gitlab-backup.service")
-      gitlab.wait_for_file("${nodes.gitlab.config.services.gitlab.statePath}/backup/dump_gitlab_backup.tar")
+      gitlab.wait_for_file("${nodes.gitlab.services.gitlab.statePath}/backup/dump_gitlab_backup.tar")
       gitlab.systemctl("stop postgresql.service gitlab.target")
       gitlab.succeed(
-          "find ${nodes.gitlab.config.services.gitlab.statePath} -mindepth 1 -maxdepth 1 -not -name backup -execdir rm -r {} +"
+          "find ${nodes.gitlab.services.gitlab.statePath} -mindepth 1 -maxdepth 1 -not -name backup -execdir rm -r {} +"
       )
       gitlab.succeed("systemd-tmpfiles --create")
-      gitlab.succeed("rm -rf ${nodes.gitlab.config.services.postgresql.dataDir}")
+      gitlab.succeed("rm -rf ${nodes.gitlab.services.postgresql.dataDir}")
       gitlab.systemctl("start gitlab-config.service gitaly.service gitlab-postgresql.service")
-      gitlab.wait_for_file("${nodes.gitlab.config.services.gitlab.statePath}/tmp/sockets/gitaly.socket")
+      gitlab.wait_for_file("${nodes.gitlab.services.gitlab.statePath}/tmp/sockets/gitaly.socket")
       gitlab.succeed(
           "sudo -u gitlab -H gitlab-rake gitlab:backup:restore RAILS_ENV=production BACKUP=dump force=yes"
       )
@@ -435,4 +438,4 @@ in {
     ''
     + waitForServices
     + test false;
-})
+}

nixos/tests/harmonia.nix

@@ -8,6 +8,7 @@
       services.harmonia = {
         enable = true;
         signKeyPath = pkgs.writeText "cache-key" "cache.example.com-1:9FhO0w+7HjZrhvmzT1VlAZw4OSAlFGTgC24Seg3tmPl4gZBdwZClzTTHr9cVzJpwsRSYLTu7hEAQe3ljy92CWg==";
+        settings.priority = 35;
       };
 
       networking.firewall.allowedTCPPorts = [ 5000 ];
@@ -26,7 +27,8 @@
     start_all()
 
     harmonia.wait_for_unit("harmonia.service")
-    client01.wait_until_succeeds("curl -f http://harmonia:5000/nix-cache-info")
+
+    client01.wait_until_succeeds("curl -f http://harmonia:5000/nix-cache-info | grep '${toString nodes.harmonia.services.harmonia.settings.priority}' >&2")
     client01.succeed("curl -f http://harmonia:5000/version | grep '${nodes.harmonia.services.harmonia.package.version}' >&2")
 
     client01.succeed("cat /etc/nix/nix.conf >&2")

pkgs/applications/audio/cyanrip/default.nix

@@ -12,13 +12,13 @@
 }:
 stdenv.mkDerivation rec {
   pname = "cyanrip";
-  version = "0.8.1";
+  version = "0.9.0";
 
   src = fetchFromGitHub {
     owner = "cyanreg";
     repo = pname;
     rev = "v${version}";
-    sha256 = "17bi2xhjv3f3i870whkyqckvjlg32wqkspash87zi0jw7m7jm229";
+    sha256 = "sha256-gH/rWTRYX10Q2Y9oSaMu0bOy3SMbcSNmH3dkXHFAw90";
   };
 
   nativeBuildInputs = [ meson ninja pkg-config ];

pkgs/applications/misc/megacmd/default.nix

@@ -23,13 +23,13 @@
 
 stdenv.mkDerivation rec {
   pname = "megacmd";
-  version = "1.6.1";
+  version = "1.6.3";
 
   src = fetchFromGitHub {
     owner = "meganz";
     repo = "MEGAcmd";
     rev = "${version}_Linux";
-    sha256 = "sha256-X8ysTVr4oZS3VHuCyq96J6TL9nvtAT/HVnMyz5iXSXo=";
+    sha256 = "sha256-JnxfFbM+NyeUrEMok62zlsQIxjrUvLLg4tUTiKPDZFc=";
     fetchSubmodules = true;
   };
 

pkgs/applications/misc/swaynotificationcenter/default.nix

@@ -83,6 +83,7 @@ stdenv.mkDerivation (finalAttrs: rec {
     changelog = "https://github.com/ErikReider/SwayNotificationCenter/releases/tag/v${version}";
     license = licenses.gpl3;
     platforms = platforms.linux;
+    mainProgram = "swaync";
     maintainers = with maintainers; [ berbiche pedrohlc ];
   };
 })

pkgs/applications/networking/cluster/cmctl/default.nix

@@ -2,16 +2,16 @@
 
 buildGoModule rec {
   pname = "cmctl";
-  version = "1.11.1";
+  version = "1.11.2";
 
   src = fetchFromGitHub {
     owner = "cert-manager";
     repo = "cert-manager";
-    rev = "e3a2a803e8ed7f8a88d5f535d6e9a061c1571194";
-    sha256 = "0484dh520plgmrv39lbih44z1dz0r3sf115kqvcpfmg13b0328d0";
+    rev = "4767427a40e0e193c976fd6bc228f50de8950572";
+    sha256 = "128s5vd4hp5mr0rnb21grzmijzx0ibpv71as36dcgw7z4v3gq7lx";
   };
 
-  vendorSha256 = "sha256-tKvvqYGwLEoSfGzBRLx8xC/0Kz1uLmHYQ+gcHOW+550=";
+  vendorSha256 = "sha256-+r0QpD97r6dokUr07Qjb9kvoK+oz2rvml0cIebtYuHg=";
 
   subPackages = [ "cmd/ctl" ];
 

pkgs/applications/networking/cluster/kubefirst/default.nix

@@ -0,0 +1,26 @@
+{ lib, buildGoModule, fetchFromGitHub }:
+
+buildGoModule rec {
+  pname = "kubefirst";
+  version = "2.0.8";
+
+  src = fetchFromGitHub {
+    owner = "kubefirst";
+    repo = pname;
+    rev = "v${version}";
+    hash = "sha256-JGseXRUehRuH1kuTfmkAJcfRN3vM0zN7K8pnOfJ0LAs=";
+  };
+
+  vendorHash = "sha256-Sc6HXJXkZ9vW6sxEKCTo6LDHeOGLTz0oN9JH11iUA/k=";
+
+  ldflags = [ "-s" "-w" "-X github.com/kubefirst/runtime/configs.K1Version=v${version}"];
+
+  doCheck = false;
+
+  meta = with lib; {
+    description = "The Kubefirst CLI creates instant GitOps platforms that integrate some of the best tools in cloud native from scratch.";
+    homepage = "https://github.com/kubefirst/kubefirst/";
+    license = licenses.mit;
+    maintainers = with maintainers; [ qjoly ];
+  };
+}

pkgs/applications/networking/cluster/tfautomv/default.nix

@@ -0,0 +1,27 @@
+{ lib
+, buildGoModule
+, fetchFromGitHub
+}:
+
+buildGoModule rec {
+  pname = "tfautomv";
+  version = "0.5.1";
+
+  src = fetchFromGitHub {
+    owner = "padok-team";
+    repo = pname;
+    rev = "v${version}";
+    hash = "sha256-shpoi/N/gfzisjj1tvZGSEuorqaoOJMhYOjx+Y8F/Ds=";
+  };
+
+  vendorHash = "sha256-BjmtUamecTSwT7gHM/6uz1r/P8O0TWzp9Dk43rdmxXU=";
+
+  ldflags = [ "-s" "-w" ];
+
+  meta = with lib; {
+    homepage = "https://github.com/padok-team/tfautomv";
+    description = "When refactoring a Terraform codebase, you often need to write moved blocks. This can be tedious. Let tfautomv do it for you";
+    license = licenses.asl20;
+    maintainers = with maintainers; [ qjoly ];
+  };
+}

pkgs/applications/virtualization/pods/Cargo.lock

@@ -120,9 +120,9 @@ dependencies = [
 
 [[package]]
 name = "bumpalo"
-version = "3.12.1"
+version = "3.12.2"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "9b1ce199063694f33ffb7dd4e0ee620741495c32833cde5aa08f02a0bf96f0c8"
+checksum = "3c6ed94e98ecff0c12dd1b04c15ec0d7d9458ca8fe806cea6f12954efe74c63b"
 
 [[package]]
 name = "byteorder"
@@ -1092,9 +1092,9 @@ checksum = "453ad9f582a441959e5f0d088b02ce04cfe8d51a8eaf077f12ac6d3e94164ca6"
 
 [[package]]
 name = "js-sys"
-version = "0.3.61"
+version = "0.3.62"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "445dde2150c55e483f3d8416706b97ec8e8237c307e5b7b4b8dd15e6af2a0730"
+checksum = "68c16e1bfd491478ab155fd8b4896b86f9ede344949b641e61501e07c2b8b4d5"
 dependencies = [
  "wasm-bindgen",
 ]
@@ -1142,9 +1142,9 @@ dependencies = [
 
 [[package]]
 name = "libc"
-version = "0.2.142"
+version = "0.2.144"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "6a987beff54b60ffa6d51982e1aa1146bc42f19bd26be28b0586f252fccf5317"
+checksum = "2b00cc1c228a6782d0f076e7b232802e0c5689d41bb5df366f2a6b6621cfdfe1"
 
 [[package]]
 name = "libpanel"
@@ -1188,9 +1188,9 @@ dependencies = [
 
 [[package]]
 name = "linux-raw-sys"
-version = "0.3.6"
+version = "0.3.7"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "b64f40e5e03e0d54f03845c8197d0291253cdbedfb1cb46b13c2c117554a9f4c"
+checksum = "ece97ea872ece730aed82664c424eb4c8291e1ff2480247ccf7409044bc6479f"
 
 [[package]]
 name = "locale_config"
@@ -1477,9 +1477,9 @@ checksum = "8b870d8c151b6f2fb93e84a13146138f05d02ed11c7e7c54f8826aaaf7c9f184"
 
 [[package]]
 name = "pkg-config"
-version = "0.3.26"
+version = "0.3.27"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "6ac9a59f73473f1b8d852421e59e64809f025994837ef743615c6d0c5b305160"
+checksum = "26072860ba924cbfa98ea39c8c19b4dd6a4a25423dbdf219c1eca91aa0cf6964"
 
 [[package]]
 name = "podman-api"
@@ -1518,7 +1518,7 @@ dependencies = [
 
 [[package]]
 name = "pods"
-version = "1.1.1"
+version = "1.1.2"
 dependencies = [
  "anyhow",
  "ashpd",
@@ -1594,9 +1594,9 @@ dependencies = [
 
 [[package]]
 name = "quote"
-version = "1.0.26"
+version = "1.0.27"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "4424af4bf778aae2051a77b60283332f386554255d722233d09fbfc7e30da2fc"
+checksum = "8f4f29d145265ec1c483c7c654450edde0bfe043d3938d6972630663356d9500"
 dependencies = [
  "proc-macro2",
 ]
@@ -1677,9 +1677,9 @@ dependencies = [
 
 [[package]]
 name = "rustix"
-version = "0.37.18"
+version = "0.37.19"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "8bbfc1d1c7c40c01715f47d71444744a81669ca84e8b63e25a55e169b1f86433"
+checksum = "acf8729d8542766f1b2cf77eb034d52f40d375bb8b615d0b147089946e16613d"
 dependencies = [
  "bitflags",
  "errno",
@@ -1709,18 +1709,18 @@ checksum = "bebd363326d05ec3e2f532ab7660680f3b02130d780c299bca73469d521bc0ed"
 
 [[package]]
 name = "serde"
-version = "1.0.160"
+version = "1.0.162"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "bb2f3770c8bce3bcda7e149193a069a0f4365bda1fa5cd88e03bca26afc1216c"
+checksum = "71b2f6e1ab5c2b98c05f0f35b236b22e8df7ead6ffbf51d7808da7f8817e7ab6"
 dependencies = [
  "serde_derive",
 ]
 
 [[package]]
 name = "serde_derive"
-version = "1.0.160"
+version = "1.0.162"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "291a097c63d8497e00160b166a967a4a79c64f3facdd01cbd7502231688d77df"
+checksum = "a2a0814352fd64b58489904a44ea8d90cb1a91dcb6b4f5ebabc32c8318e93cb6"
 dependencies = [
  "proc-macro2",
  "quote",
@@ -1868,14 +1868,14 @@ dependencies = [
  "hostname",
  "libc",
  "log",
- "time 0.3.20",
+ "time 0.3.21",
 ]
 
 [[package]]
 name = "system-deps"
-version = "6.0.5"
+version = "6.1.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "d0fe581ad25d11420b873cf9aedaca0419c2b411487b134d4d21065f3d092055"
+checksum = "e5fa6fb9ee296c0dc2df41a656ca7948546d061958115ddb0bcaae43ad0d17d2"
 dependencies = [
  "cfg-expr",
  "heck",
@@ -1962,9 +1962,9 @@ dependencies = [
 
 [[package]]
 name = "time"
-version = "0.3.20"
+version = "0.3.21"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "cd0cbfecb4d19b5ea75bb31ad904eb5b9fa13f21079c3b92017ebdf4999a5890"
+checksum = "8f3403384eaacbca9923fa06940178ac13e4edb725486d70e8e15881d0c836cc"
 dependencies = [
  "itoa",
  "libc",
@@ -1976,15 +1976,15 @@ dependencies = [
 
 [[package]]
 name = "time-core"
-version = "0.1.0"
+version = "0.1.1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "2e153e1f1acaef8acc537e68b44906d2db6436e2b35ac2c6b42640fff91f00fd"
+checksum = "7300fbefb4dadc1af235a9cef3737cea692a9d97e1b9cbcd4ebdae6f8868e6fb"
 
 [[package]]
 name = "time-macros"
-version = "0.2.8"
+version = "0.2.9"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "fd80a657e71da814b8e5d60d3374fc6d35045062245d80224748ae522dd76f36"
+checksum = "372950940a5f07bf38dbe211d7283c9e6d7327df53794992d293e534c733d09b"
 dependencies = [
  "time-core",
 ]
@@ -2006,9 +2006,9 @@ checksum = "1f3ccbac311fea05f86f61904b462b55fb3df8837a366dfc601a0161d0532f20"
 
 [[package]]
 name = "tokio"
-version = "1.28.0"
+version = "1.28.1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "c3c786bf8134e5a3a166db9b29ab8f48134739014a3eca7bc6bfa95d673b136f"
+checksum = "0aa32867d44e6f2ce3385e89dceb990188b8bb0fb25b0cf576647a6f98ac5105"
 dependencies = [
  "autocfg",
  "bytes 1.4.0",
@@ -2274,9 +2274,9 @@ checksum = "9c8d87e72b64a3b4db28d11ce29237c246188f4f51057d65a7eab63b7987e423"
 
 [[package]]
 name = "wasm-bindgen"
-version = "0.2.84"
+version = "0.2.85"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "31f8dcbc21f30d9b8f2ea926ecb58f6b91192c17e9d33594b3df58b2007ca53b"
+checksum = "5b6cb788c4e39112fbe1822277ef6fb3c55cd86b95cb3d3c4c1c9597e4ac74b4"
 dependencies = [
  "cfg-if",
  "wasm-bindgen-macro",
@@ -2284,24 +2284,24 @@ dependencies = [
 
 [[package]]
 name = "wasm-bindgen-backend"
-version = "0.2.84"
+version = "0.2.85"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "95ce90fd5bcc06af55a641a86428ee4229e44e07033963a2290a8e241607ccb9"
+checksum = "35e522ed4105a9d626d885b35d62501b30d9666283a5c8be12c14a8bdafe7822"
 dependencies = [
  "bumpalo",
  "log",
  "once_cell",
  "proc-macro2",
  "quote",
- "syn 1.0.109",
+ "syn 2.0.15",
  "wasm-bindgen-shared",
 ]
 
 [[package]]
 name = "wasm-bindgen-macro"
-version = "0.2.84"
+version = "0.2.85"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "4c21f77c0bedc37fd5dc21f897894a5ca01e7bb159884559461862ae90c0b4c5"
+checksum = "358a79a0cb89d21db8120cbfb91392335913e4890665b1a7981d9e956903b434"
 dependencies = [
  "quote",
  "wasm-bindgen-macro-support",
@@ -2309,22 +2309,22 @@ dependencies = [
 
 [[package]]
 name = "wasm-bindgen-macro-support"
-version = "0.2.84"
+version = "0.2.85"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "2aff81306fcac3c7515ad4e177f521b5c9a15f2b08f4e32d823066102f35a5f6"
+checksum = "4783ce29f09b9d93134d41297aded3a712b7b979e9c6f28c32cb88c973a94869"
 dependencies = [
  "proc-macro2",
  "quote",
- "syn 1.0.109",
+ "syn 2.0.15",
  "wasm-bindgen-backend",
  "wasm-bindgen-shared",
 ]
 
 [[package]]
 name = "wasm-bindgen-shared"
-version = "0.2.84"
+version = "0.2.85"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "0046fef7e28c3804e5e38bfa31ea2a0f73905319b677e57ebe37e49358989b5d"
+checksum = "a901d592cafaa4d711bc324edfaff879ac700b19c3dfd60058d2b445be2691eb"
 
 [[package]]
 name = "winapi"

pkgs/applications/virtualization/pods/default.nix

@@ -17,13 +17,13 @@
 
 stdenv.mkDerivation rec {
   pname = "pods";
-  version = "1.1.1";
+  version = "1.1.2";
 
   src = fetchFromGitHub {
     owner = "marhkb";
     repo = pname;
     rev = "v${version}";
-    sha256 = "sha256-GTRHysG1zPr6MorGoSKYq8TgAdTH/bU/AxVrP2Ghqec=";
+    sha256 = "sha256-5euSMmyumZbUFsZuP7fa3wCm4n0Hx+F8bPlv4Xw/Hvw=";
   };
 
   cargoDeps = rustPlatform.importCargoLock {

pkgs/development/python-modules/aws-secretsmanager-caching/default.nix

@@ -0,0 +1,63 @@
+{ lib
+, buildPythonPackage
+, pythonOlder
+, fetchPypi
+, setuptools-scm
+, botocore
+, pytestCheckHook
+}:
+
+buildPythonPackage rec {
+  pname = "aws_secretsmanager_caching";
+  version = "1.1.1.5";
+  format = "setuptools";
+
+  disabled = pythonOlder "3.7";
+
+  src = fetchPypi {
+    inherit pname version;
+    sha256 = "5cee2762bb89b72f3e5123feee8e45fbe44ffe163bfca08b28f27b2e2b7772e1";
+  };
+
+  nativeBuildInputs = [
+    setuptools-scm
+  ];
+
+  propagatedBuildInputs = [
+    botocore
+  ];
+
+  patches = [
+    # Remove coverage tests from the pytest invocation in setup.cfg.
+    ./remove-coverage-tests.patch
+  ];
+
+  postPatch = ''
+    substituteInPlace setup.py \
+      --replace "'pytest-runner'," ""
+  '';
+
+  nativeCheckInputs = [
+    pytestCheckHook
+  ];
+
+  disabledTestPaths = [
+    # Integration tests require networking.
+    "test/integ"
+  ];
+
+  pythonImportsCheck = [
+    "aws_secretsmanager_caching"
+  ];
+
+  meta = with lib; {
+    description = "Client-side AWS secrets manager caching library";
+    homepage = "https://github.com/aws/aws-secretsmanager-caching-python";
+    changelog = "https://github.com/aws/aws-secretsmanager-caching-python/releases/tag/v${version}";
+    longDescription = ''
+      The AWS Secrets Manager Python caching client enables in-process caching of secrets for Python applications.
+    '';
+    license = licenses.asl20;
+    maintainers = with maintainers; [ tomaskala ];
+  };
+}

pkgs/development/python-modules/aws-secretsmanager-caching/remove-coverage-tests.patch

@@ -0,0 +1,14 @@
+diff --git a/setup.cfg b/setup.cfg
+index 5aa81b2..0c02ded 100644
+--- a/setup.cfg
++++ b/setup.cfg
+@@ -3,9 +3,6 @@ xfail_strict = true
+ addopts = 
+ 	--verbose
+ 	--doctest-modules
+-	--cov aws_secretsmanager_caching
+-	--cov-fail-under 90
+-	--cov-report term-missing
+ 	--ignore doc/
+ 
+ [aliases]

pkgs/development/python-modules/azure-mgmt-datafactory/default.nix

@@ -10,7 +10,7 @@
 
 buildPythonPackage rec {
   pname = "azure-mgmt-datafactory";
-  version = "3.0.0";
+  version = "3.1.0";
   format = "setuptools";
 
   disabled = pythonOlder "3.7";
@@ -18,7 +18,7 @@ buildPythonPackage rec {
   src = fetchPypi {
     inherit pname version;
     extension = "zip";
-    hash = "sha256-aVfH65fJnsTSr0MR0Fr5yamxIOv2+aST953uCr7QXOk=";
+    hash = "sha256-lsOUxDoXocf1fUIcY4q74/vd86LO7yumJg7rJ6i3zcg=";
   };
 
   propagatedBuildInputs = [

pkgs/development/python-modules/riscv-isac/default.nix

@@ -1,44 +1,62 @@
-{ buildPythonPackage
+{ lib
+, buildPythonPackage
 , fetchFromGitHub
-, lib
 , click
 , colorlog
 , gitpython
+, pluggy
 , pyelftools
 , pytablewriter
-, pytest
+, pytestCheckHook
 , pyyaml
 , ruamel-yaml
+, pythonOlder
 }:
 
 buildPythonPackage rec {
   pname = "riscv-isac";
-  version = "0.16.1";
+  version = "0.17.0";
+  format = "setuptools";
+
+  disabled = pythonOlder "3.7";
 
   src = fetchFromGitHub {
     owner = "riscv-software-src";
     repo = pname;
-    rev = version;
-    hash = "sha256-Krjr9bvpoOeNfMbYj/QbJ+Y+AVLjwrzj8KKMUXCfnMA=";
+    rev = "refs/tags/${version}";
+    hash = "sha256-I0RsvSCrSlNGVj8z+WUQx6vbdNkKCRyMFvNx+0mTBAE=";
   };
 
-  postPatch = "substituteInPlace riscv_isac/requirements.txt --replace 'pyelftools==0.26' pyelftools";
+  postPatch = ''
+    substituteInPlace riscv_isac/requirements.txt \
+      --replace "pyelftools==0.26" "pyelftools" \
+      --replace "pytest" ""
+  '';
 
   propagatedBuildInputs = [
     click
     colorlog
     gitpython
+    pluggy
     pyelftools
     pytablewriter
-    pytest
     pyyaml
     ruamel-yaml
   ];
 
+  nativeCheckInputs = [
+    pytestCheckHook
+  ];
+
+  pythonImportsCheck = [
+    "riscv_isac"
+  ];
+
   meta = with lib; {
-    homepage = "https://github.com/riscv/riscv-isac";
     description = "An ISA coverage extraction tool";
-    maintainers = with maintainers; [ genericnerdyusername ];
+    homepage = "https://github.com/riscv/riscv-isac";
+    changelog = "https://github.com/riscv-software-src/riscv-isac/blob/${version}/CHANGELOG.md";
     license = licenses.bsd3;
+    maintainers = with maintainers; [ genericnerdyusername ];
   };
 }

pkgs/development/python-modules/xhtml2pdf/default.nix

@@ -15,18 +15,16 @@
 
 buildPythonPackage rec {
   pname = "xhtml2pdf";
-  version = "0.2.9";
+  version = "0.2.11";
   format = "setuptools";
 
   disabled = pythonOlder "3.7";
 
-  # Tests are only available on GitHub
   src = fetchFromGitHub {
     owner = pname;
     repo = pname;
-    # Currently it is not possible to fetch from version as there is a branch with the same name
-    rev = "refs/tags/${version}";
-    hash = "sha256-MrzAsa0AZX3+0LN/Can3QBoPBRxb0a/F2jLBd8rD5H4=";
+    rev = "refs/tags/v${version}";
+    hash = "sha256-L/HCw+O8bidtE5nDdO+cLS54m64dlJL+9Gjcye5gM+w=";
   };
 
   propagatedBuildInputs = [
@@ -51,6 +49,7 @@ buildPythonPackage rec {
   meta = with lib; {
     description = "A PDF generator using HTML and CSS";
     homepage = "https://github.com/xhtml2pdf/xhtml2pdf";
+    changelog = "https://github.com/xhtml2pdf/xhtml2pdf/releases/tag/v${version}";
     license = licenses.asl20;
     maintainers = with maintainers; [ ];
   };

pkgs/development/tools/rust/cargo-audit/default.nix

@@ -9,14 +9,14 @@
 
 rustPlatform.buildRustPackage rec {
   pname = "cargo-audit";
-  version = "0.17.5";
+  version = "0.17.6";
 
   src = fetchCrate {
     inherit pname version;
-    sha256 = "sha256-qsHy4MKQHBzChcOJ9TrlUbEnEtVxlzxDgZlahhDsoxM=";
+    sha256 = "sha256-ICNcBqlkX1k3J5vc/bfoXw/+l2LdHOchv4PfY0G7Y94=";
   };
 
-  cargoSha256 = "sha256-7uBRybAkexBl3SldV4qudwPZ8JcKCUaAlwbAcT9JXy8=";
+  cargoSha256 = "sha256-ViqaiSLVfDJhMuHjHGi+NVRLPcRhe2a+oKXl4UNM+K8=";
 
   nativeBuildInputs = [
     pkg-config

pkgs/os-specific/darwin/apple-sdk-11.0/default.nix

@@ -70,7 +70,7 @@ let
     stdenv = mkStdenv stdenv;
   } // builtins.listToAttrs (map
     (v: { name = "clang${v}Stdenv"; value = mkStdenv pkgs."llvmPackages_${v}".stdenv; })
-    [ "12" "13" "14" "15" ]
+    [ "12" "13" "14" "15" "16" ]
   );
 
   callPackage = newScope (packages // pkgs.darwin // { inherit MacOSX-SDK; });

pkgs/os-specific/linux/minimal-bootstrap/default.nix

@@ -10,15 +10,21 @@ lib.makeScope
   # declared here.
   (extra: lib.callPackageWith ({ inherit lib config buildPlatform hostPlatform; } // extra))
   (self: with self; {
-    inherit (callPackage ./utils.nix { }) fetchurl derivationWithMeta writeTextFile writeText runCommand;
 
-    inherit (callPackage ./stage0-posix { }) kaem m2libc mescc-tools mescc-tools-extra;
+    gnupatch = callPackage ./gnupatch { tinycc = tinycc-mes; };
+
+    gnumake = callPackage ./gnumake { tinycc = tinycc-mes; };
+
+    ln-boot = callPackage ./ln-boot { };
 
     mes = callPackage ./mes { };
     mes-libc = callPackage ./mes/libc.nix { };
 
-    ln-boot = callPackage ./ln-boot { };
+    inherit (callPackage ./stage0-posix { }) kaem m2libc mescc-tools mescc-tools-extra;
 
     tinycc-bootstrappable = callPackage ./tinycc/bootstrappable.nix { };
     tinycc-mes = callPackage ./tinycc/mes.nix { };
+
+    inherit (callPackage ./utils.nix { }) fetchurl derivationWithMeta writeTextFile writeText runCommand;
+
   })

pkgs/os-specific/linux/minimal-bootstrap/gnumake/0001-No-impure-bin-sh.patch

@@ -0,0 +1,35 @@
+From e00a5257a6ca5fedbf68b09eee7df3502971a057 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?J=C3=B6rg=20Thalheim?= <joerg@thalheim.io>
+Date: Sat, 24 Apr 2021 10:11:40 +0200
+Subject: [PATCH 1/2] No impure bin sh
+
+default_shell is used to populuate default shell used to execute jobs.
+Unless SHELL is set to a different value this would be /bin/sh.
+Our stdenv provides sh in form of bash anyway. Having this value not
+hard-coded has some advantages:
+
+- It would ensure that on all systems it uses sh from its PATH rather
+  than /bin/sh, which helps as different systems might have different
+  shells there (bash vs. dash)
+- In the past I had issues with LD_PRELOAD with BEAR, where /bin/sh
+  used a different glibc than BEAR which came from my development shell.
+---
+ src/job.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/job.c b/src/job.c
+index ae1f18b..6b4ddb3 100644
+--- a/src/job.c
++++ b/src/job.c
+@@ -77,7 +77,7 @@ char * vms_strsignal (int status);
+ 
+ #else
+ 
+-const char *default_shell = "/bin/sh";
++const char *default_shell = "sh";
+ int batch_mode_shell = 0;
+ 
+ #endif
+-- 
+2.31.1
+

pkgs/os-specific/linux/minimal-bootstrap/gnumake/0002-remove-impure-dirs.patch

@@ -0,0 +1,40 @@
+From 795d63d3c8b5c0dbb7e544954f75507b371b7228 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?J=C3=B6rg=20Thalheim?= <joerg@thalheim.io>
+Date: Sat, 24 Apr 2021 10:20:16 +0200
+Subject: [PATCH 2/2] remove impure dirs
+
+---
+ src/read.c   | 3 ---
+ src/remake.c | 2 --
+ 2 files changed, 5 deletions(-)
+
+diff --git a/src/read.c b/src/read.c
+index fa197fb..defacfb 100644
+--- a/src/read.c
++++ b/src/read.c
+@@ -109,9 +109,6 @@ static const char *default_include_directories[] =
+ #endif
+     INCLUDEDIR,
+ #ifndef _AMIGA
+-    "/usr/gnu/include",
+-    "/usr/local/include",
+-    "/usr/include",
+ #endif
+     0
+   };
+diff --git a/src/remake.c b/src/remake.c
+index fb237c5..94bff7d 100644
+--- a/src/remake.c
++++ b/src/remake.c
+@@ -1601,8 +1601,6 @@ library_search (const char *lib, FILE_TIMESTAMP *mtime_ptr)
+   static const char *dirs[] =
+     {
+ #ifndef _AMIGA
+-      "/lib",
+-      "/usr/lib",
+ #endif
+ #if defined(WINDOWS32) && !defined(LIBDIR)
+ /*
+-- 
+2.31.1
+

pkgs/os-specific/linux/minimal-bootstrap/gnumake/0003-tinycc-support.patch

@@ -0,0 +1,58 @@
+diff --git a/src/dir.c b/src/dir.c
+index 3e94b98..cfaa6a2 100644
+--- a/src/dir.c
++++ b/src/dir.c
+@@ -1331,10 +1331,9 @@ local_stat (const char *path, struct stat *buf)
+ 
+ /* Similarly for lstat.  */
+ #if !defined(lstat) && !defined(WINDOWS32) || defined(VMS)
+-# ifndef VMS
+-#  ifndef HAVE_SYS_STAT_H
++// mes-libc implements but does not declare lstat
++# if (!defined(VMS) && !defined(HAVE_SYS_STAT_H)) || defined(__TINYC__)
+ int lstat (const char *path, struct stat *sbuf);
+-#  endif
+ # else
+     /* We are done with the fake lstat.  Go back to the real lstat */
+ #   ifdef lstat
+diff --git a/src/job.c b/src/job.c
+index ea88561..8388a82 100644
+--- a/src/job.c
++++ b/src/job.c
+@@ -2052,7 +2052,8 @@ job_next_command (struct child *child)
+ static int
+ load_too_high (void)
+ {
+-#if defined(__MSDOS__) || defined(VMS) || defined(_AMIGA) || defined(__riscos__)
++// mes-libc does not support getloadavg
++#if defined(__MSDOS__) || defined(VMS) || defined(_AMIGA) || defined(__riscos__) || defined (__TINYC__)
+   return 1;
+ #else
+   static double last_sec;
+diff --git a/src/main.c b/src/main.c
+index a9d3a64..664d40f 100644
+--- a/src/main.c
++++ b/src/main.c
+@@ -2770,7 +2770,7 @@ main (int argc, char **argv, char **envp)
+               char *b = alloca (40);
+               sprintf (b, "MAKE_RESTARTS=%s%u",
+                        OUTPUT_IS_TRACED () ? "-" : "", restarts);
+-              putenv (b);
++              // mes-libc does not support putenv
+             }
+ 
+           fflush (stdout);
+diff --git a/src/misc.c b/src/misc.c
+index eb14f40..bffca82 100644
+--- a/src/misc.c
++++ b/src/misc.c
+@@ -653,7 +653,8 @@ get_tmppath ()
+ 
+ # ifdef HAVE_MKTEMP
+   path = get_tmptemplate ();
+-  if (*mktemp (path) == '\0')
++  // tinycc: "src/misc.c:656: error: pointer expected"
++  if (!strcmp(mktemp (path), ""))
+     {
+       OSS (error, NILF,
+            _("cannot generate temp path from %s: %s"), path, strerror (errno));

pkgs/os-specific/linux/minimal-bootstrap/gnumake/default.nix

@@ -0,0 +1,190 @@
+{ lib
+, runCommand
+, fetchurl
+, tinycc
+, gnupatch
+}:
+let
+  pname = "gnumake";
+  version = "4.4.1";
+
+  src = fetchurl {
+    url = "mirror://gnu/make/make-${version}.tar.gz";
+    sha256 = "1cwgcmwdn7gqn5da2ia91gkyiqs9birr10sy5ykpkaxzcwfzn5nx";
+  };
+
+  patches = [
+    # Replaces /bin/sh with sh, see patch file for reasoning
+    ./0001-No-impure-bin-sh.patch
+    # Purity: don't look for library dependencies (of the form `-lfoo') in /lib
+    # and /usr/lib. It's a stupid feature anyway. Likewise, when searching for
+    # included Makefiles, don't look in /usr/include and friends.
+    ./0002-remove-impure-dirs.patch
+    # Fixes for tinycc. See comments in patch file for reasoning
+    ./0003-tinycc-support.patch
+  ];
+
+  CFLAGS = [
+    "-I./src"
+    "-I./lib"
+    "-DHAVE_CONFIG_H"
+    "-DMAKE_MAINTAINER_MODE"
+    "-DLIBDIR=\\\"${placeholder "out"}/lib\\\""
+    "-DLOCALEDIR=\\\"/fake-locale\\\""
+    "-DPOSIX=1"
+    # mes-libc doesn't implement osync_* methods
+    "-DNO_OUTPUT_SYNC=1"
+    # mes-libc doesn't define O_TMPFILE
+    "-DO_TMPFILE=020000000"
+  ] ++ config;
+
+  /*
+    Maintenance notes:
+
+    Generated by
+        ./configure \
+          --build i686-pc-linux-gnu \
+          --host i686-pc-linux-gnu \
+          CC="${tinycc-mes}/bin/tcc -static" \
+          ac_cv_func_dup=no
+    - `ac_cv_func_dup` disabled as mes-libc doesn't implement tmpfile()
+
+    The output src/config.h was then manually filtered, removing definitions that
+    didn't have uses in the source code
+  */
+  config = [
+    "-DFILE_TIMESTAMP_HI_RES=0"
+    "-DHAVE_ALLOCA"
+    "-DHAVE_ALLOCA_H"
+    "-DHAVE_ATEXIT"
+    "-DHAVE_DECL_BSD_SIGNAL=0"
+    "-DHAVE_DECL_GETLOADAVG=0"
+    "-DHAVE_DECL_SYS_SIGLIST=0"
+    "-DHAVE_DECL__SYS_SIGLIST=0"
+    "-DHAVE_DECL___SYS_SIGLIST=0"
+    "-DHAVE_DIRENT_H"
+    "-DHAVE_DUP2"
+    "-DHAVE_FCNTL_H"
+    "-DHAVE_FDOPEN"
+    "-DHAVE_GETCWD"
+    "-DHAVE_GETTIMEOFDAY"
+    "-DHAVE_INTTYPES_H"
+    "-DHAVE_ISATTY"
+    "-DHAVE_LIMITS_H"
+    "-DHAVE_LOCALE_H"
+    "-DHAVE_MEMORY_H"
+    "-DHAVE_MKTEMP"
+    "-DHAVE_SA_RESTART"
+    "-DHAVE_SETVBUF"
+    "-DHAVE_SIGACTION"
+    "-DHAVE_SIGSETMASK"
+    "-DHAVE_STDINT_H"
+    "-DHAVE_STDLIB_H"
+    "-DHAVE_STRDUP"
+    "-DHAVE_STRERROR"
+    "-DHAVE_STRINGS_H"
+    "-DHAVE_STRING_H"
+    "-DHAVE_STRTOLL"
+    "-DHAVE_SYS_FILE_H"
+    "-DHAVE_SYS_PARAM_H"
+    "-DHAVE_SYS_RESOURCE_H"
+    "-DHAVE_SYS_SELECT_H"
+    "-DHAVE_SYS_STAT_H"
+    "-DHAVE_SYS_TIMEB_H"
+    "-DHAVE_SYS_TIME_H"
+    "-DHAVE_SYS_WAIT_H"
+    "-DHAVE_TTYNAME"
+    "-DHAVE_UMASK"
+    "-DHAVE_UNISTD_H"
+    "-DHAVE_WAITPID"
+    "-DMAKE_JOBSERVER"
+    "-DMAKE_SYMLINKS"
+    "-DPATH_SEPARATOR_CHAR=':'"
+    "-DSCCS_GET=\\\"get\\\""
+    "-DSTDC_HEADERS"
+    "-Dsig_atomic_t=int"
+    "-Dvfork=fork"
+  ];
+
+  # Maintenance note: list of source files derived from Basic.mk
+  make_SOURCES = [
+    "src/ar.c"
+    "src/arscan.c"
+    "src/commands.c"
+    "src/default.c"
+    "src/dir.c"
+    "src/expand.c"
+    "src/file.c"
+    "src/function.c"
+    "src/getopt.c"
+    "src/getopt1.c"
+    "src/guile.c"
+    "src/hash.c"
+    "src/implicit.c"
+    "src/job.c"
+    "src/load.c"
+    "src/loadapi.c"
+    "src/main.c"
+    "src/misc.c"
+    "src/output.c"
+    "src/read.c"
+    "src/remake.c"
+    "src/rule.c"
+    "src/shuffle.c"
+    "src/signame.c"
+    "src/strcache.c"
+    "src/variable.c"
+    "src/version.c"
+    "src/vpath.c"
+  ];
+  glob_SOURCES = [ "lib/fnmatch.c" "lib/glob.c" ];
+  remote_SOURCES = [ "src/remote-stub.c" ];
+  sources = make_SOURCES ++ glob_SOURCES ++ remote_SOURCES ++ [
+    "src/posixos.c"
+  ];
+
+  objects = map (x: lib.replaceStrings [".c"] [".o"] (builtins.baseNameOf x)) sources;
+in
+runCommand "${pname}-${version}" {
+  inherit pname version;
+
+  nativeBuildInputs = [ tinycc gnupatch ];
+
+  meta = with lib; {
+    description = "A tool to control the generation of non-source files from sources";
+    homepage = "https://www.gnu.org/software/make";
+    license = licenses.gpl3Plus;
+    maintainers = with maintainers; [ emilytrau ];
+    mainProgram = "make";
+    platforms = platforms.unix;
+  };
+} ''
+  # Unpack
+  ungz --file ${src} --output make.tar
+  untar --file make.tar
+  rm make.tar
+  cd make-${version}
+
+  # Patch
+  ${lib.concatMapStringsSep "\n" (f: "patch -Np1 -i ${f}") patches}
+
+  # Configure
+  catm src/config.h src/mkconfig.h src/mkcustom.h
+  cp lib/glob.in.h lib/glob.h
+  cp lib/fnmatch.in.h lib/fnmatch.h
+
+  # Compile
+  alias CC="tcc ${lib.concatStringsSep " " CFLAGS}"
+  ${lib.concatMapStringsSep "\n" (f: "CC -c ${f}") sources}
+
+  # Link
+  CC -static -o make ${lib.concatStringsSep " " objects}
+
+  # Check
+  ./make --version
+
+  # Install
+  mkdir -p ''${out}/bin
+  cp ./make ''${out}/bin
+  chmod 555 ''${out}/bin/make
+''

pkgs/os-specific/linux/minimal-bootstrap/gnupatch/default.nix

@@ -0,0 +1,107 @@
+{ lib
+, runCommand
+, fetchurl
+, tinycc
+}:
+let
+  pname = "gnupatch";
+  # 2.6.x and later use features not implemented in mes-libc (eg. quotearg.h)
+  version = "2.5.9";
+
+  src = fetchurl {
+    url = "mirror://gnu/patch/patch-${version}.tar.gz";
+    sha256 = "12nv7jx3gxfp50y11nxzlnmqqrpicjggw6pcsq0wyavkkm3cddgc";
+  };
+
+  # Thanks to the live-bootstrap project!
+  # https://github.com/fosslinux/live-bootstrap/blob/1bc4296091c51f53a5598050c8956d16e945b0f5/sysa/patch-2.5.9/mk/main.mk
+  CFLAGS = [
+    "-I."
+    "-DHAVE_DECL_GETENV"
+    "-DHAVE_DECL_MALLOC"
+    "-DHAVE_DIRENT_H"
+    "-DHAVE_LIMITS_H"
+    "-DHAVE_GETEUID"
+    "-DHAVE_MKTEMP"
+    "-DPACKAGE_BUGREPORT="
+    "-Ded_PROGRAM=\\\"/nullop\\\""
+    "-Dmbstate_t=int" # When HAVE_MBRTOWC is not enabled uses of mbstate_t are always a no-op
+    "-DRETSIGTYPE=int"
+    "-DHAVE_MKDIR"
+    "-DHAVE_RMDIR"
+    "-DHAVE_FCNTL_H"
+    "-DPACKAGE_NAME=\\\"patch\\\""
+    "-DPACKAGE_VERSION=\\\"${version}\\\""
+    "-DHAVE_MALLOC"
+    "-DHAVE_REALLOC"
+    "-DSTDC_HEADERS"
+    "-DHAVE_STRING_H"
+    "-DHAVE_STDLIB_H"
+  ];
+
+  # Maintenance note: List of sources from Makefile.in
+  SRCS = [
+    "addext.c"
+    "argmatch.c"
+    "backupfile.c"
+    "basename.c"
+    "dirname.c"
+    "getopt.c"
+    "getopt1.c"
+    "inp.c"
+    "maketime.c"
+    "partime.c"
+    "patch.c"
+    "pch.c"
+    "quote.c"
+    "quotearg.c"
+    "quotesys.c"
+    "util.c"
+    "version.c"
+    "xmalloc.c"
+  ];
+  sources = SRCS ++ [
+    # mes-libc doesn't implement `error()`
+    "error.c"
+  ];
+
+  objects = map (x: lib.replaceStrings [".c"] [".o"] (builtins.baseNameOf x)) sources;
+in
+runCommand "${pname}-${version}" {
+  inherit pname version;
+
+  nativeBuildInputs = [ tinycc ];
+
+  meta = with lib; {
+    description = "GNU Patch, a program to apply differences to files";
+    homepage = "https://www.gnu.org/software/patch";
+    license = licenses.gpl3Plus;
+    maintainers = with maintainers; [ emilytrau ];
+    mainProgram = "patch";
+    platforms = platforms.unix;
+  };
+} ''
+  # Unpack
+  ungz --file ${src} --output patch.tar
+  untar --file patch.tar
+  rm patch.tar
+  cd patch-${version}
+
+  # Configure
+  catm config.h
+
+  # Build
+  alias CC="tcc ${lib.concatStringsSep " " CFLAGS}"
+  ${lib.concatMapStringsSep "\n" (f: "CC -c ${f}") sources}
+
+  # Link
+  CC -static -o patch ${lib.concatStringsSep " " objects}
+
+  # Check
+  ./patch --version
+
+  # Install
+  mkdir -p ''${out}/bin
+  cp ./patch ''${out}/bin
+  chmod 555 ''${out}/bin/patch
+''

pkgs/servers/http/couchdb/3.nix

@@ -1,31 +1,55 @@
-{ lib, stdenv, fetchurl, erlang, icu, openssl, spidermonkey_91
-, coreutils, bash, python3, nixosTests }:
+{ lib
+, stdenv
+, fetchurl
+, erlang
+, icu
+, openssl
+, spidermonkey_91
+, python3
+, nixosTests
+}:
 
 stdenv.mkDerivation rec {
   pname = "couchdb";
-  version = "3.3.1";
+  version = "3.3.2";
 
   src = fetchurl {
     url = "mirror://apache/couchdb/source/${version}/apache-${pname}-${version}.tar.gz";
-    sha256 = "sha256-m4nXtU9+9StCvVGmoKLTsbBszjld8smdjx9H+TVeK+4=";
+    hash = "sha256-PWgj1C0Qzw1PhsnE/lnJkyyJ1oV4/LbEtCeNx2kwjao=";
   };
 
+  postPatch = ''
+    substituteInPlace src/couch/rebar.config.script --replace '/usr/include/mozjs-91' "${spidermonkey_91.dev}/include/mozjs-91"
+    substituteInPlace configure --replace '/usr/include/''${SM_HEADERS}' "${spidermonkey_91.dev}/include/mozjs-91"
+    patchShebangs bin/rebar
+  '';
+
   nativeBuildInputs = [
     erlang
   ];
-  buildInputs = [ icu openssl spidermonkey_91 (python3.withPackages(ps: with ps; [ requests ]))];
-  postPatch = ''
-    substituteInPlace src/couch/rebar.config.script --replace '/usr/include/mozjs-91' "${spidermonkey_91.dev}/include/mozjs-91"
-    patchShebangs bin/rebar
-  '';
+
+  buildInputs = [
+    icu
+    openssl
+    spidermonkey_91
+    (python3.withPackages(ps: with ps; [ requests ]))
+  ];
 
   dontAddPrefix= "True";
-  configureFlags = ["--spidermonkey-version=91"];
-  buildFlags = ["release"];
+
+  configureFlags = [
+    "--spidermonkey-version=91"
+  ];
+
+  buildFlags = [
+    "release"
+  ];
 
   installPhase = ''
+    runHook preInstall
     mkdir -p $out
     cp -r rel/couchdb/* $out
+    runHook postInstall
   '';
 
   passthru.tests = {

pkgs/servers/ldap/lldap/default.nix

@@ -1,68 +1,115 @@
-{ fetchFromGitHub
+{ binaryen
+, fetchFromGitHub
+, fetchpatch
 , fetchzip
 , lib
 , lldap
 , nixosTests
 , rustPlatform
+, stdenv
+, wasm-bindgen-cli
+, wasm-pack
+, which
 }:
 
 let
-  # We cannot build the wasm frontend from source, as the
-  # wasm32-unknown-unknown rustc target isn't available in nixpkgs yet.
-  # Tracking issue: https://github.com/NixOS/nixpkgs/issues/89426
-  frontend = fetchzip {
-    url = "https://github.com/lldap/lldap/releases/download/v${lldap.version}/amd64-lldap.tar.gz";
-    hash = "sha256-/Ml4L5Gxpnmt1pLSiLNuxtzQYjTCatsVe/hE+Btl8BI=";
-    name = "lldap-frontend-${lldap.version}";
-    postFetch = ''
-      mv $out $TMPDIR/extracted
-      mv $TMPDIR/extracted/app $out
+
+  # version of wasm-opt, with https://github.com/rustwasm/wasm-pack/pull/1257 backported
+  wasm-pack-git = wasm-pack.overrideAttrs (oldAttrs: {
+    version = oldAttrs.version + "-git";
+    patches = [(fetchpatch {
+      url = "https://patch-diff.githubusercontent.com/raw/rustwasm/wasm-pack/pull/1257.patch";
+      sha256 = "sha256-npi9ewh0NaD67crTcje9AYxaLLOJOMzqjqEJXZF2LbQ=";
+    })];
+  });
+
+  # replace with upstream wasm rustc, after resolution of
+  # https://github.com/NixOS/nixpkgs/issues/89426
+  rustc-wasm = (rustPlatform.rust.rustc.override {
+    stdenv = stdenv.override {
+      targetPlatform = stdenv.targetPlatform // {
+        parsed = {
+          cpu.name = "wasm32";
+          vendor.name = "unknown";
+          kernel.name = "unknown";
+          abi.name = "unknown";
+        };
+      };
+    };
+  }).overrideAttrs (attrs: {
+    configureFlags = attrs.configureFlags ++ ["--set=build.docs=false"];
+  });
+
+  commonDerivationAttrs = rec {
+    pname = "lldap";
+    version = "0.4.3";
+
+    src = fetchFromGitHub {
+      owner = "lldap";
+      repo = "lldap";
+      rev = "v${version}";
+      hash = "sha256-FAUTykFh2eGVpx6LrCjV9xWbBPH8pCgAJv3vOXFMFZ4=";
+    };
+
+    postPatch = ''
+      ln -s --force ${./Cargo.lock} Cargo.lock
     '';
-  };
-in
-rustPlatform.buildRustPackage rec {
-  pname = "lldap";
-  version = "0.4.3";
 
-  src = fetchFromGitHub {
-    owner = "lldap";
-    repo = "lldap";
-    rev = "v${version}";
-    hash = "sha256-FAUTykFh2eGVpx6LrCjV9xWbBPH8pCgAJv3vOXFMFZ4=";
-  };
-
-  # `Cargo.lock` has git dependencies, meaning can't use `cargoHash`
-  cargoLock = {
-    # 0.4.3 has been tagged before the actual Cargo.lock bump, resulting in an inconsitent lock file.
-    # To work around this, the Cargo.lock below is from the commit right after the tag:
-    # https://github.com/lldap/lldap/commit/7b4188a376baabda48d88fdca3a10756da48adda
-    lockFile = ./Cargo.lock;
-    outputHashes = {
-      "lber-0.4.1" = "sha256-2rGTpg8puIAXggX9rEbXPdirfetNOHWfFc80xqzPMT4=";
-      "opaque-ke-0.6.1" = "sha256-99gaDv7eIcYChmvOKQ4yXuaGVzo2Q6BcgSQOzsLF+fM=";
-      "yew_form-0.1.8" = "sha256-1n9C7NiFfTjbmc9B5bDEnz7ZpYJo9ZT8/dioRXJ65hc=";
+    # `Cargo.lock` has git dependencies, meaning can't use `cargoHash`
+    cargoLock = {
+      # 0.4.3 has been tagged before the actual Cargo.lock bump, resulting in an inconsitent lock file.
+      # To work around this, the Cargo.lock below is from the commit right after the tag:
+      # https://github.com/lldap/lldap/commit/7b4188a376baabda48d88fdca3a10756da48adda
+      lockFile = ./Cargo.lock;
+      outputHashes = {
+        "lber-0.4.1" = "sha256-2rGTpg8puIAXggX9rEbXPdirfetNOHWfFc80xqzPMT4=";
+        "opaque-ke-0.6.1" = "sha256-99gaDv7eIcYChmvOKQ4yXuaGVzo2Q6BcgSQOzsLF+fM=";
+        "yew_form-0.1.8" = "sha256-1n9C7NiFfTjbmc9B5bDEnz7ZpYJo9ZT8/dioRXJ65hc=";
+      };
     };
   };
 
+  frontend = rustPlatform.buildRustPackage (commonDerivationAttrs // {
+    pname = commonDerivationAttrs.pname + "-frontend";
+
+    nativeBuildInputs = [
+      wasm-pack-git wasm-bindgen-cli binaryen which rustc-wasm rustc-wasm.llvmPackages.lld
+    ];
+
+    buildPhase = ''
+      HOME=`pwd` RUSTFLAGS="-C linker=lld" ./app/build.sh
+    '';
+
+    installPhase = ''
+      mkdir -p $out
+      cp -R app/{index.html,pkg,static} $out/
+    '';
+
+    doCheck = false;
+  });
+
+in rustPlatform.buildRustPackage (commonDerivationAttrs // {
   patches = [
     ./static-frontend-path.patch
   ];
 
-  postPatch = ''
-    ln -s --force ${./Cargo.lock} Cargo.lock
+  postPatch = commonDerivationAttrs.postPatch + ''
     substituteInPlace server/src/infra/tcp_server.rs --subst-var-by frontend '${frontend}'
   '';
 
-  passthru.tests = {
-    inherit (nixosTests) lldap;
+  passthru = {
+    inherit frontend;
+    tests = {
+      inherit (nixosTests) lldap;
+    };
   };
 
   meta = with lib; {
     description = "A lightweight authentication server that provides an opinionated, simplified LDAP interface for authentication";
     homepage = "https://github.com/lldap/lldap";
-    changelog = "https://github.com/lldap/lldap/blob/v${version}/CHANGELOG.md";
+    changelog = "https://github.com/lldap/lldap/blob/v${lldap.version}/CHANGELOG.md";
     license = licenses.gpl3Only;
     platforms = platforms.linux;
-    maintainers = with maintainers; [ indeednotjames ];
+    maintainers = with maintainers; [ indeednotjames bendlas ];
   };
-}
+})

pkgs/servers/tailscale/default.nix

@@ -2,13 +2,13 @@
 
 buildGoModule rec {
   pname = "tailscale";
-  version = "1.40.0";
+  version = "1.40.1";
 
   src = fetchFromGitHub {
     owner = "tailscale";
     repo = "tailscale";
     rev = "v${version}";
-    hash = "sha256-iPf3ams613VHPesbxoBaaw9eav5p781+wEmbJ+15yfY=";
+    hash = "sha256-OCKWr62peDrh6zQVAS2iPPzgB1uZb1Fev23szvNNPkE=";
   };
   vendorHash = "sha256-lirn07XE3JOS6oiwZBMwxzywkbXHowOJUMWWLrZtccY=";
 

pkgs/top-level/aliases.nix

@@ -236,6 +236,7 @@ mapAliases ({
   clang13Stdenv = lowPrio llvmPackages_13.stdenv;
   clang14Stdenv = lowPrio llvmPackages_14.stdenv;
   clang15Stdenv = lowPrio llvmPackages_15.stdenv;
+  clang16Stdenv = lowPrio llvmPackages_16.stdenv;
 
   clangAnalyzer = throw "'clangAnalyzer' has been renamed to/replaced by 'clang-analyzer'"; # Converted to throw 2022-02-22
   clasp = clingo; # added 2022-12-22

pkgs/top-level/all-packages.nix

@@ -31688,6 +31688,8 @@ with pkgs;
 
   kubecfg = callPackage ../applications/networking/cluster/kubecfg { };
 
+  kubefirst = callPackage ../applications/networking/cluster/kubefirst { };
+
   kube-score = callPackage ../applications/networking/cluster/kube-score { };
 
   kubectl-evict-pod = callPackage ../applications/networking/cluster/kubectl-evict-pod {
@@ -39508,6 +39510,8 @@ with pkgs;
 
   terragrunt = callPackage ../applications/networking/cluster/terragrunt { };
 
+  tfautomv = callPackage ../applications/networking/cluster/tfautomv { };
+
   terranix = callPackage ../applications/networking/cluster/terranix { };
 
   terraspace = callPackage ../applications/networking/cluster/terraspace { };

pkgs/top-level/python-packages.nix

@@ -873,6 +873,8 @@ self: super: with self; {
 
   aws-sam-translator = callPackage ../development/python-modules/aws-sam-translator { };
 
+  aws-secretsmanager-caching = callPackage ../development/python-modules/aws-secretsmanager-caching { };
+
   aws-xray-sdk = callPackage ../development/python-modules/aws-xray-sdk { };
 
   awscrt = callPackage ../development/python-modules/awscrt {