Merge remote-tracking branch 'origin/master' into staging-next

Conflicts:
 pkgs/development/tools/kubie/default.nix

nixos/modules/services/networking/znc/default.nix

@@ -299,9 +299,8 @@ in
         # Ensure essential files exist.
         if [[ ! -f ${cfg.dataDir}/configs/znc.conf ]]; then
             echo "No znc.conf file found in ${cfg.dataDir}. Creating one now."
-            cp --no-clobber ${cfg.configFile} ${cfg.dataDir}/configs/znc.conf
+            cp --no-preserve=ownership --no-clobber ${cfg.configFile} ${cfg.dataDir}/configs/znc.conf
             chmod u+rw ${cfg.dataDir}/configs/znc.conf
-            chown ${cfg.user} ${cfg.dataDir}/configs/znc.conf
         fi
 
         if [[ ! -f ${cfg.dataDir}/znc.pem ]]; then

nixos/modules/services/web-apps/keycloak.nix

@@ -54,6 +54,7 @@ in
 
     frontendUrl = lib.mkOption {
       type = lib.types.str;
+      apply = x: if lib.hasSuffix "/" x then x else x + "/";
       example = "keycloak.example.com/auth";
       description = ''
         The public URL used as base for all frontend requests. Should
@@ -84,113 +85,128 @@ in
       '';
     };
 
-    certificatePrivateKeyBundle = lib.mkOption {
+    sslCertificate = lib.mkOption {
       type = lib.types.nullOr lib.types.path;
       default = null;
       example = "/run/keys/ssl_cert";
       description = ''
-        The path to a PEM formatted bundle of the private key and
+        The path to a PEM formatted certificate to use for TLS/SSL
-        certificate to use for TLS connections.
+        connections.
 
         This should be a string, not a Nix path, since Nix paths are
         copied into the world-readable Nix store.
       '';
     };
 
-    databaseType = lib.mkOption {
+    sslCertificateKey = lib.mkOption {
-      type = lib.types.enum [ "mysql" "postgresql" ];
-      default = "postgresql";
-      example = "mysql";
-      description = ''
-        The type of database Keycloak should connect to.
-      '';
-    };
-
-    databaseHost = lib.mkOption {
-      type = lib.types.str;
-      default = "localhost";
-      description = ''
-        Hostname of the database to connect to.
-      '';
-    };
-
-    databasePort =
-      let
-        dbPorts = {
-          postgresql = 5432;
-          mysql = 3306;
-        };
-      in
-        lib.mkOption {
-          type = lib.types.port;
-          default = dbPorts.${cfg.databaseType};
-          description = ''
-            Port of the database to connect to.
-          '';
-        };
-
-    databaseUseSSL = lib.mkOption {
-      type = lib.types.bool;
-      default = cfg.databaseHost != "localhost";
-      description = ''
-        Whether the database connection should be secured by SSL /
-        TLS.
-      '';
-    };
-
-    databaseCaCert = lib.mkOption {
       type = lib.types.nullOr lib.types.path;
       default = null;
+      example = "/run/keys/ssl_key";
       description = ''
-        The SSL / TLS CA certificate that verifies the identity of the
+        The path to a PEM formatted private key to use for TLS/SSL
-        database server.
+        connections.
-
-        Required when PostgreSQL is used and SSL is turned on.
-
-        For MySQL, if left at <literal>null</literal>, the default
-        Java keystore is used, which should suffice if the server
-        certificate is issued by an official CA.
-      '';
-    };
-
-    databaseCreateLocally = lib.mkOption {
-      type = lib.types.bool;
-      default = true;
-      description = ''
-        Whether a database should be automatically created on the
-        local host. Set this to false if you plan on provisioning a
-        local database yourself. This has no effect if
-        services.keycloak.databaseHost is customized.
-      '';
-    };
-
-    databaseUsername = lib.mkOption {
-      type = lib.types.str;
-      default = "keycloak";
-      description = ''
-        Username to use when connecting to an external or manually
-        provisioned database; has no effect when a local database is
-        automatically provisioned.
-
-        To use this with a local database, set <xref
-        linkend="opt-services.keycloak.databaseCreateLocally" /> to
-        <literal>false</literal> and create the database and user
-        manually. The database should be called
-        <literal>keycloak</literal>.
-      '';
-    };
-
-    databasePasswordFile = lib.mkOption {
-      type = lib.types.path;
-      example = "/run/keys/db_password";
-      description = ''
-        File containing the database password.
 
         This should be a string, not a Nix path, since Nix paths are
         copied into the world-readable Nix store.
       '';
     };
 
+    database = {
+      type = lib.mkOption {
+        type = lib.types.enum [ "mysql" "postgresql" ];
+        default = "postgresql";
+        example = "mysql";
+        description = ''
+          The type of database Keycloak should connect to.
+        '';
+      };
+
+      host = lib.mkOption {
+        type = lib.types.str;
+        default = "localhost";
+        description = ''
+          Hostname of the database to connect to.
+        '';
+      };
+
+      port =
+        let
+          dbPorts = {
+            postgresql = 5432;
+            mysql = 3306;
+          };
+        in
+          lib.mkOption {
+            type = lib.types.port;
+            default = dbPorts.${cfg.database.type};
+            description = ''
+              Port of the database to connect to.
+            '';
+          };
+
+      useSSL = lib.mkOption {
+        type = lib.types.bool;
+        default = cfg.database.host != "localhost";
+        description = ''
+          Whether the database connection should be secured by SSL /
+          TLS.
+        '';
+      };
+
+      caCert = lib.mkOption {
+        type = lib.types.nullOr lib.types.path;
+        default = null;
+        description = ''
+          The SSL / TLS CA certificate that verifies the identity of the
+          database server.
+
+          Required when PostgreSQL is used and SSL is turned on.
+
+          For MySQL, if left at <literal>null</literal>, the default
+          Java keystore is used, which should suffice if the server
+          certificate is issued by an official CA.
+        '';
+      };
+
+      createLocally = lib.mkOption {
+        type = lib.types.bool;
+        default = true;
+        description = ''
+          Whether a database should be automatically created on the
+          local host. Set this to false if you plan on provisioning a
+          local database yourself. This has no effect if
+          services.keycloak.database.host is customized.
+        '';
+      };
+
+      username = lib.mkOption {
+        type = lib.types.str;
+        default = "keycloak";
+        description = ''
+          Username to use when connecting to an external or manually
+          provisioned database; has no effect when a local database is
+          automatically provisioned.
+
+          To use this with a local database, set <xref
+          linkend="opt-services.keycloak.database.createLocally" /> to
+          <literal>false</literal> and create the database and user
+          manually. The database should be called
+          <literal>keycloak</literal>.
+        '';
+      };
+
+      passwordFile = lib.mkOption {
+        type = lib.types.path;
+        example = "/run/keys/db_password";
+        description = ''
+          File containing the database password.
+
+          This should be a string, not a Nix path, since Nix paths are
+          copied into the world-readable Nix store.
+        '';
+      };
+    };
+
     package = lib.mkOption {
       type = lib.types.package;
       default = pkgs.keycloak;
@@ -261,12 +277,12 @@ in
   config =
     let
       # We only want to create a database if we're actually going to connect to it.
-      databaseActuallyCreateLocally = cfg.databaseCreateLocally && cfg.databaseHost == "localhost";
+      databaseActuallyCreateLocally = cfg.database.createLocally && cfg.database.host == "localhost";
-      createLocalPostgreSQL = databaseActuallyCreateLocally && cfg.databaseType == "postgresql";
+      createLocalPostgreSQL = databaseActuallyCreateLocally && cfg.database.type == "postgresql";
-      createLocalMySQL = databaseActuallyCreateLocally && cfg.databaseType == "mysql";
+      createLocalMySQL = databaseActuallyCreateLocally && cfg.database.type == "mysql";
 
       mySqlCaKeystore = pkgs.runCommandNoCC "mysql-ca-keystore" {} ''
-        ${pkgs.jre}/bin/keytool -importcert -trustcacerts -alias MySQLCACert -file ${cfg.databaseCaCert} -keystore $out -storepass notsosecretpassword -noprompt
+        ${pkgs.jre}/bin/keytool -importcert -trustcacerts -alias MySQLCACert -file ${cfg.database.caCert} -keystore $out -storepass notsosecretpassword -noprompt
       '';
 
       keycloakConfig' = builtins.foldl' lib.recursiveUpdate {
@@ -282,11 +298,11 @@ in
         };
         "subsystem=datasources"."data-source=KeycloakDS" = {
           max-pool-size = "20";
-          user-name = if databaseActuallyCreateLocally then "keycloak" else cfg.databaseUsername;
+          user-name = if databaseActuallyCreateLocally then "keycloak" else cfg.database.username;
           password = "@db-password@";
         };
       } [
-        (lib.optionalAttrs (cfg.databaseType == "postgresql") {
+        (lib.optionalAttrs (cfg.database.type == "postgresql") {
           "subsystem=datasources" = {
             "jdbc-driver=postgresql" = {
               driver-module-name = "org.postgresql";
@@ -294,16 +310,16 @@ in
               driver-xa-datasource-class-name = "org.postgresql.xa.PGXADataSource";
             };
             "data-source=KeycloakDS" = {
-              connection-url = "jdbc:postgresql://${cfg.databaseHost}:${builtins.toString cfg.databasePort}/keycloak";
+              connection-url = "jdbc:postgresql://${cfg.database.host}:${builtins.toString cfg.database.port}/keycloak";
               driver-name = "postgresql";
-              "connection-properties=ssl".value = lib.boolToString cfg.databaseUseSSL;
+              "connection-properties=ssl".value = lib.boolToString cfg.database.useSSL;
-            } // (lib.optionalAttrs (cfg.databaseCaCert != null) {
+            } // (lib.optionalAttrs (cfg.database.caCert != null) {
-              "connection-properties=sslrootcert".value = cfg.databaseCaCert;
+              "connection-properties=sslrootcert".value = cfg.database.caCert;
               "connection-properties=sslmode".value = "verify-ca";
             });
           };
         })
-        (lib.optionalAttrs (cfg.databaseType == "mysql") {
+        (lib.optionalAttrs (cfg.database.type == "mysql") {
           "subsystem=datasources" = {
             "jdbc-driver=mysql" = {
               driver-module-name = "com.mysql";
@@ -311,22 +327,22 @@ in
               driver-class-name = "com.mysql.jdbc.Driver";
             };
             "data-source=KeycloakDS" = {
-              connection-url = "jdbc:mysql://${cfg.databaseHost}:${builtins.toString cfg.databasePort}/keycloak";
+              connection-url = "jdbc:mysql://${cfg.database.host}:${builtins.toString cfg.database.port}/keycloak";
               driver-name = "mysql";
-              "connection-properties=useSSL".value = lib.boolToString cfg.databaseUseSSL;
+              "connection-properties=useSSL".value = lib.boolToString cfg.database.useSSL;
-              "connection-properties=requireSSL".value = lib.boolToString cfg.databaseUseSSL;
+              "connection-properties=requireSSL".value = lib.boolToString cfg.database.useSSL;
-              "connection-properties=verifyServerCertificate".value = lib.boolToString cfg.databaseUseSSL;
+              "connection-properties=verifyServerCertificate".value = lib.boolToString cfg.database.useSSL;
               "connection-properties=characterEncoding".value = "UTF-8";
               valid-connection-checker-class-name = "org.jboss.jca.adapters.jdbc.extensions.mysql.MySQLValidConnectionChecker";
               validate-on-match = true;
               exception-sorter-class-name = "org.jboss.jca.adapters.jdbc.extensions.mysql.MySQLExceptionSorter";
-            } // (lib.optionalAttrs (cfg.databaseCaCert != null) {
+            } // (lib.optionalAttrs (cfg.database.caCert != null) {
               "connection-properties=trustCertificateKeyStoreUrl".value = "file:${mySqlCaKeystore}";
               "connection-properties=trustCertificateKeyStorePassword".value = "notsosecretpassword";
             });
           };
         })
-        (lib.optionalAttrs (cfg.certificatePrivateKeyBundle != null) {
+        (lib.optionalAttrs (cfg.sslCertificate != null && cfg.sslCertificateKey != null) {
           "socket-binding-group=standard-sockets"."socket-binding=https".port = cfg.httpsPort;
           "core-service=management"."security-realm=UndertowRealm"."server-identity=ssl" = {
             keystore-path = "/run/keycloak/ssl/certificate_private_key_bundle.p12";
@@ -537,7 +553,9 @@ in
 
       jbossCliScript = pkgs.writeText "jboss-cli-script" (mkJbossScript keycloakConfig');
 
-      keycloakConfig = pkgs.runCommandNoCC "keycloak-config" {} ''
+      keycloakConfig = pkgs.runCommandNoCC "keycloak-config" {
+        nativeBuildInputs = [ cfg.package ];
+      } ''
         export JBOSS_BASE_DIR="$(pwd -P)";
         export JBOSS_MODULEPATH="${cfg.package}/modules";
         export JBOSS_LOG_DIR="$JBOSS_BASE_DIR/log";
@@ -547,11 +565,11 @@ in
 
         mkdir -p {deployments,ssl}
 
-        "${cfg.package}/bin/standalone.sh"&
+        standalone.sh&
 
         attempt=1
         max_attempts=30
-        while ! ${cfg.package}/bin/jboss-cli.sh --connect ':read-attribute(name=server-state)'; do
+        while ! jboss-cli.sh --connect ':read-attribute(name=server-state)'; do
             if [[ "$attempt" == "$max_attempts" ]]; then
                 echo "ERROR: Could not connect to Keycloak after $attempt attempts! Failing.." >&2
                 exit 1
@@ -561,7 +579,7 @@ in
             (( attempt++ ))
         done
 
-        ${cfg.package}/bin/jboss-cli.sh --connect --file=${jbossCliScript} --echo-command
+        jboss-cli.sh --connect --file=${jbossCliScript} --echo-command
 
         cp configuration/standalone.xml $out
       '';
@@ -570,8 +588,8 @@ in
 
         assertions = [
           {
-            assertion = (cfg.databaseUseSSL && cfg.databaseType == "postgresql") -> (cfg.databaseCaCert != null);
+            assertion = (cfg.database.useSSL && cfg.database.type == "postgresql") -> (cfg.database.caCert != null);
-            message = "A CA certificate must be specified (in 'services.keycloak.databaseCaCert') when PostgreSQL is used with SSL";
+            message = "A CA certificate must be specified (in 'services.keycloak.database.caCert') when PostgreSQL is used with SSL";
           }
         ];
 
@@ -581,6 +599,7 @@ in
           after = [ "postgresql.service" ];
           before = [ "keycloak.service" ];
           bindsTo = [ "postgresql.service" ];
+          path = [ config.services.postgresql.package ];
           serviceConfig = {
             Type = "oneshot";
             RemainAfterExit = true;
@@ -588,13 +607,15 @@ in
             Group = "postgres";
           };
           script = ''
-            set -eu
+            set -o errexit -o pipefail -o nounset -o errtrace
+            shopt -s inherit_errexit
 
-            PSQL=${config.services.postgresql.package}/bin/psql
+            create_role="$(mktemp)"
+            trap 'rm -f "$create_role"' ERR EXIT
 
-            db_password="$(<'${cfg.databasePasswordFile}')"
+            echo "CREATE ROLE keycloak WITH LOGIN PASSWORD '$(<'${cfg.database.passwordFile}')' CREATEDB" > "$create_role"
-            $PSQL -tAc "SELECT 1 FROM pg_roles WHERE rolname='keycloak'" | grep -q 1 || $PSQL -tAc "CREATE ROLE keycloak WITH LOGIN PASSWORD '$db_password' CREATEDB"
+            psql -tAc "SELECT 1 FROM pg_roles WHERE rolname='keycloak'" | grep -q 1 || psql -tA --file="$create_role"
-            $PSQL -tAc "SELECT 1 FROM pg_database WHERE datname = 'keycloak'" | grep -q 1 || $PSQL -tAc 'CREATE DATABASE "keycloak" OWNER "keycloak"'
+            psql -tAc "SELECT 1 FROM pg_database WHERE datname = 'keycloak'" | grep -q 1 || psql -tAc 'CREATE DATABASE "keycloak" OWNER "keycloak"'
           '';
         };
 
@@ -602,6 +623,7 @@ in
           after = [ "mysql.service" ];
           before = [ "keycloak.service" ];
           bindsTo = [ "mysql.service" ];
+          path = [ config.services.mysql.package ];
           serviceConfig = {
             Type = "oneshot";
             RemainAfterExit = true;
@@ -609,13 +631,14 @@ in
             Group = config.services.mysql.group;
           };
           script = ''
-            set -eu
+            set -o errexit -o pipefail -o nounset -o errtrace
+            shopt -s inherit_errexit
 
-            db_password="$(<'${cfg.databasePasswordFile}')"
+            db_password="$(<'${cfg.database.passwordFile}')"
             ( echo "CREATE USER IF NOT EXISTS 'keycloak'@'localhost' IDENTIFIED BY '$db_password';"
               echo "CREATE DATABASE keycloak CHARACTER SET utf8 COLLATE utf8_unicode_ci;"
               echo "GRANT ALL PRIVILEGES ON keycloak.* TO 'keycloak'@'localhost';"
-            ) | ${config.services.mysql.package}/bin/mysql -N
+            ) | mysql -N
           '';
         };
 
@@ -634,6 +657,8 @@ in
             bindsTo = databaseServices;
             wantedBy = [ "multi-user.target" ];
             path = with pkgs; [
+              cfg.package
+              openssl
               replace-secret
             ];
             environment = {
@@ -644,14 +669,21 @@ in
             serviceConfig = {
               ExecStartPre = let
                 startPreFullPrivileges = ''
-                  set -eu
+                  set -o errexit -o pipefail -o nounset -o errtrace
+                  shopt -s inherit_errexit
 
-                  install -T -m 0400 -o keycloak -g keycloak '${cfg.databasePasswordFile}' /run/keycloak/secrets/db_password
+                  umask u=rwx,g=,o=
-                '' + lib.optionalString (cfg.certificatePrivateKeyBundle != null) ''
+
-                  install -T -m 0400 -o keycloak -g keycloak '${cfg.certificatePrivateKeyBundle}' /run/keycloak/secrets/ssl_cert_pk_bundle
+                  install -T -m 0400 -o keycloak -g keycloak '${cfg.database.passwordFile}' /run/keycloak/secrets/db_password
+                '' + lib.optionalString (cfg.sslCertificate != null && cfg.sslCertificateKey != null) ''
+                  install -T -m 0400 -o keycloak -g keycloak '${cfg.sslCertificate}' /run/keycloak/secrets/ssl_cert
+                  install -T -m 0400 -o keycloak -g keycloak '${cfg.sslCertificateKey}' /run/keycloak/secrets/ssl_key
                 '';
                 startPre = ''
-                  set -eu
+                  set -o errexit -o pipefail -o nounset -o errtrace
+                  shopt -s inherit_errexit
+
+                  umask u=rwx,g=,o=
 
                   install -m 0600 ${cfg.package}/standalone/configuration/*.properties /run/keycloak/configuration
                   install -T -m 0600 ${keycloakConfig} /run/keycloak/configuration/standalone.xml
@@ -659,13 +691,16 @@ in
                   replace-secret '@db-password@' '/run/keycloak/secrets/db_password' /run/keycloak/configuration/standalone.xml
 
                   export JAVA_OPTS=-Djboss.server.config.user.dir=/run/keycloak/configuration
-                  ${cfg.package}/bin/add-user-keycloak.sh -u admin -p '${cfg.initialAdminPassword}'
+                  add-user-keycloak.sh -u admin -p '${cfg.initialAdminPassword}'
-                '' + lib.optionalString (cfg.certificatePrivateKeyBundle != null) ''
+                '' + lib.optionalString (cfg.sslCertificate != null && cfg.sslCertificateKey != null) ''
                   pushd /run/keycloak/ssl/
-                  cat /run/keycloak/secrets/ssl_cert_pk_bundle <(echo) /etc/ssl/certs/ca-certificates.crt > allcerts.pem
+                  cat /run/keycloak/secrets/ssl_cert <(echo) \
-                  ${pkgs.openssl}/bin/openssl pkcs12 -export -in /run/keycloak/secrets/ssl_cert_pk_bundle -chain \
+                      /run/keycloak/secrets/ssl_key <(echo) \
-                                                     -name "${cfg.frontendUrl}" -out certificate_private_key_bundle.p12 \
+                      /etc/ssl/certs/ca-certificates.crt \
-                                                     -CAfile allcerts.pem -passout pass:notsosecretpassword
+                      > allcerts.pem
+                  openssl pkcs12 -export -in /run/keycloak/secrets/ssl_cert -inkey /run/keycloak/secrets/ssl_key -chain \
+                                 -name "${cfg.frontendUrl}" -out certificate_private_key_bundle.p12 \
+                                 -CAfile allcerts.pem -passout pass:notsosecretpassword
                   popd
                 '';
               in [
@@ -697,4 +732,5 @@ in
       };
 
   meta.doc = ./keycloak.xml;
+  meta.maintainers = [ lib.maintainers.talyz ];
 }

nixos/modules/services/web-apps/keycloak.xml

@@ -41,31 +41,31 @@
        <productname>PostgreSQL</productname> or
        <productname>MySQL</productname>. Which one is used can be
        configured in <xref
-       linkend="opt-services.keycloak.databaseType" />. The selected
+       linkend="opt-services.keycloak.database.type" />. The selected
        database will automatically be enabled and a database and role
        created unless <xref
-       linkend="opt-services.keycloak.databaseHost" /> is changed from
+       linkend="opt-services.keycloak.database.host" /> is changed from
        its default of <literal>localhost</literal> or <xref
-       linkend="opt-services.keycloak.databaseCreateLocally" /> is set
+       linkend="opt-services.keycloak.database.createLocally" /> is set
        to <literal>false</literal>.
      </para>
 
      <para>
        External database access can also be configured by setting
-       <xref linkend="opt-services.keycloak.databaseHost" />, <xref
+       <xref linkend="opt-services.keycloak.database.host" />, <xref
-       linkend="opt-services.keycloak.databaseUsername" />, <xref
+       linkend="opt-services.keycloak.database.username" />, <xref
-       linkend="opt-services.keycloak.databaseUseSSL" /> and <xref
+       linkend="opt-services.keycloak.database.useSSL" /> and <xref
-       linkend="opt-services.keycloak.databaseCaCert" /> as
+       linkend="opt-services.keycloak.database.caCert" /> as
        appropriate. Note that you need to manually create a database
        called <literal>keycloak</literal> and allow the configured
        database user full access to it.
      </para>
 
      <para>
-       <xref linkend="opt-services.keycloak.databasePasswordFile" />
+       <xref linkend="opt-services.keycloak.database.passwordFile" />
        must be set to the path to a file containing the password used
-       to log in to the database. If <xref linkend="opt-services.keycloak.databaseHost" />
+       to log in to the database. If <xref linkend="opt-services.keycloak.database.host" />
-       and <xref linkend="opt-services.keycloak.databaseCreateLocally" />
+       and <xref linkend="opt-services.keycloak.database.createLocally" />
        are kept at their defaults, the database role
        <literal>keycloak</literal> with that password is provisioned
        on the local database instance.
@@ -115,17 +115,17 @@
      </para>
 
      <para>
-       For HTTPS support, a TLS certificate and private key is
+       HTTPS support requires a TLS/SSL certificate and a private key,
-       required. They should be <link
+       both <link
        xlink:href="https://en.wikipedia.org/wiki/Privacy-Enhanced_Mail">PEM
-       formatted</link> and concatenated into a single file. The path
+       formatted</link>. Their paths should be set through <xref
-       to this file should be configured in
+       linkend="opt-services.keycloak.sslCertificate" /> and <xref
-       <xref linkend="opt-services.keycloak.certificatePrivateKeyBundle" />.
+       linkend="opt-services.keycloak.sslCertificateKey" />.
      </para>
 
      <warning>
        <para>
-         The path should be provided as a string, not a Nix path,
+         The paths should be provided as a strings, not a Nix paths,
          since Nix paths are copied into the world readable Nix store.
        </para>
      </warning>
@@ -195,8 +195,9 @@ services.keycloak = {
   <link linkend="opt-services.keycloak.initialAdminPassword">initialAdminPassword</link> = "e6Wcm0RrtegMEHl";  # change on first login
   <link linkend="opt-services.keycloak.frontendUrl">frontendUrl</link> = "https://keycloak.example.com/auth";
   <link linkend="opt-services.keycloak.forceBackendUrlToFrontendUrl">forceBackendUrlToFrontendUrl</link> = true;
-  <link linkend="opt-services.keycloak.certificatePrivateKeyBundle">certificatePrivateKeyBundle</link> = "/run/keys/ssl_cert";
+  <link linkend="opt-services.keycloak.sslCertificate">sslCertificate</link> = "/run/keys/ssl_cert";
-  <link linkend="opt-services.keycloak.databasePasswordFile">databasePasswordFile</link> = "/run/keys/db_password";
+  <link linkend="opt-services.keycloak.sslCertificateKey">sslCertificateKey</link> = "/run/keys/ssl_key";
+  <link linkend="opt-services.keycloak.database.passwordFile">database.passwordFile</link> = "/run/keys/db_password";
 };
 </programlisting>
      </para>

nixos/modules/services/web-apps/mastodon.nix

@@ -448,10 +448,10 @@ in {
                 join pg_namespace s on s.oid = c.relnamespace \
                 where s.nspname not in ('pg_catalog', 'pg_toast', 'information_schema') \
                 and s.nspname not like 'pg_temp%';" | sed -n 3p` -eq 0 ]; then
-          SAFETY_ASSURED=1 rake db:schema:load
+          SAFETY_ASSURED=1 rails db:schema:load
-          rake db:seed
+          rails db:seed
         else
-          rake db:migrate
+          rails db:migrate
         fi
       '';
       path = [ cfg.package pkgs.postgresql ];

nixos/tests/keycloak.nix

@@ -3,7 +3,8 @@
 # client using their Keycloak login.
 
 let
-  frontendUrl = "http://keycloak/auth";
+  certs = import ./common/acme/server/snakeoil-certs.nix;
+  frontendUrl = "https://${certs.domain}/auth";
   initialAdminPassword = "h4IhoJFnt2iQIR9";
 
   keycloakTest = import ./make-test-python.nix (
@@ -17,12 +18,27 @@ let
       nodes = {
         keycloak = { ... }: {
           virtualisation.memorySize = 1024;
+
+          security.pki.certificateFiles = [
+            certs.ca.cert
+          ];
+
+          networking.extraHosts = ''
+            127.0.0.1 ${certs.domain}
+          '';
+
           services.keycloak = {
             enable = true;
-            inherit frontendUrl databaseType initialAdminPassword;
+            inherit frontendUrl initialAdminPassword;
-            databaseUsername = "bogus";
+            sslCertificate = certs.${certs.domain}.cert;
-            databasePasswordFile = pkgs.writeText "dbPassword" "wzf6vOCbPp6cqTH";
+            sslCertificateKey = certs.${certs.domain}.key;
+            database = {
+              type = databaseType;
+              username = "bogus";
+              passwordFile = pkgs.writeText "dbPassword" "wzf6vOCbPp6cqTH";
+            };
           };
+
           environment.systemPackages = with pkgs; [
             xmlstarlet
             libtidy

pkgs/applications/audio/clementine/default.nix

@@ -1,8 +1,49 @@
-{ lib, mkDerivation, fetchFromGitHub, fetchpatch, boost, cmake, chromaprint, gettext, gst_all_1, liblastfm
+{ lib
-, qtbase, qtx11extras, qttools
+, mkDerivation
-, taglib, fftw, glew, qjson, sqlite, libgpod, libplist, usbmuxd, libmtp
+, fetchFromGitHub
-, libpulseaudio, gvfs, libcdio, libechonest, libspotify, pcre, projectm, protobuf
+, fetchpatch
-, qca2, pkg-config, sparsehash, config, makeWrapper, gst_plugins }:
+, boost
+, cmake
+, chromaprint
+, gettext
+, gst_all_1
+, liblastfm
+, qtbase
+, qtx11extras
+, qttools
+, taglib
+, fftw
+, glew
+, qjson
+, sqlite
+, libgpod
+, libplist
+, usbmuxd
+, libmtp
+, libpulseaudio
+, gvfs
+, libcdio
+, libechonest
+, libspotify
+, pcre
+, projectm
+, protobuf
+, qca2
+, pkg-config
+, sparsehash
+, config
+, makeWrapper
+, gst_plugins
+
+, util-linux
+, libunwind
+, libselinux
+, elfutils
+, libsepol
+, orc
+
+, alsaLib
+}:
 
 let
   withIpod = config.clementine.ipod or false;
@@ -22,9 +63,26 @@ let
 
   patches = [
     ./clementine-spotify-blob.patch
+    (fetchpatch {
+      # "short-term" fix for execution on wayland (1.4.0rc1-131-g2179027a6)
+      # for https://github.com/clementine-player/Clementine/issues/6587
+      url = "https://github.com/clementine-player/Clementine/commit/2179027a6d97530c857e43be873baacd696ff332.patch";
+      sha256 = "0344bfcyvjim5ph8w4km6zkg96rj5g9ybp9x14qgyw2gkdksimn6";
+    })
   ];
 
-  nativeBuildInputs = [ cmake pkg-config makeWrapper ];
+  nativeBuildInputs = [
+    cmake
+    pkg-config
+    makeWrapper
+
+    util-linux
+    libunwind
+    libselinux
+    elfutils
+    libsepol
+    orc
+  ];
 
   buildInputs = [
     boost
@@ -48,11 +106,13 @@ let
     qttools
     sqlite
     taglib
+
+    alsaLib
   ]
-  ++ lib.optionals (withIpod) [libgpod libplist usbmuxd]
+  ++ lib.optionals (withIpod) [ libgpod libplist usbmuxd ]
-  ++ lib.optionals (withMTP) [libmtp]
+  ++ lib.optionals (withMTP) [ libmtp ]
-  ++ lib.optionals (withCD) [libcdio]
+  ++ lib.optionals (withCD) [ libcdio ]
-  ++ lib.optionals (withCloud) [sparsehash];
+  ++ lib.optionals (withCloud) [ sparsehash ];
 
   postPatch = ''
     sed -i src/CMakeLists.txt \
@@ -132,4 +192,5 @@ let
     };
   };
 
-in free
+in
+free

pkgs/applications/backup/pika-backup/default.nix

@@ -19,20 +19,20 @@
 
 stdenv.mkDerivation rec {
   pname = "pika-backup";
-  version = "0.3.0";
+  version = "0.3.1";
 
   src = fetchFromGitLab {
     domain = "gitlab.gnome.org";
     owner = "World";
     repo = "pika-backup";
     rev = "v${version}";
-    sha256 = "sha256-k9kl6cSohWx+MB/9jyVcTgpv02gsVwAk5KDSNqQrmzI=";
+    sha256 = "0cr3axfp15nzwmsqyz6j781qhr2gsn9p69m0jfzy89pl83d6vcz0";
   };
 
   cargoDeps = rustPlatform.fetchCargoTarball {
     inherit src;
     name = "${pname}-${version}";
-    sha256 = "0r6nbffik5j82bi82cmc00b17xv9m7xn3w3sarzwfxz0h43lal8a";
+    sha256 = "1z0cbrkhxyzwf7vjjsvdppb7zhflpkw4m5cy90a2315nbll3hpbp";
   };
 
   patches = [

pkgs/applications/networking/cluster/nomad/1.0.nix

@@ -6,6 +6,6 @@
 
 callPackage ./generic.nix {
   inherit buildGoPackage nvidia_x11 nvidiaGpuSupport;
-  version = "1.0.5";
+  version = "1.0.6";
-  sha256 = "06l56fi4fhplvl8v0i88q18yh1hwwd12fngnrflb91janbyk6p4l";
+  sha256 = "1nzaw4014bndxv042dkxdj492b21r5v5f06vav2kr1azk4m9sf07";
 }

pkgs/applications/networking/cluster/nomad/1.1.nix

@@ -0,0 +1,11 @@
+{ callPackage
+, buildGoPackage
+, nvidia_x11
+, nvidiaGpuSupport
+}:
+
+callPackage ./generic.nix {
+  inherit buildGoPackage nvidia_x11 nvidiaGpuSupport;
+  version = "1.1.0";
+  sha256 = "0sz6blyxyxi5iq170s9v4nndb1hpz603z5ps2cxkdkaafal39767";
+}

pkgs/applications/networking/nextcloud-client/default.nix

@@ -20,13 +20,13 @@
 
 mkDerivation rec {
   pname = "nextcloud-client";
-  version = "3.2.0";
+  version = "3.2.1";
 
   src = fetchFromGitHub {
     owner = "nextcloud";
     repo = "desktop";
     rev = "v${version}";
-    sha256 = "1nklsa2lx9ayjp8rk1mycjysqqmnq47djig0wygzna5mycl3ji06";
+    sha256 = "sha256-I31w79GDZxSGlT6YPKSpq0aiyGnJiJBVdTyWI+DUoz4=";
   };
 
   patches = [

pkgs/development/python-modules/internetarchive/default.nix

@@ -19,11 +19,11 @@
 
 buildPythonPackage rec {
   pname = "internetarchive";
-  version = "2.0.2";
+  version = "2.0.3";
 
   src = fetchPypi {
     inherit pname version;
-    sha256 = "515e6646a2b917c15f2241670d21f14a014b9c67dc509aef4d4aca5a59cdda65";
+    sha256 = "2ce0ab89fea37e5b2311bc7d163955e84f73f6beeac3942e17e9d51ad7cc9ffa";
   };
 
   propagatedBuildInputs = [

pkgs/development/tools/continuous-integration/gitlab-runner/default.nix

@@ -1,16 +1,16 @@
 { lib, buildGoPackage, fetchFromGitLab, fetchurl }:
 
 let
-  version = "13.11.0";
+  version = "13.12.0";
   # Gitlab runner embeds some docker images these are prebuilt for arm and x86_64
   docker_x86_64 = fetchurl {
     url = "https://gitlab-runner-downloads.s3.amazonaws.com/v${version}/helper-images/prebuilt-x86_64.tar.xz";
-    sha256 = "1vmj7vxz1a4js9kqz7mm6xgnkmb37c1jbx2lwsq2qkrybkxfcw8k";
+    sha256 = "0m0r295520jy45wn8jw3jzhiixl4c6yrfx7gvgbd4c1v4y8ivrci";
   };
 
   docker_arm = fetchurl {
     url = "https://gitlab-runner-downloads.s3.amazonaws.com/v${version}/helper-images/prebuilt-arm.tar.xz";
-    sha256 = "1c1pywz7ylaysplvq1m15v7rf1sgdkh9scbqklzcm55fjk128lif";
+    sha256 = "0syfggplp19bbmhhpyc17h0f1dii9hc6n04q483l0xdk7sv39fwx";
   };
 in
 buildGoPackage rec {
@@ -30,7 +30,7 @@ buildGoPackage rec {
     owner = "gitlab-org";
     repo = "gitlab-runner";
     rev = "v${version}";
-    sha256 = "07jqsxac50xwmhlv0nbnn098290nkpsmrxw872yh67n1s9gqfd27";
+    sha256 = "0jh5ghjyzr7srl3xjsklv9yskq8k88kmylpiigjir0mkbn43fgzq";
   };
 
   patches = [ ./fix-shell-path.patch ];

pkgs/development/tools/kind/default.nix

@@ -4,16 +4,16 @@ with lib;
 
 buildGoModule rec {
   pname = "kind";
-  version = "0.10.0";
+  version = "0.11.0";
 
   src = fetchFromGitHub {
     rev    = "v${version}";
     owner  = "kubernetes-sigs";
     repo   = "kind";
-    sha256 = "1pp2x4bfqsd15siahyv9xkdyswsipmp9n86iwavrd0xhliqxlsa7";
+    sha256 = "020s1fr92lv9yiy5kbnrfb8n0lpslriwyh5z31aym3x44qpc6jaj";
   };
 
-  vendorSha256 = "0c0j4s8kfzk2b3hy0d2g5bp1zr60l6vnwnpynsg6ksv8spwnpl5m";
+  vendorSha256 = "08cjvhk587f3aar4drn0hq9q1zlsnl4p7by4j38jzb4r8ix5s98y";
 
   doCheck = false;
 

pkgs/development/tools/kubie/default.nix

@@ -2,16 +2,16 @@
 
 rustPlatform.buildRustPackage rec {
   pname = "kubie";
-  version = "0.13.4";
+  version = "0.14.1";
 
   src = fetchFromGitHub {
     rev = "v${version}";
     owner = "sbstp";
     repo = "kubie";
-    sha256 = "sha256-ZD63Xtnw7qzTrzFxzzZ37N177/PnRaMEzBbhz7h/zCY=";
+    sha256 = "0mhm2j3i2ql7dz5vx0mwab8h8zr05ar5lfzdacgnrc293g1c01aq";
   };
 
-  cargoSha256 = "sha256-WSjIN7YVX61V5nEei2iZfasIcBLjXxlZP6ZUj9nDnpo=";
+  cargoSha256 = "1rfqk7dmcz5zfq9fm9kvxf5718m0v0yfjm5a8718d40zzzvam7sy";
 
   nativeBuildInputs = [ installShellFiles ];
 

pkgs/development/tools/misc/hydra/default.nix

@@ -1,4 +1,4 @@
-{ fetchFromGitHub, nixStable, callPackage, nixFlakes, nixosTests }:
+{ fetchFromGitHub, nixStable, callPackage, nixUnstable, nixosTests }:
 
 {
   hydra-unstable = callPackage ./common.nix {
@@ -9,7 +9,7 @@
       rev = "886e6f85e45a1f757e9b77d2a9e4539fbde29468";
       sha256 = "t7Qb57Xjc0Ou+VDGC1N5u9AmeODW6MVOwKSrYRJq5f0=";
     };
-    nix = nixFlakes;
+    nix = nixUnstable;
 
     tests = {
       basic = nixosTests.hydra.hydra-unstable;

pkgs/servers/mastodon/default.nix

@@ -1,5 +1,5 @@
 { lib, stdenv, nodejs-slim, mkYarnPackage, fetchFromGitHub, bundlerEnv
-, yarn, callPackage, imagemagick, ffmpeg, file, ruby_2_7, writeShellScript
+, yarn, callPackage, imagemagick, ffmpeg, file, ruby_3_0, writeShellScript
 
   # Allow building a fork or custom version of Mastodon:
 , pname ? "mastodon"
@@ -18,7 +18,7 @@ stdenv.mkDerivation rec {
   mastodon-gems = bundlerEnv {
     name = "${pname}-gems-${version}";
     inherit version;
-    ruby = ruby_2_7;
+    ruby = ruby_3_0;
     gemdir = src;
     gemset = dependenciesDir + "/gemset.nix";
     # This fix (copied from https://github.com/NixOS/nixpkgs/pull/76765) replaces the gem

pkgs/servers/mastodon/package.json

@@ -1,9 +1,9 @@
 {
-  "version": "3.3.0",
+  "version": "3.4.0",
   "name": "@tootsuite/mastodon",
   "license": "AGPL-3.0-or-later",
   "engines": {
-    "node": ">=10.13"
+    "node": ">=12"
   },
   "scripts": {
     "postversion": "git push --tags",
@@ -23,7 +23,7 @@
   },
   "browserslist": [
     "last 2 versions",
-    "IE >= 11",
+    "not IE 11",
     "iOS >= 9",
     "not dead"
   ],
@@ -60,37 +60,35 @@
   },
   "private": true,
   "dependencies": {
-    "@babel/core": "^7.12.7",
+    "@babel/core": "^7.14.0",
-    "@babel/plugin-proposal-class-properties": "^7.8.3",
+    "@babel/plugin-proposal-decorators": "^7.13.15",
-    "@babel/plugin-proposal-decorators": "^7.12.1",
+    "@babel/plugin-transform-react-inline-elements": "^7.12.13",
-    "@babel/plugin-transform-react-inline-elements": "^7.12.1",
+    "@babel/plugin-transform-runtime": "^7.13.15",
-    "@babel/plugin-transform-runtime": "^7.12.1",
+    "@babel/preset-env": "^7.14.1",
-    "@babel/preset-env": "^7.12.7",
+    "@babel/preset-react": "^7.13.13",
-    "@babel/preset-react": "^7.12.7",
+    "@babel/runtime": "^7.14.0",
-    "@babel/runtime": "^7.12.5",
-    "@clusterws/cws": "^3.0.0",
     "@gamestdio/websocket": "^0.3.2",
     "@github/webauthn-json": "^0.5.7",
-    "@rails/ujs": "^6.0.3",
+    "@rails/ujs": "^6.1.3",
-    "array-includes": "^3.1.1",
+    "array-includes": "^3.1.3",
     "arrow-key-navigation": "^1.2.0",
     "autoprefixer": "^9.8.6",
-    "axios": "^0.21.0",
+    "axios": "^0.21.1",
-    "babel-loader": "^8.2.1",
+    "babel-loader": "^8.2.2",
     "babel-plugin-lodash": "^3.3.4",
     "babel-plugin-preval": "^5.0.0",
     "babel-plugin-react-intl": "^6.2.0",
     "babel-plugin-transform-react-remove-prop-types": "^0.4.24",
     "babel-runtime": "^6.26.0",
     "blurhash": "^1.1.3",
-    "classnames": "^2.2.5",
+    "classnames": "^2.3.1",
-    "color-blend": "^3.0.0",
+    "color-blend": "^3.0.1",
     "compression-webpack-plugin": "^6.1.1",
-    "cross-env": "^7.0.2",
+    "cross-env": "^7.0.3",
-    "css-loader": "^5.0.1",
+    "css-loader": "^5.2.4",
-    "cssnano": "^4.1.10",
+    "cssnano": "^4.1.11",
-    "detect-passive-events": "^2.0.1",
+    "detect-passive-events": "^2.0.3",
-    "dotenv": "^8.2.0",
+    "dotenv": "^9.0.1",
     "emoji-mart": "Gargron/emoji-mart#build",
     "es6-symbol": "^3.1.3",
     "escape-html": "^1.0.3",
@@ -98,29 +96,29 @@
     "express": "^4.17.1",
     "file-loader": "^6.2.0",
     "font-awesome": "^4.7.0",
-    "glob": "^7.1.6",
+    "glob": "^7.1.7",
     "history": "^4.10.1",
     "http-link-header": "^1.0.3",
     "immutable": "^3.8.2",
     "imports-loader": "^1.2.0",
-    "intersection-observer": "^0.11.0",
+    "intersection-observer": "^0.12.0",
     "intl": "^1.2.5",
     "intl-messageformat": "^2.2.0",
     "intl-relativeformat": "^6.4.3",
-    "is-nan": "^1.3.0",
+    "is-nan": "^1.3.2",
-    "js-yaml": "^3.13.1",
+    "js-yaml": "^4.1.0",
-    "lodash": "^4.17.19",
+    "lodash": "^4.17.21",
     "mark-loader": "^0.1.6",
-    "marky": "^1.2.1",
+    "marky": "^1.2.2",
-    "mini-css-extract-plugin": "^1.3.1",
+    "mini-css-extract-plugin": "^1.6.0",
     "mkdirp": "^1.0.4",
     "npmlog": "^4.1.2",
     "object-assign": "^4.1.1",
     "object-fit-images": "^3.2.3",
-    "object.values": "^1.1.1",
+    "object.values": "^1.1.3",
     "offline-plugin": "^5.0.7",
     "path-complete-extname": "^1.0.0",
-    "pg": "^6.4.0",
+    "pg": "^8.5.0",
     "postcss-loader": "^3.0.0",
     "postcss-object-fit-images": "^1.1.2",
     "promise.prototype.finally": "^3.1.2",
@@ -135,18 +133,18 @@
     "react-masonry-infinite": "^1.2.2",
     "react-motion": "^0.5.2",
     "react-notification": "^6.8.5",
-    "react-overlays": "^0.9.2",
+    "react-overlays": "^0.9.3",
-    "react-redux": "^7.2.2",
+    "react-redux": "^7.2.4",
     "react-redux-loading-bar": "^4.0.8",
     "react-router-dom": "^4.1.1",
     "react-router-scroll-4": "^1.0.0-beta.1",
-    "react-select": "^3.1.0",
+    "react-select": "^4.3.0",
     "react-sparklines": "^1.7.0",
     "react-swipeable-views": "^0.13.9",
-    "react-textarea-autosize": "^8.3.0",
+    "react-textarea-autosize": "^8.3.2",
-    "react-toggle": "^4.1.1",
+    "react-toggle": "^4.1.2",
-    "redis": "^3.0.2",
+    "redis": "^3.1.2",
-    "redux": "^4.0.5",
+    "redux": "^4.1.0",
     "redux-immutable": "^4.0.0",
     "redux-thunk": "^2.2.0",
     "regenerator-runtime": "^0.13.7",
@@ -154,8 +152,8 @@
     "requestidlecallback": "^0.3.0",
     "reselect": "^4.0.0",
     "rimraf": "^3.0.2",
-    "sass": "^1.29.0",
+    "sass": "^1.32.12",
-    "sass-loader": "^10.1.0",
+    "sass-loader": "^10.1.1",
     "stacktrace-js": "^2.0.2",
     "stringz": "^2.1.0",
     "substring-trie": "^1.0.2",
@@ -163,31 +161,37 @@
     "tesseract.js": "^2.1.1",
     "throng": "^4.0.0",
     "tiny-queue": "^0.2.1",
+    "twitter-text": "3.1.0",
     "uuid": "^8.3.1",
-    "webpack": "^4.44.2",
+    "webpack": "^4.46.0",
-    "webpack-assets-manifest": "^3.1.1",
+    "webpack-assets-manifest": "^4.0.6",
-    "webpack-bundle-analyzer": "^4.1.0",
+    "webpack-bundle-analyzer": "^4.4.1",
     "webpack-cli": "^3.3.12",
-    "webpack-merge": "^5.4.0",
+    "webpack-merge": "^5.7.3",
-    "wicg-inert": "^3.1.0",
+    "wicg-inert": "^3.1.1",
+    "ws": "^7.4.5",
     "kind-of": "^6.0.3"
   },
   "devDependencies": {
-    "@testing-library/jest-dom": "^5.11.6",
+    "@testing-library/jest-dom": "^5.12.0",
-    "@testing-library/react": "^11.2.2",
+    "@testing-library/react": "^11.2.6",
     "babel-eslint": "^10.1.0",
     "babel-jest": "^26.6.3",
-    "eslint": "^7.14.0",
+    "eslint": "^7.26.0",
     "eslint-plugin-import": "~2.22.1",
     "eslint-plugin-jsx-a11y": "~6.4.1",
-    "eslint-plugin-promise": "~4.2.1",
+    "eslint-plugin-promise": "~5.1.0",
-    "eslint-plugin-react": "~7.21.5",
+    "eslint-plugin-react": "~7.23.2",
     "jest": "^26.6.3",
     "raf": "^3.4.1",
     "react-intl-translations-manager": "^5.0.3",
     "react-test-renderer": "^16.14.0",
     "sass-lint": "^1.13.1",
-    "webpack-dev-server": "^3.11.0",
+    "webpack-dev-server": "^3.11.2",
-    "yargs": "^16.1.1"
+    "yargs": "^17.0.1"
+  },
+  "optionalDependencies": {
+    "bufferutil": "^4.0.3",
+    "utf-8-validate": "^5.0.5"
   }
 }

pkgs/servers/mastodon/resolutions.patch

@@ -1,31 +1,32 @@
 diff --git a/package.json b/package.json
-index 7b8f49dd8..24cdd3498 100644
+index 5bc1f6bf3..8cc22a403 100644
 --- a/package.json
 +++ b/package.json
 @@ -168,7 +168,8 @@
-     "webpack-bundle-analyzer": "^4.1.0",
      "webpack-cli": "^3.3.12",
-     "webpack-merge": "^5.4.0",
+     "webpack-merge": "^5.7.3",
--    "wicg-inert": "^3.1.0"
+     "wicg-inert": "^3.1.1",
-+    "wicg-inert": "^3.1.0",
+-    "ws": "^7.4.5"
++    "ws": "^7.4.5",
 +    "kind-of": "^6.0.3"
    },
    "devDependencies": {
-     "@testing-library/jest-dom": "^5.11.6",
+     "@testing-library/jest-dom": "^5.12.0",
-@@ -187,8 +188,5 @@
+@@ -188,9 +189,6 @@
-     "sass-lint": "^1.13.1",
+     "webpack-dev-server": "^3.11.2",
-     "webpack-dev-server": "^3.11.0",
+     "yargs": "^17.0.1"
-     "yargs": "^16.1.1"
+   },
--  },
 -  "resolutions": {
 -    "kind-of": "^6.0.3"
-   }
+-  },
- }
+   "optionalDependencies": {
+     "bufferutil": "^4.0.3",
+     "utf-8-validate": "^5.0.5"
 diff --git a/yarn.lock b/yarn.lock
-index 4aa8f6380..68d2fd8b5 100644
+index 6c8bcf549..bda3adbe8 100644
 --- a/yarn.lock
 +++ b/yarn.lock
-@@ -5689,6 +5689,11 @@ is-binary-path@~2.1.0:
+@@ -5833,6 +5833,11 @@ is-binary-path@~2.1.0:
    dependencies:
      binary-extensions "^2.0.0"
  
@@ -37,7 +38,7 @@ index 4aa8f6380..68d2fd8b5 100644
  is-callable@^1.1.4, is-callable@^1.2.2:
    version "1.2.2"
    resolved "https://registry.yarnpkg.com/is-callable/-/is-callable-1.2.2.tgz#c7c6715cd22d4ddb48d3e19970223aceabb080d9"
-@@ -6639,7 +6644,26 @@ killable@^1.0.1:
+@@ -6769,7 +6774,26 @@ killable@^1.0.1:
    resolved "https://registry.yarnpkg.com/killable/-/killable-1.0.1.tgz#4c8ce441187a061c7474fb87ca08e2a638194892"
    integrity sha512-LzqtLKlUwirEUyl/nicirVmNiPvYs7l5n8wOPP7fyJVpUPkvCnW/vuiXGpylGUlnPDnB7311rARzAt3Mhswpjg==
  

pkgs/servers/mastodon/source.nix

@@ -2,8 +2,8 @@
 { fetchgit, applyPatches }: let
   src = fetchgit {
     url = "https://github.com/tootsuite/mastodon.git";
-    rev = "v3.3.0";
+    rev = "v3.4.0";
-    sha256 = "17wvggvy5mmyf3f1i5v1hgvh6wjdhg9hb3wiyfaydx0slsg03qba";
+    sha256 = "0wa1j4iin6nlb1p5lxzgldzgr0vhrmm835gj2zqadw37vpsxdis3";
   };
 in applyPatches {
   inherit src;

pkgs/servers/mastodon/version.nix

@@ -1 +1 @@
-"3.3.0"
+"3.4.0"

pkgs/servers/mastodon/version.patch

@@ -3,7 +3,7 @@ diff -Naur --label a/package.json --label b/package.json a/package.json b/packag
 +++ b/package.json
 @@ -1,4 +1,5 @@
  {
-+  "version": "3.3.0",
++  "version": "3.4.0",
    "name": "@tootsuite/mastodon",
    "license": "AGPL-3.0-or-later",
    "engines": {

pkgs/tools/misc/nix-direnv/default.nix

@@ -1,4 +1,4 @@
-{ lib, stdenv, fetchFromGitHub, gnugrep, nixFlakes }:
+{ lib, stdenv, fetchFromGitHub, gnugrep, nixUnstable }:
 
 stdenv.mkDerivation rec {
   pname = "nix-direnv";
@@ -14,7 +14,7 @@ stdenv.mkDerivation rec {
   # Substitute instead of wrapping because the resulting file is
   # getting sourced, not executed:
   postPatch = ''
-    sed -i "1a NIX_BIN_PREFIX=${nixFlakes}/bin/" direnvrc
+    sed -i "1a NIX_BIN_PREFIX=${nixUnstable}/bin/" direnvrc
     substituteInPlace direnvrc --replace "grep" "${gnugrep}/bin/grep"
   '';
 

pkgs/tools/package-management/nix-update/default.nix

@@ -1,7 +1,7 @@
 { lib
 , buildPythonApplication
 , fetchFromGitHub
-, nixFlakes
+, nixUnstable
 , nix-prefetch
 , nixpkgs-fmt
 , nixpkgs-review
@@ -19,7 +19,7 @@ buildPythonApplication rec {
   };
 
   makeWrapperArgs = [
-    "--prefix" "PATH" ":" (lib.makeBinPath [ nixFlakes nix-prefetch nixpkgs-fmt nixpkgs-review ])
+    "--prefix" "PATH" ":" (lib.makeBinPath [ nixUnstable nix-prefetch nixpkgs-fmt nixpkgs-review ])
   ];
 
   checkPhase = ''

pkgs/tools/package-management/nix/default.nix

@@ -227,12 +227,4 @@ in rec {
     ];
   });
 
-  nixExperimental = nixUnstable.overrideAttrs (prev: {
-    patches = (prev.patches or []) ++ [ ./enable-all-experimental.patch ];
-  });
-
-  nixFlakes = nixUnstable.overrideAttrs (prev: {
-    patches = (prev.patches or []) ++ [ ./enable-flakes.patch ];
-  });
-
 }

pkgs/tools/package-management/nix/enable-all-experimental.patch

@@ -1,14 +0,0 @@
-diff --git a/src/libstore/globals.cc b/src/libstore/globals.cc
-index d3b27d7be..e7d002e1d 100644
---- a/src/libstore/globals.cc
-+++ b/src/libstore/globals.cc
-@@ -172,8 +172,7 @@ MissingExperimentalFeature::MissingExperimentalFeature(std::string feature)
- 
- void Settings::requireExperimentalFeature(const std::string & name)
- {
--    if (!isExperimentalFeatureEnabled(name))
--        throw MissingExperimentalFeature(name);
-+    return;
- }
- 
- bool Settings::isWSL1()

pkgs/tools/package-management/nix/enable-flakes.patch

@@ -1,14 +0,0 @@
-diff --git a/src/libstore/globals.hh b/src/libstore/globals.hh
-index 3e4ead76c..81d407236 100644
---- a/src/libstore/globals.hh
-+++ b/src/libstore/globals.hh
-@@ -923,7 +923,8 @@ public:
-           value.
-           )"};
- 
--    Setting<Strings> experimentalFeatures{this, {}, "experimental-features",
-+    Setting<Strings> experimentalFeatures{
-+        this, {"flakes", "nix-command"}, "experimental-features",
-         "Experimental Nix features to enable."};
- 
-     bool isExperimentalFeatureEnabled(const std::string & name);

pkgs/tools/package-management/nixpkgs-review/default.nix

@@ -1,7 +1,7 @@
 { lib
 , python3
 , fetchFromGitHub
-, nixFlakes
+, nixUnstable
 , git
 }:
 
@@ -17,7 +17,7 @@ python3.pkgs.buildPythonApplication rec {
   };
 
   makeWrapperArgs = [
-    "--prefix" "PATH" ":" (lib.makeBinPath [ nixFlakes git ])
+    "--prefix" "PATH" ":" (lib.makeBinPath [ nixUnstable git ])
   ];
 
   doCheck = false;

pkgs/top-level/aliases.nix

@@ -492,6 +492,7 @@ mapAliases ({
   nginxUnstable = nginxMainline; # added 2018-04-25
   nilfs_utils = nilfs-utils; # added 2018-04-25
   nix-review = nixpkgs-review; # added 2019-12-22
+  nixFlakes = nixUnstable; # added 2021-05-21
   nmap_graphical = nmap-graphical;  # added 2017-01-19
   nologin = shadow; # added 2018-04-25
   nxproxy = nx-libs; # added 2019-02-15

pkgs/top-level/all-packages.nix

@@ -7092,6 +7092,11 @@ in
     inherit (linuxPackages) nvidia_x11;
     nvidiaGpuSupport = config.cudaSupport or false;
   };
+  nomad_1_1 = callPackage ../applications/networking/cluster/nomad/1.1.nix {
+    buildGoPackage = buildGo116Package;
+    inherit (linuxPackages) nvidia_x11;
+    nvidiaGpuSupport = config.cudaSupport or false;
+  };
 
   nomad-driver-podman = callPackage ../applications/networking/cluster/nomad-driver-podman { };
 
@@ -19086,11 +19091,7 @@ in
 
   mailman-web = with python3.pkgs; toPythonApplication mailman-web;
 
-  mastodon = callPackage ../servers/mastodon {
+  mastodon = callPackage ../servers/mastodon { };
-    # With nodejs v14 the streaming endpoint breaks. Need migrate to uWebSockets.js or similar.
-    # https://github.com/tootsuite/mastodon/issues/15184
-    nodejs-slim = nodejs-slim-12_x;
-  };
 
   materialize = callPackage ../servers/sql/materialize {
     inherit (buildPackages.darwin) bootstrap_cmds;
@@ -30420,9 +30421,7 @@ in
       })
     nix
     nixStable
-    nixUnstable
+    nixUnstable;
-    nixFlakes
-    nixExperimental;
 
   nixStatic = pkgsStatic.nix;