Merge master into staging-next

nixos/doc/manual/configuration/x-windows.xml

@@ -150,7 +150,6 @@
 <xref linkend="opt-services.xserver.videoDrivers"/> = [ "nvidiaLegacy390" ];
 <xref linkend="opt-services.xserver.videoDrivers"/> = [ "nvidiaLegacy340" ];
 <xref linkend="opt-services.xserver.videoDrivers"/> = [ "nvidiaLegacy304" ];
-<xref linkend="opt-services.xserver.videoDrivers"/> = [ "nvidiaLegacy173" ];
 </programlisting>
    You may need to reboot after enabling this driver to prevent a clash with
    other kernel modules.
@@ -159,21 +158,16 @@
  <simplesect xml:id="sec-x11--graphics-cards-amd">
   <title>Proprietary AMD drivers</title>
   <para>
-   AMD provides a proprietary driver for its graphics cards that has better 3D
+   AMD provides a proprietary driver for its graphics cards that is not
-   performance than the X.org drivers. It is not enabled by default because
+   enabled by default because it’s not Free Software, is often broken
-   it’s not free software. You can enable it as follows:
+   in nixpkgs and as of this writing doesn't offer more features or
+   performance. If you still want to use it anyway, you need to explicitly set:
 <programlisting>
-<xref linkend="opt-services.xserver.videoDrivers"/> = [ "ati_unfree" ];
+<xref linkend="opt-services.xserver.videoDrivers"/> = [ "amdgpu-pro" ];
 </programlisting>
    You will need to reboot after enabling this driver to prevent a clash with
    other kernel modules.
   </para>
-  <note>
-  <para>
-   For recent AMD GPUs you most likely want to keep either the defaults
-   or <literal>"amdgpu"</literal> (both free).
-  </para>
-  </note>
  </simplesect>
  <simplesect xml:id="sec-x11-touchpads">
   <title>Touchpads</title>

nixos/doc/manual/release-notes/rl-2105.xml

@@ -39,6 +39,24 @@
      (<link xlink:href="https://github.com/NixOS/nixpkgs/issues/75478">#7547</link>).
     </para>
    </listitem>
+   <listitem>
+    <para>
+     <link xlink:href="https://www.privoxy.org/">Privoxy</link> has been updated
+     to version 3.0.32 (See <link xlink:href="https://lists.privoxy.org/pipermail/privoxy-announce/2021-February/000007.html">announcement</link>).
+     Compared to the previous release, Privoxy has gained support for HTTPS
+     inspection (still experimental), Brotli decompression, several new filters
+     and lots of bug fixes, including security ones. In addition, the package
+     is now built with compression and external filters support, which were
+     previously disabled.
+    </para>
+    <para>
+     Regarding the NixOS module, new options for HTTPS inspection have been added
+     and <option>services.privoxy.extraConfig</option> has been replaced by the new
+     <xref linkend="opt-services.privoxy.settings"/>
+     (See <link xlink:href="https://github.com/NixOS/rfcs/blob/master/rfcs/0042-config-option.md">RFC 0042</link>
+     for the motivation).
+    </para>
+   </listitem>
   </itemizedlist>
  </section>
 
@@ -539,6 +557,11 @@ self: super:
      <package>imagemagick6Big</package> if you need the older version.
     </para>
    </listitem>
+   <listitem>
+    <para>
+     <xref linkend="opt-services.xserver.videoDrivers" /> no longer uses the deprecated <literal>cirrus</literal> and <literal>vesa</literal> device dependent X drivers by default. It also enables both <literal>amdgpu</literal> and <literal>nouveau</literal> drivers by default now.
+    </para>
+   </listitem>
   </itemizedlist>
  </section>
 

nixos/modules/services/networking/privoxy.nix

@@ -4,26 +4,46 @@ with lib;
 
 let
 
-  inherit (pkgs) privoxy;
-
   cfg = config.services.privoxy;
 
-  confFile = pkgs.writeText "privoxy.conf" (''
+  serialise = name: val:
-    user-manual ${privoxy}/share/doc/privoxy/user-manual
+         if isList val then concatMapStrings (serialise name) val
-    confdir ${privoxy}/etc/
+    else if isBool val then serialise name (if val then "1" else "0")
-    listen-address  ${cfg.listenAddress}
+    else "${name} ${toString val}\n";
-    enable-edit-actions ${if (cfg.enableEditActions == true) then "1" else "0"}
+
-    ${concatMapStrings (f: "actionsfile ${f}\n") cfg.actionsFiles}
+  configType = with types;
-    ${concatMapStrings (f: "filterfile ${f}\n") cfg.filterFiles}
+    let atom = oneOf [ int bool string path ];
-  '' + optionalString cfg.enableTor ''
+    in attrsOf (either atom (listOf atom))
-    forward-socks5t / 127.0.0.1:9063 .
+    // { description = ''
-    toggle 1
+          privoxy configuration type. The format consists of an attribute
-    enable-remote-toggle 0
+          set of settings. Each setting can be either a value (integer, string,
-    enable-edit-actions 0
+          boolean or path) or a list of such values.
-    enable-remote-http-toggle 0
+        '';
-  '' + ''
+       };
-    ${cfg.extraConfig}
+
-  '');
+  ageType = types.str // {
+    check = x:
+      isString x &&
+      (builtins.match "([0-9]+([smhdw]|min|ms|us)*)+" x != null);
+    description = "tmpfiles.d(5) age format";
+  };
+
+  configFile = pkgs.writeText "privoxy.conf"
+    (concatStrings (
+      # Relative paths in some options are relative to confdir. Privoxy seems
+      # to parse the options in order of appearance, so this must come first.
+      # Nix however doesn't preserve the order in attrsets, so we have to
+      # hardcode confdir here.
+      [ "confdir ${pkgs.privoxy}/etc\n" ]
+      ++ mapAttrsToList serialise cfg.settings
+    ));
+
+  inspectAction = pkgs.writeText "inspect-all-https.action"
+    ''
+      # Enable HTTPS inspection for all requests
+      {+https-inspection}
+      /
+    '';
 
 in
 
@@ -31,70 +51,130 @@ in
 
   ###### interface
 
-  options = {
+  options.services.privoxy = {
 
-    services.privoxy = {
+    enable = mkEnableOption "Privoxy, non-caching filtering proxy";
 
-      enable = mkOption {
+    enableTor = mkOption {
-        type = types.bool;
+      type = types.bool;
-        default = false;
+      default = false;
-        description = ''
+      description = ''
-          Whether to enable the Privoxy non-caching filtering proxy.
+        Whether to configure Privoxy to use Tor's faster SOCKS port,
-        '';
+        suitable for HTTP.
-      };
+      '';
-
+    };
-      listenAddress = mkOption {
+
-        type = types.str;
+    inspectHttps = mkOption {
-        default = "127.0.0.1:8118";
+      type = types.bool;
-        description = ''
+      default = false;
-          Address the proxy server is listening to.
+      description = ''
-        '';
+        Whether to configure Privoxy to inspect HTTPS requests, meaning all
-      };
+        encrypted traffic will be filtered as well. This works by decrypting
-
+        and re-encrypting the requests using a per-domain generated certificate.
-      actionsFiles = mkOption {
+
-        type = types.listOf types.str;
+        To issue per-domain certificates, Privoxy must be provided with a CA
-        example = [ "match-all.action" "default.action" "/etc/privoxy/user.action" ];
+        certificate, using the <literal>ca-cert-file</literal>,
-        default = [ "match-all.action" "default.action" ];
+        <literal>ca-key-file</literal> settings.
-        description = ''
+
-          List of paths to Privoxy action files.
+        <warning><para>
-          These paths may either be absolute or relative to the privoxy configuration directory.
+          The CA certificate must also be added to the system trust roots,
-        '';
+          otherwise browsers will reject all Privoxy certificates as invalid.
-      };
+          You can do so by using the option
-
+          <option>security.pki.certificateFiles</option>.
-      filterFiles = mkOption {
+        </para></warning>
-        type = types.listOf types.str;
+      '';
-        example = [ "default.filter" "/etc/privoxy/user.filter" ];
+    };
-        default = [ "default.filter" ];
+
-        description = ''
+    certsLifetime = mkOption {
-          List of paths to Privoxy filter files.
+      type = ageType;
-          These paths may either be absolute or relative to the privoxy configuration directory.
+      default = "10d";
-        '';
+      example = "12h";
-      };
+      description = ''
-
+        If <literal>inspectHttps</literal> is enabled, the time generated HTTPS
-      enableEditActions = mkOption {
+        certificates will be stored in a temporary directory for reuse. Once
-        type = types.bool;
+        the lifetime has expired the directory will cleared and the certificate
-        default = false;
+        will have to be generated again, on-demand.
-        description = ''
+
-          Whether or not the web-based actions file editor may be used.
+        Depending on the traffic, you may want to reduce the lifetime to limit
-        '';
+        the disk usage, since Privoxy itself never deletes the certificates.
-      };
+
-
+        <note><para>The format is that of the <literal>tmpfiles.d(5)</literal>
-      enableTor = mkOption {
+        Age parameter.</para></note>
-        type = types.bool;
+      '';
-        default = false;
+    };
-        description = ''
+
-          Whether to configure Privoxy to use Tor's faster SOCKS port,
+    userActions = mkOption {
-          suitable for HTTP.
+      type = types.lines;
-        '';
+      default = "";
-      };
+      description = ''
-
+        Actions to be included in a <literal>user.action</literal> file. This
-      extraConfig = mkOption {
+        will have a higher priority and can be used to override all other
-        type = types.lines;
+        actions.
-        default = "" ;
+      '';
-        description = ''
+    };
-          Extra configuration. Contents will be added verbatim to the configuration file.
+
-        '';
+    userFilters = mkOption {
+      type = types.lines;
+      default = "";
+      description = ''
+        Filters to be included in a <literal>user.filter</literal> file. This
+        will have a higher priority and can be used to override all other
+        filters definitions.
+      '';
+    };
+
+    settings = mkOption {
+      type = types.submodule {
+        freeformType = configType;
+
+        options.listen-address = mkOption {
+          type = types.str;
+          default = "127.0.0.1:8118";
+          description = "Pair of address:port the proxy server is listening to.";
+        };
+
+        options.enable-edit-actions = mkOption {
+          type = types.bool;
+          default = false;
+          description = "Whether the web-based actions file editor may be used.";
+        };
+
+        options.actionsfile = mkOption {
+          type = types.listOf types.str;
+          # This must come after all other entries, in order to override the
+          # other actions/filters installed by Privoxy or the user.
+          apply = x: x ++ optional (cfg.userActions != "")
+            (toString (pkgs.writeText "user.actions" cfg.userActions));
+          default = [ "match-all.action" "default.action" ];
+          description = ''
+            List of paths to Privoxy action files. These paths may either be
+            absolute or relative to the privoxy configuration directory.
+          '';
+        };
+
+        options.filterfile = mkOption {
+          type = types.listOf types.str;
+          default = [ "default.filter" ];
+          apply = x: x ++ optional (cfg.userFilters != "")
+            (toString (pkgs.writeText "user.filter" cfg.userFilters));
+          description = ''
+            List of paths to Privoxy filter files. These paths may either be
+            absolute or relative to the privoxy configuration directory.
+          '';
+        };
       };
+      default = {};
+      example = literalExample ''
+        { listen-address = "[::]:8118";               # listen on IPv6 only
+          forward-socks5 = ".onion localhost:9050 ."; # forward .onion requests to Tor
+        }
+      '';
+      description = ''
+        This option is mapped to the main Privoxy configuration file.
+        Check out the Privoxy user manual at
+        <link xlink:href="file://${pkgs.privoxy}/share/doc/privoxy/user-manual/config.html"/>
+        for available settings and documentation.
+      '';
     };
 
   };
@@ -104,23 +184,34 @@ in
   config = mkIf cfg.enable {
 
     users.users.privoxy = {
+      description = "Privoxy daemon user";
       isSystemUser = true;
-      home = "/var/empty";
       group = "privoxy";
     };
 
     users.groups.privoxy = {};
 
+    systemd.tmpfiles.rules = with cfg.settings; [
+      "d ${certificate-directory} 0770 privoxy privoxy ${cfg.certsLifetime}"
+    ];
+
     systemd.services.privoxy = {
       description = "Filtering web proxy";
       after = [ "network.target" "nss-lookup.target" ];
       wantedBy = [ "multi-user.target" ];
-      serviceConfig.ExecStart = "${privoxy}/bin/privoxy --no-daemon --user privoxy ${confFile}";
+      serviceConfig = {
-
+        User = "privoxy";
-      serviceConfig.PrivateDevices = true;
+        Group = "privoxy";
-      serviceConfig.PrivateTmp = true;
+        ExecStart = "${pkgs.privoxy}/bin/privoxy --no-daemon ${configFile}";
-      serviceConfig.ProtectHome = true;
+        PrivateDevices = true;
-      serviceConfig.ProtectSystem = "full";
+        PrivateTmp = true;
+        ProtectHome = true;
+        ProtectSystem = "full";
+      };
+      unitConfig =  mkIf cfg.inspectHttps {
+        ConditionPathExists = with cfg.settings;
+          [ ca-cert-file ca-key-file ];
+      };
     };
 
     services.tor.settings.SOCKSPort = mkIf cfg.enableTor [
@@ -128,8 +219,48 @@ in
       { addr = "127.0.0.1"; port = 9063; IsolateDestAddr = false; }
     ];
 
+    services.privoxy.settings = {
+      user-manual = "${pkgs.privoxy}/share/doc/privoxy/user-manual";
+      # This is needed for external filters
+      temporary-directory = "/tmp";
+      filterfile = [ "default.filter" ];
+      actionsfile =
+        [ "match-all.action"
+          "default.action"
+        ] ++ optional cfg.inspectHttps (toString inspectAction);
+    } // (optionalAttrs cfg.enableTor {
+      forward-socks5 = "127.0.0.1:9063 .";
+      toggle = true;
+      enable-remote-toggle = false;
+      enable-edit-actions = false;
+      enable-remote-http-toggle = false;
+    }) // (optionalAttrs cfg.inspectHttps {
+      # This allows setting absolute key/crt paths
+      ca-directory = "/var/empty";
+      certificate-directory = "/run/privoxy/certs";
+      trusted-cas-file = "/etc/ssl/certs/ca-certificates.crt";
+    });
+
   };
 
+  imports =
+    let
+      top = x: [ "services" "privoxy" x ];
+      setting = x: [ "services" "privoxy" "settings" x ];
+    in
+    [ (mkRenamedOptionModule (top "enableEditActions") (setting "enable-edit-actions"))
+      (mkRenamedOptionModule (top "listenAddress") (setting "listen-address"))
+      (mkRenamedOptionModule (top "actionsFiles") (setting "actionsfile"))
+      (mkRenamedOptionModule (top "filterFiles") (setting "filterfile"))
+      (mkRemovedOptionModule (top "extraConfig")
+      ''
+        Use services.privoxy.settings instead.
+        This is part of the general move to use structured settings instead of raw
+        text for config as introduced by RFC0042:
+        https://github.com/NixOS/rfcs/blob/master/rfcs/0042-config-option.md
+      '')
+    ];
+
   meta.maintainers = with lib.maintainers; [ rnhmjoj ];
 
 }

nixos/modules/services/x11/xserver.nix

@@ -251,11 +251,10 @@ in
 
       videoDrivers = mkOption {
         type = types.listOf types.str;
-        # !!! We'd like "nv" here, but it segfaults the X server.
+        default = [ "amdgpu" "radeon" "nouveau" "modesetting" "fbdev" ];
-        default = [ "radeon" "cirrus" "vesa" "modesetting" ];
         example = [
-          "ati_unfree" "amdgpu" "amdgpu-pro"
+          "nvidia" "nvidiaLegacy390" "nvidiaLegacy340" "nvidiaLegacy304"
-          "nv" "nvidia" "nvidiaLegacy390" "nvidiaLegacy340" "nvidiaLegacy304"
+          "amdgpu-pro"
         ];
         # TODO(@oxij): think how to easily add the rest, like those nvidia things
         relatedPackages = concatLists

nixos/tests/all-tests.nix

@@ -326,6 +326,7 @@ in
   predictable-interface-names = handleTest ./predictable-interface-names.nix {};
   printing = handleTest ./printing.nix {};
   privacyidea = handleTest ./privacyidea.nix {};
+  privoxy = handleTest ./privoxy.nix {};
   prometheus = handleTest ./prometheus.nix {};
   prometheus-exporters = handleTest ./prometheus-exporters.nix {};
   prosody = handleTest ./xmpp/prosody.nix {};

nixos/tests/privoxy.nix

@@ -0,0 +1,113 @@
+import ./make-test-python.nix ({ lib, pkgs, ... }:
+
+let
+  # Note: For some reason Privoxy can't issue valid
+  # certificates if the CA is generated using gnutls :(
+  certs = pkgs.runCommand "example-certs"
+    { buildInputs = [ pkgs.openssl ]; }
+    ''
+      mkdir $out
+
+      # generate CA keypair
+      openssl req -new -nodes -x509 \
+        -extensions v3_ca -keyout $out/ca.key \
+        -out $out/ca.crt -days 365 \
+        -subj "/O=Privoxy CA/CN=Privoxy CA"
+
+      # generate server key/signing request
+      openssl genrsa -out $out/server.key 3072
+      openssl req -new -key $out/server.key \
+        -out server.csr -sha256 \
+        -subj "/O=An unhappy server./CN=example.com"
+
+      # sign the request/generate the certificate
+      openssl x509 -req -in server.csr -CA $out/ca.crt \
+      -CAkey $out/ca.key -CAcreateserial -out $out/server.crt \
+      -days 500 -sha256
+    '';
+in
+
+{
+  name = "privoxy";
+  meta = with lib.maintainers; {
+    maintainers = [ rnhmjoj ];
+  };
+
+  machine = { ... }: {
+    services.nginx.enable = true;
+    services.nginx.virtualHosts."example.com" = {
+      addSSL = true;
+      sslCertificate = "${certs}/server.crt";
+      sslCertificateKey = "${certs}/server.key";
+      locations."/".root = pkgs.writeTextFile
+        { name = "bad-day";
+          destination = "/how-are-you/index.html";
+          text = "I've had a bad day!\n";
+        };
+      locations."/ads".extraConfig = ''
+        return 200 "Hot Nixpkgs PRs in your area. Click here!\n";
+      '';
+    };
+
+    services.privoxy = {
+      enable = true;
+      inspectHttps = true;
+      settings = {
+        ca-cert-file = "${certs}/ca.crt";
+        ca-key-file  = "${certs}/ca.key";
+        debug = 65536;
+      };
+      userActions = ''
+        {+filter{positive}}
+        example.com
+
+        {+block{Fake ads}}
+        example.com/ads
+      '';
+      userFilters = ''
+        FILTER: positive This is a filter example.
+        s/bad/great/ig
+      '';
+    };
+
+    security.pki.certificateFiles = [ "${certs}/ca.crt" ];
+
+    networking.hosts."::1" = [ "example.com" ];
+    networking.proxy.httpProxy = "http://localhost:8118";
+    networking.proxy.httpsProxy = "http://localhost:8118";
+  };
+
+  testScript =
+    ''
+      with subtest("Privoxy is running"):
+          machine.wait_for_unit("privoxy")
+          machine.wait_for_open_port("8118")
+          machine.succeed("curl -f http://config.privoxy.org")
+
+      with subtest("Privoxy can filter http requests"):
+          machine.wait_for_open_port("80")
+          assert "great day" in machine.succeed(
+              "curl -sfL http://example.com/how-are-you? | tee /dev/stderr"
+          )
+
+      with subtest("Privoxy can filter https requests"):
+          machine.wait_for_open_port("443")
+          assert "great day" in machine.succeed(
+              "curl -sfL https://example.com/how-are-you? | tee /dev/stderr"
+          )
+
+      with subtest("Blocks are working"):
+          machine.wait_for_open_port("443")
+          machine.fail("curl -f https://example.com/ads 1>&2")
+          machine.succeed("curl -f https://example.com/PRIVOXY-FORCE/ads 1>&2")
+
+      with subtest("Temporary certificates are cleaned"):
+          # Count current certificates
+          machine.succeed("test $(ls /run/privoxy/certs | wc -l) -gt 0")
+          # Forward in time 12 days, trigger the timer..
+          machine.succeed("date -s \"$(date --date '12 days')\"")
+          machine.systemctl("start systemd-tmpfiles-clean")
+          # ...and count again
+          machine.succeed("test $(ls /run/privoxy/certs | wc -l) -eq 0")
+    '';
+})

pkgs/applications/misc/foxtrotgps/default.nix

@@ -6,8 +6,8 @@ let
   srcs = {
     foxtrot = fetchbzr {
       url = "lp:foxtrotgps";
-      rev = "326";
+      rev = "329";
-      sha256 = "191pgcy5rng8djy22a5z9s8gssc73f9p5hm4ig52ra189cb48d8k";
+      sha256 = "0fwgnsrah63h1xdgm5xdi5ancrz89shdp5sdzw1qc1m7i9a03rid";
     };
     screenshots = fetchbzr {
       url = "lp:foxtrotgps/screenshots";
@@ -17,23 +17,21 @@ let
   };
 in stdenv.mkDerivation rec {
   pname = "foxtrotgps";
-  version = "1.2.2+326";
+  version = "1.2.2+329";
 
   # Pull directly from bzr because gpsd API version 9 is not supported on latest release
   src = srcs.foxtrot;
 
-  patches = [
+  nativeBuildInputs = [
-    ./gps-status-fix.patch
+    pkg-config autoreconfHook texinfo help2man
+    imagemagick wrapGAppsHook intltool
   ];
 
-  nativeBuildInputs = [ pkg-config autoreconfHook texinfo help2man imagemagick wrapGAppsHook ];
-
   buildInputs = [
     curl.dev
     gnome2.libglade.dev
     gpsd
     gtk2.dev
-    intltool
     libexif
     sqlite.dev
     (python3Packages.python.withPackages (pythonPackages: with python3Packages;
@@ -58,7 +56,7 @@ in stdenv.mkDerivation rec {
       innovation.
     '';
     homepage = "https://www.foxtrotgps.org/";
-    license = licenses.gpl2;
+    license = licenses.gpl2Plus;
     platforms = platforms.unix;
     maintainers = with maintainers; [ wucke13 ];
   };

pkgs/applications/misc/foxtrotgps/gps-status-fix.patch

@@ -1,14 +0,0 @@
---- foxtrot/src/gps_functions.c.orig	2020-12-04 15:02:22.290163204 -0600
-+++ foxtrot/src/gps_functions.c	2020-12-04 15:04:54.470648534 -0600
-@@ -762,7 +762,11 @@
- 		{
- 			gpsdata->fix.time = (time_t) 0;
- 		}
-+#if GPSD_API_MAJOR_VERSION >= 9
-+      gpsdata->valid = (libgps_gpsdata.fix.status != STATUS_NO_FIX);
-+#else
- 		gpsdata->valid = (libgps_gpsdata.status != STATUS_NO_FIX);
-+#endif
- 		if (gpsdata->valid)
- 		{
- 			gpsdata->seen_valid = TRUE;

pkgs/applications/networking/irc/qweechat/default.nix

@@ -1,31 +0,0 @@
-{ lib, fetchFromGitHub, python27Packages }:
-
-python27Packages.buildPythonApplication rec {
-  version = "2016-07-29";
-  name = "qweechat-unstable-${version}";
-  namePrefix = "";
-
- src = fetchFromGitHub {
-    owner = "weechat";
-    repo = "qweechat";
-    rev = "f5e54d01691adb3abef47e051a6412186c33313c";
-    sha256 = "0dhlriwvkrsn7jj01p2wqhf2p63n9qd173jsgccgxlacm2zzvhaz";
-  };
-
-  prePatch = ''
-    substituteInPlace setup.py \
-      --replace 'qweechat = qweechat.qweechat' 'qweechat = qweechat.qweechat:main'
-  '';
-
-  propagatedBuildInputs = with python27Packages; [
-     pyside setuptools
-  ];
-
-  meta = with lib; {
-    homepage = "https://github.com/weechat/qweechat";
-    description = "Qt remote GUI for WeeChat";
-    license = licenses.gpl3;
-    maintainers = with maintainers; [ ramkromberg ];
-    platforms = with platforms; linux;
-  };
-}

pkgs/applications/office/zotero/default.nix

@@ -36,11 +36,11 @@
 
 stdenv.mkDerivation rec {
   pname = "zotero";
-  version = "5.0.95";
+  version = "5.0.96";
 
   src = fetchurl {
     url = "https://download.zotero.org/client/release/${version}/Zotero-${version}_linux-x86_64.tar.bz2";
-    sha256 = "16rahl14clgnl7gzpw7rxx23yxbw1nbrz219q051zkjkkw5ai8lv";
+    sha256 = "sha256-W8Iu8UoTqC3aK7lB4bq1L7cNmjaEvjEK+ODcZ9kk3f8=";
   };
 
   nativeBuildInputs = [ wrapGAppsHook ];

pkgs/applications/video/minitube/default.nix

@@ -1,16 +1,15 @@
 { mkDerivation, lib, fetchFromGitHub, phonon, phonon-backend-vlc, qtbase, qmake
 , qtdeclarative, qttools, qtx11extras, mpv
 
-# "Free" key generated by nckx <github@tobias.gr>. I no longer have a Google
+# "Free" key generated by pasqui23
-# account. You'll need to generate (and please share :-) a new one if it breaks.
+, withAPIKey ? "AIzaSyBQvZXseEVvgu5Ega_DI-AIJ55v0OsHmVY" }:
-, withAPIKey ? "AIzaSyBtFgbln3bu1swQC-naMxMtKh384D3xJZE" }:
 
 mkDerivation rec {
   pname = "minitube";
-  version = "3.6";
+  version = "3.8.1";
 
   src = fetchFromGitHub {
-    sha256 = "6IaBPYL/yGWKUHxPe1FnAR1gDHImXYGItYWq7VNjwEU=";
+    sha256 = "3lpZyPwo4NnxZJKfmCFsH4WdakV4KB5BtCr5xsleeIQ=";
     rev = version;
     repo = "minitube";
     owner = "flaviotordini";

pkgs/build-support/docker/default.nix

@@ -518,9 +518,9 @@ rec {
         };
       result = runCommand "docker-image-${baseName}.tar.gz" {
         nativeBuildInputs = [ jshon pigz coreutils findutils jq moreutils ];
-        # Image name and tag must be lowercase
+        # Image name must be lowercase
         imageName = lib.toLower name;
-        imageTag = if tag == null then "" else lib.toLower tag;
+        imageTag = if tag == null then "" else tag;
         inherit fromImage baseJson;
         layerClosure = writeReferencesToFile layer;
         passthru.buildArgs = args;

pkgs/development/compilers/gambit/build.nix

@@ -25,10 +25,11 @@ gccStdenv.mkDerivation rec {
   inherit src version git-version;
   bootstrap = gambit-support.gambit-bootstrap;
 
+  nativeBuildInputs = [ git autoconf ];
   # TODO: if/when we can get all the library packages we depend on to have static versions,
   # we could use something like (makeStaticLibraries openssl) to enable creation
   # of statically linked binaries by gsc.
-  buildInputs = [ git autoconf bootstrap openssl ];
+  buildInputs = [ openssl ];
 
   # TODO: patch gambit's source so it has the full path to sed, grep, fgrep? Is there more?
   # Or wrap relevant programs to add a suitable PATH ?
@@ -62,11 +63,11 @@ gccStdenv.mkDerivation rec {
     lib.optional (!gccStdenv.isDarwin) "--enable-poll";
 
   configurePhase = ''
-    export CC=${gcc}/bin/gcc \
+    export CC=${gccStdenv.cc.targetPrefix}gcc \
-           CXX=${gcc}/bin/g++ \
+           CXX=${gccStdenv.cc.targetPrefix}g++ \
-           CPP=${gcc}/bin/cpp \
+           CPP=${gccStdenv.cc.targetPrefix}cpp \
-           CXXCPP=${gcc}/bin/cpp \
+           CXXCPP=${gccStdenv.cc.targetPrefix}cpp \
-           LD=${gcc}/bin/ld \
+           LD=${gccStdenv.cc.targetPrefix}ld \
            XMKMF=${coreutils}/bin/false
     unset CFLAGS LDFLAGS LIBS CPPFLAGS CXXFLAGS
 
@@ -76,22 +77,23 @@ gccStdenv.mkDerivation rec {
 
     # OS-specific paths are hardcoded in ./configure
     substituteInPlace config.status \
-      --replace /usr/local/opt/openssl/lib "${openssl.out}/lib" \
+      --replace "/usr/local/opt/openssl@1.1" "${openssl.out}" \
-      --replace /usr/local/opt/openssl@1.1/lib "${openssl.out}/lib"
+      --replace "/usr/local/opt/openssl" "${openssl.out}"
+
     ./config.status
   '';
 
   buildPhase = ''
     # Make bootstrap compiler, from release bootstrap
-    mkdir -p boot &&
+    mkdir -p boot
-    cp -rp ${bootstrap}/gambit/. boot/. &&
+    cp -rp ${bootstrap}/gambit/. boot/.
-    chmod -R u+w boot &&
+    chmod -R u+w boot
-    cd boot &&
+    cd boot
-    cp ../gsc/makefile.in ../gsc/*.scm gsc/ && # */
+    cp ../gsc/makefile.in ../gsc/*.scm gsc/
-    ./configure &&
+    ./configure
-    for i in lib gsi gsc ; do (cd $i ; make -j$NIX_BUILD_CORES) ; done &&
+    for i in lib gsi gsc ; do (cd $i ; make -j$NIX_BUILD_CORES) ; done
-    cd .. &&
+    cd ..
-    cp boot/gsc/gsc gsc-boot &&
+    cp boot/gsc/gsc gsc-boot
 
     # Now use the bootstrap compiler to build the real thing!
     make -j$NIX_BUILD_CORES from-scratch

pkgs/development/compilers/gerbil/build.nix

@@ -1,4 +1,4 @@
-{ pkgs, gccStdenv, lib, coreutils, bash, # makeStaticLibraries,
+{ pkgs, gccStdenv, lib, coreutils,
   openssl, zlib, sqlite, libxml2, libyaml, libmysqlclient, lmdb, leveldb, postgresql,
   version, git-version,
   gambit-support,

pkgs/development/libraries/librsb/default.nix

@@ -0,0 +1,86 @@
+{ lib, stdenv, fetchurl
+, gfortran
+, pkg-config, libtool
+, m4, gnum4
+, file
+# Memory Hierarchy (End-user can provide this.)
+, memHierarchy ? ""
+# Headers/Libraries
+, blas, zlib
+# RPC headers (rpc/xdr.h)
+, openmpi
+, help2man
+, doxygen
+, octave
+}:
+
+stdenv.mkDerivation rec {
+  pname = "librsb";
+  version = "1.2.0.9";
+
+  src = fetchurl {
+    url = "mirror://sourceforge/${pname}/${pname}-${version}.tar.gz";
+    sha256 = "1ynrsgnvv1jfm8dv3jwjrip9x9icxv7w3qrk149025j6fbaza8gl";
+  };
+
+  # The default configure flags are still present when building
+  # --disable-static --disable-dependency-tracking
+  # Along with the --prefix=... flag (but we want that one).
+  configureFlags = [
+    "--enable-static"
+    "--enable-doc-build"
+    "--enable-octave-testing"
+    "--enable-sparse-blas-interface"
+    "--enable-fortran-module-install"
+    "--enable-pkg-config-install"
+    "--enable-matrix-types=all"
+    "--with-zlib=${zlib}/lib/libz.so"
+    "--with-memhinfo=${memHierarchy}"
+  ];
+
+  # Ensure C/Fortran code is position-independent.
+  NIX_CFLAGS_COMPILE = [ "-fPIC" "-Ofast" ];
+  FCFLAGS = [ "-fPIC" "-Ofast" ];
+
+  enableParallelBuilding = true;
+
+  nativeBuildInputs = [
+    gfortran
+    pkg-config libtool
+    m4 gnum4
+    file
+    blas zlib
+    openmpi
+    octave
+    help2man # Turn "--help" into a man-page
+    doxygen # Build documentation
+  ];
+
+  # Need to run cleanall target to remove any previously-generated files.
+  preBuild = ''
+    make cleanall
+  '';
+
+  checkInputs = [
+    octave
+  ];
+  checkTarget = "tests";
+
+  meta = with lib; {
+    homepage = "http://librsb.sourceforge.net/";
+    description = "Shared memory parallel sparse matrix and sparse BLAS library";
+    longDescription = ''
+      Library for sparse matrix computations featuring the Recursive Sparse
+      Blocks (RSB) matrix format. This format allows cache efficient and
+      multi-threaded (that is, shared memory parallel) operations on large
+      sparse matrices.
+      librsb implements the Sparse BLAS standard, as specified in the BLAS
+      Forum documents.
+      Contains libraries and header files for developing applications that
+      want to make use of librsb.
+    '';
+    license = with licenses; [ lgpl3Plus ];
+    maintainers = with maintainers; [ KarlJoad ];
+    platforms = platforms.all;
+  };
+}

pkgs/development/ocaml-modules/batteries/default.nix

@@ -1,13 +1,13 @@
 { stdenv, lib, fetchurl, ocaml, findlib, ocamlbuild, qtest, num }:
 
-let version = "3.2.0"; in
+let version = "3.3.0"; in
 
 stdenv.mkDerivation {
   name = "ocaml${ocaml.version}-batteries-${version}";
 
   src = fetchurl {
     url = "https://github.com/ocaml-batteries-team/batteries-included/releases/download/v${version}/batteries-${version}.tar.gz";
-    sha256 = "0a77njgc6c6kz4rpwqgmnii7f1na6hzsa55nqqm3dndhq9xh628w";
+    sha256 = "002pqkcg18zx59hsf172wg6s7lwsiagp5sfvf5yssp7xxal5jdgx";
   };
 
   buildInputs = [ ocaml findlib ocamlbuild ];

pkgs/development/php-packages/apcu/default.nix

@@ -3,8 +3,8 @@
 buildPecl {
   pname = "apcu";
 
-  version = "5.1.19";
+  version = "5.1.20";
-  sha256 = "1q3c4y9jqh1yz5vps2iiz2x04vn0y1g5ibxg1x8zp7n7sncvqzw3";
+  sha256 = "sha256-uZ1A+v7Ab00TL87lPnUm3b/B0EHqbgThc4nfrSj5w5A=";
 
   buildInputs = [ pcre' ];
   doCheck = true;

pkgs/development/php-packages/smbclient/default.nix

@@ -1,8 +1,8 @@
 { buildPecl, lib, samba, pkg-config }:
 buildPecl {
   pname = "smbclient";
-  version = "1.0.5";
+  version = "1.0.6";
-  sha256 = "sha256-cNvTa1qzYrlhuX4oNehXt+XKqmqfonyomW/usQdQQO0=";
+  sha256 = "sha256-ZsQzdDt6NLRWBsA75om9zkxSvB6zBsvvPhXJZrX/KNc=";
 
   # TODO: remove this when upstream merges a fix - https://github.com/eduardok/libsmbclient-php/pull/66
   LIBSMBCLIENT_INCDIR = "${samba.dev}/include/samba-4.0";

pkgs/development/python-modules/buildbot/default.nix

@@ -25,11 +25,11 @@ let
 
   package = buildPythonPackage rec {
     pname = "buildbot";
-    version = "2.10.1";
+    version = "3.0.0";
 
     src = fetchPypi {
       inherit pname version;
-      sha256 = "0jmgpvgn36kfc1sa27a1l1g26dawhl99a1wl8gn4ajbcbcvc2pkh";
+      sha256 = "0li47fpm398dk69q6g2zjaxx46w00g3n0jszz88kf57sakri553y";
     };
 
     propagatedBuildInputs = [

pkgs/development/python-modules/buildbot/pkg.nix

@@ -6,7 +6,7 @@ buildPythonPackage rec {
 
   src = fetchPypi {
     inherit pname version;
-    sha256 = "0ymqkjz1zk4gs0hkxjh07napc4k24xxb8f3pganw27fca60xcii0";
+    sha256 = "0ihcxdkbm1lq79fdjmcrj316zh6sjlc3162yynww8nggv2mlnz6v";
   };
 
   postPatch = ''

pkgs/development/python-modules/buildbot/plugins.nix

@@ -7,7 +7,7 @@
 
     src = fetchPypi {
       inherit pname version;
-      sha256 = "0x2k95lwx2gz2zj2ys646qiylhyqzlbiqf1k3q1l8w1wlggwv3xp";
+      sha256 = "0pk7h5wwvmdn74ngj5rspz7z9y80ryzgqd2z2qy7kf9chpz7qczk";
     };
 
     # Remove unneccessary circular dependency on buildbot
@@ -34,7 +34,7 @@
 
     src = fetchPypi {
       inherit pname version;
-      sha256 = "0fpam6x8x207la1xrr8m45yx35r646iizrs4gsaghlysmr95jb3i";
+      sha256 = "1y9dpxi7r5r2ya5y0i28b4g5fvla6wrbjz9rffqaqldf4h316jx2";
     };
 
     buildInputs = [ buildbot-pkg ];
@@ -56,7 +56,7 @@
 
     src = fetchPypi {
       inherit pname version;
-      sha256 = "0ari338hmi1bb1pln3mxv4k9aclbcby6z3km61wg3va511qhrrbq";
+      sha256 = "0vhnqqxl693b2d14ayifpjz8zlg3dngl127svr08amzmbad7irh1";
     };
 
     buildInputs = [ buildbot-pkg ];
@@ -78,7 +78,7 @@
 
     src = fetchPypi {
       inherit pname version;
-      sha256 = "0a5nrklyzfasaa119y4ivr7449rvsgifpkyravinacrl1g9phlls";
+      sha256 = "1dgs33z3sjr3s8ymqyxjkx2g6iah3p91ng9hxllmyyp4xpxaxyhk";
     };
 
     buildInputs = [ buildbot-pkg ];
@@ -100,7 +100,7 @@
 
     src = fetchPypi {
       inherit pname version;
-      sha256 = "0rris2p7ic9p9ms3qcczia4nn5mb1yx2gv5mlnmg2yligjad2jaf";
+      sha256 = "06j6f2k0r8nyh8swh689cy4zq50lmy5glx0pa3zdpnk02k4x3q72";
     };
 
     buildInputs = [ buildbot-pkg ];

pkgs/development/python-modules/buildbot/worker.nix

@@ -7,7 +7,7 @@ buildPythonPackage (rec {
 
   src = fetchPypi {
     inherit pname version;
-    sha256 = "10ap7jlxs9vcmnyafr62mxlgsp709165nw55xmv9sw18r7m8wsm6";
+    sha256 = "0zrd9h9i7fnmh81zvscxzq3rspyvjvidzbgcziq2m0z522krs8qq";
   };
 
   propagatedBuildInputs = [ twisted future ];

pkgs/development/python-modules/docker/default.nix

@@ -1,8 +1,11 @@
-{ lib, stdenv, buildPythonPackage, fetchPypi, isPy27
+{ lib
+, stdenv
+, buildPythonPackage
+, fetchPypi
+, isPy27
 , backports_ssl_match_hostname
 , mock
 , paramiko
-, pytest
 , pytestCheckHook
 , requests
 , six
@@ -11,11 +14,11 @@
 
 buildPythonPackage rec {
   pname = "docker";
-  version = "4.4.3";
+  version = "4.4.4";
 
   src = fetchPypi {
     inherit pname version;
-    sha256 = "de5753b7f6486dd541a98393e423e387579b8974a5068748b83f852cc76a89d6";
+    sha256 = "d3393c878f575d3a9ca3b94471a3c89a6d960b35feb92f033c0de36cc9d934db";
   };
 
   nativeBuildInputs = lib.optional isPy27 mock;
@@ -32,8 +35,9 @@ buildPythonPackage rec {
   ];
 
   pytestFlagsArray = [ "tests/unit" ];
+
   # Deselect socket tests on Darwin because it hits the path length limit for a Unix domain socket
-  disabledTests = lib.optionals stdenv.isDarwin [ "stream_response" "socket_file" ];
+  disabledTests = lib.optionals stdenv.isDarwin [ "api_test" "stream_response" "socket_file" ];
 
   dontUseSetuptoolsCheck = true;
 

pkgs/development/tools/kustomize/default.nix

@@ -2,9 +2,9 @@
 
 buildGoModule rec {
   pname = "kustomize";
-  version = "3.10.0";
+  version = "4.0.5";
-  # rev is the 3.9.3 commit, mainly for kustomize version command output
+  # rev is the commit of the tag, mainly for kustomize version command output
-  rev = "602ad8aa98e2e17f6c9119e027a09757e63c8bec";
+  rev = "9e8e7a7fe99ec9fbf801463e8607928322fc5245";
 
   buildFlagsArray = let t = "sigs.k8s.io/kustomize/api/provenance"; in
     ''
@@ -17,13 +17,16 @@ buildGoModule rec {
     owner = "kubernetes-sigs";
     repo = pname;
     rev = "kustomize/v${version}";
-    sha256 = "1qr0mi83df8d9qd2svyr1h26pg97qi67nnygrkydnp8an28k48hi";
+    sha256 = "sha256-rv65sDr6V6hEYgIRxS1OSu9txmW75F7/YGAy/zRXGyY=";
   };
 
+  # TODO: Remove once https://github.com/kubernetes-sigs/kustomize/pull/3708 got merged.
+  doCheck = false;
+
   # avoid finding test and development commands
   sourceRoot = "source/kustomize";
 
-  vendorSha256 = "0p2j8mm7jpladpm6v3451g38n5bax0g368dk5h5r5gmkr6srxdy4";
+  vendorSha256 = "sha256-lLUi0vD7uyfDR4HjDiosoTU0NbfQTY7ewZGm38ZT9nU=";
 
   meta = with lib; {
     description = "Customization of kubernetes YAML configurations";

pkgs/development/tools/ocaml/dune/2.nix

@@ -6,11 +6,11 @@ else
 
 stdenv.mkDerivation rec {
   pname = "dune";
-  version = "2.8.2";
+  version = "2.8.4";
 
   src = fetchurl {
     url = "https://github.com/ocaml/dune/releases/download/${version}/dune-${version}.tbz";
-    sha256 = "07mf6pnmv1a6wh4la45zf6cn6qy2vcmz4xgx0djj75kw1wiyii72";
+    sha256 = "1b78f8gk53m68i9igvfpylmvi55h4qqfwymknz1vval4flbj0r2f";
   };
 
   buildInputs = [ ocaml findlib ];

pkgs/tools/filesystems/unionfs-fuse/default.nix

@@ -1,4 +1,4 @@
-{ lib, stdenv, fetchFromGitHub, cmake, fuse }:
+{ lib, stdenv, fetchFromGitHub, cmake, fuse, osxfuse }:
 
 stdenv.mkDerivation rec {
   pname = "unionfs-fuse";
@@ -11,16 +11,23 @@ stdenv.mkDerivation rec {
     sha256 = "0bwx70x834qgqh53vqp18bhbxbsny80hz922rbgj8k9wj7cbfilm";
   };
 
-  patches =
+  patches = [
-    [ # Prevent the unionfs daemon from being killed during
+    # Prevent the unionfs daemon from being killed during
-      # shutdown. See
+    # shutdown. See
-      # http://www.freedesktop.org/wiki/Software/systemd/RootStorageDaemons/
+    # http://www.freedesktop.org/wiki/Software/systemd/RootStorageDaemons/
-      # for details.
+    # for details.
-      ./prevent-kill-on-shutdown.patch
+    ./prevent-kill-on-shutdown.patch
-    ];
+  ];
+
+  postPatch = lib.optionalString stdenv.isDarwin ''
+    substituteInPlace CMakeLists.txt \
+      --replace '/usr/local/include/osxfuse/fuse' '${osxfuse}/include/osxfuse/fuse'
+    substituteInPlace src/CMakeLists.txt \
+      --replace 'target_link_libraries(unionfs fuse pthread)' 'target_link_libraries(unionfs osxfuse pthread)'
+  '';
 
   nativeBuildInputs = [ cmake ];
-  buildInputs = [ fuse ];
+  buildInputs = [ (if stdenv.isDarwin then osxfuse else fuse) ];
 
   # Put the unionfs mount helper in place as mount.unionfs-fuse. This makes it
   # possible to do:
@@ -28,7 +35,7 @@ stdenv.mkDerivation rec {
   #
   # This must be done in preConfigure because the build process removes
   # helper from the source directory during the build.
-  preConfigure = ''
+  preConfigure = lib.optionalString (!stdenv.isDarwin) ''
     mkdir -p $out/sbin
     cp -a mount.unionfs $out/sbin/mount.unionfs-fuse
     substituteInPlace $out/sbin/mount.unionfs-fuse --replace mount.fuse ${fuse}/sbin/mount.fuse
@@ -39,7 +46,7 @@ stdenv.mkDerivation rec {
     description = "FUSE UnionFS implementation";
     homepage = "https://github.com/rpodgorny/unionfs-fuse";
     license = licenses.bsd3;
-    platforms = platforms.linux;
+    platforms = platforms.unix;
     maintainers = with maintainers; [ orivej ];
   };
 }

pkgs/tools/networking/privoxy/default.nix

@@ -1,4 +1,9 @@
-{ lib, stdenv, fetchurl, autoreconfHook, zlib, pcre, w3m, man }:
+{ lib, stdenv
+, nixosTests
+, fetchurl, autoreconfHook
+, zlib, pcre, w3m, man
+, mbedtls, brotli
+}:
 
 stdenv.mkDerivation rec {
 
@@ -13,18 +18,28 @@ stdenv.mkDerivation rec {
   hardeningEnable = [ "pie" ];
 
   nativeBuildInputs = [ autoreconfHook w3m man ];
-  buildInputs = [ zlib pcre ];
+  buildInputs = [ zlib pcre mbedtls brotli ];
 
-  makeFlags = [ "STRIP="];
+  makeFlags = [ "STRIP=" ];
+  configureFlags = [
+    "--with-mbedtls"
+    "--with-brotli"
+    "--enable-external-filters"
+    "--enable-compression"
+  ];
 
   postInstall = ''
-    rm -rf $out/var
+    rm -r $out/var
   '';
 
+  passthru.tests.privoxy = nixosTests.privoxy;
+
   meta = with lib; {
     homepage = "https://www.privoxy.org/";
     description = "Non-caching web proxy with advanced filtering capabilities";
-    license = licenses.gpl2Plus;
+    # When linked with mbedtls, the license becomes GPLv3 (or later), otherwise
+    # GPLv2 (or later). See https://www.privoxy.org/user-manual/copyright.html
+    license = licenses.gpl3Plus;
     platforms = platforms.all;
     maintainers = [ maintainers.phreedom ];
   };

pkgs/top-level/aliases.nix

@@ -564,6 +564,7 @@ mapAliases ({
   qr-filetransfer = throw ''"qr-filetransfer" has been renamed to "qrcp"''; # added 2020-12-02
   quake3game = ioquake3; # added 2016-01-14
   qvim = throw "qvim has been removed."; # added 2020-08-31
+  qweechat = throw "qweechat has been removed because it was broken"; # added 2021-03-08
   qwt6 = libsForQt5.qwt;  # added 2015-12-19
   qtcurve = libsForQt5.qtcurve;  # added 2020-11-07
   qtpfsgui = throw "qtpfsgui is now luminanceHDR"; # added 2019-06-26

pkgs/top-level/all-packages.nix

@@ -15337,6 +15337,11 @@ in
 
   librime = callPackage ../development/libraries/librime {};
 
+  librsb = callPackage ../development/libraries/librsb {
+    # Taken from https://build.opensuse.org/package/view_file/science/librsb/librsb.spec
+    memHierarchy = "L3:16/64/8192K,L2:16/64/2048K,L1:8/64/16K";
+  };
+
   librtprocess = callPackage ../development/libraries/librtprocess { };
 
   libsamplerate = callPackage ../development/libraries/libsamplerate {
@@ -27311,8 +27316,6 @@ in
 
   pysolfc = python3Packages.callPackage ../games/pysolfc { };
 
-  qweechat = callPackage ../applications/networking/irc/qweechat { };
-
   qqwing = callPackage ../games/qqwing { };
 
   quake3wrapper = callPackage ../games/quake3/wrapper { };