Merge master into staging-next

maintainers/maintainer-list.nix

@@ -4967,6 +4967,11 @@
     github = "ctheune";
     name = "Christian Theune";
   };
+  thiagokokada = {
+    email = "thiagokokada@gmail.com";
+    github = "thiagokokada";
+    name = "Thiago K. Okada";
+  };
   ThomasMader = {
     email = "thomas.mader@gmail.com";
     github = "ThomasMader";

nixos/modules/config/malloc.nix

@@ -54,9 +54,7 @@ in
       default = "libc";
       description = ''
         The system-wide memory allocator.
-        </para>
 
-        <para>
         Briefly, the system-wide memory allocator providers are:
         <itemizedlist>
         <listitem><para><literal>libc</literal>: the standard allocator provided by libc</para></listitem>
@@ -64,7 +62,6 @@ in
             (name: value: "<listitem><para><literal>${name}</literal>: ${value.description}</para></listitem>")
             providers)}
         </itemizedlist>
-        </para>
 
         <warning>
         <para>
@@ -79,8 +76,6 @@ in
         Changing this option does not affect the current session.
         </para>
         </note>
-
-        <para>
       '';
     };
   };

nixos/modules/rename.nix

@@ -234,6 +234,9 @@ with lib;
     (mkRenamedOptionModule [ "hardware" "ckb" "enable" ] [ "hardware" "ckb-next" "enable" ])
     (mkRenamedOptionModule [ "hardware" "ckb" "package" ] [ "hardware" "ckb-next" "package" ])
 
+    # binfmt
+    (mkRenamedOptionModule [ "boot" "binfmtMiscRegistrations" ] [ "boot" "binfmt" "registrations" ])
+
   ] ++ (flip map [ "blackboxExporter" "collectdExporter" "fritzboxExporter"
                    "jsonExporter" "minioExporter" "nginxExporter" "nodeExporter"
                    "snmpExporter" "unifiExporter" "varnishExporter" ]

nixos/modules/security/misc.nix

@@ -13,23 +13,17 @@ with lib;
       default = true;
       description = ''
         Whether to allow creation of user namespaces.
-        </para>
 
-        <para>
         The motivation for disabling user namespaces is the potential
         presence of code paths where the kernel's permission checking
         logic fails to account for namespacing, instead permitting a
         namespaced process to act outside the namespace with the same
         privileges as it would have inside it.  This is particularly
         damaging in the common case of running as root within the namespace.
-        </para>
 
-        <para>
         When user namespace creation is disallowed, attempting to create a
         user namespace fails with "no space left on device" (ENOSPC).
         root may re-enable user namespace creation at runtime.
-        </para>
-        <para>
       '';
     };
 
@@ -48,21 +42,15 @@ with lib;
         Whether to allow SMT/hyperthreading.  Disabling SMT means that only
         physical CPU cores will be usable at runtime, potentially at
         significant performance cost.
-        </para>
 
-        <para>
         The primary motivation for disabling SMT is to mitigate the risk of
         leaking data between threads running on the same CPU core (due to
         e.g., shared caches).  This attack vector is unproven.
-        </para>
 
-        <para>
         Disabling SMT is a supplement to the L1 data cache flushing mitigation
         (see <xref linkend="opt-security.virtualization.flushL1DataCache"/>)
         versus malicious VM guests (SMT could "bring back" previously flushed
         data).
-        </para>
-        <para>
       '';
     };
 
@@ -73,9 +61,7 @@ with lib;
         Whether the hypervisor should flush the L1 data cache before
         entering guests.
         See also <xref linkend="opt-security.allowSimultaneousMultithreading"/>.
-        </para>
 
-        <para>
         <variablelist>
           <varlistentry>
             <term><literal>null</literal></term>

nixos/modules/services/backup/znapzend.nix

@@ -7,28 +7,23 @@ let
 
   planDescription = ''
       The znapzend backup plan to use for the source.
-    </para>
+
-    <para>
       The plan specifies how often to backup and for how long to keep the
       backups. It consists of a series of retention periodes to interval
       associations:
-    </para>
+
-    <para>
       <literal>
         retA=>intA,retB=>intB,...
       </literal>
-    </para>
+
-    <para>
       Both intervals and retention periods are expressed in standard units
       of time or multiples of them. You can use both the full name or a
       shortcut according to the following listing:
-    </para>
+
-    <para>
       <literal>
         second|sec|s, minute|min, hour|h, day|d, week|w, month|mon|m, year|y
       </literal>
-    </para>
+
-    <para>
       See <citerefentry><refentrytitle>znapzendzetup</refentrytitle><manvolnum>1</manvolnum></citerefentry> for more info.
   '';
   planExample = "1h=>10min,1d=>1h,1w=>1d,1m=>1w,1y=>1m";
@@ -139,12 +134,10 @@ let
           type = nullOr ints.u16;
           description = ''
               Port to use for <command>mbuffer</command>.
-            </para>
+
-            <para>
               If this is null, it will run <command>mbuffer</command> through
               ssh.
-            </para>
+
-            <para>
               If this is not null, it will run <command>mbuffer</command>
               directly through TCP, which is not encrypted but faster. In that
               case the given port needs to be open on the destination host.

nixos/modules/services/security/fprintd.nix

@@ -38,15 +38,7 @@ in
 
     environment.systemPackages = [ pkgs.fprintd ];
 
-    systemd.services.fprintd = {
+    systemd.packages = [ pkgs.fprintd ];
-      description = "Fingerprint Authentication Daemon";
-
-      serviceConfig = {
-        Type = "dbus";
-        BusName = "net.reactivated.Fprint";
-        ExecStart = "${pkgs.fprintd}/libexec/fprintd";
-      };
-    };
 
   };
 

nixos/modules/system/boot/binfmt.nix

@@ -1,8 +1,8 @@
-{ config, lib, ... }:
+{ config, lib, pkgs, ... }:
 let
   inherit (lib) mkOption types optionalString;
 
-  cfg = config.boot.binfmtMiscRegistrations;
+  cfg = config.boot.binfmt;
 
   makeBinfmtLine = name: { recognitionType, offset, magicOrExtension
                          , mask, preserveArgvZero, openBinary
@@ -13,25 +13,122 @@ let
     mask' = toString mask;
     interpreter = "/run/binfmt/${name}";
     flags = if !(matchCredentials -> openBinary)
-              then throw "boot.binfmtMiscRegistrations.${name}: you can't specify openBinary = false when matchCredentials = true."
+              then throw "boot.binfmt.registrations.${name}: you can't specify openBinary = false when matchCredentials = true."
             else optionalString preserveArgvZero "P" +
                  optionalString (openBinary && !matchCredentials) "O" +
                  optionalString matchCredentials "C" +
                  optionalString fixBinary "F";
   in ":${name}:${type}:${offset'}:${magicOrExtension}:${mask'}:${interpreter}:${flags}";
 
-  binfmtFile = builtins.toFile "binfmt_nixos.conf"
-    (lib.concatStringsSep "\n" (lib.mapAttrsToList makeBinfmtLine cfg));
-
   activationSnippet = name: { interpreter, ... }:
     "ln -sf ${interpreter} /run/binfmt/${name}";
-  activationScript = ''
+
-    mkdir -p -m 0755 /run/binfmt
+  getEmulator = system: (lib.systems.elaborate { inherit system; }).emulator pkgs;
-    ${lib.concatStringsSep "\n" (lib.mapAttrsToList activationSnippet cfg)}
+
-  '';
+  # Mapping of systems to “magicOrExtension” and “mask”. Mostly taken from:
+  # - https://github.com/cleverca22/nixos-configs/blob/master/qemu.nix
+  # and
+  # - https://github.com/qemu/qemu/blob/master/scripts/qemu-binfmt-conf.sh
+  # TODO: maybe put these in a JSON file?
+  magics = {
+    armv6l-linux = {
+      magicOrExtension = ''\x7fELF\x01\x01\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x02\x00\x28\x00'';
+      mask = ''\xff\xff\xff\xff\xff\xff\xff\x00\xff\xff\xff\xff\xff\xff\x00\xff\xfe\xff\xff\xff'';
+    };
+    armv7l-linux = {
+      magicOrExtension = ''\x7fELF\x01\x01\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x02\x00\x28\x00'';
+      mask = ''\xff\xff\xff\xff\xff\xff\xff\x00\xff\xff\xff\xff\xff\xff\x00\xff\xfe\xff\xff\xff'';
+    };
+    aarch64-linux = {
+      magicOrExtension = ''\x7fELF\x02\x01\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x02\x00\xb7\x00'';
+      mask = ''\xff\xff\xff\xff\xff\xff\xff\x00\xff\xff\xff\xff\xff\xff\x00\xff\xfe\xff\xff\xff'';
+    };
+    aarch64_be-linux = {
+      magicOrExtension = ''\x7fELF\x02\x02\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x02\x00\xb7'';
+      mask = ''\xff\xff\xff\xff\xff\xff\xff\x00\xff\xff\xff\xff\xff\xff\xff\xff\xff\xfe\xff\xff'';
+    };
+    i386-linux = {
+      magicOrExtension = ''\x7fELF\x01\x01\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x02\x00\x03\x00'';
+      mask = ''\xff\xff\xff\xff\xff\xfe\xfe\x00\xff\xff\xff\xff\xff\xff\xff\xff\xfe\xff\xff\xff'';
+    };
+    i486-linux = {
+      magicOrExtension = ''\x7fELF\x01\x01\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x02\x00\x06\x00'';
+      mask = ''\xff\xff\xff\xff\xff\xfe\xfe\x00\xff\xff\xff\xff\xff\xff\xff\xff\xfe\xff\xff\xff'';
+    };
+    i586-linux = {
+      magicOrExtension = ''\x7fELF\x01\x01\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x02\x00\x06\x00'';
+      mask = ''\xff\xff\xff\xff\xff\xfe\xfe\x00\xff\xff\xff\xff\xff\xff\xff\xff\xfe\xff\xff\xff'';
+    };
+    i686-linux = {
+      magicOrExtension = ''\x7fELF\x01\x01\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x02\x00\x06\x00'';
+      mask = ''\xff\xff\xff\xff\xff\xfe\xfe\x00\xff\xff\xff\xff\xff\xff\xff\xff\xfe\xff\xff\xff'';
+    };
+    x86_64-linux = {
+      magicOrExtension = ''\x7fELF\x02\x01\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x02\x00\x3e\x00'';
+      mask = ''\xff\xff\xff\xff\xff\xfe\xfe\x00\xff\xff\xff\xff\xff\xff\xff\xff\xfe\xff\xff\xff'';
+    };
+    alpha-linux = {
+      magicOrExtension = ''\x7fELF\x02\x01\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x02\x00\x26\x90'';
+      mask = ''\xff\xff\xff\xff\xff\xfe\xfe\x00\xff\xff\xff\xff\xff\xff\xff\xff\xfe\xff\xff\xff'';
+    };
+    sparc64-linux = {
+      magicOrExtension = ''\x7fELF\x01\x02\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x02\x00\x02'';
+      mask = ''\xff\xff\xff\xff\xff\xff\xff\x00\xff\xff\xff\xff\xff\xff\xff\xff\xff\xfe\xff\xff'';
+    };
+    sparc-linux = {
+      magicOrExtension = ''\x7fELF\x01\x02\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x02\x00\x12'';
+      mask = ''\xff\xff\xff\xff\xff\xff\xff\x00\xff\xff\xff\xff\xff\xff\xff\xff\xff\xfe\xff\xff'';
+    };
+    powerpc-linux = {
+      magicOrExtension = ''\x7fELF\x01\x02\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x02\x00\x14'';
+      mask = ''\xff\xff\xff\xff\xff\xff\xff\x00\xff\xff\xff\xff\xff\xff\xff\xff\xff\xfe\xff\xff'';
+    };
+    powerpc64-linux = {
+      magicOrExtension = ''\x7fELF\x02\x02\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x02\x00\x15'';
+      mask = ''\xff\xff\xff\xff\xff\xff\xff\x00\xff\xff\xff\xff\xff\xff\xff\xff\xff\xfe\xff\xff'';
+    };
+    powerpc64le-linux = {
+      magicOrExtension = ''\x7fELF\x02\x01\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x02\x00\x15\x00'';
+      mask = ''\xff\xff\xff\xff\xff\xff\xff\x00\xff\xff\xff\xff\xff\xff\xff\xff\xfe\xff\xff\x00'';
+    };
+    mips-linux = {
+      magicOrExtension = ''\x7fELF\x01\x02\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x02\x00\x08'';
+      mask = ''\xff\xff\xff\xff\xff\xff\xff\x00\xff\xff\xff\xff\xff\xff\xff\xff\xff\xfe\xff\xff'';
+    };
+    mipsel-linux = {
+      magicOrExtension = ''\x7fELF\x01\x01\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x02\x00\x08\x00'';
+      mask = ''\xff\xff\xff\xff\xff\xff\xff\x00\xff\xff\xff\xff\xff\xff\xff\xff\xfe\xff\xff\xff'';
+    };
+    mips64-linux = {
+      magicOrExtension = ''\x7fELF\x02\x02\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x02\x00\x08'';
+      mask = ''\xff\xff\xff\xff\xff\xff\xff\x00\xff\xff\xff\xff\xff\xff\xff\xff\xff\xfe\xff\xff'';
+    };
+    mips64el-linux = {
+      magicOrExtension = ''\x7fELF\x02\x01\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x02\x00\x08\x00'';
+      mask = ''\xff\xff\xff\xff\xff\xff\xff\x00\xff\xff\xff\xff\xff\xff\xff\xff\xfe\xff\xff\xff'';
+    };
+    riscv32-linux = {
+      magicOrExtension = ''\x7fELF\x01\x01\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x02\x00\xf3\x00'';
+      mask = ''\xff\xff\xff\xff\xff\xff\xff\x00\xff\xff\xff\xff\xff\xff\xff\xff\xfe\xff\xff\xff'';
+    };
+    riscv64-linux = {
+      magicOrExtension = ''\x7fELF\x02\x01\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x02\x00\xf3\x00'';
+      mask = ''\xff\xff\xff\xff\xff\xff\xff\x00\xff\xff\xff\xff\xff\xff\xff\xff\xfe\xff\xff\xff'';
+    };
+    x86_64-windows = {
+      magicOrExtension = ".exe";
+      recognitionType = "extension";
+    };
+    i686-windows = {
+      magicOrExtension = ".exe";
+      recognitionType = "extension";
+    };
+  };
+
 in {
   options = {
-    boot.binfmtMiscRegistrations = mkOption {
+    boot.binfmt = {
+      registrations = mkOption {
         default = {};
 
         description = ''
@@ -126,12 +223,39 @@ in {
           };
         }));
       };
+
+      emulatedSystems = mkOption {
+        default = [];
+        description = ''
+          List of systems to emulate. Will also configure Nix to
+          support your new systems.
+        '';
+        type = types.listOf types.string;
+      };
+    };
   };
 
-  config = lib.mkIf (cfg != {}) {
+  config = {
-    environment.etc."binfmt.d/nixos.conf".source = binfmtFile;
+    boot.binfmt.registrations = builtins.listToAttrs (map (system: {
-    system.activationScripts.binfmt = activationScript;
+      name = system;
-    systemd.additionalUpstreamSystemUnits =
+      value = {
+        interpreter = getEmulator system;
+      } // (magics.${system} or (throw "Cannot create binfmt registration for system ${system}"));
+    }) cfg.emulatedSystems);
+    # TODO: add a nix.extraPlatforms option to NixOS!
+    nix.extraOptions = lib.mkIf (cfg.emulatedSystems != []) ''
+      extra-platforms = ${toString (cfg.emulatedSystems ++ lib.optional pkgs.stdenv.hostPlatform.isx86_64 "i686-linux")}
+    '';
+    nix.sandboxPaths = lib.mkIf (cfg.emulatedSystems != [])
+      ([ "/run/binfmt" ] ++ (map (system: dirOf (dirOf (getEmulator system))) cfg.emulatedSystems));
+
+    environment.etc."binfmt.d/nixos.conf".source = builtins.toFile "binfmt_nixos.conf"
+      (lib.concatStringsSep "\n" (lib.mapAttrsToList makeBinfmtLine config.boot.binfmt.registrations));
+    system.activationScripts.binfmt = ''
+      mkdir -p -m 0755 /run/binfmt
+      ${lib.concatStringsSep "\n" (lib.mapAttrsToList activationSnippet config.boot.binfmt.registrations)}
+    '';
+    systemd.additionalUpstreamSystemUnits = lib.mkIf (config.boot.binfmt.registrations != {})
       [ "proc-sys-fs-binfmt_misc.automount"
         "proc-sys-fs-binfmt_misc.mount"
       ];

nixos/modules/system/boot/loader/systemd-boot/systemd-boot.nix

@@ -62,8 +62,7 @@ in {
 
       description = ''
         The resolution of the console. The following values are valid:
-        </para>
+
-        <para>
         <itemizedlist>
           <listitem><para>
             <literal>"0"</literal>: Standard UEFI 80x25 mode

nixos/modules/system/boot/luksroot.nix

@@ -76,6 +76,33 @@ let
         fi
         return 0
     }
+
+    wait_gpgcard() {
+        local secs="''${1:-10}"
+
+        gpg --card-status > /dev/null 2> /dev/null
+        if [ $? != 0 ]; then
+            echo -n "Waiting $secs seconds for GPG Card to appear"
+            local success=false
+            for try in $(seq $secs); do
+                echo -n .
+                sleep 1
+                gpg --card-status > /dev/null 2> /dev/null
+                if [ $? == 0 ]; then
+                    success=true
+                    break
+                fi
+            done
+            if [ $success == true ]; then
+                echo " - success";
+                return 0
+            else
+                echo " - failure";
+                return 1
+            fi
+        fi
+        return 0
+    }
   '';
 
   preCommands = ''
@@ -93,6 +120,13 @@ let
     # For Yubikey salt storage
     mkdir -p /crypt-storage
 
+    ${optionalString luks.gpgSupport ''
+    export GPG_TTY=$(tty)
+    export GNUPGHOME=/crypt-ramfs/.gnupg
+
+    gpg-agent --daemon --scdaemon-program $out/bin/scdaemon > /dev/null 2> /dev/null
+    ''}
+        
     # Disable all input echo for the whole stage. We could use read -s
     # instead but that would ocasionally leak characters between read
     # invocations.
@@ -105,7 +139,7 @@ let
     umount /crypt-ramfs 2>/dev/null
   '';
 
-  openCommand = name': { name, device, header, keyFile, keyFileSize, keyFileOffset, allowDiscards, yubikey, fallbackToPassword, ... }: assert name' == name;
+  openCommand = name': { name, device, header, keyFile, keyFileSize, keyFileOffset, allowDiscards, yubikey, gpgCard, fallbackToPassword, ... }: assert name' == name;
   let
     csopen   = "cryptsetup luksOpen ${device} ${name} ${optionalString allowDiscards "--allow-discards"} ${optionalString (header != null) "--header=${header}"}";
     cschange = "cryptsetup luksChangeKey ${device} ${optionalString (header != null) "--header=${header}"}";
@@ -182,7 +216,7 @@ let
         ''}
     }
 
-    ${if luks.yubikeySupport && (yubikey != null) then ''
+    ${optionalString (luks.yubikeySupport && (yubikey != null)) ''
     # Yubikey
     rbtohex() {
         ( od -An -vtx1 | tr -d ' \n' )
@@ -278,7 +312,7 @@ let
         umount /crypt-storage
     }
 
-    open_yubikey() {
+    open_with_hardware() {
         if wait_yubikey ${toString yubikey.gracePeriod}; then
             do_open_yubikey
         else
@@ -286,8 +320,75 @@ let
             open_normally
         fi
     }
+    ''}
 
-    open_yubikey
+    ${optionalString (luks.gpgSupport && (gpgCard != null)) ''
+
+    do_open_gpg_card() {
+        # Make all of these local to this function
+        # to prevent their values being leaked
+        local pin
+        local opened
+
+        gpg --import /gpg-keys/${device}/pubkey.asc > /dev/null 2> /dev/null
+
+        gpg --card-status > /dev/null 2> /dev/null
+
+        for try in $(seq 3); do
+            echo -n "PIN for GPG Card associated with device ${device}: "
+            pin=
+            while true; do
+                if [ -e /crypt-ramfs/passphrase ]; then
+                    echo "reused"
+                    pin=$(cat /crypt-ramfs/passphrase)
+                    break
+                else
+                    # and try reading it from /dev/console with a timeout
+                    IFS= read -t 1 -r pin
+                    if [ -n "$pin" ]; then
+                       ${if luks.reusePassphrases then ''
+                         # remember it for the next device
+                         echo -n "$pin" > /crypt-ramfs/passphrase
+                       '' else ''
+                         # Don't save it to ramfs. We are very paranoid
+                       ''}
+                       echo
+                       break
+                    fi
+                fi
+            done
+            echo -n "Verifying passphrase for ${device}..."
+            echo -n "$pin" | gpg -q --batch --passphrase-fd 0 --pinentry-mode loopback -d /gpg-keys/${device}/cryptkey.gpg 2> /dev/null | ${csopen} --key-file=- > /dev/null 2> /dev/null
+            if [ $? == 0 ]; then
+                echo " - success"
+                ${if luks.reusePassphrases then ''
+                  # we don't rm here because we might reuse it for the next device
+                '' else ''
+                  rm -f /crypt-ramfs/passphrase
+                ''}
+                break
+            else
+                echo " - failure"
+                # ask for a different one
+                rm -f /crypt-ramfs/passphrase
+            fi
+        done
+
+        [ "$opened" == false ] && die "Maximum authentication errors reached"
+    }
+
+    open_with_hardware() {
+        if wait_gpgcard ${toString gpgCard.gracePeriod}; then
+            do_open_gpg_card
+        else
+            echo "No GPG Card found, falling back to normal open procedure"
+            open_normally
+        fi
+    }
+    ''}
+
+    ${if (luks.yubikeySupport && (yubikey != null)) || (luks.gpgSupport && (gpgCard != null)) then ''
+    open_with_hardware
     '' else ''
     open_normally
     ''}
@@ -473,6 +574,36 @@ in
             '';
           };
 
+          gpgCard = mkOption {
+            default = null;
+            description = ''
+              The option to use this LUKS device with a GPG encrypted luks password by the GPG Smartcard.
+              If null (the default), GPG-Smartcard will be disabled for this device.
+            '';
+
+            type = with types; nullOr (submodule {
+              options = {
+                gracePeriod = mkOption {
+                  default = 10;
+                  type = types.int;
+                  description = "Time in seconds to wait for the GPG Smartcard.";
+                };
+
+                encryptedPass = mkOption {
+                  default = "";
+                  type = types.path;
+                  description = "Path to the GPG encrypted passphrase.";
+                };
+
+                publicKey = mkOption {
+                  default = "";
+                  type = types.path;
+                  description = "Path to the Public Key.";
+                };
+              };
+            });
+          };
+
           yubikey = mkOption {
             default = null;
             description = ''
@@ -554,6 +685,14 @@ in
       }));
     };
 
+    boot.initrd.luks.gpgSupport = mkOption {
+      default = false;
+      type = types.bool;
+      description = ''
+        Enables support for authenticating with a GPG encrypted password.
+      '';
+    };
+
     boot.initrd.luks.yubikeySupport = mkOption {
       default = false;
       type = types.bool;
@@ -567,6 +706,12 @@ in
 
   config = mkIf (luks.devices != {} || luks.forceLuksSupportInInitrd) {
 
+    assertions =
+      [ { assertion = !(luks.gpgSupport && luks.yubikeySupport);
+          message = "Yubikey and GPG Card may not be used at the same time.";
+        }
+      ];
+
     # actually, sbp2 driver is the one enabling the DMA attack, but this needs to be tested
     boot.blacklistedKernelModules = optionals luks.mitigateDMAAttacks
       ["firewire_ohci" "firewire_core" "firewire_sbp2"];
@@ -603,6 +748,23 @@ in
         EOF
         chmod +x $out/bin/openssl-wrap
       ''}
+
+      ${optionalString luks.gpgSupport ''
+        copy_bin_and_libs ${pkgs.gnupg}/bin/gpg
+        copy_bin_and_libs ${pkgs.gnupg}/bin/gpg-agent
+        copy_bin_and_libs ${pkgs.gnupg}/libexec/scdaemon
+
+        ${concatMapStringsSep "\n" (x:
+          if x.gpgCard != null then
+            ''
+              mkdir -p $out/secrets/gpg-keys/${x.device}
+              cp -a ${x.gpgCard.encryptedPass} $out/secrets/gpg-keys/${x.device}/cryptkey.gpg
+              cp -a ${x.gpgCard.publicKey} $out/secrets/gpg-keys/${x.device}/pubkey.asc
+            ''
+          else ""
+          ) (attrValues luks.devices)
+        }
+      ''}
     '';
 
     boot.initrd.extraUtilsCommandsTest = ''
@@ -612,6 +774,11 @@ in
         $out/bin/ykinfo -V
         $out/bin/openssl-wrap version
       ''}
+      ${optionalString luks.gpgSupport ''
+        $out/bin/gpg --version
+        $out/bin/gpg-agent --version
+        $out/bin/scdaemon --version
+      ''}
     '';
 
     boot.initrd.preFailCommands = postCommands;

nixos/modules/system/boot/resolved.nix

@@ -35,7 +35,7 @@ in
         when resolving single-label host names (domain names which
         contain no dot), in order to qualify them into fully-qualified
         domain names (FQDNs).
-        </para><para>
+
         For compatibility reasons, if this setting is not specified,
         the search domains listed in
         <filename>/etc/resolv.conf</filename> are used instead, if
@@ -50,8 +50,9 @@ in
       description = ''
         Controls Link-Local Multicast Name Resolution support
         (RFC 4795) on the local host.
-        </para><para>
+
         If set to
+
         <variablelist>
         <varlistentry>
           <term><literal>"true"</literal></term>

nixos/modules/virtualisation/docker-containers.nix

@@ -65,10 +65,9 @@ let
           default = [];
           description = ''
             Network ports to publish from the container to the outer host.
-            </para>
+
-            <para>
             Valid formats:
-            </para>
+
             <itemizedlist>
               <listitem>
                 <para>
@@ -91,21 +90,19 @@ let
                 </para>
               </listitem>
             </itemizedlist>
-            <para>
+
             Both <literal>hostPort</literal> and
             <literal>containerPort</literal> can be specified as a range of
             ports.  When specifying ranges for both, the number of container
             ports in the range must match the number of host ports in the
             range.  Example: <literal>1234-1236:1234-1236/tcp</literal>
-            </para>
+
-            <para>
             When specifying a range for <literal>hostPort</literal> only, the
             <literal>containerPort</literal> must <emphasis>not</emphasis> be a
             range.  In this case, the container port is published somewhere
             within the specified <literal>hostPort</literal> range.  Example:
             <literal>1234-1236:1234/tcp</literal>
-            </para>
+
-            <para>
             Refer to the
             <link xlink:href="https://docs.docker.com/engine/reference/run/#expose-incoming-ports">
             Docker engine documentation</link> for full details.

nixos/tests/docker-tools.nix

@@ -67,5 +67,12 @@ import ./make-test.nix ({ pkgs, ... }: {
       # Ensure building an image on top of a layered Docker images work
       $docker->succeed("docker load --input='${pkgs.dockerTools.examples.layered-on-top}'");
       $docker->succeed("docker run --rm ${pkgs.dockerTools.examples.layered-on-top.imageName}");
+
+      # Ensure order of layers is correct
+      $docker->succeed("docker load --input='${pkgs.dockerTools.examples.layersOrder}'");
+      $docker->succeed("docker run --rm  ${pkgs.dockerTools.examples.layersOrder.imageName} cat /tmp/layer1 | grep -q layer1");
+      # This is to be sure the order of layers of the parent image is preserved
+      $docker->succeed("docker run --rm  ${pkgs.dockerTools.examples.layersOrder.imageName} cat /tmp/layer2 | grep -q layer2");
+      $docker->succeed("docker run --rm  ${pkgs.dockerTools.examples.layersOrder.imageName} cat /tmp/layer3 | grep -q layer3");
     '';
 })

pkgs/applications/audio/qmmp/default.nix

@@ -29,17 +29,17 @@
 # handle that.
 
 stdenv.mkDerivation rec {
-  name = "qmmp-1.3.1";
+  name = "qmmp-1.3.2";
 
   src = fetchurl {
     url = "http://qmmp.ylsoftware.com/files/${name}.tar.bz2";
-    sha256 = "1dmybzibpr6hpr2iv1wvrjgww842mng2x0rh1mr8gs8j191xvlhw";
+    sha256 = "1rh063kcyg7gs9yj2r4v5irpnq4pjaxaxsgrw30mdr21xhhc15cz";
   };
 
+  nativeBuildInputs = [ cmake pkgconfig ];
   buildInputs =
     [ # basic requirements
-      cmake pkgconfig xlibsWrapper
+      qtbase qttools qtmultimedia qtx11extras xlibsWrapper
-      qtbase qttools qtmultimedia qtx11extras
       # transports
       curl libmms
       # input plugins

pkgs/applications/audio/vcv-rack/default.nix

@@ -72,8 +72,9 @@ with stdenv.lib; stdenv.mkDerivation rec {
   meta = with stdenv.lib; {
     description = "Open-source virtual modular synthesizer";
     homepage = http://vcvrack.com/;
-    # The source is BSD-3 licensed, some of the art is CC-BY-NC 4.0 or unfree
+    # The source is BSD-3 licensed, some of the art is CC-BY-NC 4.0 or under a
-    license = [ licenses.bsd3 licenses.cc-by-nc-40 licenses.unfree ];
+    # no-derivatives clause
+    license = with licenses; [ bsd3 cc-by-nc-40 unfreeRedistributable ];
     maintainers = with maintainers; [ moredread ];
     platforms = platforms.linux;
   };

pkgs/applications/graphics/openscad/default.nix

@@ -1,6 +1,6 @@
 { stdenv, fetchFromGitHub, qt5, libsForQt5
 , bison, flex, eigen, boost, libGLU_combined, glew, opencsg, cgal
-, mpfr, gmp, glib, pkgconfig, harfbuzz, gettext
+, mpfr, gmp, glib, pkgconfig, harfbuzz, gettext, freetype, fontconfig
 }:
 
 stdenv.mkDerivation rec {
@@ -18,11 +18,13 @@ stdenv.mkDerivation rec {
     sha256 = "1y63yqyd0v255liik4ff5ak6mj86d8d76w436x76hs5dk6jgpmfb";
   };
 
+  nativeBuildInputs = [ bison flex pkgconfig ];
+
   buildInputs = [
-    bison flex eigen boost libGLU_combined glew opencsg cgal mpfr gmp glib
+    eigen boost glew opencsg cgal mpfr gmp glib
-    pkgconfig harfbuzz gettext
+    harfbuzz gettext freetype fontconfig
-  ]
+  ] ++ stdenv.lib.optional stdenv.isLinux libGLU_combined
-    ++ (with qt5; [qtbase qmake])
+    ++ (with qt5; [qtbase qmake] ++ stdenv.lib.optional stdenv.isDarwin qtmacextras)
     ++ (with libsForQt5; [qscintilla])
   ;
 
@@ -33,6 +35,17 @@ stdenv.mkDerivation rec {
 
   doCheck = false;
 
+  postInstall = stdenv.lib.optionalString stdenv.isDarwin ''
+    mkdir $out/Applications
+    mv $out/bin/*.app $out/Applications
+    rmdir $out/bin || true
+
+    mv --target-directory=$out/Applications/OpenSCAD.app/Contents/Resources \
+      $out/share/openscad/{examples,color-schemes,locale,libraries,fonts}
+
+    rmdir $out/share/openscad
+  '';
+
   meta = {
     description = "3D parametric model compiler";
     longDescription = ''
@@ -48,7 +61,7 @@ stdenv.mkDerivation rec {
     '';
     homepage = http://openscad.org/;
     license = stdenv.lib.licenses.gpl2;
-    platforms = stdenv.lib.platforms.linux;
+    platforms = stdenv.lib.platforms.unix;
     maintainers = with stdenv.lib.maintainers;
       [ bjornfor raskin the-kenny ];
   };

pkgs/applications/kde/kgpg.nix

@@ -1,7 +1,7 @@
 {
   mkDerivation, lib,
   extra-cmake-modules, kdoctools, ki18n, makeWrapper,
-  akonadi-contacts, gnupg1, karchive, kcodecs, kcontacts, kcoreaddons,
+  akonadi-contacts, gnupg, karchive, kcodecs, kcontacts, kcoreaddons,
   kcrash, kdbusaddons, kiconthemes, kjobwidgets, kio, knotifications, kservice,
   ktextwidgets, kxmlgui, kwidgetsaddons, kwindowsystem, qgpgme,
 }:
@@ -10,12 +10,12 @@ mkDerivation {
   name = "kgpg";
   nativeBuildInputs = [ extra-cmake-modules kdoctools makeWrapper ];
   buildInputs = [
-    akonadi-contacts gnupg1 karchive kcodecs kcontacts kcoreaddons kcrash
+    akonadi-contacts gnupg karchive kcodecs kcontacts kcoreaddons kcrash
     kdbusaddons ki18n kiconthemes kjobwidgets kio knotifications kservice
     ktextwidgets kxmlgui kwidgetsaddons kwindowsystem qgpgme
   ];
   postFixup = ''
-    wrapProgram "$out/bin/kgpg" --prefix PATH : "${lib.makeBinPath [ gnupg1 ]}"
+    wrapProgram "$out/bin/kgpg" --prefix PATH : "${lib.makeBinPath [ gnupg ]}"
   '';
   meta = {
     license = [ lib.licenses.gpl2 ];

pkgs/applications/misc/bemenu/default.nix

@@ -0,0 +1,45 @@
+{ stdenv, fetchFromGitHub, cairo, cmake, libxkbcommon
+, pango, fribidi, harfbuzz, pcre, pkgconfig
+, ncursesSupport ? true, ncurses ? null
+, waylandSupport ? true, wayland ? null
+, x11Support ? true, xlibs ? null, xorg ? null
+}:
+
+assert ncursesSupport -> ncurses != null;
+assert waylandSupport -> wayland != null;
+assert x11Support -> xlibs != null && xorg != null;
+
+stdenv.mkDerivation rec {
+  pname = "bemenu";
+  version = "0.1.0";
+
+  src = fetchFromGitHub {
+    owner = "Cloudef";
+    repo = "bemenu";
+    rev = "33e540a2b04ce78f5c7ab4a60b899c67f586cc32";
+    sha256 = "11h55m9dx6ai12pqij52ydjm36dvrcc856pa834njihrp626pl4w";
+  };
+
+  nativeBuildInputs = [ cmake pkgconfig pcre ];
+
+  buildInputs = with stdenv.lib; [
+    cairo
+    fribidi
+    harfbuzz
+    libxkbcommon
+    pango
+  ] ++ optionals ncursesSupport [ ncurses ]
+    ++ optionals waylandSupport [ wayland ]
+    ++ optionals x11Support [
+      xlibs.libX11 xlibs.libXinerama xlibs.libXft
+      xorg.libXdmcp xorg.libpthreadstubs xorg.libxcb
+    ];
+
+  meta = with stdenv.lib; {
+    homepage = "https://github.com/Cloudef/bemenu";
+    description = "Dynamic menu library and client program inspired by dmenu";
+    license = licenses.gpl3Plus;
+    maintainers = with maintainers; [ thiagokokada ];
+    platforms = with platforms; linux;
+  };
+}

pkgs/applications/misc/electrum/default.nix

@@ -3,16 +3,6 @@
 let
   version = "3.3.5";
 
-  qdarkstyle = python3Packages.buildPythonPackage rec {
-    pname = "QDarkStyle";
-    version = "2.5.4";
-    src = python3Packages.fetchPypi {
-      inherit pname version;
-      sha256 = "1w715m1i5pycfqcpkrggpn0rs9cakx6cm5v8rggcxnf4p0i0kdiy";
-    };
-    doCheck = false; # no tests
-  };
-
   # Not provided in official source releases, which are what upstream signs.
   tests = fetchFromGitHub {
     owner = "spesmilo";

pkgs/applications/misc/k2pdfopt/default.nix

@@ -57,7 +57,28 @@ stdenv.mkDerivation rec {
       prePatch = ''
         cp ${src}/leptonica_mod/{allheaders.h,dewarp2.c,leptwin.c} src/
       '';
-      patches = [];
+      patches = [
+        # stripped down copy of upstream commit b88c821f8d347bce0aea86d606c710303919f3d2
+        ./leptonica-CVE-2018-3836.patch
+        (fetchpatch {
+          # CVE-2018-7186
+          url = "https://github.com/DanBloomberg/leptonica/commit/"
+              + "ee301cb2029db8a6289c5295daa42bba7715e99a.patch";
+          sha256 = "0cgb7mvz2px1rg5i80wk1wxxjvzjga617d8q6j7qygkp7jm6495d";
+        })
+        (fetchpatch {
+          # CVE-2018-7247
+          url = "https://github.com/DanBloomberg/leptonica/commit/"
+              + "c1079bb8e77cdd426759e466729917ca37a3ed9f.patch";
+          sha256 = "1z4iac5gwqggh7aa8cvyp6nl9fwd1v7wif26caxc9y5qr3jj34qf";
+        })
+        (fetchpatch {
+          # CVE-2018-7440
+          url = "https://github.com/DanBloomberg/leptonica/commit/"
+              + "49ecb6c2dfd6ed5078c62f4a8eeff03e3beced3b.patch";
+          sha256 = "1hjmva98iaw9xj7prg7aimykyayikcwnk4hk0380007hqb35lqmy";
+        })
+      ];
     });
     tesseract_modded = tesseract4.override {
       tesseractBase = tesseract4.tesseractBase.overrideAttrs (_: {

pkgs/applications/misc/k2pdfopt/leptonica-CVE-2018-3836.patch

@@ -0,0 +1,95 @@
+--- a/src/allheaders.h
++++ b/src/allheaders.h
+@@ -2600,6 +2600,7 @@
+ LEPT_DLL extern char * stringReverse ( const char *src );
+ LEPT_DLL extern char * strtokSafe ( char *cstr, const char *seps, char **psaveptr );
+ LEPT_DLL extern l_int32 stringSplitOnToken ( char *cstr, const char *seps, char **phead, char **ptail );
++LEPT_DLL extern l_int32 stringCheckForChars ( const char *src, const char *chars, l_int32 *pfound );
+ LEPT_DLL extern char * stringRemoveChars ( const char *src, const char *remchars );
+ LEPT_DLL extern l_int32 stringFindSubstr ( const char *src, const char *sub, l_int32 *ploc );
+ LEPT_DLL extern char * stringReplaceSubstr ( const char *src, const char *sub1, const char *sub2, l_int32 *pfound, l_int32 *ploc );
+--- a/src/gplot.c
++++ b/src/gplot.c
+@@ -141,9 +141,10 @@
+             const char  *xlabel,
+             const char  *ylabel)
+ {
+-char   *newroot;
+-char    buf[L_BUF_SIZE];
+-GPLOT  *gplot;
++char    *newroot;
++char     buf[L_BUF_SIZE];
++l_int32  badchar;
++GPLOT   *gplot;
+ 
+     PROCNAME("gplotCreate");
+ 
+@@ -152,6 +153,9 @@
+     if (outformat != GPLOT_PNG && outformat != GPLOT_PS &&
+         outformat != GPLOT_EPS && outformat != GPLOT_LATEX)
+         return (GPLOT *)ERROR_PTR("outformat invalid", procName, NULL);
++    stringCheckForChars(rootname, "`;&|><\"?*", &badchar);
++    if (badchar)  /* danger of command injection */
++        return (GPLOT *)ERROR_PTR("invalid rootname", procName, NULL);
+ 
+     if ((gplot = (GPLOT *)LEPT_CALLOC(1, sizeof(GPLOT))) == NULL)
+         return (GPLOT *)ERROR_PTR("gplot not made", procName, NULL);
+--- a/src/utils2.c
++++ b/src/utils2.c
+@@ -42,6 +42,7 @@
+  *           l_int32    stringSplitOnToken()
+  *
+  *       Find and replace string and array procs
++ *           l_int32    stringCheckForChars()
+  *           char      *stringRemoveChars()
+  *           l_int32    stringFindSubstr()
+  *           char      *stringReplaceSubstr()
+@@ -701,6 +702,48 @@
+ /*--------------------------------------------------------------------*
+  *                       Find and replace procs                       *
+  *--------------------------------------------------------------------*/
++/*!
++ * \brief   stringCheckForChars()
++ *
++ * \param[in]    src      input string; can be of zero length
++ * \param[in]    chars    string of chars to be searched for in %src
++ * \param[out]   pfound   1 if any characters are found; 0 otherwise
++ * \return  0 if OK, 1 on error
++ *
++ * <pre>
++ * Notes:
++ *      (1) This can be used to sanitize an operation by checking for
++ *          special characters that don't belong in a string.
++ * </pre>
++ */
++l_int32
++stringCheckForChars(const char  *src,
++                    const char  *chars,
++                    l_int32     *pfound)
++{
++char     ch;
++l_int32  i, n;
++
++    PROCNAME("stringCheckForChars");
++
++    if (!pfound)
++        return ERROR_INT("&found not defined", procName, 1);
++    *pfound = FALSE;
++    if (!src || !chars)
++        return ERROR_INT("src and chars not both defined", procName, 1);
++
++    n = strlen(src);
++    for (i = 0; i < n; i++) {
++        ch = src[i];
++        if (strchr(chars, ch)) {
++            *pfound = TRUE;
++            break;
++        }
++    }
++    return 0;
++}
++
++
+ /*!
+  * \brief   stringRemoveChars()
+  *

pkgs/applications/misc/kitty/default.nix

@@ -2,7 +2,7 @@
   harfbuzz, fontconfig, pkgconfig, ncurses, imagemagick, xsel,
   libstartup_notification, libX11, libXrandr, libXinerama, libXcursor,
   libxkbcommon, libXi, libXext, wayland-protocols, wayland,
-  which, dbus,
+  which, dbus, fetchpatch,
   Cocoa,
   CoreGraphics,
   Foundation,
@@ -67,6 +67,17 @@ buildPythonApplication rec {
       libstartup_notification = "${libstartup_notification}/lib/libstartup-notification-1.so";
     })
   ] ++ stdenv.lib.optionals stdenv.isDarwin [
+    (fetchpatch {
+      name = "macos-symlink-1";
+      url = https://github.com/kovidgoyal/kitty/commit/bdeec612667f6976109247fe1750b10dda9c24c0.patch;
+      sha256 = "1d18x260w059qag80kgb2cgi2h4rricvqhwpbrw79s8yxzs7jhxk";
+    })
+    (fetchpatch {
+      # fixup of previous patch
+      name = "macos-symlink-2";
+      url = https://github.com/kovidgoyal/kitty/commit/af2c9a49b1ad31e94242295d88598591623fbf11.patch;
+      sha256 = "0k3dmgbvmh66j8k3h8dw6la6ma6f20fng6jjypy982kxvracsnl5";
+    })
     ./macos-10.11.patch
     ./no-lto.patch
     ./no-werror.patch
@@ -84,7 +95,7 @@ buildPythonApplication rec {
     mkdir -p $out
     ${if stdenv.isDarwin then ''
     mkdir "$out/bin"
-    ln -s ../Applications/kitty.app/Contents/MacOS/kitty "$out/bin/kitty"
+    ln -s ../Applications/kitty.app/Contents/MacOS/kitty-deref-symlink "$out/bin/kitty"
     mkdir "$out/Applications"
     cp -r kitty.app "$out/Applications/kitty.app"
     '' else ''

pkgs/applications/misc/octoprint/default.nix

@@ -15,13 +15,26 @@ let
     packageOverrides = lib.foldr lib.composeExtensions (self: super: { }) ([
       (mkOverride "flask"       "0.10.1" "0wrkavjdjndknhp8ya8j850jq7a1cli4g5a93mg8nh1xz2gq50sc")
       (mkOverride "flask_login" "0.2.11" "1rg3rsjs1gwi2pw6vr9jmhaqm9b3vc9c4hfcsvp4y8agbh7g3mc3")
-      (mkOverride "jinja2"      "2.8.1"  "14aqmhkc9rw5w0v311jhixdm6ym8vsm29dhyxyrjfqxljwx1yd1m")
       (mkOverride "pylru"       "1.0.9"  "0b0pq0l7xv83dfsajsc49jcxzc99kb9jfx1a1dlx22hzcy962dvi")
       (mkOverride "sarge"       "0.1.4"  "08s8896973bz1gg0pkr592w6g4p6v47bkfvws5i91p9xf8b35yar")
       (mkOverride "tornado"     "4.5.3"  "02jzd23l4r6fswmwxaica9ldlyc2p6q8dk6dyff7j58fmdzf853d")
 
       # https://github.com/NixOS/nixpkgs/pull/58179#issuecomment-478605134
       (mkOverride "werkzeug"    "0.14.1" "c3fd7a7d41976d9f44db327260e263132466836cef6f91512889ed60ad26557c")
+
+      # Octoprint holds back jinja2 to 2.8.1 due to breaking changes.
+      # This old version does not have updated test config for pytest 4,
+      # and pypi tarball doesn't contain tests dir anyways.
+      (pself: psuper: {
+        jinja2 = psuper.jinja2.overridePythonAttrs (oldAttrs: rec {
+          version = "2.8.1";
+          src = oldAttrs.src.override {
+            inherit version;
+            sha256 = "14aqmhkc9rw5w0v311jhixdm6ym8vsm29dhyxyrjfqxljwx1yd1m";
+          };
+          doCheck = false;
+        });
+      })
     ]);
   };
 
@@ -69,7 +82,7 @@ in py.pkgs.buildPythonApplication rec {
     pylru pyyaml sarge feedparser netifaces click websocket_client
     scandir chainmap future dateutil futures wrapt monotonic emoji
     frozendict
-  ];
+  ] ++ lib.optionals stdenv.isDarwin [ py.pkgs.appdirs ];
 
   checkInputs = with py.pkgs; [ nose mock ddt ];
 
@@ -82,7 +95,7 @@ in py.pkgs.buildPythonApplication rec {
   '';
 
   checkPhase = ''
-    HOME=$(mktemp -d) nosetests
+    HOME=$(mktemp -d) nosetests ${lib.optionalString stdenv.isDarwin "--exclude=test_set_external_modification"}
   '';
 
   meta = with stdenv.lib; {

pkgs/applications/misc/playonlinux/default.nix

@@ -4,7 +4,7 @@
 , cabextract
 , gettext
 , glxinfo
-, gnupg1compat
+, gnupg
 , icoutils
 , imagemagick
 , netcat-gnu
@@ -32,7 +32,7 @@ let
       python2Packages.python
       gettext
       glxinfo
-      gnupg1compat
+      gnupg
       icoutils
       imagemagick
       netcat-gnu

pkgs/applications/misc/tilix/default.nix

@@ -4,13 +4,13 @@
 
 stdenv.mkDerivation rec {
   pname = "tilix";
-  version = "1.9.0";
+  version = "1.9.3";
 
   src = fetchFromGitHub {
     owner = "gnunn1";
     repo = "tilix";
     rev = version;
-    sha256 = "1k8hqpq6bzmn06b4s8c257n37ghgp3fl7l9g6fy0giwk1x0ix735";
+    sha256 = "0mg9y4xd2pnv0smibg7dyy733jarvx6qpdqap3sj7fpyni0jvpph";
   };
 
   nativeBuildInputs = [

pkgs/applications/misc/tzupdate/default.nix

@@ -5,11 +5,11 @@ let
 in
 buildPythonApplication rec {
   pname = "tzupdate";
-  version = "1.3.1";
+  version = "1.4.0";
 
   src = fetchPypi {
     inherit pname version;
-    sha256 = "085kp4v9ijhkfvr0r5rzn4z7nrkb2qig05j0bajb0gkgynwf8wnz";
+    sha256 = "1sc3z2bx2nhnxg82x0jy19pr8lw56chbr90c2lr11w495csqwhz7";
   };
 
   propagatedBuildInputs = [ requests ];

pkgs/applications/misc/zathura/core/default.nix

@@ -32,15 +32,15 @@ stdenv.mkDerivation rec {
   ] ++ optional synctexSupport "-Dsynctex=enabled";
 
   nativeBuildInputs = [
-    meson ninja pkgconfig appstream-glib desktop-file-utils python3.pkgs.sphinx
+    meson ninja pkgconfig desktop-file-utils python3.pkgs.sphinx
     gettext makeWrapper libxml2
-  ];
+  ] ++ optional stdenv.isLinux appstream-glib;
 
   buildInputs = [
-    gtk girara libintl libseccomp
+    gtk girara libintl sqlite glib file librsvg
-    sqlite glib file librsvg
   ] ++ optional synctexSupport texlive.bin.core
-    ++ optional stdenv.isDarwin [ gtk-mac-integration ];
+    ++ optional stdenv.isLinux libseccomp
+    ++ optional stdenv.isDarwin gtk-mac-integration;
 
   meta = {
     homepage = https://pwmt.org/projects/zathura/;

pkgs/applications/misc/zathura/default.nix

@@ -1,5 +1,6 @@
 { config, pkgs
-, useMupdf ? config.zathura.useMupdf or true
+# zathura_pdf_mupdf fails to load _opj_create_decompress at runtime on Darwin (https://github.com/NixOS/nixpkgs/pull/61295#issue-277982980)
+, useMupdf ? config.zathura.useMupdf or (!pkgs.stdenv.isDarwin)
 , synctexSupport ? true }:
 
 let

pkgs/applications/misc/zathura/pdf-mupdf/default.nix

@@ -21,9 +21,7 @@ stdenv.mkDerivation rec {
 
   buildInputs = [
     zathura_core girara mupdf cairo
-  ] ++ stdenv.lib.optional stdenv.isDarwin [
+  ] ++ lib.optional stdenv.isDarwin gtk-mac-integration;
-    gtk-mac-integration
-  ];
 
   PKG_CONFIG_ZATHURA_PLUGINDIR= "lib/zathura";
 

pkgs/applications/networking/p2p/qbittorrent/default.nix

@@ -10,13 +10,13 @@ with stdenv.lib;
 
 stdenv.mkDerivation rec {
   name = "qbittorrent-${version}";
-  version = "4.1.5";
+  version = "4.1.6";
 
   src = fetchFromGitHub {
     owner = "qbittorrent";
     repo = "qbittorrent";
     rev = "release-${version}";
-    sha256 = "09zcygaxfv9g6av0vsvlyzv4v65wvj766xyfx31yz5ig3xan6ak1";
+    sha256 = "1y9kv84sy5fg64wbl4xpm8qh0hjba7ibk045cazp0m736rjmxk8c";
   };
 
   # NOTE: 2018-05-31: CMake is working but it is not officially supported

pkgs/applications/networking/p2p/tixati/default.nix

@@ -2,11 +2,11 @@
 
 stdenv.mkDerivation rec {
   name = "tixati-${version}";
-  version = "2.59";
+  version = "2.61";
 
   src = fetchurl {
     url = "https://download2.tixati.com/download/tixati-${version}-1.x86_64.manualinstall.tar.gz";
-    sha256 = "0vf5y9kj2g7psgdzv2r46jdh5krdps838ca4wwwxi0dd1mwa65my";
+    sha256 = "05f8lcsac2mr90bhk999qkj8wwd6igdl07389bqrd1ydjasacl2k";
   };
 
   installPhase = ''

pkgs/applications/networking/sniffers/wireshark/default.nix

@@ -14,7 +14,8 @@ let
   variant = if withQt then "qt" else "cli";
 
 in stdenv.mkDerivation {
-  name = "wireshark-${variant}-${version}";
+  pname = "wireshark-${variant}";
+  inherit version;
   outputs = [ "out" "dev" ];
 
   src = fetchurl {
@@ -24,7 +25,6 @@ in stdenv.mkDerivation {
 
   cmakeFlags = [
     "-DBUILD_wireshark=${if withQt then "ON" else "OFF"}"
-    "-DENABLE_QT5=${if withQt then "ON" else "OFF"}"
     "-DENABLE_APPLICATION_BUNDLE=${if withQt && stdenv.isDarwin then "ON" else "OFF"}"
   ];
 
@@ -95,6 +95,8 @@ in stdenv.mkDerivation {
 
   enableParallelBuilding = true;
 
+  dontFixCmake = true;
+
   shellHook = ''
     # to be able to run the resulting binary
     export WIRESHARK_RUN_FROM_BUILD_DIRECTORY=1

pkgs/applications/networking/syncthing/default.nix

@@ -3,14 +3,14 @@
 let
   common = { stname, target, postInstall ? "" }:
     buildGoPackage rec {
-      version = "1.1.1";
+      version = "1.1.3";
       name = "${stname}-${version}";
 
       src = fetchFromGitHub {
         owner  = "syncthing";
         repo   = "syncthing";
         rev    = "v${version}";
-        sha256 = "1nkc4ivc8mg9c1njqlkhb9i5f4c1via1rdqfbhwgkj86s6cnxrg7";
+        sha256 = "00jshqa0nkwj06bfq16p359ss6nl6h49s31hag79wl9gwkca38va";
       };
 
       goPackagePath = "github.com/syncthing/syncthing";

pkgs/applications/science/biology/eggnog-mapper/default.nix

@@ -12,8 +12,8 @@ python27Packages.buildPythonApplication rec {
   };
 
   patches = (fetchpatch {
-    url = https://github.com/eggnogdb/eggnog-mapper/pull/125/commits/b7828e4c8c1c453e391aef050f06ff3f84ff9faf.patch;
+    url = "https://github.com/eggnogdb/eggnog-mapper/commit/6972f601ade85b65090efca747d2302acb58507f.patch";
-    sha256 = "0nz1a7ybm4j5c7vdm3annnxz9036iam2044hia341a0am9wydmzk";
+    sha256 = "0abnmn0bh11jihf5d3cggiild1ykawzv5f5fhb4cyyi8fvy4hcxf";
   });
 
   buildInputs = [ makeWrapper ];

pkgs/applications/science/logic/symbiyosys/default.nix

@@ -1,4 +1,4 @@
-{ stdenv, fetchFromGitHub, yosys, python3 }:
+{ stdenv, fetchFromGitHub, yosys, bash, python3 }:
 
 stdenv.mkDerivation rec {
   name = "symbiyosys-${version}";
@@ -26,6 +26,9 @@ stdenv.mkDerivation rec {
     substituteInPlace $out/bin/sby \
       --replace "##yosys-sys-path##" \
                 "sys.path += [p + \"/share/yosys/python3/\" for p in [\"$out\", \"${yosys}\"]]"
+    substituteInPlace $out/share/yosys/python3/sby_core.py \
+      --replace "/bin/bash" \
+                "${bash}/bin/bash"
   '';
   meta = {
     description = "Tooling for Yosys-based verification flows";

pkgs/applications/science/math/cbc/default.nix

@@ -1,11 +1,12 @@
 { lib, stdenv, fetchurl, zlib, bzip2 }:
 
-stdenv.mkDerivation {
+stdenv.mkDerivation rec {
-  name = "cbc-2.9.9";
+  pname = "cbc";
+  version = "2.10.2";
 
   src = fetchurl {
-    url = "https://www.coin-or.org/download/source/Cbc/Cbc-2.9.9.tgz";
+    url = "https://www.coin-or.org/download/source/Cbc/Cbc-${version}.tgz";
-    sha256 = "1w8axdzm05xf5y13c31w7rc5z6ywxqxiwafnxcq3p195kgj0915a";
+    sha256 = "0frbxkh6nbh46kaxsx5bmzridgip3v7aq75l8yak5npiiq4jlwv3";
   };
 
   configureFlags = [ "-C" ];
@@ -23,6 +24,7 @@ stdenv.mkDerivation {
     license = lib.licenses.epl10;
     maintainers = [ lib.maintainers.eelco ];
     platforms = lib.platforms.linux ++ lib.platforms.darwin;
+    broken = stdenv.isAarch64; # Missing <immintrin.h> after 2.10.0
     description = "A mixed integer programming solver";
   };
 }

pkgs/applications/science/math/pynac/default.nix

@@ -9,14 +9,14 @@
 }:
 
 stdenv.mkDerivation rec {
-  version = "0.7.24";
+  version = "0.7.25";
   pname = "pynac";
 
   src = fetchFromGitHub {
     owner = "pynac";
     repo = "pynac";
     rev = "pynac-${version}";
-    sha256 = "0i3qxww28576jim0abgkqy9mi2k0lfllgyx8xpfqsqb75ai970ik";
+    sha256 = "0nnifvg6kzx0lq6gz7znind8g30v3d2pjfwgsdiks3vv9kv9nbj3";
   };
 
   buildInputs = [

pkgs/applications/version-management/git-and-tools/fast-export/default.nix

@@ -1,41 +1,42 @@
-{stdenv, fetchgit, mercurial, makeWrapper, subversion}:
+{stdenv, fetchgit, mercurial, makeWrapper}:
 
-with stdenv.lib;
+stdenv.mkDerivation rec {
-stdenv.mkDerivation {
+  pname = "fast-export";
-  name = "fast-export";
+  version = "190107";
 
   src = fetchgit {
     url = git://repo.or.cz/fast-export.git;
-    rev = "d202200fd9daa75cdb37d4cf067d4ca00e269535";
+    rev = "v${version}";
-    sha256 = "0m4llsg9rx4sza1kf39kxsdvhi6y87a18wm5k19c5r2h3vpylwcc";
+    sha256 = "14azfps9jd5anivcvfwflgsvqdyy6gm9jy284kzx2ng9f7871d14";
   };
 
-  buildInputs = [mercurial.python mercurial makeWrapper subversion];
+  buildInputs = [mercurial.python mercurial makeWrapper];
 
-  dontBuild = true; # skip svn for now
-
-  # TODO also support svn stuff
-  # moving .py files into lib directory so that you can't pick the wrong file from PATH.
-  # This requires redefining ROOT
   installPhase = ''
-    sed -i "s@/usr/bin/env.*@$(type -p python)@" *.py
+    binPath=$out/bin
-    l=$out/libexec/git-fast-export
+    libexecPath=$out/libexec/${pname}
-    mkdir -p $out/{bin,doc/git-fast-export} $l
+    sitepackagesPath=$out/${mercurial.python.sitePackages}
-    sed -i "s@ROOT=.*@ROOT=$l@" *.sh
+    mkdir -p $binPath $libexecPath $sitepackagesPath
-    mv *.sh $out/bin
+
-    mv *.py $l
+    # Patch shell scripts so they can execute the Python scripts
-    for p in $out/bin/*.sh; do
+    sed -i "s|ROOT=.*|ROOT=$libexecPath|" *.sh
-      wrapProgram $p \
+
-        --prefix PYTHONPATH : "$(echo ${mercurial}/lib/python*/site-packages):$(echo ${mercurial.python}/lib/python*/site-packages)${stdenv.lib.concatMapStrings (x: ":$(echo ${x}/lib/python*/site-packages)") mercurial.pythonPackages or []}" \
+    mv hg-fast-export.sh hg-reset.sh $binPath
-        --prefix PATH : "$(dirname $(type -p python))":$l
+    mv hg-fast-export.py hg-reset.py $libexecPath
+    mv hg2git.py pluginloader plugins $sitepackagesPath
+
+    for script in $out/bin/*.sh; do
+      wrapProgram $script \
+        --prefix PATH : "${mercurial.python}/bin":$libexec \
+        --prefix PYTHONPATH : "${mercurial}/${mercurial.python.sitePackages}":$sitepackagesPath
     done
   '';
 
-  meta = {
+  meta = with stdenv.lib; {
-    description = "Import svn, mercurial into git";
+    description = "Import mercurial into git";
     homepage = https://repo.or.cz/w/fast-export.git;
     license = licenses.gpl2;
     maintainers = [ maintainers.koral ];
-    platforms = stdenv.lib.platforms.unix;
+    platforms = platforms.unix;
   };
 }

pkgs/applications/version-management/git-and-tools/git-crypt/default.nix

@@ -1,4 +1,4 @@
-{ fetchFromGitHub, git, gnupg1compat, makeWrapper, openssl, stdenv }:
+{ fetchFromGitHub, git, gnupg, makeWrapper, openssl, stdenv }:
 
 stdenv.mkDerivation rec {
   name = "git-crypt-${version}";
@@ -21,7 +21,7 @@ stdenv.mkDerivation rec {
 
   installPhase = ''
     make install PREFIX=$out
-    wrapProgram $out/bin/* --prefix PATH : $out/bin:${git}/bin:${gnupg1compat}/bin
+    wrapProgram $out/bin/* --prefix PATH : $out/bin:${git}/bin:${gnupg}/bin
   '';
 
   meta = with stdenv.lib; {

pkgs/applications/version-management/git-and-tools/git-remote-gcrypt/default.nix

@@ -1,5 +1,5 @@
 { stdenv, fetchFromGitHub, docutils, makeWrapper
-, gnupg1compat, curl, rsync, coreutils
+, gnupg, curl, rsync, coreutils
 , gawk, gnused, gnugrep
 }:
 
@@ -22,7 +22,7 @@ stdenv.mkDerivation rec {
   installPhase = ''
     prefix="$out" ./install.sh
     wrapProgram "$out/bin/git-remote-gcrypt" \
-      --prefix PATH ":" "${stdenv.lib.makeBinPath [ gnupg1compat curl rsync coreutils
+      --prefix PATH ":" "${stdenv.lib.makeBinPath [ gnupg curl rsync coreutils
                                                     gawk gnused gnugrep ]}"
   '';
 

pkgs/applications/version-management/git-and-tools/svn-all-fast-export/default.nix

@@ -1,7 +1,7 @@
 { stdenv, fetchFromGitHub, qmake, qtbase, qttools, subversion, apr }:
 
 let
-  version = "1.0.13";
+  version = "1.0.16";
 in
 stdenv.mkDerivation {
   name = "svn-all-fast-export-${version}";
@@ -10,7 +10,7 @@ stdenv.mkDerivation {
     owner = "svn-all-fast-export";
     repo = "svn2git";
     rev = version;
-    sha256 = "0f1qj0c4cdq46mz54wcy17g7rq1fy2q0bq3sswhr7r5a2s433x4f";
+    sha256 = "1xs3gngjkna458liaqjsc8ryld03mdmvycnkzwsgyzfxsgjx1i3l";
   };
 
   nativeBuildInputs = [ qmake qttools ];

pkgs/applications/version-management/src/default.nix

@@ -2,20 +2,21 @@
 
 stdenv.mkDerivation rec {
   name = "src-${version}";
-  version = "1.24";
+  version = "1.25";
 
   src = fetchurl {
     url = "http://www.catb.org/~esr/src/${name}.tar.gz";
-    sha256 = "0n9j2mywbm8c7mc5b3m7dvn6gff88wwwaygk4y1jivpg1f6s3k3l";
+    sha256 = "0qd10w8fwbrgaj8sx49q6cfhqq3ylhwn7nl9v6kxi1yjlw2p098p";
   };
 
-  buildInputs = [ python rcs git makeWrapper ];
+  nativeBuildInputs = [ makeWrapper ];
+  buildInputs = [ python rcs git ];
 
   preConfigure = ''
     patchShebangs .
   '';
 
-  makeFlags = [ "prefix=$(out)" ];
+  makeFlags = [ "prefix=${placeholder "out"}" ];
 
   postInstall = ''
     wrapProgram $out/bin/src \
@@ -32,8 +33,9 @@ stdenv.mkDerivation rec {
       will seem familiar to Subversion/Git/hg users, and no binary blobs
       anywhere.
     '';
-    homepage = http://www.catb.org/esr/src/;
+    homepage = "http://www.catb.org/esr/src/";
-    license = licenses.bsd3;
+    changelog = "https://gitlab.com/esr/src/raw/${version}/NEWS";
+    license = licenses.bsd2;
     platforms = platforms.all;
     maintainers = with maintainers; [ calvertvl AndersonTorres ];
   };

pkgs/applications/video/mkclean/default.nix

@@ -0,0 +1,37 @@
+{ dos2unix, fetchurl, stdenv }:
+
+stdenv.mkDerivation rec {
+  pname = "mkclean";
+  version = "0.8.10";
+
+  hardeningDisable = [ "format" ];
+  nativeBuildInputs = [ dos2unix ];
+
+  src = fetchurl {
+    url = "mirror://sourceforge/matroska/${pname}-${version}.tar.bz2";
+    sha256 = "0zbpi4sm68zb20d53kbss93fv4aafhcmz7dsd0zdf01vj1r3wxwn";
+  };
+
+  configurePhase = ''
+    dos2unix ./mkclean/configure.compiled
+    ./mkclean/configure.compiled
+  '';
+
+  buildPhase = ''
+    make -C mkclean
+  '';
+
+  installPhase = ''
+    mkdir -p $out/{bin,lib}
+    mv release/gcc_linux_*/*.* $out/lib
+    mv release/gcc_linux_*/* $out/bin
+  '';
+
+  meta = with stdenv.lib; {
+    description = "mkclean is a command line tool to clean and optimize Matroska (.mkv / .mka / .mks / .mk3d) and WebM (.webm / .weba) files that have already been muxed.";
+    homepage = "https://www.matroska.org";
+    license = licenses.bsdOriginal;
+    maintainers = with maintainers; [ chrisaw ];
+    platforms = [ "i686-linux" "x86_64-linux" ];
+  };
+}

pkgs/applications/virtualization/rkt/default.nix

@@ -1,4 +1,4 @@
-{ stdenv, lib, autoreconfHook, acl, go, file, git, wget, gnupg1, trousers, squashfsTools,
+{ stdenv, lib, autoreconfHook, acl, go, file, git, wget, gnupg, trousers, squashfsTools,
   cpio, fetchurl, fetchFromGitHub, iptables, systemd, makeWrapper, glibc }:
 
 let
@@ -30,7 +30,7 @@ in stdenv.mkDerivation rec {
 
   buildInputs = [
     glibc.out glibc.static
-    autoreconfHook go file git wget gnupg1 trousers squashfsTools cpio acl systemd
+    autoreconfHook go file git wget gnupg trousers squashfsTools cpio acl systemd
     makeWrapper
   ];
 

pkgs/applications/window-managers/i3/wk-switch.nix

@@ -1,18 +1,17 @@
-{ stdenv, fetchFromGitHub, python2Packages }:
+{ stdenv, fetchFromGitHub, python3Packages }:
 
-python2Packages.buildPythonApplication rec {
+python3Packages.buildPythonApplication rec {
   pname = "i3-wk-switch";
-  version = "2017-08-21";
+  version = "2019-05-10";
 
-  # https://github.com/tmfink/i3-wk-switch/commit/484f840bc4c28ddc60fa3be81e2098f7689e78fb
   src = fetchFromGitHub {
     owner = "tmfink";
     repo = pname;
-    rev = "484f840";
+    rev = "05a2d5d35e9841d2a26630f1866fc0a0e8e708eb";
-    sha256 = "0nrc13ld5bx07wrgnpzgpbaixb4rpi93xiapvyb8srd49fj9pcmb";
+    sha256 = "0ln192abdqrrs7rdazp9acbji2y6pf68z2d1by4nf2q529dh24dc";
   };
 
-  propagatedBuildInputs = with python2Packages; [ i3-py ];
+  propagatedBuildInputs = with python3Packages; [ i3ipc ];
 
   dontBuild = true;
   doCheck = false;
@@ -23,7 +22,7 @@ python2Packages.buildPythonApplication rec {
   '';
 
   meta = with stdenv.lib; {
-    description = "XMonad-like workspace switching for i3";
+    description = "XMonad-like workspace switching for i3 and sway";
     maintainers = with maintainers; [ synthetica ];
     platforms = platforms.linux;
     license = licenses.mit;

pkgs/build-support/docker/default.nix

@@ -216,7 +216,7 @@ rec {
         find image/$extractionID/layer -name ".wh.*" -exec bash -c 'name="$(basename {}|sed "s/^.wh.//")"; mknod "$(dirname {})/$name" c 0 0; rm {}' \;
 
         # Get the next lower directory and continue the loop.
-        lowerdir=$lowerdir''${lowerdir:+:}image/$extractionID/layer
+        lowerdir=image/$extractionID/layer''${lowerdir:+:}$lowerdir
       done
 
       mkdir work
@@ -585,9 +585,9 @@ rec {
           layerID=$(sha256sum "$layer/json" | cut -d ' ' -f 1)
           ln -s "$layer" "./image/$layerID"
 
-          manifestJson=$(echo "$manifestJson" | jq ".[0].Layers |= [\"$layerID/layer.tar\"] + .")
+          manifestJson=$(echo "$manifestJson" | jq ".[0].Layers |= . + [\"$layerID/layer.tar\"]")
-          imageJson=$(echo "$imageJson" | jq ".history |= [{\"created\": \"$(jq -r .created ${configJson})\"}] + .")
+          imageJson=$(echo "$imageJson" | jq ".history |= . + [{\"created\": \"$(jq -r .created ${configJson})\"}]")
-          imageJson=$(echo "$imageJson" | jq ".rootfs.diff_ids |= [\"sha256:$layerChecksum\"] + .")
+          imageJson=$(echo "$imageJson" | jq ".rootfs.diff_ids |= . + [\"sha256:$layerChecksum\"]")
         done
         imageJsonChecksum=$(echo "$imageJson" | sha256sum | cut -d ' ' -f1)
         echo "$imageJson" > "image/$imageJsonChecksum.json"
@@ -779,23 +779,24 @@ rec {
         # Use the temp folder we've been working on to create a new image.
         mv temp image/$layerID
 
-        # Add the new layer ID to the beginning of the layer list
+        # Add the new layer ID to the end of the layer list
         (
+          cat layer-list
           # originally this used `sed -i "1i$layerID" layer-list`, but
           # would fail if layer-list was completely empty.
           echo "$layerID/layer.tar"
-          cat layer-list
         ) | ${pkgs.moreutils}/bin/sponge layer-list
 
         # Create image json and image manifest
         imageJson=$(cat ${baseJson} | jq ". + {\"rootfs\": {\"diff_ids\": [], \"type\": \"layers\"}}")
         manifestJson=$(jq -n "[{\"RepoTags\":[\"$imageName:$imageTag\"]}]")
 
-        for layerTar in $(tac ./layer-list); do
+        for layerTar in $(cat ./layer-list); do
           layerChecksum=$(sha256sum image/$layerTar | cut -d ' ' -f1)
-          imageJson=$(echo "$imageJson" | jq ".history |= [{\"created\": \"$(jq -r .created ${baseJson})\"}] + .")
+          imageJson=$(echo "$imageJson" | jq ".history |= . + [{\"created\": \"$(jq -r .created ${baseJson})\"}]")
-          imageJson=$(echo "$imageJson" | jq ".rootfs.diff_ids |= [\"sha256:$layerChecksum\"] + .")
+          # diff_ids order is from the bottom-most to top-most layer
-          manifestJson=$(echo "$manifestJson" | jq ".[0].Layers |= [\"$layerTar\"] + .")
+          imageJson=$(echo "$imageJson" | jq ".rootfs.diff_ids |= . + [\"sha256:$layerChecksum\"]")
+          manifestJson=$(echo "$manifestJson" | jq ".[0].Layers |= . + [\"$layerTar\"]")
         done
 
         imageJsonChecksum=$(echo "$imageJson" | sha256sum | cut -d ' ' -f1)

pkgs/build-support/docker/examples.nix

@@ -187,4 +187,43 @@ rec {
     runAsRoot = "touch /example-file";
     fromImage = bash;
   };
+
+  # 13. example of 3 layers images This image is used to verify the
+  # order of layers is correct.
+  # It allows to validate
+  # - the layer of parent are below
+  # - the order of parent layer is preserved at image build time
+  #   (this is why there are 3 images)
+  layersOrder = let
+    l1 = pkgs.dockerTools.buildImage {
+      name = "l1";
+      tag = "latest";
+      extraCommands = ''
+        mkdir -p tmp
+        echo layer1 > tmp/layer1
+        echo layer1 > tmp/layer2
+        echo layer1 > tmp/layer3
+      '';
+    };
+    l2 = pkgs.dockerTools.buildImage {
+      name = "l2";
+      fromImage = l1;
+      tag = "latest";
+      extraCommands = ''
+        mkdir -p tmp
+        echo layer2 > tmp/layer2
+        echo layer2 > tmp/layer3
+      '';
+    };
+  in pkgs.dockerTools.buildImage {
+    name = "l3";
+    fromImage = l2;
+    tag = "latest";
+    contents = [ pkgs.coreutils ];
+    extraCommands = ''
+      mkdir -p tmp
+      echo layer3 > tmp/layer3
+    '';
+  };
+
 }

pkgs/data/fonts/agave/default.nix

@@ -1,24 +1,21 @@
-{ stdenv, fetchurl }:
+{ lib, fetchurl }:
 
-stdenv.mkDerivation rec {
+let
   pname = "agave";
   version = "009";
-
+in fetchurl {
-  src = fetchurl {
+  name = "${pname}-${version}";
   url = "https://github.com/agarick/agave/releases/download/v${version}/agave-r.ttf";
-    sha256 = "05766gp2glm1p2vknk1nncxigq28hg8s58kjwsbn8zpwy8ivywpk";
-  };
 
-  sourceRoot = ".";
+  downloadToTemp = true;
-
+  recursiveHash = true;
-  unpackPhase = ":";
+  postFetch = ''
-  dontBuild = true;
+    install -D $downloadedFile $out/share/fonts/truetype/agave-r.ttf
-  installPhase = ''
-    mkdir -p $out/share/fonts/truetype
-    cp $src $out/share/fonts/truetype/
   '';
 
-  meta = with stdenv.lib; {
+  sha256 = "16qvz3zpwiq2nw0gxygva5pssswcia5xp0q6ir5jfkackvqf3fql";
+
+  meta = with lib; {
     description = "truetype monospaced typeface designed for X environments";
     homepage = https://b.agaric.net/page/agave;
     license = licenses.mit;

pkgs/data/fonts/aileron/default.nix

@@ -1,4 +1,4 @@
-{ stdenv,  fetchzip }:
+{ lib, fetchzip }:
 
 let
   majorVersion = "0";
@@ -17,7 +17,7 @@ fetchzip rec {
     unzip -j $downloadedFile \*.otf  -d $out/share/fonts/opentype/${pname}
   '';
 
-  meta = with stdenv.lib; {
+  meta = with lib; {
     homepage = "http://dotcolon.net/font/${pname}/";
     description = "A helvetica font in nine weights";
     platforms = platforms.all;

pkgs/data/fonts/andagii/default.nix

@@ -1,4 +1,4 @@
-{ stdenv, fetchzip }:
+{ lib, fetchzip }:
 
 let
   version = "1.0.2";
@@ -17,7 +17,7 @@ in fetchzip {
   # There are multiple claims that the font is GPL, so I include the
   # package; but I cannot find the original source, so use it on your
   # own risk Debian claims it is GPL - good enough for me.
-  meta = with stdenv.lib; {
+  meta = with lib; {
     homepage = http://www.i18nguy.com/unicode/unicode-font.html;
     description = "Unicode Plane 1 Osmanya script font";
     maintainers = with maintainers; [ raskin rycee ];

pkgs/data/fonts/andika/default.nix

@@ -1,4 +1,4 @@
-{stdenv, fetchzip}:
+{ lib, fetchzip }:
 
 let
   version = "5.000";
@@ -16,7 +16,7 @@ in
 
     sha256 = "1jy9vpcprpd1k48p20wh6jhyn909ibia8lr5i747p41l0s8a7lqy";
 
-    meta = with stdenv.lib; {
+    meta = with lib; {
       homepage = https://software.sil.org/andika;
       description = "A family designed especially for literacy use taking into account the needs of beginning readers";
       longDescription = ''

pkgs/data/fonts/ankacoder/condensed.nix

@@ -1,4 +1,4 @@
-{ stdenv, fetchzip }:
+{ lib, fetchzip }:
 
 let version = "1.100"; in
 fetchzip rec {
@@ -13,7 +13,7 @@ fetchzip rec {
 
   sha256 = "0i80zpr2y9368rg2i6x8jv0g7d03kdyr5h7w9yz7pjd7i9xd8439";
 
-  meta = with stdenv.lib; {
+  meta = with lib; {
     description = "Anka/Coder Condensed font";
     homepage = https://code.google.com/archive/p/anka-coder-fonts;
     license = licenses.ofl;

pkgs/data/fonts/ankacoder/default.nix

@@ -1,4 +1,4 @@
-{ stdenv, fetchzip }:
+{ lib, fetchzip }:
 
 let version = "1.100"; in
 fetchzip rec {
@@ -13,7 +13,7 @@ fetchzip rec {
 
   sha256 = "1jqx9micfmiarqh9xp330gl96v3vxbwzz9cmg2vi845n9md4im85";
 
-  meta = with stdenv.lib; {
+  meta = with lib; {
     description = "Anka/Coder fonts";
     homepage = https://code.google.com/archive/p/anka-coder-fonts;
     license = licenses.ofl;

pkgs/data/fonts/anonymous-pro/default.nix

@@ -1,4 +1,4 @@
-{ stdenv, fetchzip }:
+{ lib, fetchzip }:
 
 let
   version = "1.002";
@@ -13,7 +13,7 @@ in fetchzip rec {
   '';
   sha256 = "05rgzag38qc77b31sm5i2vwwrxbrvwzfsqh3slv11skx36pz337f";
 
-  meta = with stdenv.lib; {
+  meta = with lib; {
     homepage = https://www.marksimonson.com/fonts/view/anonymous-pro;
     description = "TrueType font set intended for source code";
     longDescription = ''

pkgs/data/fonts/arkpandora/default.nix

@@ -1,4 +1,4 @@
-{ stdenv, fetchurl }:
+{ lib, fetchurl }:
 
 let
   version = "2.04";
@@ -21,6 +21,5 @@ in fetchurl {
 
   meta = {
     description = "Font, metrically identical to Arial and Times New Roman";
-    platforms = stdenv.lib.platforms.unix;
   };
 }

pkgs/data/fonts/arphic/default.nix

@@ -1,4 +1,4 @@
-{ stdenv, fetchzip, mkfontscale, mkfontdir }:
+{ lib, fetchzip, mkfontscale, mkfontdir }:
 
 let
   version = "0.2.20080216.2";
@@ -18,7 +18,7 @@ in {
 
     sha256 = "0xi5ycm7ydzpn7cqxv1kcj9vd70nr9wn8v27hmibyjc25y2qdmzl";
 
-    meta = with stdenv.lib; {
+    meta = with lib; {
       description = "CJK Unicode font Kai style";
       homepage = https://www.freedesktop.org/wiki/Software/CJKUnifonts/;
 
@@ -43,7 +43,7 @@ in {
 
     sha256 = "16jybvj1cxamm682caj6nsm6l5c60x9mgchp1l2izrw2rvc8x38d";
 
-    meta = with stdenv.lib; {
+    meta = with lib; {
       description = "CJK Unicode font Ming style";
       homepage = https://www.freedesktop.org/wiki/Software/CJKUnifonts/;
 

pkgs/data/fonts/aurulent-sans/default.nix

@@ -1,12 +1,13 @@
-{stdenv, fetchzip}:
+{ lib, fetchFromGitHub }:
 
-fetchzip rec {
+fetchFromGitHub rec {
   name = "aurulent-sans-0.1";
-
+  owner = "deepfire";
-  url = "https://github.com/deepfire/hartke-aurulent-sans/archive/${name}.zip";
+  repo = "hartke-aurulent-sans";
+  rev = name;
   postFetch = ''
     mkdir -p $out/share/fonts
-    unzip -j $downloadedFile \*.otf -d $out/share/fonts/opentype
+    tar xf $downloadedFile -C $out/share/fonts --strip=1
   '';
   sha256 = "1l60psfv9x0x9qx9vp1qnhmck7a7kks385m5ycrd3d91irz1j5li";
 
@@ -14,8 +15,8 @@ fetchzip rec {
     description = "Aurulent Sans";
     longDescription = "Aurulent Sans is a humanist sans serif intended to be used as an interface font.";
     homepage = http://delubrum.org/;
-    maintainers = with stdenv.lib.maintainers; [ deepfire ];
+    maintainers = with lib.maintainers; [ deepfire ];
-    license = stdenv.lib.licenses.ofl;
+    license = lib.licenses.ofl;
-    platforms = stdenv.lib.platforms.all;
+    platforms = lib.platforms.all;
   };
 }

pkgs/data/fonts/b612/default.nix

@@ -1,20 +1,21 @@
-{ stdenv, fetchzip, lib }:
+{ lib, fetchFromGitHub }:
 
 let
   version = "1.008";
   pname = "b612";
-in
+in fetchFromGitHub {
-
-fetchzip rec {
   name = "${pname}-font-${version}";
-  url = "https://github.com/polarsys/b612/archive/${version}.zip";
+  owner = "polarsys";
-  sha256 = "0r3lana1q9w3siv8czb3p9rrb5d9svp628yfbvvmnj7qvjrmfsiq";
+  repo = "b612";
+  rev = version;
   postFetch = ''
+    tar xf $downloadedFile --strip=1
     mkdir -p $out/share/fonts/truetype/${pname}
-    unzip -j $downloadedFile \*.ttf -d $out/share/fonts/truetype/${pname}
+    cp fonts/ttf/*.ttf $out/share/fonts/truetype/${pname}
   '';
+  sha256 = "0r3lana1q9w3siv8czb3p9rrb5d9svp628yfbvvmnj7qvjrmfsiq";
 
-  meta = with stdenv.lib; {
+  meta = with lib; {
     homepage = http://b612-font.com/;
     description = "Highly legible font family for use on aircraft cockpit screens";
     longDescription = ''

pkgs/data/fonts/babelstone-han/default.nix

@@ -1,7 +1,7 @@
-{stdenv, fetchzip}:
+{ lib, fetchzip }:
 
 let
-  version = "11.0.3";
+  version = "12.1.4";
 in fetchzip {
   name = "babelstone-han-${version}";
 
@@ -10,9 +10,9 @@ in fetchzip {
     mkdir -p $out/share/fonts/truetype
     unzip $downloadedFile '*.ttf' -d $out/share/fonts/truetype
   '';
-  sha256 = "0c8s21kllyilwivrb8gywq818y67w3zpann34hz36vy0wyiswn1c";
+  sha256 = "1fypwk2i87jfrckvxg9wz4x84z7c6ifgzrjb8fylhac50lzi6kni";
 
-  meta = with stdenv.lib; {
+  meta = with lib; {
     description = "Unicode CJK font with over 36000 Han characters";
     homepage = http://www.babelstone.co.uk/Fonts/Han.html;
 

pkgs/data/fonts/baekmuk-ttf/default.nix

@@ -1,4 +1,4 @@
-{ stdenv, fetchzip }:
+{ lib, fetchzip }:
 
 fetchzip rec {
   name = "baekmuk-ttf-2.2";
@@ -6,9 +6,8 @@ fetchzip rec {
   url = "http://kldp.net/baekmuk/release/865-${name}.tar.gz";
   postFetch = ''
     tar -xzvf $downloadedFile --strip-components=1
-    mkdir -p $out/share/fonts $out/share/doc/${name}
+    install -m444 -Dt $out/share/fonts        ttf/*.ttf
-    cp ttf/*.ttf  $out/share/fonts
+    install -m444 -Dt $out/share/doc/${name}  COPYRIGHT*
-    cp COPYRIGHT* $out/share/doc/${name}
   '';
   sha256 = "1jgsvack1l14q8lbcv4qhgbswi30mf045k37rl772hzcmx0r206g";
 
@@ -16,7 +15,6 @@ fetchzip rec {
     description = "Korean font";
     homepage = http://kldp.net/projects/baekmuk/;
     license = "BSD-like";
-    platforms = stdenv.lib.platforms.linux;
   };
 }
 

pkgs/data/fonts/bakoma-ttf/default.nix

@@ -1,4 +1,4 @@
-{stdenv, fetchzip}:
+{ lib, fetchzip }:
 
 fetchzip {
   name = "bakoma-ttf";
@@ -16,6 +16,5 @@ fetchzip {
   meta = {
     description = "TrueType versions of the Computer Modern and AMS TeX Fonts";
     homepage = http://www.ctan.org/tex-archive/fonts/cm/ps-type1/bakoma/ttf/;
-    platforms = stdenv.lib.platforms.unix;
   };
 }

pkgs/data/fonts/behdad-fonts/default.nix

@@ -1,22 +1,21 @@
-{ stdenv, fetchFromGitHub }:
+{ lib, fetchFromGitHub }:
 
-stdenv.mkDerivation rec {
+let
   pname = "behdad-fonts";
   version = "0.0.3";
-
+in fetchFromGitHub rec {
-  src = fetchFromGitHub {
+  name = "${pname}-${version}";
   owner = "font-store";
   repo = "BehdadFont";
   rev = "v${version}";
-    sha256 = "0rlmyv82qmyy90zvkjnlva44ia7dyhiyk7axbq526v7zip3g79w0";
-  };
 
-  installPhase = ''
+  postFetch = ''
-    mkdir -p $out/share/fonts/behdad-fonts
+    tar xf $downloadedFile --strip=1
-    cp -v $( find . -name '*.ttf') $out/share/fonts/behdad-fonts
+    find . -name '*.ttf' -exec install -m444 -Dt $out/share/fonts/behrad-fonts {} \;
   '';
+  sha256 = "0c57232462cv1jrfn0m2bl7jzcfkacirrdd2qimrc8iqhkz0ajfz";
 
-  meta = with stdenv.lib; {
+  meta = with lib; {
     homepage = https://github.com/font-store/BehdadFont;
     description = "A Persian/Arabic Open Source Font";
     license = licenses.ofl;

pkgs/data/fonts/cabin/default.nix

@@ -1,19 +1,21 @@
-{ stdenv, fetchzip }:
+{ lib, fetchFromGitHub }:
 
-fetchzip rec {
+fetchFromGitHub rec {
   name = "cabin-1.005";
 
-  url = https://github.com/impallari/Cabin/archive/982839c790e9dc57c343972aa34c51ed3b3677fd.zip;
+  owner = "impallari";
+  repo = "Cabin";
+  rev = "982839c790e9dc57c343972aa34c51ed3b3677fd";
 
   postFetch = ''
-    mkdir -p $out/share/{doc,fonts}
+    tar xf $downloadedFile --strip=1
-    unzip -j $downloadedFile \*.otf                    -d $out/share/fonts/opentype
+    install -m444 -Dt $out/share/fonts/opentype fonts/OTF/*.otf
-    unzip -j $downloadedFile \*README.md \*FONTLOG.txt -d "$out/share/doc/${name}"
+    install -m444 -Dt $out/share/doc/${name}    README.md FONTLOG.txt
   '';
 
-  sha256 = "1ax5c2iab48qsk9zn3gjvqaib2lnlm25f1wr0aysf5ngw0y0jkrd";
+  sha256 = "1bl7h217m695jn4rbniialfk573aa44fslp2rjxnhkicakpcm44h";
 
-  meta = with stdenv.lib; {
+  meta = with lib; {
     description = "A humanist sans with 4 weights and true italics";
     longDescription = ''
       The Cabin font family is a humanist sans with 4 weights and true italics,

pkgs/data/fonts/caladea/default.nix

@@ -1,4 +1,4 @@
-{stdenv, fetchzip}:
+{ lib, fetchzip }:
 
 let
   version = "20130214";
@@ -15,7 +15,7 @@ in fetchzip rec {
   '';
   sha256 = "0kwm42ggr8kvcn3554cpmv90xzam1sdncx7x3zs3bzp88mxrnv1z";
 
-  meta = with stdenv.lib; {
+  meta = with lib; {
     # This font doesn't appear to have any official web site but this
     # one provides some good information and samples.
     homepage = http://openfontlibrary.org/en/font/caladea;

pkgs/data/fonts/camingo-code/default.nix

@@ -1,4 +1,4 @@
-{ stdenv, fetchzip }:
+{ lib, fetchzip }:
 
 let
   version = "1.0";
@@ -8,14 +8,12 @@ in fetchzip rec {
   url = https://github.com/chrissimpkins/codeface/releases/download/font-collection/codeface-fonts.zip;
   postFetch = ''
     unzip $downloadedFile
-    mkdir -p $out/share/fonts/truetype
+    install -m444 -Dt $out/share/fonts/truetype fonts/camingo-code/*.ttf
-    mkdir -p $out/share/doc/${name}
+    install -m444 -Dt $out/share/doc/${name}    fonts/camingo-code/*.txt
-    cp -v fonts/camingo-code/*.ttf $out/share/fonts/truetype/
-    cp -v fonts/camingo-code/*.txt $out/share/doc/${name}/
   '';
-  sha256 = "035z2k6lwwy2bysw27pirn3vjxnj2h23nyx8jr213rb2bl0m21x1";
+  sha256 = "16iqjwwa7pnswvcc4w8nglkd0m0fz50qsz96i1kcpqip3nwwvw7y";
 
-  meta = with stdenv.lib; {
+  meta = with lib; {
     homepage = https://www.myfonts.com/fonts/jan-fromm/camingo-code/;
     description = "A monospaced typeface designed for source-code editors";
     platforms = platforms.all;

pkgs/data/fonts/carlito/default.nix

@@ -1,4 +1,4 @@
-{stdenv, fetchzip}:
+{ lib, fetchzip }:
 
 let
   version = "20130920";
@@ -17,7 +17,7 @@ in fetchzip rec {
 
   sha256 = "0d72zy6kdmxgpi63r3yvi3jh1hb7lvlgv8hgd4ag0x10dz18mbzv";
 
-  meta = with stdenv.lib; {
+  meta = with lib; {
     # This font doesn't appear to have any official web site but this
     # one provides some good information and samples.
     homepage = http://openfontlibrary.org/en/font/carlito;

pkgs/data/fonts/charis-sil/default.nix

@@ -1,4 +1,4 @@
-{stdenv, fetchzip}:
+{ lib, fetchzip }:
 
 let
   version = "5.000";
@@ -16,7 +16,7 @@ in
 
     sha256 = "1a220s8n0flvcdkazqf5g10v6r55s2an308slvvarynpj6l7x27n";
 
-    meta = with stdenv.lib; {
+    meta = with lib; {
       homepage = https://software.sil.org/charis;
       description = "A family of highly readable fonts for broad multilingual use";
       longDescription = ''

pkgs/data/fonts/clearlyU/default.nix

@@ -10,8 +10,7 @@ stdenv.mkDerivation {
 
   nativeBuildInputs = [ mkfontdir mkfontscale ];
 
-  installPhase =
+  installPhase = ''
-    ''
     mkdir -p $out/share/fonts
     cp *.bdf $out/share/fonts
     cd $out/share/fonts
@@ -26,6 +25,5 @@ stdenv.mkDerivation {
   meta = {
     description = "A Unicode font";
     maintainers = [stdenv.lib.maintainers.raskin];
-    platforms = stdenv.lib.platforms.unix;
   };
 }

pkgs/data/fonts/cm-unicode/default.nix

@@ -1,4 +1,4 @@
-{ stdenv, fetchzip }:
+{ lib, fetchzip }:
 
 let
   version = "0.7.0";
@@ -9,15 +9,13 @@ in fetchzip rec {
 
   postFetch = ''
     tar -xJvf $downloadedFile --strip-components=1
-    mkdir -p $out/share/fonts/opentype
+    install -m444 -Dt $out/share/fonts/opentype *.otf
-    mkdir -p $out/share/doc/${name}
+    install -m444 -Dt $out/share/doc/${name}    README FontLog.txt
-    cp -v *.otf $out/share/fonts/opentype/
-    cp -v README FontLog.txt $out/share/doc/${name}
   '';
 
   sha256 = "1rzz7yhqq3lljyqxbg46jfzfd09qgpgx865lijr4sgc94riy1ypn";
 
-  meta = with stdenv.lib; {
+  meta = with lib; {
     homepage = http://canopus.iacp.dvo.ru/~panov/cm-unicode/;
     description = "Computer Modern Unicode fonts";
     maintainers = with maintainers; [ raskin rycee ];

pkgs/data/fonts/comfortaa/default.nix

@@ -1,4 +1,4 @@
-{stdenv, fetchzip}:
+{ lib, fetchzip }:
 
 let
   version = "3.001";
@@ -8,13 +8,12 @@ in fetchzip rec {
   url = "https://orig00.deviantart.net/40a3/f/2017/093/d/4/comfortaa___font_by_aajohan-d1qr019.zip";
   postFetch = ''
     mkdir -p $out/share/fonts $out/share/doc
-    unzip -l $downloadedFile
     unzip -j $downloadedFile \*.ttf                        -d $out/share/fonts/truetype
     unzip -j $downloadedFile \*/FONTLOG.txt \*/donate.html -d $out/share/doc/${name}
   '';
   sha256 = "0z7xr0cnn6ghwivrm5b5awq9bzhnay3y99qq6dkdgfkfdsaz0n9h";
 
-  meta = with stdenv.lib; {
+  meta = with lib; {
     homepage = http://aajohan.deviantart.com/art/Comfortaa-font-105395949;
     description = "A clean and modern font suitable for headings and logos";
     license = licenses.ofl;

pkgs/data/fonts/comic-neue/default.nix

@@ -1,4 +1,4 @@
-{ stdenv, fetchzip }:
+{ lib, fetchzip }:
 
 let
   version = "2.2";
@@ -19,7 +19,7 @@ in fetchzip rec {
 
   sha256 = "1yypq5aqqzv3q1c6vx5130mi2iwihzzvrawhwqpwsfjl0p25sq9q";
 
-  meta = with stdenv.lib; {
+  meta = with lib; {
     homepage = http://comicneue.com/;
     description = "A casual type face: Make your lemonade stand look like a fortune 500 company";
     longDescription = ''

pkgs/data/fonts/comic-relief/default.nix

@@ -1,4 +1,4 @@
-{stdenv, fetchzip}:
+{ lib, fetchzip }:
 
 let
   version = "1.1";
@@ -18,7 +18,7 @@ in fetchzip rec {
 
   sha256 = "0dz0y7w6mq4hcmmxv6fn4mp6jkln9mzr4s96vsg68wrl5b7k9yff";
 
-  meta = with stdenv.lib; {
+  meta = with lib; {
     homepage = http://loudifier.com/comic-relief/;
     description = "A font metric-compatible with Microsoft Comic Sans";
     longDescription = ''

pkgs/data/fonts/cooper-hewitt/default.nix

@@ -1,6 +1,6 @@
-{ stdenv, fetchzip }:
+{ lib, fetchzip }:
 
-fetchzip rec {
+fetchzip {
   name = "cooper-hewitt-2014-06-09";
 
   url = https://www.cooperhewitt.org/wp-content/uploads/fonts/CooperHewitt-OTF-public.zip;
@@ -12,7 +12,7 @@ fetchzip rec {
 
   sha256 = "01iwqmjvqkc6fmc2r0486vk06s6f51n9wxzl1pf9z48n0igj4gqd";
 
-  meta = with stdenv.lib; {
+  meta = with lib; {
     homepage = https://www.cooperhewitt.org/open-source-at-cooper-hewitt/cooper-hewitt-the-typeface-by-chester-jenkins/;
     description = "A contemporary sans serif, with characters composed of modified-geometric curves and arches";
     license = licenses.ofl;

pkgs/data/fonts/corefonts/default.nix

@@ -41,12 +41,10 @@ stdenv.mkDerivation {
 
     cabextract --lowercase viewer1.cab
 
-    fontDir=$out/share/fonts/truetype
+    install -m444 -Dt $out/share/fonts/truetype *.ttf
-    mkdir -p $fontDir
-    cp *.ttf $fontDir
 
     # Also put the EULA there to be on the safe side.
-    cp ${eula} $fontDir/eula.html
+    cp ${eula} $out/share/fonts/truetype/eula.html
 
     # Set up no-op font configs to override any aliases set up by
     # other packages.

pkgs/data/fonts/crimson/default.nix

@@ -1,4 +1,4 @@
-{stdenv, fetchzip}:
+{ lib, fetchzip }:
 
 let
   version = "2014.10";
@@ -9,16 +9,13 @@ in fetchzip rec {
 
   postFetch = ''
     tar -xzvf $downloadedFile --strip-components=1
-
+    install -m444 -Dt $out/share/fonts/opentype "Desktop Fonts/OTF/"*.otf
-    mkdir -p $out/share/fonts/opentype
+    install -m444 -Dt $out/share/doc/${name}    README.md
-    mkdir -p $out/share/doc/${name}
-    cp -v "Desktop Fonts/OTF/"*.otf $out/share/fonts/opentype
-    cp -v README.md $out/share/doc/${name}
   '';
 
   sha256 = "0mg65f0ydyfmb43jqr1f34njpd10w8npw15cbb7z0nxmy4nkl842";
 
-  meta = with stdenv.lib; {
+  meta = with lib; {
     homepage = https://aldusleaf.org/crimson.html;
     description = "A font family inspired by beautiful oldstyle typefaces";
     license = licenses.ofl;

pkgs/data/fonts/culmus/default.nix

@@ -1,16 +1,12 @@
-{ stdenv, fetchzip }:
+{ lib, fetchzip }:
 
 let
   version = "0.133";
-in stdenv.mkDerivation {
+in fetchzip {
   name = "culmus-${version}";
-
-  src = fetchzip {
   url = "mirror://sourceforge/culmus/culmus/${version}/culmus-${version}.tar.gz";
-    sha256 = "0q80j3vixn364sc23hcy6098rkgy0kb4p91lky6224am1dwn2qmr";
+  postFetch = ''
-  };
+    tar xf $downloadedFile --strip=1
-
-  installPhase = ''
     mkdir -p $out/share/fonts/{truetype,type1}
     cp -v *.pfa $out/share/fonts/type1/
     cp -v *.afm $out/share/fonts/type1/
@@ -19,12 +15,13 @@ in stdenv.mkDerivation {
     cp -v *.otf $out/share/fonts/truetype/
     cp -v fonts.scale-ttf $out/share/fonts/truetype/fonts.scale
   '';
+  sha256 = "0zqqjcrqmbd4389hqz2dwymkkcxjrq9ylyriiv3gbmzl6l1ffk3g";
 
   meta = {
     description = "Culmus Hebrew fonts";
     longDescription = "The Culmus project aims at providing the Hebrew-speaking GNU/Linux and Unix community with a basic collection of Hebrew fonts for X Windows.";
-    platforms = stdenv.lib.platforms.all;
+    platforms = lib.platforms.all;
-    license = stdenv.lib.licenses.gpl2;
+    license = lib.licenses.gpl2;
     homepage = http://culmus.sourceforge.net/;
     downloadPage = http://culmus.sourceforge.net/download.html;
   };

pkgs/data/fonts/d2coding/default.nix

@@ -1,10 +1,10 @@
-{ stdenv, fetchzip, unzip }:
+{ lib, fetchzip, unzip }:
 
 let
   version = "1.3.2";
   pname = "d2codingfont";
 
-in fetchzip rec {
+in fetchzip {
   name = "${pname}-${version}";
   url = "https://github.com/naver/${pname}/releases/download/VER${version}/D2Coding-Ver${version}-20180524.zip";
 
@@ -15,7 +15,7 @@ in fetchzip rec {
 
   sha256 = "1812r82530wzfki7k9cm35fy6k2lvis7j6w0w8svc784949m1wwj";
 
-  meta = with stdenv.lib; {
+  meta = with lib; {
     description = "Monospace font with support for Korean and latin characters";
     longDescription = ''
       D2Coding is a monospace font developed by a Korean IT Company called Naver.

pkgs/data/fonts/dina-pcf/default.nix

@@ -60,6 +60,5 @@ stdenv.mkDerivation rec {
     downloadPage = https://www.donationcoder.com/Software/Jibz/Dina/;
     license = licenses.free;
     maintainers = [ maintainers.prikhi ];
-    platforms = platforms.unix;
   };
 }

pkgs/data/fonts/dina/default.nix

@@ -5,11 +5,13 @@ let
 in fetchzip rec {
   name = "dina-font-${version}";
 
-  url = "http://www.donationcoder.com/Software/Jibz/Dina/downloads/Dina.zip";
+  # `meta.homepage` has no direct download link
+  url = "https://github.com/ProgrammingFonts/ProgrammingFonts/archive/b15ef365146be7eef4a46979cfe157c5aeefb7c0.zip";
 
   postFetch = ''
     mkdir -p $out/share/fonts
-    unzip -j $downloadedFile \*.bdf -d $out/share/fonts
+    unzip -j $downloadedFile '*/Dina/*.bdf' -d $out/share/fonts
+    chmod u-x $out/share/fonts/*
   '';
 
   sha256 = "02a6hqbq18sw69npylfskriqhvj1nsk65hjjyd05nl913ycc6jl7";
@@ -25,6 +27,5 @@ in fetchzip rec {
     downloadPage = https://www.donationcoder.com/Software/Jibz/Dina/;
     license = licenses.free;
     maintainers = [ maintainers.prikhi ];
-    platforms = platforms.unix;
   };
 }

pkgs/data/fonts/dosemu-fonts/default.nix

@@ -31,6 +31,5 @@ stdenv.mkDerivation rec {
 
   meta = {
     description = "Various fonts from the DOSEmu project";
-    platforms = stdenv.lib.platforms.linux;
   };
 }

pkgs/data/fonts/dosis/default.nix

@@ -1,19 +1,21 @@
-{ stdenv, fetchzip}:
+{ lib, fetchFromGitHub }:
 
-fetchzip rec {
+fetchFromGitHub rec {
   name = "dosis-1.007";
 
-  url = https://github.com/impallari/Dosis/archive/12df1e13e58768f20e0d48ff15651b703f9dd9dc.zip;
+  owner = "impallari";
+  repo = "Dosis";
+  rev = "12df1e13e58768f20e0d48ff15651b703f9dd9dc";
 
   postFetch = ''
-    mkdir -p $out/share/{doc,fonts}
+    tar xf $downloadedFile --strip=1
-    unzip -j $downloadedFile \*.otf                    -d $out/share/fonts/opentype
+    find . -name '*.otf' -exec install -m444 -Dt $out/share/fonts/opentype {} \;
-    unzip -j $downloadedFile \*README.md \*FONTLOG.txt -d "$out/share/doc/${name}"
+    install -m444 -Dt $out/share/doc/${name} README.md FONTLOG.txt
   '';
 
-  sha256 = "11a8jmgaly14l7rm3jxkwwv3ngr8fdlkp70nicjk2rg0nny2cvfq";
+  sha256 = "0vz25w45i8flfvppymr5h83pa2n1r37da20v7691p44018fdsdny";
 
-  meta = with stdenv.lib; {
+  meta = with lib; {
     description = "A very simple, rounded, sans serif family";
     longDescription = ''
       Dosis is a very simple, rounded, sans serif family.

pkgs/data/fonts/doulos-sil/default.nix

@@ -1,4 +1,4 @@
-{stdenv, fetchzip}:
+{ lib, fetchzip }:
 
 let
   version = "5.000";
@@ -16,7 +16,7 @@ in
 
     sha256 = "04a9cr7jbw7d8llcj8xsqp9rp8w6gcgbd9sdwvi02kz7jhqa0vad";
 
-    meta = with stdenv.lib; {
+    meta = with lib; {
       homepage = https://software.sil.org/doulos;
       description = "A font that provides complete support for the International Phonetic Alphabet";
       longDescription = ''

pkgs/data/fonts/eb-garamond/default.nix

@@ -1,4 +1,4 @@
-{ stdenv, fetchzip }:
+{ lib, fetchzip }:
 
 let
   version = "0.016";
@@ -15,7 +15,7 @@ in fetchzip rec {
 
   sha256 = "04jq4mpln85zzbla8ybsjw7vn9qr3r0snmk5zykrm24imq7ripv3";
 
-  meta = with stdenv.lib; {
+  meta = with lib; {
     homepage = http://www.georgduffner.at/ebgaramond/;
     description = "Digitization of the Garamond shown on the Egenolff-Berner specimen";
     maintainers = with maintainers; [ relrod rycee ];

pkgs/data/fonts/emacs-all-the-icons-fonts/default.nix

@@ -1,4 +1,4 @@
-{ stdenv, fetchzip }:
+{ lib, fetchzip }:
 
 let
   version = "3.2.0";
@@ -14,7 +14,7 @@ in fetchzip {
 
   sha256 = "0ps8q9nkx67ivgn8na4s012360v36jwr0951rsg7j6dyyw9g41jq";
 
-  meta = with stdenv.lib; {
+  meta = with lib; {
     description = "Icon fonts for emacs all-the-icons";
     longDescription = ''
       The emacs package all-the-icons provides icons to improve

pkgs/data/fonts/emojione/default.nix

@@ -29,7 +29,6 @@ stdenv.mkDerivation rec {
     description = "Open source emoji set";
     homepage = http://emojione.com/;
     license = licenses.cc-by-40;
-    platforms = platforms.linux;
     maintainers = with maintainers; [ abbradar ];
   };
 }

pkgs/data/fonts/encode-sans/default.nix

@@ -1,4 +1,4 @@
-{ stdenv, fetchzip }:
+{ lib, fetchzip }:
 
 fetchzip rec {
   name = "encode-sans-1.002";
@@ -13,7 +13,7 @@ fetchzip rec {
 
   sha256 = "16mx894zqlwrhnp4rflgayxhxppmsj6k7haxdngajhb30rlwf08p";
 
-  meta = with stdenv.lib; {
+  meta = with lib; {
     description = "A versatile sans serif font family";
     longDescription = ''
       The Encode Sans family is a versatile workhorse. Featuring a huge range of

pkgs/data/fonts/eunomia/default.nix

@@ -1,4 +1,4 @@
-{ stdenv,  fetchzip }:
+{ lib, fetchzip }:
 
 let
   majorVersion = "0";
@@ -17,7 +17,7 @@ fetchzip rec {
     unzip -j $downloadedFile \*.otf  -d $out/share/fonts/opentype/${pname}
   '';
 
-  meta = with stdenv.lib; {
+  meta = with lib; {
     homepage = http://dotcolon.net/font/eunomia/;
     description = "A futuristic decorative font.";
     platforms = platforms.all;

pkgs/data/fonts/f5_6/default.nix

@@ -1,4 +1,4 @@
-{ stdenv,  fetchzip }:
+{ lib, fetchzip }:
 
 let
   majorVersion = "0";
@@ -17,7 +17,7 @@ fetchzip rec {
     unzip -j $downloadedFile \*.otf  -d $out/share/fonts/opentype/${pname}
   '';
 
-  meta = with stdenv.lib; {
+  meta = with lib; {
     homepage = "http://dotcolon.net/font/${pname}/";
     description = "A weighted decorative font.";
     platforms = platforms.all;

pkgs/data/fonts/fantasque-sans-mono/default.nix

@@ -1,9 +1,7 @@
-{ stdenv, fetchzip }:
+{ lib, fetchzip }:
 
 let
-
   version = "1.7.2";
-
 in
 
 fetchzip rec {
@@ -19,7 +17,7 @@ fetchzip rec {
 
   sha256 = "1fwvbqfrgb539xybwdawvwa8cg4f215kw905rgl9a6p0iwa1nxqk";
 
-  meta = with stdenv.lib; {
+  meta = with lib; {
     homepage = https://github.com/belluzj/fantasque-sans;
     description = "A font family with a great monospaced variant for programmers";
     license = licenses.ofl;

pkgs/data/fonts/ferrum/default.nix

@@ -1,4 +1,4 @@
-{ stdenv,  fetchzip }:
+{ lib, fetchzip }:
 
 let
   majorVersion = "0";
@@ -17,7 +17,7 @@ fetchzip rec {
     unzip -j $downloadedFile \*.otf  -d $out/share/fonts/opentype/${pname}
   '';
 
-  meta = with stdenv.lib; {
+  meta = with lib; {
     homepage = "http://dotcolon.net/font/${pname}/";
     description = "A decorative font.";
     platforms = platforms.all;

pkgs/data/fonts/fira/default.nix

@@ -1,18 +1,23 @@
-{ stdenv, fetchzip }:
+{ lib, fetchFromGitHub }:
 
-fetchzip rec {
+let
-  name = "fira-4.106";
+  version = "4.106";
+in fetchFromGitHub {
+  name = "fira-${version}";
 
-  url = https://github.com/mozilla/Fira/archive/4.106.zip;
+  owner = "mozilla";
+  repo = "Fira";
+  rev = version;
 
   postFetch = ''
-    mkdir -p $out/share/fonts
+    tar xf $downloadedFile --strip=1
-    unzip -j $downloadedFile Fira-4.106/otf/FiraSans\*.otf -d $out/share/fonts/opentype
+    mkdir -p $out/share/fonts/opentype
+    cp otf/*.otf $out/share/fonts/opentype
   '';
 
   sha256 = "0c97nmihcq0ki7ywj8zn048a2bgrszc61lb9p0djfi65ar52jab4";
 
-  meta = with stdenv.lib; {
+  meta = with lib; {
     homepage = https://mozilla.github.io/Fira/;
     description = "Sans-serif font for Firefox OS";
     longDescription = ''

pkgs/data/fonts/fixedsys-excelsior/default.nix

@@ -4,29 +4,21 @@ let
   major = "3";
   minor = "00";
   version = "${major}.${minor}";
-
+in fetchurl rec {
-in
-
-stdenv.mkDerivation rec {
   name = "fixedsys-excelsior-${version}";
 
-  src = fetchurl {
+  urls = [
-    url = http://www.fixedsysexcelsior.com/fonts/FSEX300.ttf;
+    http://www.fixedsysexcelsior.com/fonts/FSEX300.ttf
-    sha256 = "6ee0f3573bc5e33e93b616ef6282f49bc0e227a31aa753ac76ed2e3f3d02056d";
+    https://raw.githubusercontent.com/chrissimpkins/codeface/master/fonts/fixed-sys-excelsior/FSEX300.ttf
-  };
+    http://tarballs.nixos.org/sha256/6ee0f3573bc5e33e93b616ef6282f49bc0e227a31aa753ac76ed2e3f3d02056d
-
+  ];
-  phases = [ "installPhase" ];
+  downloadToTemp = true;
-
+  recursiveHash = true;
-  installPhase = ''
+  postFetch = ''
-    mkdir -p $out/share/fonts/truetype/
+    install -m444 -D $downloadedFile $out/share/fonts/truetype/${name}.ttf
-    cp $src $out/share/fonts/truetype/${name}.ttf
   '';
 
-  outputHashMode = "recursive";
+  sha256 = "32d6f07f1ff08c764357f8478892b2ba5ade23427af99759f34a0ba24bcd2e37";
-
-  outputHashAlgo = "sha256";
-
-  outputHash = "32d6f07f1ff08c764357f8478892b2ba5ade23427af99759f34a0ba24bcd2e37";
 
   meta = {
     description = "Pan-unicode version of Fixedsys, a classic DOS font.";

pkgs/data/fonts/font-awesome-5/default.nix

@@ -1,20 +1,22 @@
-{ stdenv, fetchzip }:
+{ lib, fetchFromGitHub }:
 
 let
   version = "5.8.2";
-in fetchzip rec {
+in fetchFromGitHub rec {
   name = "font-awesome-${version}";
 
-  url = "https://github.com/FortAwesome/Font-Awesome/archive/${version}.zip";
+  owner = "FortAwesome";
+  repo = "Font-Awesome";
+  rev = version;
 
   postFetch = ''
-    mkdir -p $out/share/fonts
+    tar xf $downloadedFile --strip=1
-    unzip -j $downloadedFile "Font-Awesome-${version}/otfs/*.otf" -d $out/share/fonts/opentype
+    install -m444 -Dt $out/share/fonts/opentype otfs/*.otf
   '';
 
   sha256 = "1h0qhvkfyfs4579jvrk3gwc7dp4i9s46bkj406b493dvmxxhv986";
 
-  meta = with stdenv.lib; {
+  meta = with lib; {
     description = "Font Awesome - OTF font";
     longDescription = ''
       Font Awesome gives you scalable vector icons that can instantly be customized.

pkgs/data/fonts/fontconfig-penultimate/default.nix

@@ -1,4 +1,4 @@
-{ stdenv, fetchzip
+{ lib, fetchzip
 , version ? "0.3.5"
 , sha256 ? "1gfgl7qimp76q4z0nv55vv57yfs4kscdr329np701k0xnhncwvrk"
 }:
@@ -14,7 +14,7 @@ fetchzip {
     unzip -j $downloadedFile \*.conf -d $out/etc/fonts/conf.d
   '';
 
-  meta = with stdenv.lib; {
+  meta = with lib; {
     homepage = https://github.com/ttuegel/fontconfig-penultimate;
     description = "Sensible defaults for Fontconfig";
     license = licenses.asl20;

pkgs/data/fonts/freefont-ttf/default.nix

@@ -1,4 +1,4 @@
-{stdenv, fetchzip}:
+{ lib, fetchzip }:
 
 fetchzip rec {
   name = "freefont-ttf-20120503";
@@ -20,8 +20,8 @@ fetchzip rec {
       10646/Unicode UCS (Universal Character Set).
     '';
     homepage = https://www.gnu.org/software/freefont/;
-    license = stdenv.lib.licenses.gpl3Plus;
+    license = lib.licenses.gpl3Plus;
-    platforms = stdenv.lib.platforms.all;
+    platforms = lib.platforms.all;
     maintainers = [];
   };
 }

pkgs/data/fonts/gandom-fonts/default.nix

@@ -1,22 +1,21 @@
-{ stdenv, fetchFromGitHub }:
+{ lib, fetchFromGitHub }:
 
-stdenv.mkDerivation rec {
+let
   pname = "gandom-fonts";
   version = "0.6";
-
+in fetchFromGitHub {
-  src = fetchFromGitHub {
+  name = "${pname}-${version}";
   owner = "rastikerdar";
   repo = "gandom-font";
   rev = "v${version}";
-    sha256 = "1pdbqhvcsz6aq3qgarhfd05ip0wmh7bxqkmxrwa0kgxsly6zxz9x";
-  };
 
-  installPhase = ''
+  postFetch = ''
-    mkdir -p $out/share/fonts/gandom-fonts
+    tar xf $downloadedFile --strip=1
-    cp -v $( find . -name '*.ttf') $out/share/fonts/gandom-fonts
+    find . -name '*.ttf' -exec install -m444 -Dt $out/share/fonts/gandom-fonts {} \;
   '';
+  sha256 = "0zsq6s9ziyb5jz0v8aj00dlxd1aly0ibxgszd05dfvykmgz051lc";
 
-  meta = with stdenv.lib; {
+  meta = with lib; {
     homepage = https://github.com/rastikerdar/gandom-font;
     description = "A Persian (Farsi) Font - فونت (قلم) فارسی گندم";
     license = licenses.ofl;

pkgs/data/fonts/gdouros/default.nix

@@ -1,29 +1,16 @@
-{stdenv, fetchzip, lib}:
+{ fetchzip, lib }:
 
 let
   fonts = {
-    symbola = { version = "9.17"; file = "Symbola.zip"; sha256 = "13z18lxx0py54nns61ihgxacpf1lg9s7g2sbpbnxpllqw7j73iq2";
+    aegan     = { version = "10.00"; file = "Aegean.zip";       sha256 = "0k47nhzw4vx771ch3xx8mf6xx5vx0hg0cif5jdlmdaz4h2c3rawz"; description = "Aegean"; };
-                description = "Basic Latin, Greek, Cyrillic and many Symbol blocks of Unicode"; };
+    aegyptus  = { version =  "8.00"; file = "Aegyptus.zip";     sha256 = "13h2pi641k9vxgqi9l11mjya10ym9ln54wrkwxx6gxq63zy7y5mj"; description = "Egyptian Hieroglyphs, Coptic, Meroitic"; };
-    aegyptus = { version = "6.17"; file = "Aegyptus.zip"; sha256 = "19rkf89msqb076qjdfa75pqrx35c3slj64vxw08zqdvyavq7jc79";
+    akkadian  = { version =  "7.18"; file = "Akkadian.zip";     sha256 = "1bplcvszbdrk85kqipn9lzhr62647wjibz1p8crzjvsw6f9ymxy3"; description = "Sumero-Akkadian Cuneiform"; };
-                 description = "Egyptian Hieroglyphs, Coptic, Meroitic"; };
+    assyrian  = { version =  "2.00"; file = "AssyrianFont.zip"; sha256 = "0vdvb24vsnmwzd6bw14akqg0hbvsk8avgnbwk9fkybn1f801475k"; description = "Neo-Assyrian in Unicode with OpenType"; };
-    akkadian = { version = "7.17"; file = "AkkadianAssyrian.zip"; sha256 = "1xw2flrwb5r89sk7jd195v3svsb21brf1li2i3pdjcfqxfp5m0g7";
+    eemusic   = { version =  "2.00"; file = "EEMusic.zip";      sha256 = "1y9jf105a2b689m7hdjmhhr7z5j0qd2w6dmb3iic9bwaczlrjy7j"; description = "Byzantine Musical Notation in Unicode with OpenType"; };
-                 description = "Sumero-Akkadian Cuneiform"; };
+    maya      = { version =  "4.18"; file = "Maya.zip";         sha256 = "08z2ch0z2c43fjfg5m4yp3l1dp0cbk7lv5i7wzsr3cr9kr59wpi9"; description = "Maya Hieroglyphs"; };
-    anatolian = { version = "5.17"; file = "Anatolian.zip"; sha256 = "0dqcyjakc4fy076pjplm6psl8drpwxiwyq97xrf6a3qa098gc0qc";
+    symbola   = { version = "12.00"; file = "Symbola.zip";      sha256 = "1i3xra33xkj32vxs55xs2afrqyc822nk25669x78px5g5qd8gypm"; description = "Basic Latin, Greek, Cyrillic and many Symbol blocks of Unicode"; };
-                  description = "Anatolian Hieroglyphs"; };
+    textfonts = { version =  "9.00"; file = "Textfonts.zip";    sha256 = "0wzxz4j4fgk81b88d58715n1wvq2mqmpjpk4g5hi3vk77y2zxc4d"; description = "Aroania, Anaktoria, Alexander, Avdira and Asea"; };
-    maya = { version = "4.17"; file = "Maya.zip"; sha256 = "17s5c23wpqrcq5h6pgssbmzxiv4jvhdh2ssr99j9q6j32a51h9gh";
+    unidings  = { version =  "9.19"; file = "Unidings.zip";     sha256 = "1bybzgdqhmq75hb12n3pjrsdcpw1a6sgryx464s68jlq4zi44g78"; description = "Glyphs and Icons for blocks of The Unicode Standard"; };
-             description = "Maya Hieroglyphs"; };
-    unidings = { version = "9.17"; file = "Unidings.zip"; sha256 = "0nzw8mrhk0hbjnl2cgi31b00vmi785win86kiz9d2yzdfz1is6sk";
-                 description = "Glyphs and Icons for blocks of The Unicode Standard"; };
-    musica = { version = "3.17"; file = "Musica.zip"; sha256 = "0mnv61dxzs2npvxgs5l9q81q19xzzi1sn53x5qwpiirkmi6bg5y6";
-               description = "Musical Notation"; };
-    analecta = { version = "5.17"; file = "Analecta.zip"; sha256 = "13npnfscd9mz6vf89qxxbj383njf53a1smqjh0c1w2lvijgak3aj";
-                 description = "Coptic, Gothic, Deseret"; };
-    textfonts = { version = "7.17"; file = "TextfontsFonts.zip"; sha256 = "1ggflqnslp81v8pzmzx6iwi2sa38l9bpivjjci7nvx3y5xynm6wl";
-                 description = "Aroania, Anaktoria, Alexander, Avdira and Asea"; };
-    aegan = { version = "9.17"; file = "AegeanFonts.zip"; sha256 = "0dm2ck3p11bc9izrh7xz3blqfqg1mgsvy4jsgmz9rcs4m74xrhsf";
-              description = "Aegean"; };
-    abydos = { version = "1.23"; file = "AbydosFont.zip"; sha256 = "04r7ysnjjq0nrr3m8lbz8ssyx6xaikqybjqxzl3ziywl9h6nxdj8";
-               description = "AbydosFont"; };
   };
 
   mkpkg = name_: {version, file, sha256, description}: fetchzip rec {
@@ -42,9 +29,8 @@ let
       # In lieu of a license:
       # Fonts in this site are offered free for any use;
       # they may be installed, embedded, opened, edited, modified, regenerated, posted, packaged and redistributed.
-      license = stdenv.lib.licenses.free;
+      license = lib.licenses.free;
       homepage = http://users.teilar.gr/~g1951d/;
-      platforms = stdenv.lib.platforms.unix;
     };
   };
 in

pkgs/data/fonts/gentium-book-basic/default.nix

@@ -1,4 +1,4 @@
-{ stdenv, fetchzip }:
+{ lib, fetchzip }:
 
 let
   major = "1";
@@ -11,14 +11,13 @@ in fetchzip rec {
 
   postFetch = ''
     mkdir -p $out/share/{doc,fonts}
-    unzip -l $downloadedFile
     unzip -j $downloadedFile \*.ttf                            -d $out/share/fonts/truetype
     unzip -j $downloadedFile \*/FONTLOG.txt \*/GENTIUM-FAQ.txt -d $out/share/doc/${name}
   '';
 
   sha256 = "0598zr5f7d6ll48pbfbmmkrybhhdks9b2g3m2g67wm40070ffzmd";
 
-  meta = with stdenv.lib; {
+  meta = with lib; {
     homepage = https://software.sil.org/gentium/;
     description = "A high-quality typeface family for Latin, Cyrillic, and Greek";
     maintainers = with maintainers; [ ];

pkgs/data/fonts/gentium/default.nix

@@ -1,4 +1,4 @@
-{ stdenv, fetchzip }:
+{ lib, fetchzip }:
 
 let
   version = "5.000";
@@ -17,7 +17,7 @@ in fetchzip rec {
 
   sha256 = "1qr2wjdmm93167b0w9cidlf3wwsyjx4838ja9jmm4jkyian5whhp";
 
-  meta = with stdenv.lib; {
+  meta = with lib; {
     homepage = https://software.sil.org/gentium/;
     description = "A high-quality typeface family for Latin, Cyrillic, and Greek";
     longDescription = ''

pkgs/data/fonts/go-font/default.nix

@@ -1,26 +1,22 @@
 { stdenv, fetchgit }:
 
-stdenv.mkDerivation rec {
+let
-  name = "go-font-${version}";
   version = "2017-03-30";
-
+in (fetchgit {
-  src = fetchgit {
+  name = "go-font-${version}";
   url = "https://go.googlesource.com/image";
   rev = "f03a046406d4d7fbfd4ed29f554da8f6114049fc";
-    sha256 = "1aq6mnjayks55gd9ahavk6jfydlq5lm4xm0xk4pd5sqa74p5p74d";
-  };
 
-  installPhase = ''
+  postFetch = ''
+    mv $out/* .
     mkdir -p $out/share/fonts/truetype
     mkdir -p $out/share/doc/go-font
     cp font/gofont/ttfs/* $out/share/fonts/truetype
     mv $out/share/fonts/truetype/README $out/share/doc/go-font/LICENSE
   '';
 
-  outputHashAlgo = "sha256";
+  sha256 = "1488426ya2nzmwjas947fx9h5wzxrp9wasn8nkjqf0y0mpd4f1xz";
-  outputHashMode = "recursive";
+}) // {
-  outputHash = "10hfm2cpxlx1ng7r2mbvykjhmy131qlgzpdzj7ibg9kr293bcjc0";
-
   meta = with stdenv.lib; {
     homepage = https://blog.golang.org/go-fonts;
     description = "The Go font family";

pkgs/data/fonts/gohufont/default.nix

@@ -67,6 +67,5 @@ stdenv.mkDerivation rec {
     homepage    = http://font.gohu.org/;
     license     = licenses.wtfpl;
     maintainers = with maintainers; [ epitrochoid rnhmjoj ];
-    platforms   = platforms.unix;
   };
 }