Merge master into staging-next

lib/default.nix

@@ -141,7 +141,7 @@ let
       mergeAttrsWithFunc mergeAttrsConcatenateValues
       mergeAttrsNoOverride mergeAttrByFunc mergeAttrsByFuncDefaults
       mergeAttrsByFuncDefaultsClean mergeAttrBy
-      fakeSri fakeSha256 fakeSha512
+      fakeHash fakeSha256 fakeSha512
       nixType imap;
     inherit (versions)
       splitVersion;

lib/deprecated.nix

@@ -272,7 +272,7 @@ rec {
   imap = imap1;
 
   # Fake hashes. Can be used as hash placeholders, when computing hash ahead isn't trivial
-  fakeSri = "sha256-AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=";
+  fakeHash = "sha256-AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=";
   fakeSha256 = "0000000000000000000000000000000000000000000000000000000000000000";
   fakeSha512 = "00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000";
 }

maintainers/maintainer-list.nix

@@ -2044,6 +2044,12 @@
     githubId = 108501;
     name = "David Pflug";
   };
+  dramaturg = {
+    email = "seb@ds.ag";
+    github = "dramaturg";
+    githubId = 472846;
+    name = "Sebastian Krohn";
+  };
   drets = {
     email = "dmitryrets@gmail.com";
     github = "drets";
@@ -2482,7 +2488,7 @@
   };
   evils = {
     email = "evils.devils@protonmail.com";
-    github = "evils-devils";
+    github = "evils";
     githubId = 30512529;
     name = "Evils";
   };
@@ -4609,6 +4615,12 @@
     githubId = 2057309;
     name = "Sergey Sofeychuk";
   };
+  lynty = {
+    email = "ltdong93+nix@gmail.com";
+    github = "lynty";
+    githubId = 39707188;
+    name = "Lynn Dong";
+  };
   lyt = {
     email = "wheatdoge@gmail.com";
     name = "Tim Liou";
@@ -7130,6 +7142,12 @@
     githubId = 1505617;
     name = "Sean Lee";
   };
+  SlothOfAnarchy = {
+    email = "slothofanarchy1@gmail.com";
+    github = "SlothOfAnarchy";
+    githubId = 12828415;
+    name = "Michel Weitbrecht";
+  };
   smakarov = {
     email = "setser200018@gmail.com";
     github = "setser";

nixos/doc/manual/release-notes/rl-2009.xml

@@ -235,7 +235,16 @@ php.override {
        Be aware that backwards state migrations are not supported by Deluge.
      </para>
    </listitem>
-
+   <listitem>
+     <para>
+       Add option <literal>services.nginx.enableSandbox</literal> to starting Nginx web server with additional sandbox/hardening options.
+       By default, write access to <literal>services.nginx.stateDir</literal> is allowed. To allow writing to other folders,
+       use <literal>systemd.services.nginx.serviceConfig.ReadWritePaths</literal>
+       <programlisting>
+systemd.services.nginx.serviceConfig.ReadWritePaths = [ "/var/www" ];
+       </programlisting>
+     </para>
+   </listitem>
    <listitem>
     <para>
       The NixOS options <literal>nesting.clone</literal> and
@@ -335,6 +344,15 @@ php.override {
       your configuration simply remove the quotes around the numbers.
     </para>
    </listitem>
+   <listitem>
+    <para>
+      When using <literal>buildBazelPackage</literal> from Nixpkgs,
+      <literal>flat</literal> hash mode is now used for dependencies
+      instead of <literal>recursive</literal>. This is to better allow
+      using hashed mirrors where needed. As a result, these hashes
+      will have changed.
+    </para>
+   </listitem>
   </itemizedlist>
  </section>
 

nixos/modules/hardware/video/nvidia.nix

@@ -52,6 +52,15 @@ in
     ];
 
   options = {
+    hardware.nvidia.powerManagement.enable = mkOption {
+      type = types.bool;
+      default = false;
+      description = ''
+        Experimental power management through systemd. For more information, see
+        the NVIDIA docs, on Chapter 21. Configuring Power Management Support.
+      '';
+    };
+
     hardware.nvidia.modesetting.enable = mkOption {
       type = types.bool;
       default = false;
@@ -226,12 +235,34 @@ in
     environment.systemPackages = [ nvidia_x11.bin nvidia_x11.settings ]
       ++ filter (p: p != null) [ nvidia_x11.persistenced ];
 
-    systemd.tmpfiles.rules = optional config.virtualisation.docker.enableNvidia
+    systemd.packages = optional cfg.powerManagement.enable nvidia_x11.out;
-        "L+ /run/nvidia-docker/bin - - - - ${nvidia_x11.bin}/origBin"
-      ++ optional (nvidia_x11.persistenced != null && config.virtualisation.docker.enableNvidia)
-        "L+ /run/nvidia-docker/extras/bin/nvidia-persistenced - - - - ${nvidia_x11.persistenced}/origBin/nvidia-persistenced";
 
-    systemd.services."nvidia-persistenced" = mkIf nvidiaPersistencedEnabled {
+    systemd.services = let
+      baseNvidiaService = state: {
+        description = "NVIDIA system ${state} actions";
+
+        path = with pkgs; [ kbd ];
+        serviceConfig = {
+          Type = "oneshot";
+          ExecStart = "${nvidia_x11.out}/bin/nvidia-sleep.sh '${state}'";
+        };
+      };
+
+      nvidiaService = sleepState: (baseNvidiaService sleepState) // {
+        before = [ "systemd-${sleepState}.service" ];
+        requiredBy = [ "systemd-${sleepState}.service" ];
+      };
+
+      services = (builtins.listToAttrs (map (t: nameValuePair "nvidia-${t}" (nvidiaService t)) ["hibernate" "suspend"]))
+        // {
+          nvidia-resume = (baseNvidiaService "resume") // {
+            after = [ "systemd-suspend.service" "systemd-hibernate.service" ];
+            requiredBy = [ "systemd-suspend.service" "systemd-hibernate.service" ];
+          };
+        };
+    in optionalAttrs cfg.powerManagement.enable services
+      // optionalAttrs nvidiaPersistencedEnabled {
+        "nvidia-persistenced" = mkIf nvidiaPersistencedEnabled {
           description = "NVIDIA Persistence Daemon";
           wantedBy = [ "multi-user.target" ];
           serviceConfig = {
@@ -242,6 +273,12 @@ in
             ExecStopPost = "${pkgs.coreutils}/bin/rm -rf /var/run/nvidia-persistenced";
           };
         };
+      };
+
+    systemd.tmpfiles.rules = optional config.virtualisation.docker.enableNvidia
+        "L+ /run/nvidia-docker/bin - - - - ${nvidia_x11.bin}/origBin"
+      ++ optional (nvidia_x11.persistenced != null && config.virtualisation.docker.enableNvidia)
+        "L+ /run/nvidia-docker/extras/bin/nvidia-persistenced - - - - ${nvidia_x11.persistenced}/origBin/nvidia-persistenced";
 
     boot.extraModulePackages = [ nvidia_x11.bin ];
 
@@ -250,7 +287,8 @@ in
       optionals config.services.xserver.enable [ "nvidia" "nvidia_modeset" "nvidia_drm" ];
 
     # If requested enable modesetting via kernel parameter.
-    boot.kernelParams = optional (offloadCfg.enable || cfg.modesetting.enable) "nvidia-drm.modeset=1";
+    boot.kernelParams = optional (offloadCfg.enable || cfg.modesetting.enable) "nvidia-drm.modeset=1"
+      ++ optional cfg.powerManagement.enable "nvidia.NVreg_PreserveVideoMemoryAllocations=1";
 
     # Create /dev/nvidia-uvm when the nvidia-uvm module is loaded.
     services.udev.extraRules =

nixos/modules/module-list.nix

@@ -792,6 +792,7 @@
   ./services/security/nginx-sso.nix
   ./services/security/oauth2_proxy.nix
   ./services/security/oauth2_proxy_nginx.nix
+  ./services/security/privacyidea.nix
   ./services/security/physlock.nix
   ./services/security/shibboleth-sp.nix
   ./services/security/sks.nix

nixos/modules/security/doas.nix

@@ -223,7 +223,7 @@ in
 
   config = mkIf cfg.enable {
 
-    security.doas.extraRules = [
+    security.doas.extraRules = mkOrder 600 [
       {
         groups = [ "wheel" ];
         noPass = !cfg.wheelNeedsPassword;

nixos/modules/security/pam.nix

@@ -54,7 +54,7 @@ let
         description = ''
           If set, users listed in
           <filename>~/.yubico/authorized_yubikeys</filename>
-          are able to log in with the asociated Yubikey tokens.
+          are able to log in with the associated Yubikey tokens.
         '';
       };
 

nixos/modules/services/backup/znapzend.nix

@@ -268,7 +268,8 @@ let
 
   mkSrcAttrs = srcCfg: with srcCfg; {
     enabled = onOff enable;
-    mbuffer = with mbuffer; if enable then "${pkgs.mbuffer}/bin/mbuffer"
+    # mbuffer is not referenced by its full path to accomodate non-NixOS systems or differing mbuffer versions between source and target
+    mbuffer = with mbuffer; if enable then "mbuffer"
         + optionalString (port != null) ":${toString port}" else "off";
     mbuffer_size = mbuffer.size;
     post_znap_cmd = nullOff postsnap;
@@ -357,6 +358,12 @@ in
         default = false;
       };
 
+      features.oracleMode = mkEnableOption ''
+        Destroy snapshots one by one instead of using one long argument list.
+        If source and destination are out of sync for a long time, you may have
+        so many snapshots to destroy that the argument gets is too long and the
+        command fails.
+      '';
       features.recvu = mkEnableOption ''
         recvu feature which uses <literal>-u</literal> on the receiving end to keep the destination
         filesystem unmounted.
@@ -458,5 +465,5 @@ in
     };
   };
 
-  meta.maintainers = with maintainers; [ infinisil ];
+  meta.maintainers = with maintainers; [ infinisil SlothOfAnarchy ];
 }

nixos/modules/services/databases/postgresql.nix

@@ -17,6 +17,7 @@ let
       hba_file = '${pkgs.writeText "pg_hba.conf" cfg.authentication}'
       ident_file = '${pkgs.writeText "pg_ident.conf" cfg.identMap}'
       log_destination = 'stderr'
+      log_line_prefix = '${cfg.logLinePrefix}'
       listen_addresses = '${if cfg.enableTCPIP then "*" else "localhost"}'
       port = ${toString cfg.port}
       ${cfg.extraConfig}
@@ -186,6 +187,17 @@ in
         '';
       };
 
+      logLinePrefix = mkOption {
+        type = types.str;
+        default = "[%p] ";
+        example = "%m [%p] ";
+        description = ''
+          A printf-style string that is output at the beginning of each log line.
+          Upstream default is <literal>'%m [%p] '</literal>, i.e. it includes the timestamp. We do
+          not include the timestamp, because journal has it anyway.
+        '';
+      };
+
       extraPlugins = mkOption {
         type = types.listOf types.path;
         default = [];

nixos/modules/services/network-filesystems/ipfs.nix

@@ -217,6 +217,9 @@ in {
         createHome = false;
         uid = config.ids.uids.ipfs;
         description = "IPFS daemon user";
+        packages = [
+          pkgs.ipfs-migrator
+        ];
       };
     };
 

nixos/modules/services/networking/pixiecore.nix

@@ -115,7 +115,7 @@ in
               if cfg.mode == "boot"
               then [ "boot" cfg.kernel ]
                    ++ optional (cfg.initrd != "") cfg.initrd
-                   ++ optional (cfg.cmdLine != "") "--cmdline=${lib.escapeShellArg cfg.cmdLine}"
+                   ++ optionals (cfg.cmdLine != "") [ "--cmdline" cfg.cmdLine ]
               else [ "api" cfg.apiServer ];
           in
             ''

nixos/modules/services/security/privacyidea.nix

@@ -0,0 +1,279 @@
+{ config, lib, pkgs, ... }:
+
+with lib;
+
+let
+  cfg = config.services.privacyidea;
+
+  uwsgi = pkgs.uwsgi.override { plugins = [ "python3" ]; };
+  python = uwsgi.python3;
+  penv = python.withPackages (ps: [ ps.privacyidea ]);
+  logCfg = pkgs.writeText "privacyidea-log.cfg" ''
+    [formatters]
+    keys=detail
+
+    [handlers]
+    keys=stream
+
+    [formatter_detail]
+    class=privacyidea.lib.log.SecureFormatter
+    format=[%(asctime)s][%(process)d][%(thread)d][%(levelname)s][%(name)s:%(lineno)d] %(message)s
+
+    [handler_stream]
+    class=StreamHandler
+    level=NOTSET
+    formatter=detail
+    args=(sys.stdout,)
+
+    [loggers]
+    keys=root,privacyidea
+
+    [logger_privacyidea]
+    handlers=stream
+    qualname=privacyidea
+    level=INFO
+
+    [logger_root]
+    handlers=stream
+    level=ERROR
+  '';
+
+  piCfgFile = pkgs.writeText "privacyidea.cfg" ''
+    SUPERUSER_REALM = [ '${concatStringsSep "', '" cfg.superuserRealm}' ]
+    SQLALCHEMY_DATABASE_URI = 'postgresql:///privacyidea'
+    SECRET_KEY = '${cfg.secretKey}'
+    PI_PEPPER = '${cfg.pepper}'
+    PI_ENCFILE = '${cfg.encFile}'
+    PI_AUDIT_KEY_PRIVATE = '${cfg.auditKeyPrivate}'
+    PI_AUDIT_KEY_PUBLIC = '${cfg.auditKeyPublic}'
+    PI_LOGCONFIG = '${logCfg}'
+    ${cfg.extraConfig}
+  '';
+
+in
+
+{
+  options = {
+    services.privacyidea = {
+      enable = mkEnableOption "PrivacyIDEA";
+
+      stateDir = mkOption {
+        type = types.str;
+        default = "/var/lib/privacyidea";
+        description = ''
+          Directory where all PrivacyIDEA files will be placed by default.
+        '';
+      };
+
+      superuserRealm = mkOption {
+        type = types.listOf types.str;
+        default = [ "super" "administrators" ];
+        description = ''
+          The realm where users are allowed to login as administrators.
+        '';
+      };
+
+      secretKey = mkOption {
+        type = types.str;
+        example = "t0p s3cr3t";
+        description = ''
+          This is used to encrypt the auth_token.
+        '';
+      };
+
+      pepper = mkOption {
+        type = types.str;
+        example = "Never know...";
+        description = ''
+          This is used to encrypt the admin passwords.
+        '';
+      };
+
+      encFile = mkOption {
+        type = types.str;
+        default = "${cfg.stateDir}/enckey";
+        description = ''
+          This is used to encrypt the token data and token passwords
+        '';
+      };
+
+      auditKeyPrivate = mkOption {
+        type = types.str;
+        default = "${cfg.stateDir}/private.pem";
+        description = ''
+          Private Key for signing the audit log.
+        '';
+      };
+
+      auditKeyPublic = mkOption {
+        type = types.str;
+        default = "${cfg.stateDir}/public.pem";
+        description = ''
+          Public key for checking signatures of the audit log.
+        '';
+      };
+
+      adminPasswordFile = mkOption {
+        type = types.path;
+        description = "File containing password for the admin user";
+      };
+
+      adminEmail = mkOption {
+        type = types.str;
+        example = "admin@example.com";
+        description = "Mail address for the admin user";
+      };
+
+      extraConfig = mkOption {
+        type = types.lines;
+        default = "";
+        description = ''
+          Extra configuration options for pi.cfg.
+        '';
+      };
+
+      user = mkOption {
+        type = types.str;
+        default = "privacyidea";
+        description = "User account under which PrivacyIDEA runs.";
+      };
+
+      group = mkOption {
+        type = types.str;
+        default = "privacyidea";
+        description = "Group account under which PrivacyIDEA runs.";
+      };
+
+      ldap-proxy = {
+        enable = mkEnableOption "PrivacyIDEA LDAP Proxy";
+
+        configFile = mkOption {
+          type = types.path;
+          default = "";
+          description = ''
+            Path to PrivacyIDEA LDAP Proxy configuration (proxy.ini).
+          '';
+        };
+
+        user = mkOption {
+          type = types.str;
+          default = "pi-ldap-proxy";
+          description = "User account under which PrivacyIDEA LDAP proxy runs.";
+        };
+
+        group = mkOption {
+          type = types.str;
+          default = "pi-ldap-proxy";
+          description = "Group account under which PrivacyIDEA LDAP proxy runs.";
+        };
+      };
+    };
+  };
+
+  config = mkMerge [
+
+    (mkIf cfg.enable {
+
+      environment.systemPackages = [ python.pkgs.privacyidea ];
+
+      services.postgresql.enable = mkDefault true;
+
+      systemd.services.privacyidea = let
+        piuwsgi = pkgs.writeText "uwsgi.json" (builtins.toJSON {
+          uwsgi = {
+            plugins = [ "python3" ];
+            pythonpath = "${penv}/${uwsgi.python3.sitePackages}";
+            socket = "/run/privacyidea/socket";
+            uid = cfg.user;
+            gid = cfg.group;
+            chmod-socket = 770;
+            chown-socket = "${cfg.user}:nginx";
+            chdir = cfg.stateDir;
+            wsgi-file = "${penv}/etc/privacyidea/privacyideaapp.wsgi";
+            processes = 4;
+            harakiri = 60;
+            reload-mercy = 8;
+            stats = "/run/privacyidea/stats.socket";
+            max-requests = 2000;
+            limit-as = 1024;
+            reload-on-as = 512;
+            reload-on-rss = 256;
+            no-orphans = true;
+            vacuum = true;
+          };
+        });
+      in {
+        wantedBy = [ "multi-user.target" ];
+        after = [ "postgresql.service" ];
+        path = with pkgs; [ openssl ];
+        environment.PRIVACYIDEA_CONFIGFILE = piCfgFile;
+        preStart = let
+          pi-manage = "${pkgs.sudo}/bin/sudo -u privacyidea -HE ${penv}/bin/pi-manage";
+          pgsu = config.services.postgresql.superUser;
+          psql = config.services.postgresql.package;
+        in ''
+          mkdir -p ${cfg.stateDir} /run/privacyidea
+          chown ${cfg.user}:${cfg.group} -R ${cfg.stateDir} /run/privacyidea
+          if ! test -e "${cfg.stateDir}/db-created"; then
+            ${pkgs.sudo}/bin/sudo -u ${pgsu} ${psql}/bin/createuser --no-superuser --no-createdb --no-createrole ${cfg.user}
+            ${pkgs.sudo}/bin/sudo -u ${pgsu} ${psql}/bin/createdb --owner ${cfg.user} privacyidea
+            ${pi-manage} create_enckey
+            ${pi-manage} create_audit_keys
+            ${pi-manage} createdb
+            ${pi-manage} admin add admin -e ${cfg.adminEmail} -p "$(cat ${cfg.adminPasswordFile})"
+            ${pi-manage} db stamp head -d ${penv}/lib/privacyidea/migrations
+            touch "${cfg.stateDir}/db-created"
+            chmod g+r "${cfg.stateDir}/enckey" "${cfg.stateDir}/private.pem"
+          fi
+          ${pi-manage} db upgrade -d ${penv}/lib/privacyidea/migrations
+        '';
+        serviceConfig = {
+          Type = "notify";
+          ExecStart = "${uwsgi}/bin/uwsgi --json ${piuwsgi}";
+          ExecReload = "${pkgs.coreutils}/bin/kill -HUP $MAINPID";
+          ExecStop = "${pkgs.coreutils}/bin/kill -INT $MAINPID";
+          NotifyAccess = "main";
+          KillSignal = "SIGQUIT";
+          StandardError = "syslog";
+        };
+      };
+
+      users.users.privacyidea = mkIf (cfg.user == "privacyidea") {
+        group = cfg.group;
+      };
+
+      users.groups.privacyidea = mkIf (cfg.group == "privacyidea") {};
+    })
+
+    (mkIf cfg.ldap-proxy.enable {
+
+      systemd.services.privacyidea-ldap-proxy = let
+        ldap-proxy-env = pkgs.python2.withPackages (ps: [ ps.privacyidea-ldap-proxy ]);
+      in {
+        description = "privacyIDEA LDAP proxy";
+        wantedBy = [ "multi-user.target" ];
+        serviceConfig = {
+          User = cfg.ldap-proxy.user;
+          Group = cfg.ldap-proxy.group;
+          ExecStart = ''
+            ${ldap-proxy-env}/bin/twistd \
+              --nodaemon \
+              --pidfile= \
+              -u ${cfg.ldap-proxy.user} \
+              -g ${cfg.ldap-proxy.group} \
+              ldap-proxy \
+              -c ${cfg.ldap-proxy.configFile}
+          '';
+          Restart = "always";
+        };
+      };
+
+      users.users.pi-ldap-proxy = mkIf (cfg.ldap-proxy.user == "pi-ldap-proxy") {
+        group = cfg.ldap-proxy.group;
+      };
+
+      users.groups.pi-ldap-proxy = mkIf (cfg.ldap-proxy.group == "pi-ldap-proxy") {};
+    })
+  ];
+
+}

nixos/modules/services/web-servers/nginx/default.nix

@@ -463,6 +463,14 @@ in
         '';
       };
 
+      enableSandbox = mkOption {
+        default = false;
+        type = types.bool;
+        description = ''
+          Starting Nginx web server with additional sandbox/hardening options.
+        '';
+      };
+
       user = mkOption {
         type = types.str;
         default = "nginx";
@@ -710,6 +718,27 @@ in
         LogsDirectoryMode = "0750";
         # Capabilities
         AmbientCapabilities = [ "CAP_NET_BIND_SERVICE" "CAP_SYS_RESOURCE" ];
+        CapabilityBoundingSet = [ "CAP_NET_BIND_SERVICE" "CAP_SYS_RESOURCE" ];
+        # Security
+        NoNewPrivileges = true;
+      } // optionalAttrs cfg.enableSandbox {
+        # Sandboxing
+        ProtectSystem = "strict";
+        ProtectHome = mkDefault true;
+        PrivateTmp = true;
+        PrivateDevices = true;
+        ProtectHostname = true;
+        ProtectKernelTunables = true;
+        ProtectKernelModules = true;
+        ProtectControlGroups = true;
+        RestrictAddressFamilies = [ "AF_UNIX" "AF_INET" "AF_INET6" ];
+        LockPersonality = true;
+        MemoryDenyWriteExecute = !(builtins.any (mod: (mod.allowMemoryWriteExecute or false)) pkgs.nginx.modules);
+        RestrictRealtime = true;
+        RestrictSUIDSGID = true;
+        PrivateMounts = true;
+        # System Call Filtering
+        SystemCallArchitectures = "native";
       };
     };
 

nixos/modules/services/x11/window-managers/default.nix

@@ -30,6 +30,7 @@ in
     ./sawfish.nix
     ./stumpwm.nix
     ./spectrwm.nix
+    ./tinywm.nix
     ./twm.nix
     ./windowmaker.nix
     ./wmii.nix

nixos/modules/services/x11/window-managers/tinywm.nix

@@ -0,0 +1,25 @@
+{ config, lib, pkgs, ... }:
+
+with lib;
+
+let
+  cfg = config.services.xserver.windowManager.tinywm;
+in
+{
+  ###### interface
+  options = {
+    services.xserver.windowManager.tinywm.enable = mkEnableOption "tinywm";
+  };
+
+  ###### implementation
+  config = mkIf cfg.enable {
+    services.xserver.windowManager.session = singleton {
+      name = "tinywm";
+      start = ''
+        ${pkgs.tinywm}/bin/tinywm &
+        waitPID=$!
+      '';
+    };
+    environment.systemPackages = [ pkgs.tinywm ];
+  };
+}

nixos/modules/system/boot/systemd.nix

@@ -201,8 +201,23 @@ let
     ];
 
   makeJobScript = name: text:
-    let mkScriptName =  s: "unit-script-" + (replaceChars [ "\\" "@" ] [ "-" "_" ] (shellEscape s) );
+    let
-    in  pkgs.writeTextFile { name = mkScriptName name; executable = true; inherit text; };
+      scriptName = replaceChars [ "\\" "@" ] [ "-" "_" ] (shellEscape name);
+      out = pkgs.writeTextFile {
+        # The derivation name is different from the script file name
+        # to keep the script file name short to avoid cluttering logs.
+        name = "unit-script-${scriptName}";
+        executable = true;
+        destination = "/bin/${scriptName}";
+        text = ''
+          #!${pkgs.runtimeShell} -e
+          ${text}
+        '';
+        checkPhase = ''
+          ${pkgs.stdenv.shell} -n "$out/bin/${scriptName}"
+        '';
+      };
+    in "${out}/bin/${scriptName}";
 
   unitConfig = { config, options, ... }: {
     config = {
@@ -250,40 +265,28 @@ let
           environment.PATH = config.path;
         }
         (mkIf (config.preStart != "")
-          { serviceConfig.ExecStartPre = makeJobScript "${name}-pre-start" ''
+          { serviceConfig.ExecStartPre =
-              #! ${pkgs.runtimeShell} -e
+              makeJobScript "${name}-pre-start" config.preStart;
-              ${config.preStart}
-            '';
           })
         (mkIf (config.script != "")
-          { serviceConfig.ExecStart = makeJobScript "${name}-start" ''
+          { serviceConfig.ExecStart =
-              #! ${pkgs.runtimeShell} -e
+              makeJobScript "${name}-start" config.script + " " + config.scriptArgs;
-              ${config.script}
-            '' + " " + config.scriptArgs;
           })
         (mkIf (config.postStart != "")
-          { serviceConfig.ExecStartPost = makeJobScript "${name}-post-start" ''
+          { serviceConfig.ExecStartPost =
-              #! ${pkgs.runtimeShell} -e
+              makeJobScript "${name}-post-start" config.postStart;
-              ${config.postStart}
-            '';
           })
         (mkIf (config.reload != "")
-          { serviceConfig.ExecReload = makeJobScript "${name}-reload" ''
+          { serviceConfig.ExecReload =
-              #! ${pkgs.runtimeShell} -e
+              makeJobScript "${name}-reload" config.reload;
-              ${config.reload}
-            '';
           })
         (mkIf (config.preStop != "")
-          { serviceConfig.ExecStop = makeJobScript "${name}-pre-stop" ''
+          { serviceConfig.ExecStop =
-              #! ${pkgs.runtimeShell} -e
+              makeJobScript "${name}-pre-stop" config.preStop;
-              ${config.preStop}
-            '';
           })
         (mkIf (config.postStop != "")
-          { serviceConfig.ExecStopPost = makeJobScript "${name}-post-stop" ''
+          { serviceConfig.ExecStopPost =
-              #! ${pkgs.runtimeShell} -e
+              makeJobScript "${name}-post-stop" config.postStop;
-              ${config.postStop}
-            '';
           })
       ];
   };

nixos/modules/virtualisation/libvirtd.nix

@@ -7,10 +7,8 @@ let
   cfg = config.virtualisation.libvirtd;
   vswitch = config.virtualisation.vswitch;
   configFile = pkgs.writeText "libvirtd.conf" ''
-    unix_sock_group = "libvirtd"
+    auth_unix_ro = "polkit"
-    unix_sock_rw_perms = "0770"
+    auth_unix_rw = "polkit"
-    auth_unix_ro = "none"
-    auth_unix_rw = "none"
     ${cfg.extraConfig}
   '';
   qemuConfigFile = pkgs.writeText "qemu.conf" ''
@@ -269,5 +267,14 @@ in {
 
     systemd.sockets.libvirtd    .wantedBy = [ "sockets.target" ];
     systemd.sockets.libvirtd-tcp.wantedBy = [ "sockets.target" ];
+
+    security.polkit.extraConfig = ''
+      polkit.addRule(function(action, subject) {
+        if (action.id == "org.libvirt.unix.manage" &&
+          subject.isInGroup("libvirtd")) {
+          return polkit.Result.YES;
+        }
+      });
+    '';
   };
 }

nixos/tests/all-tests.nix

@@ -225,6 +225,7 @@ in
   nginx = handleTest ./nginx.nix {};
   nginx-etag = handleTest ./nginx-etag.nix {};
   nginx-pubhtml = handleTest ./nginx-pubhtml.nix {};
+  nginx-sandbox = handleTestOn ["x86_64-linux"] ./nginx-sandbox.nix {};
   nginx-sso = handleTest ./nginx-sso.nix {};
   nix-ssh-serve = handleTest ./nix-ssh-serve.nix {};
   nixos-generate-config = handleTest ./nixos-generate-config.nix {};
@@ -260,6 +261,7 @@ in
   pppd = handleTest ./pppd.nix {};
   predictable-interface-names = handleTest ./predictable-interface-names.nix {};
   printing = handleTest ./printing.nix {};
+  privacyidea = handleTest ./privacyidea.nix {};
   prometheus = handleTest ./prometheus.nix {};
   prometheus-exporters = handleTest ./prometheus-exporters.nix {};
   prosody = handleTest ./xmpp/prosody.nix {};

nixos/tests/installer.nix

@@ -97,7 +97,7 @@ let
 
 
       def create_machine_named(name):
-          return create_machine({**default_flags, "name": "boot-after-install"})
+          return create_machine({**default_flags, "name": name})
 
 
       machine.start()
@@ -650,6 +650,32 @@ in {
     '';
   };
 
+  bcache = makeInstallerTest "bcache" {
+    createPartitions = ''
+      machine.succeed(
+          "flock /dev/vda parted --script /dev/vda --"
+          + " mklabel msdos"
+          + " mkpart primary ext2 1M 50MB"  # /boot
+          + " mkpart primary 50MB 512MB  "  # swap
+          + " mkpart primary 512MB 1024MB"  # Cache (typically SSD)
+          + " mkpart primary 1024MB -1s ",  # Backing device (typically HDD)
+          "modprobe bcache",
+          "udevadm settle",
+          "make-bcache -B /dev/vda4 -C /dev/vda3",
+          "echo /dev/vda3 > /sys/fs/bcache/register",
+          "echo /dev/vda4 > /sys/fs/bcache/register",
+          "udevadm settle",
+          "mkfs.ext3 -L nixos /dev/bcache0",
+          "mount LABEL=nixos /mnt",
+          "mkfs.ext3 -L boot /dev/vda1",
+          "mkdir /mnt/boot",
+          "mount LABEL=boot /mnt/boot",
+          "mkswap -f /dev/vda2 -L swap",
+          "swapon -L swap",
+      )
+    '';
+  };
+
   # Test a basic install using GRUB 1.
   grub1 = makeInstallerTest "grub1" {
     createPartitions = ''

nixos/tests/nginx-pubhtml.nix

@@ -2,6 +2,7 @@ import ./make-test-python.nix {
   name = "nginx-pubhtml";
 
   machine = { pkgs, ... }: {
+    systemd.services.nginx.serviceConfig.ProtectHome = "read-only";
     services.nginx.enable = true;
     services.nginx.virtualHosts.localhost = {
       locations."~ ^/\\~([a-z0-9_]+)(/.*)?$".alias = "/home/$1/public_html$2";

nixos/tests/nginx-sandbox.nix

@@ -0,0 +1,66 @@
+import ./make-test-python.nix ({ pkgs, ... }: {
+  name = "nginx-sandbox";
+  meta = with pkgs.stdenv.lib.maintainers; {
+    maintainers = [ izorkin ];
+  };
+
+  # This test checks the creation and reading of a file in sandbox mode. Used simple lua script.
+
+  machine = { pkgs, ... }: {
+    nixpkgs.overlays = [
+      (self: super: {
+        nginx-lua = super.nginx.override {
+          modules = [
+            pkgs.nginxModules.lua
+          ];
+        };
+      })
+    ];
+    services.nginx.enable = true;
+    services.nginx.package = pkgs.nginx-lua;
+    services.nginx.enableSandbox = true;
+    services.nginx.virtualHosts.localhost = {
+      extraConfig = ''
+        location /test1-write {
+          content_by_lua_block {
+            local create = os.execute('${pkgs.coreutils}/bin/mkdir /tmp/test1-read')
+            local create = os.execute('${pkgs.coreutils}/bin/touch /tmp/test1-read/foo.txt')
+            local echo = os.execute('${pkgs.coreutils}/bin/echo worked > /tmp/test1-read/foo.txt')
+          }
+        }
+        location /test1-read {
+          root /tmp;
+        }
+        location /test2-write {
+          content_by_lua_block {
+            local create = os.execute('${pkgs.coreutils}/bin/mkdir /var/web/test2-read')
+            local create = os.execute('${pkgs.coreutils}/bin/touch /var/web/test2-read/bar.txt')
+            local echo = os.execute('${pkgs.coreutils}/bin/echo error-worked > /var/web/test2-read/bar.txt')
+          }
+        }
+        location /test2-read {
+          root /var/web;
+        }
+      '';
+    };
+    users.users.foo.isNormalUser = true;
+  };
+
+  testScript = ''
+    machine.wait_for_unit("nginx")
+    machine.wait_for_open_port(80)
+
+    # Checking write in temporary folder
+    machine.succeed("$(curl -vvv http://localhost/test1-write)")
+    machine.succeed('test "$(curl -fvvv http://localhost/test1-read/foo.txt)" = worked')
+
+    # Checking write in protected folder. In sandbox mode for the nginx service, the folder /var/web is mounted
+    # in read-only mode.
+    machine.succeed("mkdir -p /var/web")
+    machine.succeed("chown nginx:nginx /var/web")
+    machine.succeed("$(curl -vvv http://localhost/test2-write)")
+    assert "404 Not Found" in machine.succeed(
+        "curl -vvv -s http://localhost/test2-read/bar.txt"
+    )
+  '';
+})

nixos/tests/privacyidea.nix

@@ -0,0 +1,36 @@
+# Miscellaneous small tests that don't warrant their own VM run.
+
+import ./make-test-python.nix ({ pkgs, ...} : rec {
+  name = "privacyidea";
+  meta = with pkgs.stdenv.lib.maintainers; {
+    maintainers = [ fpletz ];
+  };
+
+  machine = { ... }: {
+    virtualisation.cores = 2;
+    virtualisation.memorySize = 512;
+
+    services.privacyidea = {
+      enable = true;
+      secretKey = "testing";
+      pepper = "testing";
+      adminPasswordFile = pkgs.writeText "admin-password" "testing";
+      adminEmail = "root@localhost";
+    };
+    services.nginx = {
+      enable = true;
+      virtualHosts."_".locations."/".extraConfig = ''
+        uwsgi_pass unix:/run/privacyidea/socket;
+      '';
+    };
+  };
+
+  testScript = ''
+    machine.start()
+    machine.wait_for_unit("multi-user.target")
+    machine.succeed("curl --fail http://localhost | grep privacyIDEA")
+    machine.succeed(
+        "curl --fail http://localhost/auth -F username=admin -F password=testing | grep token"
+    )
+  '';
+})

pkgs/applications/audio/gspeech/default.nix

@@ -0,0 +1,73 @@
+{ lib
+, fetchFromGitHub
+, python3
+, gtk3
+, wrapGAppsHook
+, glibcLocales
+, gobject-introspection
+, gettext
+, pango
+, gdk-pixbuf
+, librsvg
+, atk
+, libnotify
+, libappindicator-gtk3
+, gst_all_1
+, makeWrapper
+, picotts
+, sox
+}:
+
+python3.pkgs.buildPythonApplication rec {
+  pname = "gSpeech";
+  version = "0.9.2";
+
+  src = fetchFromGitHub {
+    owner = "mothsart";
+    repo = pname;
+    rev = version;
+    sha256 = "11pvdpb9jjssp8nmlj21gs7ncgfm89kw26mfc8c2x8w2q4h92ja3";
+  };
+
+  nativeBuildInputs = [
+    wrapGAppsHook
+    gobject-introspection
+    pango
+    gdk-pixbuf
+    atk
+    gettext
+    libnotify
+    libappindicator-gtk3
+    gst_all_1.gstreamer
+    gst_all_1.gst-plugins-base
+    gst_all_1.gst-plugins-good
+    makeWrapper
+  ];
+
+  buildInputs = [
+    glibcLocales
+    gtk3
+    python3
+  ];
+
+  propagatedBuildInputs = with python3.pkgs; [
+    pygobject3
+    librsvg
+  ];
+
+  postFixup = ''
+    wrapProgram $out/bin/gspeech --prefix PATH : ${lib.makeBinPath [ picotts ]}
+    wrapProgram $out/bin/gspeech-cli --prefix PATH : ${lib.makeBinPath [ picotts ]}
+  '';
+
+  strictDeps = false;
+
+  meta = with lib; {
+    description = "A minimal GUI for the Text To Speech 'Svox Pico'. Read clipboard or selected text in different languages and manage it : pause, stop, replay.";
+    homepage = "https://github.com/mothsART/gSpeech";
+    maintainers = with maintainers; [ mothsart ];
+    license = licenses.gpl3;
+    platforms = platforms.unix;
+  };
+}
+

pkgs/applications/audio/synthv1/default.nix

@@ -2,11 +2,11 @@
 
 mkDerivation rec {
   pname = "synthv1";
-  version = "0.9.13";
+  version = "0.9.14";
 
   src = fetchurl {
     url = "mirror://sourceforge/synthv1/${pname}-${version}.tar.gz";
-    sha256 = "0bb48myvgvqcibwm68qhd4852pjr2g19rasf059a799d1hzgfq3l";
+    sha256 = "08n83krkak20924flb9azhm9hn40lyfvn29m63zs3lw3wajf0b40";
   };
 
   buildInputs = [ qtbase qttools libjack2 alsaLib liblo lv2 ];

pkgs/applications/blockchains/ledger-live-desktop/default.nix

@@ -2,12 +2,12 @@
 
 let
   pname = "ledger-live-desktop";
-  version = "2.1.0";
+  version = "2.3.2";
   name = "${pname}-${version}";
 
   src = fetchurl {
     url = "https://github.com/LedgerHQ/${pname}/releases/download/v${version}/${pname}-${version}-linux-x86_64.AppImage";
-    sha256 = "1ywvdqmq8asczhmvc6ai2v6di1f5q19x3ygqlinwz8d1hrj3496r";
+    sha256 = "0xd3w564zij614ajg57n1qlvz0hd9l7219qxx81ai6b02b9a5g9h";
   };
 
   appimageContents = appimageTools.extractType2 {

pkgs/applications/editors/emacs-modes/emacspeak/default.nix

@@ -1,10 +1,9 @@
-{ stdenv, fetchurl, makeWrapper, emacs, tcl, tclx, espeak-ng }:
+{ stdenv, fetchurl, makeWrapper, emacs, tcl, tclx, espeak-ng, lib }:
 
 stdenv.mkDerivation rec {
   pname = "emacspeak";
   version = "51.0";
 
-
   src = fetchurl {
     url = "https://github.com/tvraman/emacspeak/releases/download/${version}/${pname}-${version}.tar.bz2";
     sha256 = "09a0ywxlqa8jmc0wmvhaf7bdydnkyhy9nqfsdqcpbsgdzj6qpg90";
@@ -33,11 +32,11 @@ stdenv.mkDerivation rec {
         --add-flags '-l "${placeholder "out"}/share/emacs/site-lisp/emacspeak/lisp/emacspeak-setup.elc"'
   '';
 
-  meta = with stdenv.lib; {
+  meta = {
     homepage = "https://github.com/tvraman/emacspeak/";
     description = "Emacs extension that provides spoken output";
-    license = licenses.gpl2;
+    license = lib.licenses.gpl2;
-    maintainers = [ dema ];
+    maintainers = [ ];
-    platforms = platforms.linux;
+    platforms = lib.platforms.linux;
   };
 }

pkgs/applications/editors/emacs-modes/hol_light/default.nix

@@ -1,29 +0,0 @@
-{ stdenv, fetchsvn }:
-
-stdenv.mkDerivation rec {
-  pname = "hol_light-mode";
-  version = "73";
-
-  src = fetchsvn {
-    url = "http://seanmcl-ocaml-lib.googlecode.com/svn/trunk/workshop/software/emacs";
-    rev = version;
-    sha256 = "3ca83098960439da149a47e1caff32536601559a77f04822be742a390c67feb7";
-  };
-
-  installPhase = ''
-    DEST=$out/share/emacs/site-lisp
-    mkdir -p $DEST
-    cp -a * $DEST
-  '';
-
-  meta = {
-    description = "A HOL Light mode for Emacs";
-    homepage    = "http://www.cl.cam.ac.uk/~jrh13/hol-light/";
-    license     = stdenv.lib.licenses.gpl2Plus;
-    platforms   = stdenv.lib.platforms.all;
-    maintainers = [ stdenv.lib.maintainers.thoughtpolice ];
-
-    # Fails trying to fetch dependencies in build
-    # broken = true;
-  };
-}

pkgs/applications/editors/emacs-modes/libgenerated.nix

@@ -25,10 +25,12 @@ let
         }
       ) {};
       git = self.callPackage ({ fetchgit }:
-        fetchgit {
+        (fetchgit {
           rev = commit;
           inherit sha256 url;
-        }
+        }).overrideAttrs(_: {
+          GIT_SSL_NO_VERIFY = true;
+        })
       ) {};
       bitbucket = self.callPackage ({ fetchhg }:
         fetchhg {

pkgs/applications/editors/emacs-modes/manual-packages.nix

@@ -135,7 +135,6 @@
   colorThemeSolarized = callPackage ./color-theme-solarized { };
   emacsSessionManagement = callPackage ./session-management-for-emacs { };
   hsc3-mode = callPackage ./hsc3 { };
-  hol_light_mode = callPackage ./hol_light { };
   ido-ubiquitous = callPackage ./ido-ubiquitous { };
   ocaml-mode = callPackage ./ocaml { };
   prolog-mode = callPackage ./prolog { };

pkgs/applications/editors/lite/default.nix

@@ -0,0 +1,58 @@
+{ stdenv
+, fetchFromGitHub
+, SDL2
+, lua52Packages
+, pkg-config
+, makeWrapper
+} :
+
+stdenv.mkDerivation rec {
+  pname = "lite";
+  version = "1.03";
+
+  src = fetchFromGitHub {
+    owner = "rxi";
+    repo = pname;
+    rev = "v${version}";
+    sha256 = "1h8z4fav5ns9sm92axs3k9v6jgkqq0vg9mixza14949blr426mlj";
+  };
+
+  nativeBuildInputs = [ makeWrapper pkg-config ];
+
+  buildInputs = [ SDL2 lua52Packages.lua ];
+
+  postPatch = ''
+    # use system Lua 5.2
+    rm -rf src/lib/lua52
+    substituteInPlace src/api/api.h \
+      --replace '"lib/lua52/lua.h"' '<lua.h>' \
+      --replace '"lib/lua52/lauxlib.h"' '<lauxlib.h>' \
+      --replace '"lib/lua52/lualib.h"' '<lualib.h>'
+  '';
+
+  buildPhase = ''
+    # extracted and adapted from build.sh
+    CC=$NIX_CC/bin/cc
+    CFLAGS="-Wall -O3 -g -std=gnu11 -Isrc -DLUA_USE_POPEN $(pkg-config --cflags lua sdl2)"
+    LDFLAGS="$(pkg-config --libs lua sdl2)"
+    for f in $(find src -name "*.c"); do
+      $CC -c $CFLAGS $f -o "''${f//\//_}.o"
+    done
+    $CC *.o $LDFLAGS -o lite
+  '';
+
+  installPhase = ''
+    mkdir -p $out/bin $out/lib/${pname}
+    cp -a lite $out/lib/${pname}
+    cp -a data $out/lib/${pname}
+    makeWrapper $out/lib/${pname}/lite $out/bin/lite
+  '';
+
+  meta = with stdenv.lib; {
+    description = "A lightweight text editor written in Lua";
+    homepage = "https://github.com/rxi/lite";
+    license = licenses.mit;
+    maintainers = with maintainers; [ filalex77 ];
+    platforms = platforms.unix;
+  };
+}

pkgs/applications/editors/vscode/generic.nix

@@ -78,8 +78,6 @@ in
         mkdir -p $out/lib/vscode $out/bin
         cp -r ./* $out/lib/vscode
 
-        substituteInPlace $out/lib/vscode/bin/${executableName} --replace '"$CLI" "$@"' '"$CLI" "--skip-getting-started" "$@"'
-
         ln -s $out/lib/vscode/bin/${executableName} $out/bin
 
         mkdir -p $out/share/applications

pkgs/applications/editors/vscode/vscode.nix

@@ -11,8 +11,8 @@ let
   archive_fmt = if system == "x86_64-darwin" then "zip" else "tar.gz";
 
   sha256 = {
-    x86_64-linux = "1n083pzp2dsz6z6rcl1ldcwhd4i03sjigdfslfardhc4v5lbvmv8";
+    x86_64-linux = "16zchjp72m6n6za4ak5kn2ax1s5pjfn7l082d6gfbb2y62isvs7q";
-    x86_64-darwin = "1qk3gscyskf4fwc8i09afr3wsyd1lwwycx6rf02wwh4n9py50b20";
+    x86_64-darwin = "0w35s6nxagcnd6xcm6bp0m63agkqxffig61cr3nnmpbcgj9zc969";
   }.${system};
 in
   callPackage ./generic.nix rec {
@@ -21,7 +21,7 @@ in
 
     # Please backport all compatible updates to the stable release.
     # This is important for the extension ecosystem.
-    version = "1.44.2";
+    version = "1.45.0";
     pname = "vscode";
 
     executableName = "code" + lib.optionalString isInsiders "-insiders";

pkgs/applications/editors/vscode/vscodium.nix

@@ -11,8 +11,8 @@ let
   archive_fmt = if system == "x86_64-darwin" then "zip" else "tar.gz";
 
   sha256 = {
-    x86_64-linux = "141hwj1a2bsgzpfk354dnnmg4ak00fss3xsgqplyk949pbk6v1af";
+    x86_64-linux = "1wb4s2jw90irlawgl6539gwl0xwaxglaksmbcddbvnr6rq3ypn8n";
-    x86_64-darwin = "0fi8nz1gayzw5dp6d3m7jsmij3jj4yjg5rk1s9w6falpgka76dm1";
+    x86_64-darwin = "16c1r7knfd5pfqhnk77nanh82azkc28pwkqfcyasbdgm70k17d3p";
   }.${system};
 
   sourceRoot = {
@@ -27,7 +27,7 @@ in
 
     # Please backport all compatible updates to the stable release.
     # This is important for the extension ecosystem.
-    version = "1.44.2";
+    version = "1.45.0";
     pname = "vscodium";
 
     executableName = "codium";

pkgs/applications/graphics/krop/default.nix

@@ -24,6 +24,10 @@ python3Packages.buildPythonApplication rec {
    "\${qtWrapperArgs[@]}"
   ];
 
+  postInstall = ''
+    install -m666 -Dt $out/share/applications krop.desktop
+  '';
+
   # Disable checks because of interference with older Qt versions // xcb
   doCheck = false;
 

pkgs/applications/kde/kdegraphics-thumbnailers.nix

@@ -13,7 +13,7 @@ mkDerivation {
     # Fix a bug with thumbnail.so processes hanging:
     # https://bugs.kde.org/show_bug.cgi?id=404652
     (fetchpatch {
-      url = "https://phabricator.kde.org/file/data/tnk4b6roouixzifi6vre/PHID-FILE-qkkedevt7svx7lv56ea5/D26635.diff";
+      url = "https://github.com/KDE/kdegraphics-thumbnailers/commit/3e2ea6e924d0e2a2cdd9bb435b06965117d6d34c.patch";
       sha256 = "0fq85zhymmrq8vl0y6vgh87qf4c6fhcq704p4kpkaq7y0isxj4h1";
     })
   ];

pkgs/applications/misc/almanah/default.nix

@@ -1,5 +1,6 @@
 { stdenv
 , fetchurl
+, fetchpatch
 , atk
 , cairo
 , desktop-file-utils
@@ -30,6 +31,15 @@ stdenv.mkDerivation rec {
     sha256 = "09rxx4s4c34d1axza6ayss33v78p44r9bpx058shllh1sf5avpcb";
   };
 
+  patches = [
+    # Fix gpgme detection
+    # https://gitlab.gnome.org/GNOME/almanah/merge_requests/7
+    (fetchpatch {
+      url = "https://gitlab.gnome.org/GNOME/almanah/commit/4b979c4145ef2fbceebb3849a70df1d0ceb1bb93.patch";
+      sha256 = "q3M+osNWz7AsDQtFju5S7P4wH3cAdzKOPKnEXTJ+k3M=";
+    })
+  ];
+
   nativeBuildInputs = [
     desktop-file-utils
     gettext

pkgs/applications/misc/cheat/default.nix

@@ -3,13 +3,13 @@
 
 buildGoModule rec {
   pname = "cheat";
-  version = "3.9.0";
+  version = "3.10.0";
 
   src = fetchFromGitHub {
     owner = "cheat";
     repo = "cheat";
     rev = version;
-    sha256 = "0jbqflkcfdrinx1lk45klm8ml0n4cgp43nzls1376cd3hfayby1y";
+    sha256 = "1rrhll1i5ibxdchpdifajvsm697pilf82rbq7arn4f4pw5izrhy6";
   };
 
   subPackages = [ "cmd/cheat" ];
@@ -20,7 +20,7 @@ buildGoModule rec {
     installShellCompletion scripts/cheat.{bash,fish,zsh}
   '';
 
-  modSha256 = "1is19qca5wgzya332rmpk862nnivxzgxchkllv629f5fwwdvdgmg";
+  modSha256 = "1z4za3rivc3vqv59p5yb5c9dcpmq669rzmf4z7zilbvmgm0pbgfp";
 
   meta = with stdenv.lib; {
     description = "Create and view interactive cheatsheets on the command-line";

pkgs/applications/misc/cpu-x/default.nix

@@ -0,0 +1,27 @@
+{ stdenv, fetchFromGitHub, cmake, pkgconfig, gtk3, ncurses, curl
+, json_c, libcpuid, pciutils, procps, wrapGAppsHook, nasm }:
+
+stdenv.mkDerivation rec {
+  pname = "cpu-x";
+  version = "3.2.4";
+
+  src = fetchFromGitHub {
+    owner = "X0rg";
+    repo = "CPU-X";
+    rev = "v${version}";
+    sha256 = "03y49wh9v7x6brmavj5a2clihn0z4f01pypl7m8ymarv4y3a6xkl";
+  };
+
+  nativeBuildInputs = [ cmake pkgconfig wrapGAppsHook nasm ];
+  buildInputs = [
+    gtk3 ncurses curl json_c libcpuid pciutils procps
+  ];
+
+  meta = with stdenv.lib; {
+    description = "Free software that gathers information on CPU, motherboard and more";
+    homepage = src.meta.homepage;
+    license = licenses.gpl3;
+    platforms = [ "x86_64-linux" ];
+    maintainers = with maintainers; [ gnidorah ];
+  };
+}

pkgs/applications/misc/lutris/chrootenv.nix

@@ -105,6 +105,9 @@ in buildFHSUserEnv {
     cups lcms2 mpg123 cairo unixODBC samba4 sane-backends openldap
     ocl-icd utillinux libkrb5
 
+    # Proton
+    libselinux
+
     # Winetricks
     fribidi
   ] ++ xorgDeps pkgs;

pkgs/applications/misc/tilda/default.nix

@@ -7,13 +7,13 @@ with stdenv.lib;
 stdenv.mkDerivation rec {
 
   pname = "tilda";
-  version = "1.5.0";
+  version = "1.5.1";
 
   src = fetchFromGitHub {
     owner = "lanoxx";
     repo = "tilda";
     rev = "${pname}-${version}";
-    sha256 = "13djibj3s7ig13c57ywy38pxy3qfmqihii2c0g15fy2h9q8xp1gx";
+    sha256 = "1kk69sg7ph906yr5jagkjx0qfkhr5w2nyx407wl2dsjimbps44rd";
   };
 
   nativeBuildInputs = [ autoreconfHook makeWrapper pkgconfig ];

pkgs/applications/misc/translate-shell/default.nix

@@ -2,13 +2,13 @@
 
 stdenv.mkDerivation rec {
   pname = "translate-shell";
-  version = "0.9.6.11";
+  version = "0.9.6.12";
 
   src = fetchFromGitHub {
     owner = "soimort";
     repo = "translate-shell";
     rev = "v${version}";
-    sha256 = "137fz3ahzf65hfqcs4k7hhrmfjlhlw7wr3gfsvk88bnyqkyw44sm";
+    sha256 = "075vqnha21rhr1b61dim7dqlfwm1yffyzcaa83s36rpk9r5sddzx";
   };
 
   buildInputs = [ makeWrapper ];

pkgs/applications/misc/visidata/default.nix

@@ -43,7 +43,7 @@ buildPythonApplication rec {
     description = "Interactive terminal multitool for tabular data";
     license = lib.licenses.gpl3;
     maintainers = [ lib.maintainers.raskin ];
-    platforms = lib.platforms.linux;
+    platforms = with lib.platforms; linux ++ darwin;
     homepage = "http://visidata.org/";
   };
 }

pkgs/applications/misc/worker/default.nix

@@ -2,11 +2,11 @@
 
 stdenv.mkDerivation rec {
   pname = "worker";
-  version = "4.3.0";
+  version = "4.4.0";
 
   src = fetchurl {
     url = "http://www.boomerangsworld.de/cms/worker/downloads/${pname}-${version}.tar.gz";
-    sha256 = "0s7i1qjnh4mfjyrfvbbr1dklqi0n2nwksls21106q633wk9qdlqx";
+    sha256 = "1k2svpzq01n1h9365nhi7r2k7dmsviczxi9m6fb80ccccdz7i530";
   };
 
   buildInputs = [ libX11 ];

pkgs/applications/misc/xmrig/proxy.nix

@@ -1,20 +1,20 @@
-{ stdenv, lib, fetchFromGitHub, cmake, libuv, libmicrohttpd, libuuid, openssl
+{ stdenv, lib, fetchFromGitHub, cmake, libuv, libmicrohttpd, openssl
 , donateLevel ? 0
 }:
 
 stdenv.mkDerivation rec {
   pname = "xmrig-proxy";
-  version = "5.0.1";
+  version = "5.10.0";
 
   src = fetchFromGitHub {
     owner = "xmrig";
     repo = "xmrig-proxy";
     rev = "v${version}";
-    sha256 = "0lp11p4lf03l9x2kcpq1j19z7c1zrdvjmcfh2xyvlbw8pqx0hxkv";
+    sha256 = "1p8bxp2nv30c3j3kb0bpby86378h6m7nv2vvzw06lqsj5fqbw4g5";
   };
 
   nativeBuildInputs = [ cmake ];
-  buildInputs = [ libuv libmicrohttpd libuuid openssl ];
+  buildInputs = [ libuv libmicrohttpd openssl ];
 
   postPatch = ''
     # Link dynamically against libuuid instead of statically

pkgs/applications/networking/browsers/firefox/common.nix

@@ -94,6 +94,11 @@ stdenv.mkDerivation ({
 
   patches = [
     ./env_var_for_system_dir.patch
+    # Fix for NSS 3.52 (add missing CK_GCM_PARMS field)
+    (fetchpatch {
+      url = "https://hg.mozilla.org/mozilla-central/raw-rev/463069687b3d";
+      sha256 = "00yhz67flnkww3rbry0kqn6z6bm7vxfb2sgf7qikgbjcm3ysvpsm";
+    })
   ]
   ++ patches;
 

pkgs/applications/networking/browsers/qutebrowser/default.nix

@@ -21,12 +21,12 @@ let
 
 in mkDerivationWith python3Packages.buildPythonApplication rec {
   pname = "qutebrowser";
-  version = "1.11.0";
+  version = "1.11.1";
 
   # the release tarballs are different from the git checkout!
   src = fetchurl {
     url = "https://github.com/qutebrowser/qutebrowser/releases/download/v${version}/${pname}-${version}.tar.gz";
-    sha256 = "0b0qlki9bp9mm41lrh6rc6qqvm4nsz8da63sby3a1f2xm9b9vvg2";
+    sha256 = "0cxmmw002f5rvxzyhlhzqm2ipf64w4vspf298p6c5kpg535m8cvs";
   };
 
   # Needs tox

pkgs/applications/networking/cluster/cni/plugins.nix

@@ -2,17 +2,21 @@
 
 buildGoPackage rec {
   pname = "cni-plugins";
-  version = "0.8.5";
+  version = "0.8.6";
 
   src = fetchFromGitHub {
     owner = "containernetworking";
     repo = "plugins";
     rev = "v${version}";
-    sha256 = "17c8pvpn0dpda6ah7irr9hhd8sk7mnm32zv72nc5pxg1xvfpaipi";
+    sha256 = "0f1cqxjf26sy1c4aw6y7pyd9lrz0vknby4q5j6xj77a1pab9073m";
   };
 
   goPackagePath = "github.com/containernetworking/plugins";
 
+  buildFlagsArray = [
+    "-ldflags=-X ${goPackagePath}/pkg/utils/buildversion.BuildVersion=${version}"
+  ];
+
   subPackages = [
     "plugins/ipam/dhcp"
     "plugins/ipam/host-local"

pkgs/applications/networking/cluster/helmsman/default.nix

@@ -0,0 +1,23 @@
+{ lib, buildGoModule, fetchFromGitHub, ... }:
+
+buildGoModule rec {
+  pname = "helmsman";
+  version = "3.3.0";
+
+  src = fetchFromGitHub {
+    owner = "Praqma";
+    repo = "helmsman";
+    rev = "v${version}";
+    sha256 = "0i7sg3iwxb07gjxcz6chpdcx3fqykzldmf7s1c9m02hkps910ca8";
+  };
+
+  modSha256 = "19qdrrwmjc32nw8m0zi251z32wqj2d956wgd1dkcvx1x0n4p435g";
+
+  meta = with lib; {
+    description = "Helm Charts (k8s applications) as Code tool";
+    homepage = "https://github.com/Praqma/helmsman";
+    license = licenses.mit;
+    maintainers = with maintainers; [ lynty ];
+    platforms = platforms.unix;
+  };
+}

pkgs/applications/networking/cluster/minikube/default.nix

@@ -11,18 +11,18 @@
 
 buildGoModule rec {
   pname = "minikube";
-  version = "1.9.2";
+  version = "1.10.1";
 
   # for -ldflags
-  commit = "1b78a7b8a99ad6a3c62b8d22f57120d614d17935";
+  commit = "63ab801ac27e5742ae442ce36dff7877dcccb278";
 
-  modSha256 = "1pxs6myszgma3rzz0nhfjbnylv6m0xzlinvmlg0c4ijvkkzxg3v5";
+  modSha256 = "1g94jjwr5higg1b297zwp6grkj7if3mrdafjq9vls9y2svh11xr8";
 
   src = fetchFromGitHub {
     owner = "kubernetes";
     repo = "minikube";
     rev = "v${version}";
-    sha256 = "025v45427d885qkjjg7ig8fgrvjalnf1lajsj0cnbwbih2m69svg";
+    sha256 = "05lv6k0j0l00s2895fryp027aa40whbf1gf3fhfg0z5d3p9sbprk";
   };
 
   nativeBuildInputs = [ go-bindata installShellFiles pkg-config which ];

pkgs/applications/networking/cluster/terraform/default.nix

@@ -118,8 +118,8 @@ in rec {
   terraform_0_11-full = terraform_0_11.full;
 
   terraform_0_12 = pluggable (generic {
-    version = "0.12.24";
+    version = "0.12.25";
-    sha256 = "1rjihp6qcaizp2nnv4z20kpmjnqcw95pq5rnhq381a3pdzr0cd0z";
+    sha256 = "0xq4327386x6isw82d4xyq70pw7xxlh4sgmqas0b2pvyz85jxdch";
     patches = [
         ./provider-path.patch
         (fetchpatch {

pkgs/applications/networking/instant-messengers/zoom-us/default.nix

@@ -15,11 +15,11 @@ assert pulseaudioSupport -> libpulseaudio != null;
 let
   inherit (stdenv.lib) concatStringsSep makeBinPath optional;
 
-  version = "5.0.399860.0429";
+  version = "5.0.403652.0509";
   srcs = {
     x86_64-linux = fetchurl {
       url = "https://zoom.us/client/${version}/zoom_x86_64.tar.xz";
-      sha256 = "1jid8rs403b709scz8vpqsi1dxdmssn5426wa3d16p45blnxk16k";
+      sha256 = "00bprrfc7mmf3yg6jddqm2qr73m2zycr8hy19dxqpzld9gbvyzik";
     };
   };
 

pkgs/applications/networking/openbazaar/client.nix

@@ -0,0 +1,57 @@
+{ stdenv
+, fetchurl
+, gcc-unwrapped
+, dpkg
+, bash
+, nodePackages
+, makeWrapper
+, electron_6
+}:
+
+stdenv.mkDerivation rec {
+  pname = "openbazaar-client";
+  version = "2.4.4";
+
+  src = fetchurl {
+    url = "https://github.com/OpenBazaar/openbazaar-desktop/releases/download/v${version}/openbazaar2client_${version}_amd64.deb";
+    sha256 = "146vqwc1gv5zqcz60np8v9ps44m0d2yyjzqpmd4s0pcywvvwdvn6";
+  };
+
+  dontBuild = true;
+  dontConfigure = true;
+
+  nativeBuildInputs = [ makeWrapper ];
+
+  unpackPhase = ''
+    ${dpkg}/bin/dpkg-deb -x $src .
+  '';
+
+  installPhase = ''
+    runHook preInstall
+
+    mkdir -p $out/bin $out/share/{${pname},applications,pixmaps}
+
+    cp -a usr/lib/openbazaar2client/{locales,resources} $out/share/${pname}
+    cp -a usr/share/applications/openbazaar2client.desktop $out/share/applications/${pname}.desktop
+    cp -a usr/share/pixmaps/openbazaar2client.png $out/share/pixmaps/${pname}.png
+
+    substituteInPlace $out/share/applications/${pname}.desktop \
+      --replace 'openbazaar2client' 'openbazaar-client'
+
+    runHook postInstall
+  '';
+
+  postFixup = ''
+    makeWrapper ${electron_6}/bin/electron $out/bin/${pname} \
+      --add-flags $out/share/${pname}/resources/app \
+      --prefix LD_LIBRARY_PATH : "${stdenv.lib.makeLibraryPath [ gcc-unwrapped.lib ]}"
+  '';
+
+  meta = with stdenv.lib; {
+    description = "Decentralized Peer to Peer Marketplace for Bitcoin - client";
+    homepage = "https://www.openbazaar.org/";
+    license = licenses.mit;
+    maintainers = with maintainers; [ prusnak ];
+    platforms = [ "x86_64-linux" ];
+  };
+}

pkgs/applications/networking/openbazaar/default.nix

@@ -0,0 +1,48 @@
+{ stdenv
+, fetchurl
+}:
+
+stdenv.mkDerivation rec {
+  pname = "openbazaar";
+  version = "0.14.2";
+
+  suffix = {
+    i686-linux    = "linux-386";
+    x86_64-darwin = "darwin-10.6-amd64";
+    x86_64-linux  = "linux-amd64";
+  }.${stdenv.hostPlatform.system} or (throw "Unsupported system: ${stdenv.hostPlatform.system}");
+
+  src = fetchurl {
+    url = "https://github.com/OpenBazaar/openbazaar-go/releases/download/v${version}/${pname}-go-${suffix}";
+    sha256 = {
+      i686-linux    = "02kl4ci2pz86qqsll7578q0acygncsyylaschjzzii34c86f1aym";
+      x86_64-darwin = "1v5m94x4x0nc6i8zlcwb36ps1zpgqgcsz81x1ghkz5c9xzszgzbp";
+      x86_64-linux  = "0m0digw66rzhwl2im88qavli9cc5vxd9pwj6ix86dcf98r93xsrp";
+    }.${stdenv.hostPlatform.system} or (throw "Unsupported system: ${stdenv.hostPlatform.system}");
+  };
+
+  dontUnpack = true;
+  dontConfigure = true;
+  dontBuild = true;
+  dontStrip = true;
+  dontPatchELF = true;
+  preferLocalBuild = true;
+
+  installPhase = ''
+    install -D $src $out/bin/openbazaard
+  '';
+
+  postFixup = stdenv.lib.optionalString (!stdenv.isDarwin) ''
+    patchelf \
+      --set-interpreter "$(cat $NIX_CC/nix-support/dynamic-linker)" \
+      $out/bin/openbazaard
+  '';
+
+  meta = with stdenv.lib; {
+    description = "Decentralized Peer to Peer Marketplace for Bitcoin - daemon";
+    homepage = "https://www.openbazaar.org/";
+    license = licenses.mit;
+    maintainers = with maintainers; [ prusnak ];
+    platforms = [ "i686-linux" "x86_64-darwin" "x86_64-linux" ];
+  };
+}

pkgs/applications/networking/znc/default.nix

@@ -13,11 +13,11 @@ with stdenv.lib;
 
 stdenv.mkDerivation rec {
   pname = "znc";
-  version = "1.7.5";
+  version = "1.8.0";
 
   src = fetchurl {
     url = "https://znc.in/releases/archive/${pname}-${version}.tar.gz";
-    sha256 = "08a7yb2xs85hyyz8dpzfbsfjwj2r6kcii022lj3l4rf8hl9ix558";
+    sha256 = "0m5xf60r40pgbg9lyk56dafxj2hj149pn2wf8vzsp8xgq4kv5zcl";
   };
 
   nativeBuildInputs = [ pkgconfig ];

pkgs/applications/office/skrooge/default.nix

@@ -7,11 +7,11 @@
 
 mkDerivation rec {
   pname = "skrooge";
-  version = "2.21.1";
+  version = "2.22.1";
 
   src = fetchurl {
     url = "http://download.kde.org/stable/skrooge/${pname}-${version}.tar.xz";
-    sha256 = "0lv953i7cybzbxr5gx6g4libdcjj086jf152mwrwvx1avrpjavb8";
+    sha256 = "194vwnc2fi7cgdhasxpr1gxjqqsiqadhadvv43d0lxaxys6f360h";
   };
 
   nativeBuildInputs = [

pkgs/applications/office/zotero/default.nix

@@ -35,11 +35,11 @@
 
 stdenv.mkDerivation rec {
   pname = "zotero";
-  version = "5.0.83";
+  version = "5.0.85";
 
   src = fetchurl {
     url = "https://download.zotero.org/client/release/${version}/Zotero-${version}_linux-x86_64.tar.bz2";
-    sha256 = "1abkwxdi154hnry8nsvxbklvbsnvd7cs2as0041h2kbiz824pv31";
+    sha256 = "0zqc27kld7rm3akmrnf9ba1x2hb9838cbv6i3nkqvg81ly5gfbxs";
   };
 
   nativeBuildInputs = [ wrapGAppsHook ];

pkgs/applications/science/electronics/verilator/default.nix

@@ -2,11 +2,11 @@
 
 stdenv.mkDerivation rec {
   pname = "verilator";
-  version = "4.032";
+  version = "4.034";
 
   src = fetchurl {
     url    = "https://www.veripool.org/ftp/${pname}-${version}.tgz";
-    sha256 = "1l3rhgw7pk59dz7dyhcl0iygn6c9rv9bv131rfzg66asxfwbfq1s";
+    sha256 = "02xqvl9ic21jpda0xldh4ihqwl4ss8389s8fklgx5d98xq37pval";
   };
 
   enableParallelBuilding = true;

pkgs/applications/science/math/wxmaxima/default.nix

@@ -4,13 +4,13 @@
 
 stdenv.mkDerivation rec {
   pname = "wxmaxima";
-  version = "20.02.4";
+  version = "20.04.0";
 
   src = fetchFromGitHub {
     owner = "wxMaxima-developers";
     repo = "wxmaxima";
     rev = "Version-${version}";
-    sha256 = "106a7jrjwfmymzj70nsv44fm3jbxngr8pmkaghhpwy0ln38lhf54";
+    sha256 = "0vrjxzfgmjdzm1rgl0crz4b4badl14jwh032y3xkcdvjl5j67lp3";
   };
 
   buildInputs = [ wxGTK maxima gnome3.adwaita-icon-theme ];

pkgs/applications/version-management/git-and-tools/gh/default.nix

@@ -2,13 +2,13 @@
 
 buildGoModule rec {
   pname = "gh";
-  version = "0.7.0";
+  version = "0.8.0";
 
   src = fetchFromGitHub {
     owner = "cli";
     repo = "cli";
     rev = "v${version}";
-    sha256 = "054mag8jgxkvx2f95ha10n45v4xv5lms69w76g95z18m62qhjcyl";
+    sha256 = "08fy3677yq52x40rab49ijhw4r25ls2807dbv9wpna6w07n7r8v7";
   };
 
   modSha256 = "0v33x9bnwjfg4425vralnsb4i22c0g1rcmaga9911v0i7d51k0fn";

pkgs/applications/version-management/git-and-tools/git-machete/default.nix

@@ -4,11 +4,11 @@
 
 buildPythonApplication rec {
   pname = "git-machete";
-  version = "2.13.6";
+  version = "2.14.0";
 
   src = fetchPypi {
     inherit pname version;
-    sha256 = "0n07gm05676vgfh6vlym59jwwzym9xmibhr0zpf0drlx02fr47qy";
+    sha256 = "01ch4d0r3bi9nl5nknp3dyizc2rl9w46gm1ydnvqbrzhgw65lpp0";
   };
 
   nativeBuildInputs = [ installShellFiles pbr ];

pkgs/applications/version-management/git-and-tools/gitui/default.nix

@@ -2,16 +2,16 @@
 
 rustPlatform.buildRustPackage rec {
   pname = "gitui";
-  version = "0.2.1";
+  version = "0.2.2";
 
   src = fetchFromGitHub {
     owner = "extrawurst";
     repo = pname;
     rev = "v${version}";
-    sha256 = "0ln959zsdn0w15kfyp5i4524hzzk23l31n9smi1md4jfj7jycbh1";
+    sha256 = "1vcdgzr71m9rlkaq5pc2vnli3hdh7vv8g3ji5ancnlk3zcqc78xy";
   };
 
-  cargoSha256 = "128g23pcccy07jcb4phlfag9ixh5fkwkaiyd7mxjh3wmhppjcx0i";
+  cargoSha256 = "04g089y6k0p36h08v6swcg1ig2kcadkidnlc0rh04znmv0bkn84d";
 
   buildInputs = stdenv.lib.optionals stdenv.isDarwin [ libiconv Security ];
 

pkgs/applications/video/makemkv/default.nix

@@ -3,21 +3,21 @@
 }:
 
 let
-  version = "1.15.0";
+  version = "1.15.1";
   # Using two URLs as the first one will break as soon as a new version is released
   src_bin = fetchurl {
     urls = [
       "http://www.makemkv.com/download/makemkv-bin-${version}.tar.gz"
       "http://www.makemkv.com/download/old/makemkv-bin-${version}.tar.gz"
     ];
-    sha256 = "1zr63fqx4qcrnrbg1f97w9mp3yzzxf0dk8pw60y2d4436vanfba4";
+    sha256 = "0c9661sdlld8b1g2pk8lbn3gz7cikh9bjqss11ffkriwii1x9fw0";
   };
   src_oss = fetchurl {
     urls = [
       "http://www.makemkv.com/download/makemkv-oss-${version}.tar.gz"
       "http://www.makemkv.com/download/old/makemkv-oss-${version}.tar.gz"
     ];
-    sha256 = "01pdydll37inkq74874rqd5kk0maafnm1lqcv41jzgzjrfkky8d9";
+    sha256 = "0rm1zykqagy2g8hb7pjrc6akdsym8pgdnx66hnna161jbah3sssy";
   };
 in mkDerivation {
   pname = "makemkv";

pkgs/applications/virtualization/conmon/default.nix

@@ -8,13 +8,13 @@
 
 stdenv.mkDerivation rec {
   pname = "conmon";
-  version = "2.0.15";
+  version = "2.0.16";
 
   src = fetchFromGitHub {
     owner = "containers";
     repo = pname;
     rev = "v${version}";
-    sha256 = "1fshcmnfqzbagzcrh5nxw7pi0dd60xpq47a2lzfghklqhl1h0b5i";
+    sha256 = "0z0hds95mjxm703ig2aisghvpd2l3wn6m72jnnlv8jnz2iq2nc4g";
   };
 
   nativeBuildInputs = [ pkg-config ];

pkgs/applications/virtualization/cri-o/default.nix

@@ -1,5 +1,4 @@
-{ flavor ? ""
+{ stdenv
-, stdenv
 , btrfs-progs
 , buildGoPackage
 , fetchFromGitHub
@@ -18,7 +17,6 @@
 buildGoPackage rec {
   pname = "cri-o";
   version = "1.18.0";
-  name = "${pname}-${version}${flavor}";
 
   goPackagePath = "github.com/cri-o/cri-o";
 
@@ -54,9 +52,7 @@ buildGoPackage rec {
   '';
 
   installPhase = ''
-    install -Dm755 bin/crio $out/bin/crio${flavor}
+    install -Dm755 bin/* -t $out/bin
-    install -Dm755 bin/crio-status $out/bin/crio-status${flavor}
-    install -Dm755 bin/pinns $out/bin/pinns${flavor}
 
     for shell in bash fish zsh; do
       installShellCompletion --$shell completions/$shell/*

pkgs/applications/virtualization/gvisor/default.nix

@@ -76,7 +76,7 @@ in buildBazelPackage rec {
       rm -f "$bazelOut"/java.log "$bazelOut"/java.log.*
     '';
 
-    sha256 = "1bn7nhv5pag8fdm8l8nvgg3fzvhpy2yv9yl2slrb16lckxzha3v6";
+    sha256 = "0r11kbyp1ambgcj35gvjjmxrsrdg7b9jb9sq3kih4lik7zyljp25";
   };
 
   buildAttrs = {

pkgs/applications/virtualization/podman/default.nix

@@ -14,13 +14,13 @@
 
 buildGoPackage rec {
   pname = "podman";
-  version = "1.9.1";
+  version = "1.9.2";
 
   src = fetchFromGitHub {
     owner = "containers";
     repo = "libpod";
     rev = "v${version}";
-    sha256 = "0dr5vd52fnjwx3zn2nj2nlvkbvh5bg579nf3qw8swrn8i1jwxd6j";
+    sha256 = "0jvqzn1q52z6aka98d2i3dyn2i8xld7xvmi2zfxgm9g53wdgi2g2";
   };
 
   goPackagePath = "github.com/containers/libpod";

pkgs/applications/virtualization/podman/wrapper.nix

@@ -29,7 +29,7 @@ let
 
 in runCommand podman.name {
   name = "${podman.pname}-wrapper-${podman.version}";
-  inherit (podman) pname version;
+  inherit (podman) pname version passthru;
 
   meta = builtins.removeAttrs podman.meta [ "outputsToInstall" ];
 

pkgs/applications/window-managers/tinywm/default.nix

@@ -0,0 +1,51 @@
+{ stdenv, fetchFromGitHub
+, libX11 }:
+
+stdenv.mkDerivation rec {
+  pname = "tinywm";
+  version = "2014-04-22";
+
+  src = fetchFromGitHub {
+    owner = "mackstann";
+    repo = pname;
+    rev = "9d05612f41fdb8bc359f1fd9cc930bf16315abb1";
+    sha256 = "1s7r4f2d3lk1i8h089v2vyrr02hh0y9i3ihl9kqgk9s87hqw8q5b";
+  };
+
+  buildInputs = [ libX11 ];
+
+  dontConfigure = true;
+
+  buildPhase = ''
+    ${stdenv.cc}/bin/cc -Wall -pedantic -I${libX11}/include tinywm.c -L${libX11}/lib -lX11 -o tinywm
+  '';
+
+  installPhase = ''
+    install -dm755 $out/bin $out/share/doc/${pname}-${version}
+    install -m755 tinywm -t $out/bin/
+    # The annotated source code is a piece of documentation
+    install -m644 annotated.c README -t $out/share/doc/${pname}-${version}
+  '';
+
+  meta = with stdenv.lib;{
+    description = "A tiny window manger for X11";
+    longDescription = ''
+
+      TinyWM is a tiny window manager that I created as an exercise in
+      minimalism. It is also maybe helpful in learning some of the very basics
+      of creating a window manager. It is only around 50 lines of C. There is
+      also a Python version using python-xlib.
+
+      It lets you do four basic things:
+
+      - Move windows interactively with Alt+Button1 drag (left mouse button)
+      - Resize windows interactively with Alt+Button3 drag (right mouse button)
+      - Raise windows with Alt+F1 (not high on usability I know, but I needed a
+        keybinding in there somewhere)
+      - Focus windows with the mouse pointer (X does this on its own)      
+    '';
+    homepage = "http://incise.org/tinywm.html";
+    maintainers = with maintainers; [ AndersonTorres ];
+    platforms = libX11.meta.platforms;
+  };
+}

pkgs/build-support/build-bazel-package/default.nix

@@ -42,9 +42,11 @@ in stdenv.mkDerivation (fBuildAttrs // {
   inherit name bazelFlags bazelBuildFlags bazelFetchFlags bazelTarget;
 
   deps = stdenv.mkDerivation (fFetchAttrs // {
-    name = "${name}-deps";
+    name = "${name}-deps.tar.gz";
     inherit bazelFlags bazelBuildFlags bazelFetchFlags bazelTarget;
 
+    impureEnvVars = lib.fetchers.proxyImpureEnvVars;
+
     nativeBuildInputs = fFetchAttrs.nativeBuildInputs or [] ++ [ bazel ];
 
     preHook = fFetchAttrs.preHook or "" + ''
@@ -120,9 +122,9 @@ in stdenv.mkDerivation (fBuildAttrs // {
         ln -sf "$new_target" "$symlink"
       done
 
-      cp -r $bazelOut/external $out
+      echo '${bazel.name}' > $bazelOut/external/.nix-bazel-version
 
-      echo '${bazel.name}' > $out/.nix-bazel-version
+      (cd $bazelOut/ && tar czf $out --sort=name --mtime='@1' --owner=0 --group=0 --numeric-owner external/)
 
       runHook postInstall
     '';
@@ -130,7 +132,6 @@ in stdenv.mkDerivation (fBuildAttrs // {
     dontFixup = true;
     allowedRequisites = [];
 
-    outputHashMode = "recursive";
     outputHashAlgo = "sha256";
     outputHash = fetchAttrs.sha256;
   });
@@ -146,14 +147,15 @@ in stdenv.mkDerivation (fBuildAttrs // {
   preConfigure = ''
     mkdir -p "$bazelOut"
 
-    test "${bazel.name}" = "$(<$deps/.nix-bazel-version)" || {
+    (cd $bazelOut && tar xfz $deps)
+
+    test "${bazel.name}" = "$(<$bazelOut/external/.nix-bazel-version)" || {
       echo "fixed output derivation was built for a different bazel version" >&2
-      echo "     got: $(<$deps/.nix-bazel-version)" >&2
+      echo "     got: $(<$bazelOut/external/.nix-bazel-version)" >&2
       echo "expected: ${bazel.name}" >&2
       exit 1
     }
 
-    cp -r $deps $bazelOut/external
     chmod -R +w $bazelOut
     find $bazelOut -type l | while read symlink; do
       ln -sf $(readlink "$symlink" | sed "s,NIX_BUILD_TOP,$NIX_BUILD_TOP,") "$symlink"

pkgs/development/compilers/gleam/default.nix

@@ -2,18 +2,18 @@
 
 rustPlatform.buildRustPackage rec {
   pname = "gleam";
-  version = "0.7.1";
+  version = "0.8.0";
 
   src = fetchFromGitHub {
     owner = "gleam-lang";
     repo = pname;
     rev = "v${version}";
-    sha256 = "1bcxq7bgn0kf1vdw6id8s3izz6mwf3ivr8iph4miig302qm9lmmr";
+    sha256 = "05n8a7b63i9946fvbxphfh8n6ib20qnbv44ghlzcjwca9qvlx7i7";
   };
 
   buildInputs = stdenv.lib.optionals stdenv.isDarwin [ Security ];
 
-  cargoSha256 = "17bvms65frxhw0d196qswh3jjqlriidq3xi3mfjjgfh6n17rh608";
+  cargoSha256 = "1ga5dinkmibkg53bfr6vc0i4bbgyn2y3d5qjf5bd965c1v7ba1jl";
 
   meta = with stdenv.lib; {
     description = "A statically typed language for the Erlang VM";

pkgs/development/interpreters/clojure/babashka.nix

@@ -3,17 +3,17 @@
 with stdenv.lib;
 stdenv.mkDerivation rec {
   pname = "babashka";
-  version = "0.0.89";
+  version = "0.0.94";
 
   reflectionJson = fetchurl {
     name = "reflection.json";
     url = "https://github.com/borkdude/${pname}/releases/download/v${version}/${pname}-${version}-reflection.json";
-    sha256 = "0bc5rbizd2lg7qfh733yiip8m9zqrwgjf5ca09sdibxp7nhhsjby";
+    sha256 = "103x5ih48rhhdipar66bp0s0j62fv4r3sszh8fwaivs7dvsvcvsd";
   };
 
   src = fetchurl {
     url = "https://github.com/borkdude/${pname}/releases/download/v${version}/${pname}-${version}-standalone.jar";
-    sha256 = "11jhqbm3svvikr9glz8wwps1267y25g3384ijw6avn267s7d7l8c";
+    sha256 = "0fin80x898qzylzq91q6mp8pgwk0sciwwa9l71mdhahqasa90sri";
   };
 
   dontUnpack = true;
@@ -79,6 +79,6 @@ stdenv.mkDerivation rec {
     homepage = "https://github.com/borkdude/babashka";
     license = licenses.epl10;
     platforms = graalvm8.meta.platforms;
-    maintainers = with maintainers; [ bhougland DerGuteMoritz jlesquembre ];
+    maintainers = with maintainers; [ bandresen bhougland DerGuteMoritz jlesquembre ];
   };
 }

pkgs/development/interpreters/j/default.nix

@@ -1,4 +1,6 @@
-{ stdenv, fetchFromGitHub, readline, libedit, bc }:
+{ stdenv, fetchFromGitHub, readline, libedit, bc
+, avxSupport ? false
+}:
 
 stdenv.mkDerivation rec {
   pname = "j";
@@ -19,6 +21,9 @@ stdenv.mkDerivation rec {
     if stdenv.isLinux then "linux" else
     if stdenv.isDarwin then "darwin" else
     "unknown";
+  variant = if stdenv.isx86_64 && avxSupport then "avx" else "";
+
+  j64x="j${bits}${variant}";
 
   doCheck = true;
 
@@ -34,7 +39,7 @@ stdenv.mkDerivation rec {
     patchShebangs .
     sed -i $JLIB/bin/profile.ijs -e "s@'/usr/share/j/.*'@'$out/share/j'@;"
 
-    ./build_all.sh
+    j64x="${j64x}" ./build_all.sh
 
     cp $SOURCE_DIR/bin/${platform}/j${bits}*/* "$JLIB/bin"
   '';

pkgs/development/interpreters/wasmer/default.nix

@@ -8,17 +8,17 @@
 
 rustPlatform.buildRustPackage rec {
   pname = "wasmer";
-  version = "0.16.2";
+  version = "0.17.0";
 
   src = fetchFromGitHub {
     owner = "wasmerio";
     repo = pname;
     rev = version;
-    sha256 = "124zq772kz9a7n3qpxgmp4awqj41l8mhhwc0y3r77i1q02i1sy7z";
+    sha256 = "05g4h0xkqd14wnmijiiwmhk6l909fjxr6a2zplrjfxk5bypdalpm";
     fetchSubmodules = true;
   };
 
-  cargoSha256 = "1qqysvcviimpm2zhzsbn8vhy91rxzaknh9hv75y38xd5ggnnh9m6";
+  cargoSha256 = "1ssmgx9fjvkq7ycyzjanqmlm5b80akllq6qyv3mj0k5fvs659wcq";
 
   nativeBuildInputs = [ cmake pkg-config ];
 

pkgs/development/libraries/cudd/cudd.patch

@@ -0,0 +1,14 @@
+diff --git a/Makefile.am b/Makefile.am
+index 45f216a..39c3c82 100644
+--- a/Makefile.am
++++ b/Makefile.am
+@@ -3,6 +3,9 @@ ACLOCAL_AMFLAGS = -I m4
+ include_HEADERS = cudd/cudd.h
+ if DDDMP
+ include_HEADERS += dddmp/dddmp.h
++include_HEADERS += util/util.h
++include_HEADERS += config.h
++include_HEADERS += mtr/mtr.h
+ endif
+ if OBJ
+ include_HEADERS += cplusplus/cuddObj.hh

pkgs/development/libraries/cudd/default.nix

@@ -0,0 +1,30 @@
+{ stdenv, fetchurl, autoreconfHook }:
+
+stdenv.mkDerivation rec {
+  pname = "cudd";
+  version = "3.0.0";
+
+  src = fetchurl {
+    url = "https://davidkebo.com/source/cudd_versions/cudd-3.0.0.tar.gz";
+    sha256 = "0sgbgv7ljfr0lwwwrb9wsnav7mw7jmr3k8mygwza15icass6dsdq";
+  };
+
+  configureFlags = [
+    "--enable-dddmp"
+    "--enable-obj"
+  ];
+
+  patches = [
+    ./cudd.patch
+  ];
+
+  nativeBuildInputs = [ autoreconfHook ];
+
+  meta = with stdenv.lib; {
+    homepage = "https://davidkebo.com/cudd";
+    description = "Binary Decision Diagram (BDD) library";
+    license = licenses.bsd3;
+    platforms = platforms.all;
+    maintainers = with maintainers; [ chessai ];
+  };
+}

pkgs/development/libraries/libcello/default.nix

@@ -1,17 +1,21 @@
-{stdenv, fetchurl}:
+{ stdenv, fetchurl }:
 
 stdenv.mkDerivation rec {
-  name = "libcello-0.9.2";
+  pname = "libcello";
+  version = "2.1.0";
 
   src = fetchurl {
-    url = "http://libcello.org/static/${name}.tar.gz";
+    url = "http://libcello.org/static/libCello-${version}.tar.gz";
-    sha256 = "cd82639cb9b133119fd89a77a5a505a55ea5fcc8decfc53bee0725358ec8bad0";
+    sha256 = "0a1b2x5ni07vd9ridnl7zv7h2s32070wsphjy94qr066b99gdb29";
   };
 
+  makeFlags = [ "PREFIX=$(out)" ];
+
   meta = {
     homepage = "http://libcello.org/";
     description = "Higher level programming in C";
     license = stdenv.lib.licenses.bsd3;
+    maintainers = [ stdenv.lib.maintainers.MostAwesomeDude ];
     platforms = stdenv.lib.platforms.unix;
   };
 }

pkgs/development/libraries/librealsense/default.nix

@@ -2,7 +2,7 @@
 
 stdenv.mkDerivation rec {
   pname = "librealsense";
-  version = "2.33.1";
+  version = "2.34.0";
 
   outputs = [ "out" "dev" ];
 
@@ -10,7 +10,7 @@ stdenv.mkDerivation rec {
     owner = "IntelRealSense";
     repo = pname;
     rev = "v${version}";
-    sha256 = "04macplj3k2sdpf1wdjm6gsghak5dzfhi2pmr47qldh2sy2zz0a3";
+    sha256 = "0bi7pszrryz18aqna0z73mb1hzz2vqdb0m00pf93hnwc2hba7hwm";
   };
 
   buildInputs = [

pkgs/development/libraries/liburcu/default.nix

@@ -1,12 +1,12 @@
 { stdenv, fetchurl, perl }:
 
 stdenv.mkDerivation rec {
-  version = "0.11.1";
+  version = "0.12.1";
   pname = "liburcu";
 
   src = fetchurl {
     url = "https://lttng.org/files/urcu/userspace-rcu-${version}.tar.bz2";
-    sha256 = "0l1kxgzch4m8fxiz2hc8fwg56hrvzzspp7n0svnl7i7iycdrgfcj";
+    sha256 = "03nd1gy2c3fdb6xwdrd5lr1jcjxbzffqh3z91mzbjhjn6k8fmymv";
   };
 
   checkInputs = [ perl ];

pkgs/development/libraries/libvirt/default.nix

@@ -4,7 +4,7 @@
 , iproute, iptables, readline, lvm2, utillinux, systemd, libpciaccess, gettext
 , libtasn1, ebtables, libgcrypt, yajl, pmutils, libcap_ng, libapparmor
 , dnsmasq, libnl, libpcap, libxslt, xhtml1, numad, numactl, perlPackages
-, curl, libiconv, gmp, zfs, parted, bridge-utils, dmidecode
+, curl, libiconv, gmp, zfs, parted, bridge-utils, dmidecode, dbus
 , enableXen ? false, xen ? null
 , enableIscsi ? false, openiscsi
 , enableCeph ? false, ceph
@@ -36,7 +36,7 @@ in stdenv.mkDerivation rec {
   nativeBuildInputs = [ makeWrapper pkgconfig docutils ] ++ optionals (!buildFromTarball) [ autoreconfHook ];
   buildInputs = [
     libxml2 gnutls perl python2 readline gettext libtasn1 libgcrypt yajl
-    libxslt xhtml1 perlPackages.XMLXPath curl libpcap glib
+    libxslt xhtml1 perlPackages.XMLXPath curl libpcap glib dbus
   ] ++ optionals stdenv.isLinux [
     libpciaccess lvm2 utillinux systemd libnl numad zfs
     libapparmor libcap_ng numactl attr parted
@@ -74,6 +74,7 @@ in stdenv.mkDerivation rec {
     "--with-test"
     "--with-esx"
     "--with-remote"
+    "--with-polkit"
   ] ++ optionals stdenv.isLinux [
     "QEMU_BRIDGE_HELPER=/run/wrappers/bin/qemu-bridge-helper"
     "QEMU_PR_HELPER=/run/libvirt/nix-helpers/qemu-pr-helper"

pkgs/development/libraries/science/math/sympow/default.nix

@@ -9,7 +9,7 @@
 }:
 
 stdenv.mkDerivation rec {
-  version = "2.023.5";
+  version = "2.023.6";
   pname = "sympow";
 
   src = fetchFromGitLab {
@@ -17,7 +17,7 @@ stdenv.mkDerivation rec {
     owner = "forks";
     repo = "sympow";
     rev = "v${version}";
-    sha256 = "1c5a2pizgqsf3pjkf7rfj20022ym4ixhrddp8ivs2nbzxwz6qvv9";
+    sha256 = "132l0xv00ld1svvv9wh99wfra4zzjv2885h2sq0dsl98wiyvi5zl";
   };
 
   postUnpack = ''

pkgs/development/libraries/sentencepiece/default.nix

@@ -9,13 +9,13 @@
 
 stdenv.mkDerivation rec {
   pname = "sentencepiece";
-  version = "0.1.86";
+  version = "0.1.90";
 
   src = fetchFromGitHub {
     owner = "google";
     repo = pname;
     rev = "v${version}";
-    sha256 = "0r4z5n3dx0bg1pm2kgfllyj65s7ljn2ny7i7c5bz618r7h8bax9p";
+    sha256 = "10y16qkr2ibn8synmyzgwcbkszyfys1v0dx75p3mayh02yif4dx2";
   };
 
   nativeBuildInputs = [ cmake ] ++ lib.optional withGPerfTools gperftools;

pkgs/development/libraries/webkitgtk/default.nix

@@ -178,7 +178,6 @@ stdenv.mkDerivation rec {
     homepage = "https://webkitgtk.org/";
     license = licenses.bsd2;
     platforms = platforms.linux;
-    hydraPlatforms = [];
     maintainers = teams.gnome.members;
   };
 }

pkgs/development/ocaml-modules/fiat-p256/default.nix

@@ -0,0 +1,26 @@
+{ lib, buildDunePackage, fetchurl, alcotest, asn1-combinators, benchmark
+, bigarray-compat, cstruct, eqaf, hex, ppx_deriving_yojson, rresult
+, stdlib-shims, yojson, dune-configurator }:
+
+buildDunePackage rec {
+  pname = "fiat-p256";
+  version = "0.2.1";
+
+  src = fetchurl {
+    url = "https://github.com/mirage/fiat/releases/download/v${version}/${pname}-v${version}.tbz";
+    sha256 = "0086h9qkvnqfm8acrxqbki54z619nj73x7f0d01v5vg2naznx7w9";
+  };
+
+  buildInputs = [ dune-configurator ];
+  propagatedBuildInputs = [ bigarray-compat cstruct eqaf hex ];
+  checkInputs = [ alcotest asn1-combinators benchmark
+                  ppx_deriving_yojson rresult stdlib-shims yojson ];
+  doCheck = true;
+
+  meta = with lib; {
+    description = "Primitives for Elliptic Curve Cryptography taken from Fiat";
+    homepage = "https://github.com/mirage/fiat";
+    license = licenses.mit;
+    maintainers = with maintainers; [ sternenseemann ];
+  };
+}

pkgs/development/ocaml-modules/hacl_x25519/default.nix

@@ -0,0 +1,23 @@
+{ lib, buildDunePackage, fetchurl, benchmark, cstruct
+, eqaf, hex, ppx_blob, ppx_deriving_yojson, stdlib-shims, yojson }:
+
+buildDunePackage rec {
+  pname = "hacl_x25519";
+  version = "0.1.1";
+
+  src = fetchurl {
+    url = "https://github.com/mirage/hacl/releases/download/v${version}/${pname}-v${version}.tbz";
+    sha256 = "187khbx1myh942c2v5f7wbms2hmhmgn57ik25djhnryln32c0874";
+  };
+
+  propagatedBuildInputs = [ eqaf cstruct ];
+  checkInputs = [ benchmark hex ppx_blob ppx_deriving_yojson stdlib-shims yojson ];
+  doCheck = true;
+
+  meta = with lib; {
+    description = "Primitives for Elliptic Curve Cryptography taken from Project Everest";
+    homepage = "https://github.com/mirage/hacl";
+    license = licenses.mit;
+    maintainers = with maintainers; [ sternenseemann ];
+  };
+}

pkgs/development/ocaml-modules/hkdf/default.nix

@@ -0,0 +1,26 @@
+{ lib, buildDunePackage, fetchurl, cstruct, mirage-crypto, alcotest }:
+
+buildDunePackage rec {
+  pname = "hkdf";
+  version = "1.0.4";
+
+  minimumOCamlVersion = "4.07";
+
+  src = fetchurl {
+    url = "https://github.com/hannesm/ocaml-${pname}/releases/download/v${version}/${pname}-v${version}.tbz";
+    sha256 = "0nzx6vzbc1hh6vx1ly8df4b16lgps6zjpp9mjycsnnn49bddc9mr";
+  };
+
+  useDune2 = true;
+
+  propagatedBuildInputs = [ cstruct mirage-crypto ];
+  checkInputs = [ alcotest ];
+  doCheck = true;
+
+  meta = with lib; {
+    description = "HMAC-based Extract-and-Expand Key Derivation Function (RFC 5869)";
+    homepage = "https://github.com/hannesm/ocaml-hkdf";
+    license = licenses.mit;
+    maintainers = with maintainers; [ sternenseemann ];
+  };
+}

pkgs/development/ocaml-modules/janestreet/re2.nix

@@ -1,20 +0,0 @@
-{stdenv, buildOcamlJane,
- bin_prot, core_kernel, fieldslib, sexplib, typerep, variantslib,
- ppx_assert, ppx_bench, ppx_driver, ppx_expect, ppx_inline_test, ppx_jane,
- rsync}:
-
-buildOcamlJane {
-  name = "re2";
-  hash = "0fw5jscb1i17aw8v4l965zw20kyimhfnmf4w83wqaaxkqy3l6fqw";
-  buildInputs = [ rsync ];
-  propagatedBuildInputs =
-    [ bin_prot core_kernel fieldslib sexplib typerep variantslib
-      ppx_assert ppx_bench ppx_driver ppx_expect ppx_inline_test ppx_jane ];
-
-  meta = with stdenv.lib; {
-    homepage = "https://github.com/janestreet/re2";
-    description = "OCaml bindings for RE2";
-    maintainers = [ maintainers.maurer ];
-    license = licenses.asl20;
-  };
-}

pkgs/development/ocaml-modules/mdx/default.nix

@@ -1,19 +1,20 @@
 { lib, fetchurl, buildDunePackage, opaline, ocaml
+, alcotest
 , astring, cmdliner, cppo, fmt, logs, ocaml-migrate-parsetree, ocaml-version, ocaml_lwt, pandoc, re }:
 
 buildDunePackage rec {
   pname = "mdx";
-  version = "1.5.0";
+  version = "1.6.0";
 
   src = fetchurl {
-    url = "https://github.com/realworldocaml/mdx/releases/download/1.5.0/mdx-1.5.0.tbz";
+    url = "https://github.com/realworldocaml/mdx/releases/download/${version}/mdx-${version}.tbz";
-    sha256 = "0g45plf4z7d178gp0bx7842fwbd3m19679yfph3s95da6mrfm3xn";
+    sha256 = "18m4ay226dwbgnwp3ia6bfcm033dvp9yby0lbddqn8ak374m2k3b";
   };
 
   nativeBuildInputs = [ cppo ];
   buildInputs = [ cmdliner ];
   propagatedBuildInputs = [ astring fmt logs ocaml-migrate-parsetree ocaml-version re ];
-  checkInputs = lib.optionals doCheck [ ocaml_lwt pandoc ];
+  checkInputs = [ alcotest ocaml_lwt pandoc ];
 
   doCheck = true;
 

pkgs/development/ocaml-modules/re2/Makefile.patch

@@ -1,17 +0,0 @@
---- ./lib/Makefile	2014-11-18 08:16:19.000000000 -0800
-+++ ./lib/Makefile	2015-05-23 14:48:31.000000000 -0700
-@@ -6,12 +6,12 @@
- all: libre2_stubs.a dllre2_stubs.so
- 
- dllre2_stubs.so libre2_stubs.a: stubs.o $(LIBRE2)
--	ocamlmklib -oc re2_stubs stubs.o $(LIBRE2) -lstdc++
-+	ocamlmklib -oc re2_stubs stubs.o $(LIBRE2) -lc++
- 	rm libre2_stubs.a # ocamlmklib just includes $(LIBRE2) inside the stubs archive
- 	cp $(LIBRE2) libre2_stubs.a && ar r libre2_stubs.a stubs.o
- 
- stubs.o: stubs.cpp stubs.h util.h enum_x_macro.h
--	g++ -O2 -DPIC -fPIC -g -pipe -DCAML_NAME_SPACE -Wall -I. -I../../../include \
-+	$(CXX) -O2 -DPIC -fPIC -g -pipe -DCAML_NAME_SPACE -Wall -I. -I../../../include \
- 	-I$(RE2_HOME) -I$(ocaml-version-selected-include-path) -c stubs.cpp
- 
- #stubs.o: %.o: %.cpp %.h

pkgs/development/ocaml-modules/re2/default.nix

@@ -1,29 +0,0 @@
-{stdenv, buildOcaml, fetchurl, core_p4, pa_ounit, pa_test,
- bin_prot_p4, comparelib, sexplib_p4, rsync}:
-
-buildOcaml rec {
-  name = "re2";
-  version = "112.06.00";
-
-  minimumSupportedOcamlVersion = "4.00";
-
-  src = fetchurl {
-    url = "https://github.com/janestreet/re2/archive/${version}.tar.gz";
-    sha256 = "a538765872363fcb67f12b95c07455a0afd68f5ae9008b59bb85a996d97cc752";
-  };
-  patches = if stdenv.isDarwin
-            then [./Makefile.patch ./myocamlbuild.patch]
-            else null;
-
-  buildInputs = [ pa_ounit pa_test rsync ];
-  propagatedBuildInputs = [ core_p4 bin_prot_p4 comparelib sexplib_p4 ];
-
-  hasSharedObjects = true;
-
-  meta = with stdenv.lib; {
-    homepage = "https://github.com/janestreet/re2";
-    description = "OCaml bindings for RE2";
-    license = stdenv.lib.licenses.asl20;
-    maintainers = [ maintainers.ericbmerritt ];
-  };
-}

pkgs/development/ocaml-modules/re2/myocamlbuild.patch

@@ -1,24 +0,0 @@
---- ./myocamlbuild.ml	2015-05-23 14:35:18.000000000 -0700
-+++ ./myocamlbuild.ml	2015-05-23 15:05:24.000000000 -0700
-@@ -626,16 +626,18 @@
-     rule "Generate lib/options.ml"
-       ~prod:"lib/options.ml"
-       ~deps:["lib/options.mlp"; "lib/enum_x_macro.h"]
--      (fun _ _ -> Cmd (S[A"gcc"; A"-E"; A"-P"; A"-x"; A"c";
-+      (fun _ _ -> Cmd (S[A"cc"; A"-E"; A"-P"; A"-x"; A"c";
-                          P"lib/options.mlp"; A"-o"; P"lib/options.ml"]));
- 
-     flag ["ocaml"; "link"; "library"; "native"] (S[A"-cclib"; A"-Llib";
-                                                    A"-cclib"; A"-lre2_stubs";
--                                                   A"-cclib"; A"-lstdc++"]);
-+                                                   A"-ccopt"; A"--stdlib=libc++";
-+                                                   A"-cclib"; A"-lc++"]);
-     flag ["ocaml"; "link"; "library"; "byte"]   (S[A"-dllib"; A"dllre2_stubs.so";
-                                                    A"-cclib"; A"-Llib";
-                                                    A"-cclib"; A"-lre2_stubs";
--                                                   A"-cclib"; A"-lstdc++"]);
-+                                                   A"-ccopt"; A"--stdlib=libc++";                                                   
-+                                                   A"-cclib"; A"-lc++"]);
-   | _ ->
-     ()
- 

pkgs/development/ocaml-modules/tls/default.nix

@@ -1,28 +1,30 @@
-{ stdenv, fetchurl, buildDunePackage, ppx_sexp_conv, ppx_cstruct, cstruct
+{ lib, fetchurl, buildDunePackage, ppx_sexp_conv, ppx_cstruct, cstruct
 , cstruct-sexp, sexplib, mirage-crypto, mirage-crypto-pk, mirage-crypto-rng
-, x509, domain-name, fmt, cstruct-unix, ounit2, ocaml_lwt, ptime }:
+, x509, domain-name, fmt, cstruct-unix, ounit2, ocaml_lwt, ptime
+, hacl_x25519, fiat-p256, hkdf, logs, alcotest }:
 
 buildDunePackage rec {
   minimumOCamlVersion = "4.07";
 
-  version = "0.11.1";
+  version = "0.12.0";
   pname = "tls";
 
   src = fetchurl {
     url = "https://github.com/mirleft/ocaml-tls/releases/download/v${version}/tls-v${version}.tbz";
-    sha256 = "0ms13fbaxgmpbviazlfa4hb7nmi7s22nklc7ns926b0rr1aq1069";
+    sha256 = "0fy38qmy7rcld1b4qzz4ycl1fr0v1wa7qd24125lpd6hly86fn57";
   };
 
   useDune2 = true;
 
   doCheck = true;
-  buildInputs = [ cstruct-unix ounit2 ];
+  checkInputs = [ cstruct-unix ounit2 alcotest ];
 
   propagatedBuildInputs = [ ppx_sexp_conv ppx_cstruct cstruct cstruct-sexp
                             sexplib mirage-crypto mirage-crypto-pk mirage-crypto-rng
-                            x509 domain-name fmt ocaml_lwt ptime ];
+                            x509 domain-name fmt ocaml_lwt ptime hacl_x25519 fiat-p256
+                            hkdf logs ];
 
-  meta = with stdenv.lib; {
+  meta = with lib; {
     homepage = "https://github.com/mirleft/ocaml-tls";
     description = "TLS in pure OCaml";
     license = licenses.bsd2;

pkgs/development/ocaml-modules/wasm/default.nix

@@ -6,13 +6,13 @@ else
 
 stdenv.mkDerivation rec {
   name = "ocaml${ocaml.version}-wasm-${version}";
-  version = "1.1";
+  version = "1.1.1";
 
   src = fetchFromGitHub {
     owner = "WebAssembly";
     repo = "spec";
-    rev = "v${version}";
+    rev = "opam-${version}";
-    sha256 = "1jsgrjqzsdmm6f5pgd947nikj7pnxx1mqdnz16j7s62rg8x06h7d";
+    sha256 = "1kp72yv4k176i94np0m09g10cviqp2pnpm7jmiq6ik7fmmbknk7c";
   };
 
   buildInputs = [ ocaml findlib ocamlbuild ];

pkgs/development/python-modules/apache-airflow/default.nix

@@ -167,6 +167,9 @@ buildPythonPackage rec {
       --replace "/bin/bash" "${stdenv.shell}"
   '';
 
+  # allow for gunicorn processes to have access to python packages
+  makeWrapperArgs = [ "--prefix PYTHONPATH : $PYTHONPATH" ];
+
   checkPhase = ''
    export HOME=$(mktemp -d)
    export AIRFLOW_HOME=$HOME

pkgs/development/python-modules/asdf/default.nix

@@ -15,12 +15,12 @@
 
 buildPythonPackage rec {
   pname = "asdf";
-  version = "2.5.2";
+  version = "2.6.0";
   disabled = isPy27;
 
   src = fetchPypi {
     inherit pname version;
-    sha256 = "0ai5l62ldaq1cqfmq3hvnzp8gp0hjjmjnck9d3cnx5r8la5ig18y";
+    sha256 = "1ym9mmxjpnnlinly1rxfqj9rlyl2fv7dxc81f30n1b8n9pwc6jb5";
   };
 
   postPatch = ''

pkgs/development/python-modules/azure-core/default.nix

@@ -12,14 +12,14 @@
 }:
 
 buildPythonPackage rec {
-  version = "1.4.0";
+  version = "1.5.0";
   pname = "azure-core";
   disabled = isPy27;
 
   src = fetchPypi {
     inherit pname version;
     extension = "zip";
-    sha256 = "0vfcfpb01qsrqh9xg4xyfm153bczwjglkv59zpdvrn7x0rrdc1cc";
+    sha256 = "181iyigm11y56lf1kwv7pcdyppavpwjb1b6k3qp3jnbqaypad9mg";
   };
 
   propagatedBuildInputs = [

pkgs/development/python-modules/bidict/default.nix

@@ -12,12 +12,12 @@
 
 buildPythonPackage rec {
   pname = "bidict";
-  version = "0.18.3";
+  version = "0.19.0";
   disabled = !isPy3k;
 
   src = fetchPypi {
     inherit pname version;
-    sha256 = "1742a25a9ef1b1ac4000683406879a3e1a6577faa02f31e482e6c84e2e3bf628";
+    sha256 = "11wiis62kcw6g3n4gdj39fx1yrlq5vz3zx3kmb6g79mliyhn2x7g";
   };
 
   nativeBuildInputs = [ setuptools_scm ];

pkgs/development/python-modules/dict2xml/default.nix

@@ -2,11 +2,11 @@
 
 buildPythonPackage rec {
   pname = "dict2xml";
-  version = "1.6.1";
+  version = "1.7.0";
 
   src = fetchPypi {
     inherit pname version;
-    sha256 = "17wsybqq0916i1yh7bpf2cmicldn7d0y2b9mzlgs503fkcpxda5w";
+    sha256 = "0bfn8n8sb3slwx7ra8m8fbfy65k20h2qxcqfq99hwqrrkgcffihl";
   };
 
   propagatedBuildInputs = [ six ];

pkgs/development/python-modules/dm-sonnet/default.nix

@@ -36,7 +36,7 @@ let
     bazelTarget = ":install";
 
     fetchAttrs = {
-      sha256 = "0wb2gh9ji8bgq4s9ci9x017dybxqzjhncpw33b1wjksm2yhbkvlz";
+      sha256 = "0jlgmwcanfkhkwvh4vxibpi0zyyl6xkjzcz2xqn7raympqscq81a";
     };
 
     bazelFlags = [

pkgs/development/python-modules/dotnetcore2/default.nix

@@ -15,7 +15,7 @@ buildPythonPackage rec {
     inherit pname version format;
     python = "py3";
     platform = "manylinux1_x86_64";
-    sha256 = "68182f4b704db401b2012c10ed8a19561f8d487063632f8731c2e58960ca9242";
+    sha256 = "0dxp9a73ncjylc09bjwq81fgj5ysk1yi27l8ka5f98121k1kmn6q";
   };
 
   nativeBuildInputs = [ unzip ];
@@ -35,14 +35,18 @@ buildPythonPackage rec {
     )
   ];
 
-  # prevent exposing a broken dotnet executable
+  # remove bin, which has a broken dotnetcore installation
-  postInstall = ''
+  installPhase = ''
-    rm -r $out/${python.sitePackages}/${pname}/bin
+    rm -rf dotnetcore2/bin
+    mkdir -p $out/${python.sitePackages}/
+    cp -r dotnetcore2 $out/${python.sitePackages}/
   '';
 
   # no tests, ensure it's one useful function works
   checkPhase = ''
-    ${python.interpreter} -c 'from dotnetcore2 import runtime; print(runtime.get_runtime_path())'
+    rm -r dotnetcore2 # avoid importing local directory
+    export PYTHONPATH=$out/${python.sitePackages}:$PYTHONPATH
+    ${python.interpreter} -c 'from dotnetcore2 import runtime; print(runtime.get_runtime_path()); runtime.ensure_dependencies()'
   '';
 
   meta = with lib; {