Merge master into staging-next

doc/languages-frameworks/rust.section.md

@@ -817,7 +817,7 @@ $ cargo test
 ## Using community maintained Rust toolchains {#using-community-maintained-rust-toolchains}
 
 ::: {.note}
-Note: The following projects cannot be used within nixpkgs since [IFD](#ssec-import-from-derivation) is disallowed.
+The following projects cannot be used within Nixpkgs since [Import From Derivation](https://nixos.org/manual/nix/unstable/language/import-from-derivation) (IFD) is disallowed in Nixpkgs.
 To package things that require Rust nightly, `RUSTC_BOOTSTRAP = true;` can sometimes be used as a hack.
 :::
 

lib/fileset/README.md

@@ -176,7 +176,7 @@ File sets do not support Nix store paths in strings such as `"/nix/store/...-sou
 
 Arguments:
 - (+) Such paths are usually produced by derivations, which means `toSource` would either:
-  - Require IFD if `builtins.path` is used as the underlying primitive
+  - Require [Import From Derivation](https://nixos.org/manual/nix/unstable/language/import-from-derivation) (IFD) if `builtins.path` is used as the underlying primitive
   - Require importing the entire `root` into the store such that derivations can be used to do the filtering
 - (+) The convenient path coercion like `union ./foo ./bar` wouldn't work for absolute paths, requiring more verbose alternate interfaces:
   - `let root = "/nix/store/...-source"; in union "${root}/foo" "${root}/bar"`

lib/strings.nix

@@ -854,7 +854,7 @@ rec {
     assert (lib.isBool flag);
     mesonOption feature (if flag then "enabled" else "disabled");
 
-  /* Create an --{enable,disable}-<feat> string that can be passed to
+  /* Create an --{enable,disable}-<feature> string that can be passed to
      standard GNU Autoconf scripts.
 
      Example:
@@ -863,11 +863,12 @@ rec {
        enableFeature false "shared"
        => "--disable-shared"
   */
-  enableFeature = enable: feat:
-    assert isString feat; # e.g. passing openssl instead of "openssl"
-    "--${if enable then "enable" else "disable"}-${feat}";
+  enableFeature = flag: feature:
+    assert lib.isBool flag;
+    assert lib.isString feature; # e.g. passing openssl instead of "openssl"
+    "--${if flag then "enable" else "disable"}-${feature}";
 
-  /* Create an --{enable-<feat>=<value>,disable-<feat>} string that can be passed to
+  /* Create an --{enable-<feature>=<value>,disable-<feature>} string that can be passed to
      standard GNU Autoconf scripts.
 
      Example:
@@ -876,9 +877,10 @@ rec {
        enableFeatureAs false "shared" (throw "ignored")
        => "--disable-shared"
   */
-  enableFeatureAs = enable: feat: value: enableFeature enable feat + optionalString enable "=${value}";
+  enableFeatureAs = flag: feature: value:
+    enableFeature flag feature + optionalString flag "=${value}";
 
-  /* Create an --{with,without}-<feat> string that can be passed to
+  /* Create an --{with,without}-<feature> string that can be passed to
      standard GNU Autoconf scripts.
 
      Example:
@@ -887,11 +889,11 @@ rec {
        withFeature false "shared"
        => "--without-shared"
   */
-  withFeature = with_: feat:
-    assert isString feat; # e.g. passing openssl instead of "openssl"
-    "--${if with_ then "with" else "without"}-${feat}";
+  withFeature = flag: feature:
+    assert isString feature; # e.g. passing openssl instead of "openssl"
+    "--${if flag then "with" else "without"}-${feature}";
 
-  /* Create an --{with-<feat>=<value>,without-<feat>} string that can be passed to
+  /* Create an --{with-<feature>=<value>,without-<feature>} string that can be passed to
      standard GNU Autoconf scripts.
 
      Example:
@@ -900,7 +902,8 @@ rec {
        withFeatureAs false "shared" (throw "ignored")
        => "--without-shared"
   */
-  withFeatureAs = with_: feat: value: withFeature with_ feat + optionalString with_ "=${value}";
+  withFeatureAs = flag: feature: value:
+    withFeature flag feature + optionalString flag "=${value}";
 
   /* Create a fixed width string with additional prefix to match
      required width.

nixos/doc/manual/release-notes/rl-2311.section.md

@@ -189,6 +189,8 @@
 
 - `odoo` now defaults to 16, updated from 15.
 
+- `varnish` was upgraded from 7.2.x to 7.4.x, see https://varnish-cache.org/docs/7.3/whats-new/upgrading-7.3.html and https://varnish-cache.org/docs/7.4/whats-new/upgrading-7.4.html for upgrade notes. The current LTS version is still offered as `varnish60`.
+
 - `util-linux` is now supported on Darwin and is no longer an alias to `unixtools`. Use the `unixtools.util-linux` package for access to the Apple variants of the utilities.
 
 - `services.keyd` changed API. Now you can create multiple configuration files.

nixos/modules/module-list.nix

@@ -1083,6 +1083,7 @@
   ./services/networking/thelounge.nix
   ./services/networking/tinc.nix
   ./services/networking/tinydns.nix
+  ./services/networking/tinyproxy.nix
   ./services/networking/tmate-ssh-server.nix
   ./services/networking/tox-bootstrapd.nix
   ./services/networking/tox-node.nix

nixos/modules/programs/wayland/sway.nix

@@ -42,6 +42,11 @@ in {
       <https://github.com/swaywm/sway/wiki> and
       "man 5 sway" for more information'');
 
+    enableRealtime = mkEnableOption (lib.mdDoc ''
+      add CAP_SYS_NICE capability on `sway` binary for realtime scheduling
+      privileges. This may improve latency and reduce stuttering, specially in
+      high load scenarios'') // { default = true; };
+
     package = mkOption {
       type = with types; nullOr package;
       default = defaultSwayPackage;
@@ -149,6 +154,14 @@ in {
             "sway/config".source = mkOptionDefault "${cfg.package}/etc/sway/config";
           };
         };
+        security.wrappers = mkIf (cfg.enableRealtime && cfg.package != null) {
+          sway = {
+            owner = "root";
+            group = "root";
+            source = "${cfg.package}/bin/sway";
+            capabilities = "cap_sys_nice+ep";
+          };
+        };
         # To make a Sway session available if a display manager like SDDM is enabled:
         services.xserver.displayManager.sessionPackages = optionals (cfg.package != null) [ cfg.package ]; }
       (import ./wayland-session.nix { inherit lib pkgs; })

nixos/modules/services/networking/connman.nix

@@ -1,55 +1,59 @@
 { config, lib, pkgs, ... }:
 
-with pkgs;
-with lib;
-
 let
   cfg = config.services.connman;
   configFile = pkgs.writeText "connman.conf" ''
     [General]
-    NetworkInterfaceBlacklist=${concatStringsSep "," cfg.networkInterfaceBlacklist}
+    NetworkInterfaceBlacklist=${lib.concatStringsSep "," cfg.networkInterfaceBlacklist}
 
     ${cfg.extraConfig}
   '';
   enableIwd = cfg.wifi.backend == "iwd";
 in {
+  meta.maintainers = with lib.maintainers; [ AndersonTorres ];
 
   imports = [
-    (mkRenamedOptionModule [ "networking" "connman" ] [ "services" "connman" ])
+    (lib.mkRenamedOptionModule [ "networking" "connman" ] [ "services" "connman" ])
   ];
 
   ###### interface
 
   options = {
-
     services.connman = {
-
-      enable = mkOption {
-        type = types.bool;
+      enable = lib.mkOption {
+        type = lib.types.bool;
         default = false;
         description = lib.mdDoc ''
           Whether to use ConnMan for managing your network connections.
         '';
       };
 
-      enableVPN = mkOption {
-        type = types.bool;
+      package = lib.mkOption {
+        type = lib.types.package;
+        description = lib.mdDoc "The connman package / build flavor";
+        default = pkgs.connman;
+        defaultText = lib.literalExpression "pkgs.connman";
+        example = lib.literalExpression "pkgs.connmanFull";
+      };
+
+      enableVPN = lib.mkOption {
+        type = lib.types.bool;
         default = true;
         description = lib.mdDoc ''
           Whether to enable ConnMan VPN service.
         '';
       };
 
-      extraConfig = mkOption {
-        type = types.lines;
+      extraConfig = lib.mkOption {
+        type = lib.types.lines;
         default = "";
         description = lib.mdDoc ''
           Configuration lines appended to the generated connman configuration file.
         '';
       };
 
-      networkInterfaceBlacklist = mkOption {
-        type = with types; listOf str;
+      networkInterfaceBlacklist = lib.mkOption {
+        type = with lib.types; listOf str;
         default = [ "vmnet" "vboxnet" "virbr" "ifb" "ve" ];
         description = lib.mdDoc ''
           Default blacklisted interfaces, this includes NixOS containers interfaces (ve).
@@ -57,8 +61,8 @@ in {
       };
 
       wifi = {
-        backend = mkOption {
-          type = types.enum [ "wpa_supplicant" "iwd" ];
+        backend = lib.mkOption {
+          type = lib.types.enum [ "wpa_supplicant" "iwd" ];
           default = "wpa_supplicant";
           description = lib.mdDoc ''
             Specify the Wi-Fi backend used.
@@ -67,31 +71,20 @@ in {
         };
       };
 
-      extraFlags = mkOption {
-        type = with types; listOf str;
+      extraFlags = lib.mkOption {
+        type = with lib.types; listOf str;
         default = [ ];
         example = [ "--nodnsproxy" ];
         description = lib.mdDoc ''
           Extra flags to pass to connmand
         '';
       };
-
-      package = mkOption {
-        type = types.package;
-        description = lib.mdDoc "The connman package / build flavor";
-        default = connman;
-        defaultText = literalExpression "pkgs.connman";
-        example = literalExpression "pkgs.connmanFull";
-      };
-
     };
-
   };
 
   ###### implementation
 
-  config = mkIf cfg.enable {
-
+  config = lib.mkIf cfg.enable {
     assertions = [{
       assertion = !config.networking.useDHCP;
       message = "You can not use services.connman with networking.useDHCP";
@@ -107,8 +100,8 @@ in {
     systemd.services.connman = {
       description = "Connection service";
       wantedBy = [ "multi-user.target" ];
-      after = [ "syslog.target" ] ++ optional enableIwd "iwd.service";
-      requires = optional enableIwd "iwd.service";
+      after = [ "syslog.target" ] ++ lib.optional enableIwd "iwd.service";
+      requires = lib.optional enableIwd "iwd.service";
       serviceConfig = {
         Type = "dbus";
         BusName = "net.connman";
@@ -117,13 +110,13 @@ in {
           "${cfg.package}/sbin/connmand"
           "--config=${configFile}"
           "--nodaemon"
-        ] ++ optional enableIwd "--wifi=iwd_agent"
+        ] ++ lib.optional enableIwd "--wifi=iwd_agent"
           ++ cfg.extraFlags);
         StandardOutput = "null";
       };
     };
 
-    systemd.services.connman-vpn = mkIf cfg.enableVPN {
+    systemd.services.connman-vpn = lib.mkIf cfg.enableVPN {
       description = "ConnMan VPN service";
       wantedBy = [ "multi-user.target" ];
       after = [ "syslog.target" ];
@@ -136,7 +129,7 @@ in {
       };
     };
 
-    systemd.services.net-connman-vpn = mkIf cfg.enableVPN {
+    systemd.services.net-connman-vpn = lib.mkIf cfg.enableVPN {
       description = "D-BUS Service";
       serviceConfig = {
         Name = "net.connman.vpn";
@@ -150,9 +143,9 @@ in {
     networking = {
       useDHCP = false;
       wireless = {
-        enable = mkIf (!enableIwd) true;
+        enable = lib.mkIf (!enableIwd) true;
         dbusControlled = true;
-        iwd = mkIf enableIwd {
+        iwd = lib.mkIf enableIwd {
           enable = true;
         };
       };

nixos/modules/services/networking/tinyproxy.nix

@@ -0,0 +1,103 @@
+{ config, lib, pkgs, ... }:
+
+with lib;
+
+let
+  cfg = config.services.tinyproxy;
+  mkValueStringTinyproxy = with lib; v:
+        if true  ==         v then "yes"
+        else if false ==    v then "no"
+        else generators.mkValueStringDefault {} v;
+  mkKeyValueTinyproxy = {
+    mkValueString ? mkValueStringDefault {}
+  }: sep: k: v:
+    if null     ==  v then ""
+    else "${lib.strings.escape [sep] k}${sep}${mkValueString v}";
+
+  settingsFormat = (pkgs.formats.keyValue {
+      mkKeyValue = mkKeyValueTinyproxy {
+        mkValueString = mkValueStringTinyproxy;
+      } " ";
+      listsAsDuplicateKeys= true;
+  });
+  configFile = settingsFormat.generate "tinyproxy.conf" cfg.settings;
+
+in
+{
+
+  options = {
+    services.tinyproxy = {
+      enable = mkEnableOption (lib.mdDoc "Tinyproxy daemon");
+      package = mkPackageOptionMD pkgs "tinyproxy" {};
+      settings = mkOption {
+        description = lib.mdDoc "Configuration for [tinyproxy](https://tinyproxy.github.io/).";
+        default = { };
+        example = literalExpression ''{
+          Port 8888;
+          Listen 127.0.0.1;
+          Timeout 600;
+          Allow 127.0.0.1;
+          Anonymous = ['"Host"' '"Authorization"'];
+          ReversePath = '"/example/" "http://www.example.com/"';
+        }'';
+        type = types.submodule ({name, ...}: {
+          freeformType = settingsFormat.type;
+          options = {
+            Listen = mkOption {
+              type = types.str;
+              default = "127.0.0.1";
+              description = lib.mdDoc ''
+              Specify which address to listen to.
+              '';
+            };
+            Port = mkOption {
+              type = types.int;
+              default = 8888;
+              description = lib.mdDoc ''
+              Specify which port to listen to.
+              '';
+            };
+            Anonymous = mkOption {
+              type = types.listOf types.str;
+              default = [];
+              description = lib.mdDoc ''
+              If an `Anonymous` keyword is present, then anonymous proxying is enabled. The headers listed with `Anonymous` are allowed through, while all others are denied. If no Anonymous keyword is present, then all headers are allowed through. You must include quotes around the headers.
+              '';
+            };
+            Filter = mkOption {
+              type = types.nullOr types.path;
+              default = null;
+              description = lib.mdDoc ''
+              Tinyproxy supports filtering of web sites based on URLs or domains. This option specifies the location of the file containing the filter rules, one rule per line.
+              '';
+            };
+          };
+        });
+      };
+    };
+  };
+  config = mkIf cfg.enable {
+    systemd.services.tinyproxy = {
+      description = "TinyProxy daemon";
+      after = [ "network.target" ];
+      wantedBy = [ "multi-user.target" ];
+      serviceConfig = {
+        User = "tinyproxy";
+        Group = "tinyproxy";
+        Type = "simple";
+        ExecStart = "${getExe pkgs.tinyproxy} -d -c ${configFile}";
+        ExecReload = "${pkgs.coreutils}/bin/kill -SIGHUP $MAINPID";
+        KillSignal = "SIGINT";
+        TimeoutStopSec = "30s";
+        Restart = "on-failure";
+      };
+    };
+
+    users.users.tinyproxy = {
+        group = "tinyproxy";
+        isSystemUser = true;
+    };
+    users.groups.tinyproxy = {};
+  };
+  meta.maintainers = with maintainers; [ tcheronneau ];
+}

nixos/tests/all-tests.nix

@@ -819,6 +819,7 @@ in {
   timezone = handleTest ./timezone.nix {};
   tinc = handleTest ./tinc {};
   tinydns = handleTest ./tinydns.nix {};
+  tinyproxy = handleTest ./tinyproxy.nix {};
   tinywl = handleTest ./tinywl.nix {};
   tmate-ssh-server = handleTest ./tmate-ssh-server.nix { };
   tomcat = handleTest ./tomcat.nix {};
@@ -855,8 +856,7 @@ in {
   uwsgi = handleTest ./uwsgi.nix {};
   v2ray = handleTest ./v2ray.nix {};
   varnish60 = handleTest ./varnish.nix { package = pkgs.varnish60; };
-  varnish72 = handleTest ./varnish.nix { package = pkgs.varnish72; };
-  varnish73 = handleTest ./varnish.nix { package = pkgs.varnish73; };
+  varnish74 = handleTest ./varnish.nix { package = pkgs.varnish74; };
   vault = handleTest ./vault.nix {};
   vault-agent = handleTest ./vault-agent.nix {};
   vault-dev = handleTest ./vault-dev.nix {};

nixos/tests/tinyproxy.nix

@@ -0,0 +1,20 @@
+import ./make-test-python.nix ({ pkgs, ... }: {
+  name = "tinyproxy";
+
+  nodes.machine = { config, pkgs, ... }: {
+    services.tinyproxy = {
+      enable = true;
+      settings = {
+        Listen = "127.0.0.1";
+        Port = 8080;
+      };
+    };
+  };
+
+  testScript = ''
+    machine.wait_for_unit("tinyproxy.service")
+    machine.wait_for_open_port(8080)
+
+    machine.succeed('curl -s http://localhost:8080 |grep -i tinyproxy')
+  '';
+})

pkgs/README.md

@@ -368,19 +368,11 @@ See the Nixpkgs manual for more details on [standard meta-attributes](https://ni
 
 ### Import From Derivation
 
-Import From Derivation (IFD) is disallowed in Nixpkgs for performance reasons:
-[Hydra] evaluates the entire package set, and sequential builds during evaluation would increase evaluation times to become impractical.
-
-[Hydra]: https://github.com/NixOS/hydra
+[Import From Derivation](https://nixos.org/manual/nix/unstable/language/import-from-derivation) (IFD) is disallowed in Nixpkgs for performance reasons:
+[Hydra](https://github.com/NixOS/hydra) evaluates the entire package set, and sequential builds during evaluation would increase evaluation times to become impractical.
 
 Import From Derivation can be worked around in some cases by committing generated intermediate files to version control and reading those instead.
 
-<!-- TODO: remove the following and link to Nix manual once https://github.com/NixOS/nix/pull/7332 is merged -->
-
-See also [NixOS Wiki: Import From Derivation].
-
-[NixOS Wiki: Import From Derivation]: https://nixos.wiki/wiki/Import_From_Derivation
-
 ## Sources
 
 ### Fetching Sources

pkgs/applications/misc/pdfstudio/common.nix

@@ -5,6 +5,7 @@
 , version
 , desktopName
 , longDescription
+, broken ? false
 , buildFHSEnv
 , extraBuildInputs ? [ ]
 , jdk
@@ -85,6 +86,7 @@ buildFHSEnv {
   '';
 
   meta = with lib; {
+    inherit broken;
     homepage = "https://www.qoppa.com/${pname}/";
     description = "An easy to use, full-featured PDF editing software";
     longDescription = longDescription;

pkgs/applications/misc/pdfstudio/default.nix

@@ -40,6 +40,10 @@ in
       sha256 = "sha256-QXNsH1T+ItV3s9r8CnwgRUo1mhVbe8LkEun9gUmlVQg=";
     };
     jdk = jdk17;
+
+    # Bad hash, got sha256-afRhx9VCVRFUJoUnqs1bzF0yXpz3yEgLiFjMRB9xvsk=
+    # Likely unstable.
+    broken = true;
   };
 
   pdfstudio2021 = callPackage ./common.nix rec {

pkgs/applications/networking/instant-messengers/rocketchat-desktop/default.nix

@@ -4,11 +4,11 @@ let
 in
 stdenv.mkDerivation rec {
   pname = "rocketchat-desktop";
-  version = "3.9.8";
+  version = "3.9.9";
 
   src = fetchurl {
     url = "https://github.com/RocketChat/Rocket.Chat.Electron/releases/download/${version}/rocketchat-${version}-linux-amd64.deb";
-    hash = "sha256-sx4WRAeitbBrz6jFvD0WF/EzR7cx4tOPoczbJ+tkw1s=";
+    hash = "sha256-50mVmE+q2VYJXIv2iD6ppS83We0aJRT9vje+zpJcdq0=";
   };
 
   nativeBuildInputs = [

pkgs/applications/science/logic/dafny/default.nix

@@ -8,28 +8,36 @@
 
 buildDotnetModule rec {
   pname = "Dafny";
-  version = "4.2.0";
+  version = "4.3.0";
 
   src = fetchFromGitHub {
     owner = "dafny-lang";
     repo = "dafny";
     rev = "v${version}";
-    sha256 = "sha256-RSGaOgGf3m94t3SKnvSPqz0VHhWr6NmIMtGsmOynMaM=";
+    hash = "sha256-bnKaaqh1/921SRwnwqgYb31SJ8vguEBtzywPTz79S6I=";
   };
 
-  postPatch = ''
-    cp ${writeScript "fake-gradlew-for-dafny" ''
-      mkdir -p build/libs/
-      javac $(find -name "*.java" | grep "^./src/main") -d classes
-      jar cf build/libs/DafnyRuntime-${version}.jar -C classes dafny
-    ''} Source/DafnyRuntime/DafnyRuntimeJava/gradlew
+  postPatch =
+    # This version number seems to be hardcoded and didn't get updated with the
+    # version bump from 4.2.0 to 4.3.0.
+    let dafnyRuntimeJarVersion = "4.2.0";
+    in ''
+      cp ${
+        writeScript "fake-gradlew-for-dafny" ''
+          mkdir -p build/libs/
+          javac $(find -name "*.java" | grep "^./src/main") -d classes
+          jar cf build/libs/DafnyRuntime-${dafnyRuntimeJarVersion}.jar -C classes dafny
+        ''} Source/DafnyRuntime/DafnyRuntimeJava/gradlew
 
-    # Needed to fix
-    # "error NETSDK1129: The 'Publish' target is not supported without specifying a target framework. The current project targets multiple frameworks, you must specify the framework for the published application."
-    substituteInPlace Source/DafnyRuntime/DafnyRuntime.csproj \
-      --replace TargetFrameworks TargetFramework \
-      --replace "netstandard2.0;net452" net6.0
-  '';
+      # Needed to fix
+      # "error NETSDK1129: The 'Publish' target is not supported without
+      # specifying a target framework. The current project targets multiple
+      # frameworks, you must specify the framework for the published
+      # application."
+      substituteInPlace Source/DafnyRuntime/DafnyRuntime.csproj \
+        --replace TargetFrameworks TargetFramework \
+        --replace "netstandard2.0;net452" net6.0
+    '';
 
   buildInputs = [ jdk11 ];
   nugetDeps = ./deps.nix;

pkgs/applications/window-managers/sway/default.nix

@@ -44,6 +44,8 @@ stdenv.mkDerivation (finalAttrs: {
     # Use /run/current-system/sw/share and /etc instead of /nix/store
     # references:
     ./sway-config-nixos-paths.patch
+    # Drop ambient capabilities after getting SCHED_RR
+    ./drop_ambient_capabilities.patch
   ];
 
   strictDeps = true;

pkgs/applications/window-managers/sway/drop_ambient_capabilities.patch

@@ -0,0 +1,41 @@
+From e7d9098e81289ae99d07ec3eac1fec1d303b8fe4 Mon Sep 17 00:00:00 2001
+From: Thiago Kenji Okada <thiagokokada@gmail.com>
+Date: Thu, 5 Oct 2023 15:23:35 +0100
+Subject: [PATCH] drop ambient capabilities
+
+Within NixOS the only possibility to gain cap_sys_nice is using the
+security.wrapper infrastructure. However to pass the capabilities to the
+wrapped program, they are raised to the ambient set. To fix this we make
+sure to drop the ambient capabilities during sway startup and realtime
+setup. Otherwise all programs started by sway also gain cap_sys_nice,
+which is not something we want.
+
+Co-authored-by: Rouven Czerwinski <rouven@czerwinskis.de>
+---
+ sway/realtime.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/sway/realtime.c b/sway/realtime.c
+index 11154af0..06f872a8 100644
+--- a/sway/realtime.c
++++ b/sway/realtime.c
+@@ -3,6 +3,7 @@
+ #include <unistd.h>
+ #include <pthread.h>
+ #include "sway/server.h"
++#include "sys/prctl.h"
+ #include "log.h"
+ 
+ static void child_fork_callback(void) {
+@@ -10,6 +11,8 @@ static void child_fork_callback(void) {
+ 
+ 	param.sched_priority = 0;
+ 
++	prctl(PR_CAP_AMBIENT, PR_CAP_AMBIENT_CLEAR_ALL, 0, 0, 0);
++
+ 	int ret = pthread_setschedparam(pthread_self(), SCHED_OTHER, &param);
+ 	if (ret != 0) {
+ 		sway_log(SWAY_ERROR, "Failed to reset scheduler policy on fork");
+-- 
+2.42.0
+

pkgs/by-name/README.md

@@ -3,6 +3,10 @@
 The structure of this directory maps almost directly to top-level package attributes.
 This is the recommended way to add new top-level packages to Nixpkgs [when possible](#limitations).
 
+Packages found in the named-based structure do not need to be explicitly added to the
+`top-level/all-packages.nix` file unless they require overriding the default value
+of an implicit attribute (see below).
+
 ## Example
 
 The top-level package `pkgs.some-package` may be declared by setting up this file structure:

pkgs/by-name/ci/cimg/package.nix

@@ -7,13 +7,13 @@
 
 stdenv.mkDerivation (finalAttrs: {
   pname = "cimg";
-  version = "3.2.6";
+  version = "3.3.1";
 
   src = fetchFromGitHub {
     owner = "GreycLab";
     repo = "CImg";
     rev = "v.${finalAttrs.version}";
-    hash = "sha256-HEqjvL16Ca3Al3I6VK50CU6zHFj9Nn/SAXXCfRU4rgo=";
+    hash = "sha256-Y3UPfBH+Sa1f529J1JXx8Ul0zi3b1mkOvo1tbxBSYRk=";
   };
 
   outputs = [ "out" "doc" ];

pkgs/by-name/co/connman/package.nix

@@ -0,0 +1,176 @@
+{ lib
+, stdenv
+, fetchurl
+, fetchpatch
+, autoreconfHook
+, dbus
+, file
+, glib
+, gnutls
+, iptables
+, libmnl
+, libnftnl # for nftables
+, nixosTests
+, openconnect
+, openvpn
+, pkg-config
+, polkit
+, ppp
+, pptp
+, readline
+, vpnc
+, dnsType ? "internal" # or "systemd-resolved"
+, enableBluetooth ? true
+, enableClient ? true
+, enableDatafiles ? true
+, enableDundee ? true
+, enableEthernet ? true
+, enableGadget ? true
+, enableHh2serialGps ? false
+, enableIospm ? false
+, enableL2tp ? false
+, enableLoopback ? true
+, enableNeard ? true
+, enableNetworkManager ? null
+, enableNetworkManagerCompatibility ?
+  if enableNetworkManager == null
+  then false
+  else lib.warn "enableNetworkManager option is deprecated; use enableNetworkManagerCompatibility instead" enableNetworkManager
+, enableOfono ? true
+, enableOpenconnect ? true
+, enableOpenvpn ? true
+, enablePacrunner ? true
+, enablePolkit ? true
+, enablePptp ? true
+, enableStats ? true
+, enableTist ? false
+, enableTools ? true
+, enableVpnc ? true
+, enableWifi ? true
+, enableWireguard ? true
+, enableWispr ? true
+, firewallType ? "iptables" # or "nftables"
+}:
+
+let
+  inherit (lib)
+    enableFeature
+    enableFeatureAs
+    optionals
+    withFeatureAs;
+in
+assert lib.asserts.assertOneOf "firewallType" firewallType [ "iptables" "nftables" ];
+assert lib.asserts.assertOneOf "dnsType" dnsType [ "internal" "systemd-resolved" ];
+stdenv.mkDerivation (finalAttrs: {
+  pname = "connman";
+  version = "1.42";
+
+  src = fetchurl {
+    url = "mirror://kernel/linux/network/connman/connman-${finalAttrs.version}.tar.xz";
+    hash = "sha256-o+a65G/Age8una48qk92Sd6JLD3mIsICg6wMqBQjwqo=";
+  };
+
+  patches = [
+    # simply the middle section of upstream commit a48864a2e5d2a725dfc6eef567108bc13b43857f
+    # dist tarball is broken, hence this patch as a workaround
+    ./create-libppp-compat.h.patch
+  ] ++ optionals stdenv.hostPlatform.isMusl [
+    # Fix Musl build by avoiding a Glibc-only API.
+    (fetchurl {
+      url = "https://git.alpinelinux.org/aports/plain/community/connman/libresolv.patch?id=e393ea84386878cbde3cccadd36a30396e357d1e";
+      hash = "sha256-7Q1bp8rD/gGVYUqnIXqjr9vypR8jlC926p3KYWl9kLw=";
+    })
+  ];
+
+  nativeBuildInputs = [
+    autoreconfHook
+    file
+    pkg-config
+  ];
+
+  buildInputs = [
+    glib
+    dbus
+    libmnl
+    gnutls
+    readline
+  ]
+  ++ optionals (firewallType == "iptables") [ iptables ]
+  ++ optionals (firewallType == "nftables") [ libnftnl ]
+  ++ optionals (enableOpenconnect) [ openconnect ]
+  ++ optionals (enablePolkit) [ polkit ]
+  ++ optionals (enablePptp) [ pptp ppp ]
+  ;
+
+  postPatch = ''
+    sed -i "s@/usr/bin/file@file@g" ./configure
+  '';
+
+  configureFlags = [
+    # directories flags
+    "--sysconfdir=/etc"
+    "--localstatedir=/var"
+  ] ++ [
+    # production build flags
+    (enableFeature false "maintainer-mode")
+    (enableFeatureAs true "session-policy-local" "builtin")
+    # for building and running tests
+    # (enableFeature true "tests") # installs the tests, we don't want that
+    (enableFeature true "tools")
+    (enableFeature enableLoopback "loopback")
+    (enableFeature enableEthernet "ethernet")
+    (enableFeature enableWireguard "wireguard")
+    (enableFeature enableGadget "gadget")
+    (enableFeature enableWifi "wifi")
+    # enable IWD support for wifi as it doesn't require any new dependencies and
+    # it's easier for the NixOS module to use only one connman package when IWD
+    # is requested
+    (enableFeature enableWifi "iwd")
+    (enableFeature enableBluetooth "bluetooth")
+    (enableFeature enableOfono "ofono")
+    (enableFeature enableDundee "dundee")
+    (enableFeature enablePacrunner "pacrunner")
+    (enableFeature enableNeard "neard")
+    (enableFeature enableWispr "wispr")
+    (enableFeature enableTools "tools")
+    (enableFeature enableStats "stats")
+    (enableFeature enableClient "client")
+    (enableFeature enableDatafiles "datafiles")
+    (enableFeature enablePolkit "polkit")
+    (enableFeature enablePptp "pptp")
+    (enableFeature enableWireguard "wireguard")
+    (enableFeature enableNetworkManagerCompatibility "nmcompat")
+    (enableFeature enableHh2serialGps "hh2serial-gps")
+    (enableFeature enableL2tp "l2tp")
+    (enableFeature enableIospm "iospm")
+    (enableFeature enableTist "tist")
+  ] ++ [
+    (enableFeatureAs enableOpenconnect "openconnect" "builtin")
+    (enableFeatureAs enableOpenvpn "openvpn" "builtin")
+    (enableFeatureAs enableVpnc "vpnc" "builtin")
+  ] ++ [
+    (withFeatureAs true "dbusconfdir" "${placeholder "out"}/share")
+    (withFeatureAs true "dbusdatadir" "${placeholder "out"}/share")
+    (withFeatureAs true "tmpfilesdir" "${placeholder "out"}/tmpfiles.d")
+    (withFeatureAs true "systemdunitdir" "${placeholder "out"}/systemd/system")
+    (withFeatureAs true "dns-backend" "${dnsType}")
+    (withFeatureAs true "firewall" "${firewallType}")
+    (withFeatureAs enableOpenconnect "openconnect" "${openconnect}/sbin/openconnect")
+    (withFeatureAs enableOpenvpn "openvpn" "${openvpn}/sbin/openvpn")
+    (withFeatureAs enableVpnc "vpnc" "${vpnc}/sbin/vpnc")
+    (withFeatureAs enablePptp "pptp" "${pptp}/sbin/pptp")
+  ];
+
+  doCheck = true;
+
+  passthru.tests.connman = nixosTests.connman;
+
+  meta = {
+    description = "A daemon for managing internet connections";
+    homepage = "https://git.kernel.org/pub/scm/network/connman/connman.git/about/";
+    license = lib.licenses.gpl2Only;
+    mainProgram = "connmanctl";
+    maintainers = with lib.maintainers; [ eclairevoyant AndersonTorres ];
+    platforms = lib.platforms.linux;
+  };
+})

pkgs/by-name/gm/gmic/package.nix

@@ -26,7 +26,7 @@
 
 stdenv.mkDerivation (finalAttrs: {
   pname = "gmic";
-  version = "3.2.6";
+  version = "3.3.1";
 
   outputs = [ "out" "lib" "dev" "man" ];
 
@@ -34,7 +34,7 @@ stdenv.mkDerivation (finalAttrs: {
     owner = "GreycLab";
     repo = "gmic";
     rev = "v.${finalAttrs.version}";
-    hash = "sha256-kaI5rcAz3Cw/xzWgJhMRu/cQwVrvLRAPiB5BhzPMOHY=";
+    hash = "sha256-HagGabJ1jkg5SkMlr0Y5rGFw64jPW8QLuR0I2idM1N0=";
   };
 
   # TODO: build this from source

pkgs/development/php-packages/meminfo/default.nix

@@ -0,0 +1,22 @@
+{ buildPecl, lib, fetchFromGitHub }:
+
+buildPecl rec {
+  version = "unstable-2022-03-25";
+  pname = "meminfo";
+
+  src = fetchFromGitHub {
+    owner = "BitOne";
+    repo = "php-meminfo";
+    rev = "0ab7f5aea96c4dafce27c7e215b4907db2a2f493";
+    hash = "sha256-MO+B+ZNg6OAnxkOtdA15o+G41XbsG1N1WBz7thMCjck=";
+  };
+
+  sourceRoot = "${src.name}/extension";
+
+  meta = {
+    description = "PHP extension to get insight about memory usage";
+    homepage = "https://github.com/BitOne/php-meminfo";
+    license = lib.licenses.mit;
+    maintainers = with lib.maintainers; [ drupol ];
+  };
+}

pkgs/development/python-modules/rnginline/default.nix

@@ -1,12 +1,14 @@
 { lib
 , fetchPypi
 , buildPythonPackage
+, poetry-core
 , lxml
-, docopt
-, six
+, docopt-ng
+, typing-extensions
+, importlib-metadata
+, importlib-resources
 , pytestCheckHook
 , mock
-, fetchpatch
 }:
 
 buildPythonPackage rec {
@@ -18,20 +20,23 @@ buildPythonPackage rec {
     hash = "sha256-JWqzs+OqOynIAWYVgGrZiuiCqObAgGe6rBt0DcP3U6E=";
   };
 
-  patches = [
-    # Fix failing tests. Should be included in releases after 0.0.2
-    # https://github.com/h4l/rnginline/issues/3
-    (fetchpatch {
-      url = "https://github.com/h4l/rnginline/commit/b1d1c8cda2a17d46627309950f2442021749c07e.patch";
-      hash = "sha256-XbisEwun2wPOp7eqW2YDVdayJ4sjAMG/ezFwgoCKe9o=";
-      name = "fix_tests_failing_collect.patch";
-    })
+  format = "pyproject";
+
+  postPatch = ''
+    substituteInPlace pyproject.toml \
+      --replace 'importlib-metadata = "^6.6.0"' 'importlib-metadata = "^6.0.0"'
+  '';
+
+  nativeBuildInputs = [
+    poetry-core
   ];
 
   propagatedBuildInputs = [
-    docopt
+    docopt-ng
     lxml
-    six
+    typing-extensions
+    importlib-metadata
+    importlib-resources
   ];
 
   nativeCheckInputs = [

pkgs/os-specific/linux/firmware/fwupd/default.nix

@@ -227,7 +227,6 @@ stdenv.mkDerivation (finalAttrs: {
   ] ++ lib.optionals (!enablePassim) [
     "-Dpassim=disabled"
   ] ++ lib.optionals (!haveDell) [
-    "-Dplugin_dell=disabled"
     "-Dplugin_synaptics_mst=disabled"
   ] ++ lib.optionals (!haveRedfish) [
     "-Dplugin_redfish=disabled"

pkgs/servers/sql/postgresql/default.nix

@@ -110,23 +110,50 @@ let
         locale = "${if stdenv.isDarwin then darwin.adv_cmds else lib.getBin stdenv.cc.libc}/bin/locale";
       })
 
-    ] ++ lib.optionals (stdenv'.hostPlatform.isMusl && atLeast "12") [
-      (fetchpatch {
-        url = "https://git.alpinelinux.org/aports/plain/main/postgresql14/icu-collations-hack.patch?id=56999e6d0265ceff5c5239f85fdd33e146f06cb7";
-        hash = "sha256-Yb6lMBDqeVP/BLMyIr5rmR6OkaVzo68cV/+cL2LOe/M=";
-      })
-    ] ++ lib.optionals (stdenv'.hostPlatform.isMusl && atLeast "13") [
-      (if olderThan "14" then
-        fetchpatch {
-           url = "https://git.alpinelinux.org/aports/plain/main/postgresql13/disable-test-collate.icu.utf8.patch?id=69faa146ec9fff3b981511068f17f9e629d4688b";
-           hash = "sha256-IOOx7/laDYhTz1Q1r6H1FSZBsHCgD4lHvia+/os7CCo=";
-         }
-       else
-         fetchpatch {
-           url = "https://git.alpinelinux.org/aports/plain/main/postgresql14/disable-test-collate.icu.utf8.patch?id=56999e6d0265ceff5c5239f85fdd33e146f06cb7";
-           hash = "sha256-pnl+wM3/IUyq5iJzk+h278MDA9R0GQXQX8d4wJcB2z4=";
-         })
-    ] ++ lib.optionals stdenv'.isLinux  [
+    ] ++ lib.optionals stdenv'.hostPlatform.isMusl (
+      let
+        self = {
+          "12" = {
+            icu-collations-hack = fetchurl {
+              url = "https://git.alpinelinux.org/aports/plain/testing/postgresql12/icu-collations-hack.patch?id=d5227c91adda59d4e7f55f13468f0314e8869174";
+              hash = "sha256-wuwjvGHArkRNwFo40g3p43W32OrJohretlt6iSRlJKg=";
+            };
+          };
+          "13" = {
+            inherit (self."14") icu-collations-hack;
+            disable-test-collate-icu-utf8 = fetchurl {
+              url = "https://git.alpinelinux.org/aports/plain/main/postgresql13/disable-test-collate.icu.utf8.patch?id=69faa146ec9fff3b981511068f17f9e629d4688b";
+              hash = "sha256-jS/qxezaiaKhkWeMCXwpz1SDJwUWn9tzN0uKaZ3Ph2Y=";
+            };
+          };
+          "14" = {
+            icu-collations-hack = fetchurl {
+              url = "https://git.alpinelinux.org/aports/plain/main/postgresql14/icu-collations-hack.patch?id=56999e6d0265ceff5c5239f85fdd33e146f06cb7";
+              hash = "sha256-wuwjvGHArkRNwFo40g3p43W32OrJohretlt6iSRlJKg=";
+            };
+            disable-test-collate-icu-utf8 = fetchurl {
+              url = "https://git.alpinelinux.org/aports/plain/main/postgresql14/disable-test-collate.icu.utf8.patch?id=56999e6d0265ceff5c5239f85fdd33e146f06cb7";
+              hash = "sha256-jXe23AxnFjEl+TZQm4R7rStk2Leo08ctxMNmu1xr5zM=";
+            };
+          };
+          "15" = {
+            icu-collations-hack = fetchurl {
+              url = "https://git.alpinelinux.org/aports/plain/main/postgresql15/icu-collations-hack.patch?id=f424e934e6d076c4ae065ce45e734aa283eecb9c";
+              hash = "sha256-HgtmhF4OJYU9macGJbTB9PjQi/yW7c3Akm3U0niWs8I=";
+            };
+          };
+          "16" = {
+            icu-collations-hack = fetchurl {
+              url = "https://git.alpinelinux.org/aports/plain/main/postgresql16/icu-collations-hack.patch?id=08a24be262339fd093e641860680944c3590238e";
+              hash = "sha256-+urQdVIlADLdDPeT68XYv5rljhbK8M/7mPZn/cF+FT0=";
+            };
+          };
+        };
+
+        patchesForVersion = self.${lib.versions.major version} or (throw "no musl patches for postgresql ${version}");
+      in
+        lib.attrValues patchesForVersion
+    ) ++ lib.optionals stdenv'.isLinux  [
       (if atLeast "13" then ./patches/socketdir-in-run-13.patch else ./patches/socketdir-in-run.patch)
     ];
 

pkgs/servers/varnish/default.nix

@@ -51,19 +51,14 @@ let
     };
 in
 {
-  # EOL TBA
+  # EOL (LTS) TBA
   varnish60 = common {
     version = "6.0.11";
     hash = "sha256-UVkA2+tH/9MOs5BlyuAzFnmD7Pm9A6lDWic2B+HRKNs=";
   };
-  # EOL 2023-09-15
-  varnish72 = common {
-    version = "7.2.1";
-    hash = "sha256-TZN9FyCo7BnFM/ly2TA6HJiJt7/KdDeJOuXCfPIEqUA=";
-  };
-  # EOL 2024-03-15
-  varnish73 = common {
-    version = "7.3.0";
-    hash = "sha256-4tu7DsJwqQZHw4aGbm4iaZOu1G5I3nUacruBlzfxSuc=";
+  # EOL 2024-09-15
+  varnish74 = common {
+    version = "7.4.1";
+    hash = "sha256-h02Deq9JuPJxjLYLjIx5AOnqEMJk8hjIjNZy1Zb0uJ8=";
   };
 }

pkgs/servers/varnish/modules.nix

@@ -41,12 +41,8 @@ in
     version = "0.15.1";
     sha256 = "1lwgjhgr5yw0d17kbqwlaj5pkn70wvaqqjpa1i0n459nx5cf5pqj";
   };
-  modules20 = common {
-    version = "0.20.0";
-    sha256 = "sha256-3eH3qCa24rWqYXsTTDmm/9LjBMxcxUuozuRzZ3e8cUo=";
-  };
-  modules22 = common {
-    version = "0.22.0";
-    sha256 = "sha256-eoa6i6AuOS4pxQKA/lbJnwFc39cRiLqnBSpPM4Oitrc=";
+  modules23 = common {
+    version = "0.23.0";
+    sha256 = "sha256-Dd1pLMmRC59iRRpReDeQJ8Sv00ojb8InvaMrb+iRv4I=";
   };
 }

pkgs/servers/varnish/packages.nix

@@ -1,4 +1,4 @@
-{ callPackages, callPackage, varnish60, varnish72, varnish73, fetchFromGitHub }: {
+{ callPackages, callPackage, varnish60, varnish74, fetchFromGitHub }: {
   varnish60Packages = rec {
     varnish = varnish60;
     modules = (callPackages ./modules.nix { inherit varnish; }).modules15;
@@ -13,12 +13,8 @@
       sha256 = "1n94slrm6vn3hpymfkla03gw9603jajclg84bjhwb8kxsk3rxpmk";
     };
   };
-  varnish72Packages = rec {
-    varnish = varnish72;
-    modules = (callPackages ./modules.nix { inherit varnish; }).modules20;
-  };
-  varnish73Packages = rec {
-    varnish = varnish73;
-    modules = (callPackages ./modules.nix { inherit varnish; }).modules22;
+  varnish74Packages = rec {
+    varnish = varnish74;
+    modules = (callPackages ./modules.nix { inherit varnish; }).modules23;
   };
 }

pkgs/servers/web-apps/snipe-it/default.nix

@@ -36,13 +36,13 @@ let
 
 in package.override rec {
   pname = "snipe-it";
-  version = "6.2.1";
+  version = "6.2.2";
 
   src = fetchFromGitHub {
     owner = "snipe";
     repo = pname;
     rev = "v${version}";
-    sha256 = "0kx5j9a2fbj9zy0i9r01z3lsbqlf488kn5b42fjs47nfzk1yznvx";
+    sha256 = "11i9ijkl7am5k48y7r5k6nki2827cd7mw3dr1xj8dvb8diwaskqi";
   };
 
   passthru.tests = nixosTests.snipe-it;

pkgs/tools/admin/lxd/package.json

@@ -4,7 +4,7 @@
   "author": "Canonical Webteam",
   "license": "LGPL-3.0-only",
   "scripts": {
-    "clean": "rm -rf node_modules yarn-error.log *.log build/ .jekyll-metadata .bundle",
+    "clean": "rm -rf node_modules yarn-error.log *.log build/ .jekyll-metadata .bundle playwright-report test-results haproxy-local.cfg",
     "build-html": "cp build/ui/index.html build/index.html",
     "build": "npx vite build && yarn build-html",
     "format-js-eslint": "eslint 'src/**/*.{json,jsx,tsx,ts}' 'tests/**/*.ts' --fix",
@@ -17,13 +17,14 @@
     "hooks-add": "husky install",
     "hooks-remove": "husky uninstall",
     "start": "concurrently --kill-others --raw 'vite | grep -v localhost' 'yarn serve'",
-    "serve": "./entrypoint"
-  },
+    "serve": "./entrypoint",
+    "test-js": "react-scripts test src/ --watchAll=false"},
   "dependencies": {
-    "@canonical/react-components": "0.42.0",
+    "@canonical/react-components": "0.47.0",
     "@monaco-editor/react": "^4.4.6",
     "@tanstack/react-query": "^4.14.5",
     "@use-it/event-listener": "^0.1.7",
+    "axios": "1.3.2",
     "cytoscape": "3.23.0",
     "cytoscape-popper": "2.0.0",
     "formik": "2.2.9",
@@ -38,7 +39,7 @@
     "react-scripts": "5.0.1",
     "react-useportal": "^1.0.17",
     "serve": "14.1.2",
-    "vanilla-framework": "3.15.1",
+    "vanilla-framework": "4.3.0",
     "xterm-addon-fit": "0.6.0",
     "xterm-for-react": "1.0.4",
     "yup": "0.32.11"
@@ -78,7 +79,7 @@
     "sass": "1.57.1",
     "sass-loader": "13.2.0",
     "style-loader": "3.3.1",
-    "stylelint": "14.16.1",
+    "stylelint": "15.10.1",
     "stylelint-config-prettier": "9.0.4",
     "stylelint-config-standard-scss": "6.1.0",
     "stylelint-order": "5.0.0",

pkgs/tools/admin/lxd/ui.nix

@@ -6,19 +6,19 @@
 
 mkYarnPackage rec {
   pname = "lxd-ui";
-  version = "unstable-2023-07-03";
+  version = "0.2";
 
   src = fetchFromGitHub {
     owner = "canonical";
     repo = "lxd-ui";
-    rev = "c2e819a027d440cbb1cb9d450aad280dde68e231";
-    sha256 = "sha256-lEzGACSv6CpxnfkOcsdPrH6KRKDkoKv63m8Gsodk8uc=";
+    rev = "refs/tags/${version}";
+    sha256 = "sha256-DygWNktangFlAqinBm6wWsRLGmX6yjhmRJ2iU0yjcgk=";
   };
 
   packageJSON = ./package.json;
   offlineCache = fetchYarnDeps {
     yarnLock = "${src}/yarn.lock";
-    sha256 = "sha256-SLkgJDb9lwz/ShZh+H4YKAFRc1BdANWI5ndM2O6NzXE=";
+    sha256 = "sha256-B1SVCViX1LEFoBLMdFk9qaoayku7Y+zU5c4JEJkLmwE=";
   };
 
   buildPhase = ''

pkgs/tools/graphics/gmic-qt/default.nix

@@ -55,11 +55,11 @@ assert lib.assertMsg
 
 stdenv.mkDerivation (finalAttrs: {
   pname = "gmic-qt${lib.optionalString (variant != "standalone") "-${variant}"}";
-  version = "3.2.6";
+  version = "3.3.1";
 
   src = fetchzip {
     url = "https://gmic.eu/files/source/gmic_${finalAttrs.version}.tar.gz";
-    hash = "sha256-asB1YftHfdb7JG87WJ+ggyMCu7qb0f+aCanl5LLi9VE=";
+    hash = "sha256-d9FRNW/MXM9ZJ1xgIZvGTUPDDnHgTJU0DuWyPkzNAmo=";
   };
 
   nativeBuildInputs = [

pkgs/tools/misc/timidity/configure-compat.patch

@@ -0,0 +1,33 @@
+--- a/configure	2018-08-28 19:33:39.000000000 -0400
++++ b/configure	2023-09-05 19:44:27.311279263 -0400
+@@ -6874,6 +6874,7 @@
+ cat >>conftest.$ac_ext <<_ACEOF
+ /* end confdefs.h.  */
+ #include <ctype.h>
++#include <stdlib.h>
+ #if ((' ' & 0x0FF) == 0x020)
+ # define ISLOWER(c) ('a' <= (c) && (c) <= 'z')
+ # define TOUPPER(c) (ISLOWER(c) ? 'A' + ((c) - 'a') : (c))
+@@ -7731,6 +7732,7 @@
+ cat >>conftest.$ac_ext <<_ACEOF
+ /* end confdefs.h.  */
+ #include <ctype.h>
++#include <stdlib.h>
+ #if ((' ' & 0x0FF) == 0x020)
+ # define ISLOWER(c) ('a' <= (c) && (c) <= 'z')
+ # define TOUPPER(c) (ISLOWER(c) ? 'A' + ((c) - 'a') : (c))
+@@ -10311,8 +10313,13 @@
+   if test "$cross_compiling" = yes; then
+   ac_cv_func_fork_works=cross
+ else
+-  cat >conftest.$ac_ext <<_ACEOF
++   cat >conftest.$ac_ext <<_ACEOF
++/* confdefs.h.  */
++_ACEOF
++   cat confdefs.h >>conftest.$ac_ext
++   cat >>conftest.$ac_ext <<_ACEOF
+ /* By Ruediger Kuhlmann. */
++      #include <stdlib.h>
+       #include <sys/types.h>
+       #if HAVE_UNISTD_H
+       # include <unistd.h>

pkgs/tools/misc/timidity/default.nix

@@ -1,6 +1,14 @@
-{ lib, stdenv, fetchurl
-, pkg-config, buildPackages
-, CoreAudio, alsa-lib, libjack2, ncurses
+{ lib
+, stdenv
+, fetchurl
+, pkg-config
+, memstreamHook
+, CoreAudio
+, libobjc
+, libjack2
+, ncurses
+, alsa-lib
+, buildPackages
 }:
 
 stdenv.mkDerivation rec {
@@ -12,9 +20,15 @@ stdenv.mkDerivation rec {
     sha256 = "1xf8n6dqzvi6nr2asags12ijbj1lwk1hgl3s27vm2szib8ww07qn";
   };
 
-  patches = [ ./timidity-iA-Oj.patch ];
+  patches = [
+    ./timidity-iA-Oj.patch
+    # Fixes misdetection of features by clang 16. The configure script itself is patched because
+    # it is old and does not work nicely with autoreconfHook.
+    ./configure-compat.patch
+  ];
 
-  nativeBuildInputs = [ pkg-config ];
+  nativeBuildInputs = [ pkg-config ]
+    ++ lib.optionals (stdenv.isDarwin && stdenv.isx86_64) [ memstreamHook ];
   buildInputs = [
     libjack2
     ncurses
@@ -22,6 +36,7 @@ stdenv.mkDerivation rec {
     alsa-lib
   ] ++ lib.optionals stdenv.isDarwin [
     CoreAudio
+    libobjc
   ];
 
   configureFlags = [
@@ -36,6 +51,13 @@ stdenv.mkDerivation rec {
   ] ++ lib.optionals stdenv.isDarwin [
     "--enable-audio=darwin,jack"
     "lib_cv_va_val_copy=no"
+    "timidity_cv_ccoption_rdynamic=yes"
+    # These configure tests fail because of incompatible function pointer conversions.
+    "ac_cv_func_vprintf=yes"
+    "ac_cv_func_popen=yes"
+    "ac_cv_func_vsnprintf=yes"
+    "ac_cv_func_snprintf=yes"
+    "ac_cv_func_open_memstream=yes"
   ];
 
   makeFlags = [

pkgs/tools/networking/connman/connman/default.nix

@@ -1,190 +0,0 @@
-{ lib
-, nixosTests
-, stdenv
-, fetchurl
-, fetchpatch
-, pkg-config
-, autoreconfHook
-, file
-, glib
-# always required runtime dependencies
-, dbus
-, libmnl
-, gnutls
-, readline
-# configurable options
-, firewallType ? "iptables" # or "nftables"
-, iptables ? null
-, libnftnl ? null # for nftables
-, dnsType ? "internal" # or "systemd-resolved"
-# optional features which are turned *on* by default
-, enableOpenconnect ? true
-, openconnect ? null
-, enableOpenvpn ? true
-, openvpn ? null
-, enableVpnc ? true
-, vpnc ? true
-, enablePolkit ? true
-, polkit ? null
-, enablePptp ? true
-, pptp ? null
-, ppp ? null
-, enableLoopback ? true
-, enableEthernet ? true
-, enableWireguard ? true
-, enableGadget ? true
-, enableWifi ? true
-, enableBluetooth ? true
-, enableOfono ? true
-, enableDundee ? true
-, enablePacrunner ? true
-, enableNeard ? true
-, enableWispr ? true
-, enableTools ? true
-, enableStats ? true
-, enableClient ? true
-, enableDatafiles ? true
-# optional features which are turned *off* by default
-, enableNetworkManager ? false
-, enableHh2serialGps ? false
-, enableL2tp ? false
-, enableIospm ? false
-, enableTist ? false
-}:
-
-assert lib.asserts.assertOneOf "firewallType" firewallType [ "iptables" "nftables" ];
-assert lib.asserts.assertOneOf "dnsType" dnsType [ "internal" "systemd-resolved" ];
-
-let inherit (lib) optionals; in
-
-stdenv.mkDerivation rec {
-  pname = "connman";
-  version = "1.42";
-  src = fetchurl {
-    url = "mirror://kernel/linux/network/connman/${pname}-${version}.tar.xz";
-    hash = "sha256-o+a65G/Age8una48qk92Sd6JLD3mIsICg6wMqBQjwqo=";
-  };
-
-  patches = [
-    # simply the middle section of upstream commit a48864a2e5d2a725dfc6eef567108bc13b43857f
-    # dist tarball is broken, hence this patch as a workaround
-    ./create-libppp-compat.h.patch
-  ] ++ optionals stdenv.hostPlatform.isMusl [
-    # Fix Musl build by avoiding a Glibc-only API.
-    (fetchurl {
-      url = "https://git.alpinelinux.org/aports/plain/community/connman/libresolv.patch?id=e393ea84386878cbde3cccadd36a30396e357d1e";
-      hash = "sha256-7Q1bp8rD/gGVYUqnIXqjr9vypR8jlC926p3KYWl9kLw=";
-    })
-  ];
-
-  buildInputs = [
-    glib
-    dbus
-    libmnl
-    gnutls
-    readline
-  ] ++ optionals (enableOpenconnect) [ openconnect ]
-    ++ optionals (firewallType == "iptables") [ iptables ]
-    ++ optionals (firewallType == "nftables") [ libnftnl ]
-    ++ optionals (enablePolkit) [ polkit ]
-    ++ optionals (enablePptp) [ pptp ppp ]
-  ;
-
-  nativeBuildInputs = [
-    pkg-config
-    file
-    autoreconfHook  # as long as we're patching configure.ac
-  ];
-
-  # fix invalid path to 'file'
-  postPatch = ''
-    sed -i "s/\/usr\/bin\/file/file/g" ./configure
-  '';
-
-  configureFlags = [
-    # directories flags
-    "--sysconfdir=/etc"
-    "--localstatedir=/var"
-    "--with-dbusconfdir=${placeholder "out"}/share"
-    "--with-dbusdatadir=${placeholder "out"}/share"
-    "--with-tmpfilesdir=${placeholder "out"}/lib/tmpfiles.d"
-    "--with-systemdunitdir=${placeholder "out"}/lib/systemd/system"
-    "--with-dns-backend=${dnsType}"
-    "--with-firewall=${firewallType}"
-    # production build flags
-    "--disable-maintainer-mode"
-    "--enable-session-policy-local=builtin"
-    # for building and running tests
-    # "--enable-tests" # installs the tests, we don't want that
-    "--enable-tools"
-  ]
-    ++ optionals (!enableLoopback) [ "--disable-loopback" ]
-    ++ optionals (!enableEthernet) [ "--disable-ethernet" ]
-    ++ optionals (!enableWireguard) [ "--disable-wireguard" ]
-    ++ optionals (!enableGadget) [ "--disable-gadget" ]
-    ++ optionals (!enableWifi) [ "--disable-wifi" ]
-    # enable IWD support for wifi as it doesn't require any new dependencies
-    # and it's easier for the NixOS module to use only one connman package when
-    # IWD is requested
-    ++ optionals (enableWifi) [ "--enable-iwd" ]
-    ++ optionals (!enableBluetooth) [ "--disable-bluetooth" ]
-    ++ optionals (!enableOfono) [ "--disable-ofono" ]
-    ++ optionals (!enableDundee) [ "--disable-dundee" ]
-    ++ optionals (!enablePacrunner) [ "--disable-pacrunner" ]
-    ++ optionals (!enableNeard) [ "--disable-neard" ]
-    ++ optionals (!enableWispr) [ "--disable-wispr" ]
-    ++ optionals (!enableTools) [ "--disable-tools" ]
-    ++ optionals (!enableStats) [ "--disable-stats" ]
-    ++ optionals (!enableClient) [ "--disable-client" ]
-    ++ optionals (!enableDatafiles) [ "--disable-datafiles" ]
-    ++ optionals (enableOpenconnect) [
-      "--enable-openconnect=builtin"
-      "--with-openconnect=${openconnect}/sbin/openconnect"
-    ]
-    ++ optionals (enableOpenvpn) [
-      "--enable-openvpn=builtin"
-      "--with-openvpn=${openvpn}/sbin/openvpn"
-    ]
-    ++ optionals (enableVpnc) [
-      "--enable-vpnc=builtin"
-      "--with-vpnc=${vpnc}/sbin/vpnc"
-    ]
-    ++ optionals (enablePolkit) [
-      "--enable-polkit"
-    ]
-    ++ optionals (enablePptp) [
-      "--enable-pptp"
-      "--with-pptp=${pptp}/sbin/pptp"
-    ]
-    ++ optionals (!enableWireguard) [
-      "--disable-wireguard"
-    ]
-    ++ optionals (enableNetworkManager) [
-      "--enable-nmcompat"
-    ]
-    ++ optionals (enableHh2serialGps) [
-      "--enable-hh2serial-gps"
-    ]
-    ++ optionals (enableL2tp) [
-      "--enable-l2tp"
-    ]
-    ++ optionals (enableIospm) [
-      "--enable-iospm"
-    ]
-    ++ optionals (enableTist) [
-      "--enable-tist"
-    ]
-  ;
-
-  doCheck = true;
-
-  passthru.tests.connman = nixosTests.connman;
-
-  meta = with lib; {
-    description = "A daemon for managing internet connections";
-    homepage = "https://git.kernel.org/pub/scm/network/connman/connman.git/";
-    maintainers = with maintainers; [ eclairevoyant ];
-    platforms = platforms.linux;
-    license = licenses.gpl2Only;
-  };
-}

pkgs/tools/networking/connman/default.nix

@@ -1,49 +0,0 @@
-{ lib, pkgs }:
-
-lib.makeScope pkgs.newScope (self: with self; {
-
-  # All the defaults
-  connman = callPackage ./connman { };
-
-  connmanFull = connman.override {
-    # TODO: Why is this in `connmanFull` and not the default build? See TODO in
-    # nixos/modules/services/networking/connman.nix (near the assertions)
-    enableNetworkManager = true;
-    enableHh2serialGps = true;
-    enableL2tp = true;
-    enableIospm = true;
-    enableTist = true;
-  };
-
-  connmanMinimal = connman.override {
-    enableOpenconnect = false;
-    enableOpenvpn = false;
-    enableVpnc = false;
-    vpnc = false;
-    enablePolkit = false;
-    enablePptp = false;
-    enableLoopback = false;
-    # enableEthernet = false; # If disabled no ethernet connection can be performed
-    enableWireguard = false;
-    enableGadget = false;
-    # enableWifi = false; # If disabled no WiFi connection can be performed
-    enableBluetooth = false;
-    enableOfono = false;
-    enableDundee = false;
-    enablePacrunner = false;
-    enableNeard = false;
-    enableWispr = false;
-    enableTools = false;
-    enableStats = false;
-    enableClient = false;
-    # enableDatafiles = false; # If disabled, configuration and data files are not installed
-  };
-
-  connman_dmenu = callPackage ./connman_dmenu { };
-
-  connman-gtk = callPackage ./connman-gtk { };
-
-  connman-ncurses = callPackage ./connman-ncurses { };
-
-  connman-notify = callPackage ./connman-notify { };
-})

pkgs/tools/networking/tinyproxy/default.nix

@@ -4,6 +4,7 @@
 , fetchpatch
 , autoreconfHook
 , perl
+, nixosTests
 , withDebug ? false
 }:
 
@@ -30,6 +31,7 @@ stdenv.mkDerivation rec {
   nativeBuildInputs = [ autoreconfHook perl ];
 
   configureFlags = lib.optionals withDebug [ "--enable-debug" ]; # Enable debugging support code and methods.
+  passthru.tests = { inherit (nixosTests) tinyproxy; };
 
   meta = with lib; {
     homepage = "https://tinyproxy.github.io/";

pkgs/tools/system/stress-ng/default.nix

@@ -4,13 +4,13 @@
 
 stdenv.mkDerivation rec {
   pname = "stress-ng";
-  version = "0.16.04";
+  version = "0.17.00";
 
   src = fetchFromGitHub {
     owner = "ColinIanKing";
     repo = pname;
     rev = "V${version}";
-    hash = "sha256-Qr1t+xyl0aS2tSB+DyS7oXOkbcJRaSabS6g/qc8hdWc=";
+    hash = "sha256-VChEuxNDQfkJyherlInbFEBGf6djp5zRQYaZB7w7A3s=";
   };
 
   postPatch = ''

pkgs/top-level/aliases.nix

@@ -133,6 +133,15 @@ mapAliases ({
   inherit (libsForQt5.mauiPackages) clip; # added 2022-05-17
   cpp-ipfs-api = cpp-ipfs-http-client; # Project has been renamed. Added 2022-05-15
   crispyDoom = crispy-doom; # Added 2023-05-01
+  clasp = clingo; # added 2022-12-22
+  claws-mail-gtk3 = claws-mail; # Added 2021-07-10
+  codimd = hedgedoc; # Added 2020-11-29
+  inherit (libsForQt5.mauiPackages) communicator; # added 2022-05-17
+  compton = throw "'compton' has been renamed to/replaced by 'picom'"; # Converted to throw 2023-09-10
+  concurrencykit = libck; # Added 2021-03
+  connmanPackages = throw "'connmanPackages' was removed and their subpackages/attributes were promoted to top level."; # Added 2023-10-08
+  cups-kyodialog3 = cups-kyodialog; # Added 2022-11-12
+  cvs_fast_export = cvs-fast-export; # Added 2021-06-10
 
   # these are for convenience, not for backward compat and shouldn't expire
   clang5Stdenv = lowPrio llvmPackages_5.stdenv;
@@ -148,19 +157,8 @@ mapAliases ({
   clang15Stdenv = lowPrio llvmPackages_15.stdenv;
   clang16Stdenv = lowPrio llvmPackages_16.stdenv;
 
-  clasp = clingo; # added 2022-12-22
-  claws-mail-gtk3 = claws-mail; # Added 2021-07-10
-  codimd = hedgedoc; # Added 2020-11-29
-  inherit (libsForQt5.mauiPackages) communicator; # added 2022-05-17
-  compton = throw "'compton' has been renamed to/replaced by 'picom'"; # Converted to throw 2023-09-10
-  concurrencykit = libck; # Added 2021-03
-
-  cups-kyodialog3 = cups-kyodialog; # Added 2022-11-12
-  cvs_fast_export = cvs-fast-export; # Added 2021-06-10
-
   ### D ###
 
-  oroborus = throw "oroborus was removed, because it was abandoned years ago."; #Added 2023-09-10
   dart_stable = dart; # Added 2020-01-15
   dat = nodePackages.dat;
   deadpixi-sam = deadpixi-sam-unstable;
@@ -609,11 +607,11 @@ mapAliases ({
   openssl_3_0 = openssl_3; # Added 2022-06-27
   openvpn_24 = throw "openvpn_24 has been removed, because it went EOL. 2.5.x or newer is still available"; # Added 2023-01-23
   orchis = orchis-theme; # Added 2021-06-09
+  oroborus = throw "oroborus was removed, because it was abandoned years ago."; #Added 2023-09-10
   osxfuse = macfuse-stubs; # Added 2021-03-20
 
   ### P ###
 
-
   packet-cli = metal-cli; # Added 2021-10-25
   palemoon = throw "palemoon has been dropped due to python2 being EOL and marked insecure. Use 'palemoon-bin' instead"; # Added 2023-05-18
   paperless = paperless-ngx; # Added 2021-06-06
@@ -853,6 +851,10 @@ mapAliases ({
   vivaldi-widevine = throw "'vivaldi-widevine' has been renamed to/replaced by 'widevine-cdm'"; # Added 2023-02-25
   vkBasalt = vkbasalt; # Added 2022-11-22
   vte_290 = throw "'vte_290' has been renamed to/replaced by 'vte'"; # Added 2023-01-05
+  varnish72 = throw "varnish 7.2 is EOL. Either use the LTS or upgrade."; # Added 2023-10-09
+  varnish73 = throw "varnish 7.3 is EOL. Either use the LTS or upgrade."; # Added 2023-10-09
+  varnish72Packages = throw "varnish 7.2 is EOL. Either use the LTS or upgrade."; # Added 2023-10-09
+  varnish73Packages = throw "varnish 7.3 is EOL. Either use the LTS or upgrade."; # Added 2023-10-09
   inherit (libsForQt5.mauiPackages) vvave; # added 2022-05-17
 
   ### W ###

pkgs/top-level/all-packages.nix

@@ -5569,8 +5569,6 @@ with pkgs;
     inherit (darwin.apple_sdk.frameworks) Cocoa;
   };
 
-  gmic = callPackage ../tools/graphics/gmic { };
-
   gmic-qt = libsForQt5.callPackage ../tools/graphics/gmic-qt { };
 
   gpg-tui = callPackage ../tools/security/gpg-tui {
@@ -6905,17 +6903,38 @@ with pkgs;
 
   conspy = callPackage ../os-specific/linux/conspy { };
 
-  connmanPackages =
-    recurseIntoAttrs (callPackage ../tools/networking/connman { });
-  inherit (connmanPackages)
-    connman
-    connmanFull
-    connmanMinimal
-    connman_dmenu
-    connman-gtk
-    connman-ncurses
-    connman-notify
-  ;
+  connmanFull = connman.override {
+    # TODO: Why is this in `connmanFull` and not the default build? See TODO in
+    # nixos/modules/services/networking/connman.nix (near the assertions)
+    enableNetworkManagerCompatibility = true;
+    enableHh2serialGps = true;
+    enableL2tp = true;
+    enableIospm = true;
+    enableTist = true;
+  };
+
+  connmanMinimal = connman.override {
+    # enableDatafiles = false; # If disabled, configuration and data files are not installed
+    # enableEthernet = false; # If disabled no ethernet connection can be performed
+    # enableWifi = false; # If disabled no WiFi connection can be performed
+    enableBluetooth = false;
+    enableClient = false;
+    enableDundee = false;
+    enableGadget = false;
+    enableLoopback = false;
+    enableNeard = false;
+    enableOfono = false;
+    enableOpenconnect = false;
+    enableOpenvpn = false;
+    enablePacrunner = false;
+    enablePolkit = false;
+    enablePptp = false;
+    enableStats = false;
+    enableTools = false;
+    enableVpnc = false;
+    enableWireguard = false;
+    enableWispr = false;
+  };
 
   convertlit = callPackage ../tools/text/convertlit { };
 
@@ -14855,11 +14874,11 @@ with pkgs;
   valum = callPackage ../development/web/valum { };
 
   inherit (callPackages ../servers/varnish { })
-    varnish60 varnish72 varnish73;
+    varnish60 varnish74;
   inherit (callPackages ../servers/varnish/packages.nix { })
-    varnish60Packages varnish72Packages varnish73Packages;
+    varnish60Packages varnish74Packages;
 
-  varnishPackages = varnish72Packages;
+  varnishPackages = varnish74Packages;
   varnish = varnishPackages.varnish;
 
   hitch = callPackage ../servers/hitch { };
@@ -20975,8 +20994,6 @@ with pkgs;
 
   cdo = callPackage ../development/libraries/cdo { };
 
-  cimg = callPackage  ../development/libraries/cimg { };
-
   cista = callPackage ../development/libraries/cista { };
 
   cjose = callPackage ../development/libraries/cjose { };
@@ -36058,6 +36075,7 @@ with pkgs;
 
   timidity = callPackage ../tools/misc/timidity {
     inherit (darwin.apple_sdk.frameworks) CoreAudio;
+    inherit (darwin) libobjc;
   };
 
   tint2 = callPackage ../applications/misc/tint2 { };

pkgs/top-level/perl-packages.nix

@@ -4558,6 +4558,22 @@ with self; {
     };
   };
 
+  CPANAudit = buildPerlPackage {
+    pname = "CPAN-Audit";
+    version = "20230309.004";
+    src = fetchurl {
+      url = "mirror://cpan/authors/id/B/BD/BDFOY/CPAN-Audit-20230309.004.tar.gz";
+      hash = "sha256-RzrvktoYTMY1SqiG8QvwRnjvovHpmxZ/o+nvXOGmS14=";
+    };
+    buildInputs = [ CaptureTiny YAMLTiny ];
+    propagatedBuildInputs = [ CPANDistnameInfo IOInteractive JSON ModuleCPANfile ModuleExtractVERSION PerlIOgzip Mojolicious ];
+    meta = {
+      homepage = "https://github.com/briandfoy/cpan-audit";
+      description = "Audit CPAN distributions for known vulnerabilities";
+      license = with lib.licenses; [ artistic1 gpl1Plus ];
+    };
+  };
+
   CPANMini = buildPerlPackage {
     pname = "CPAN-Mini";
     version = "1.111016";
@@ -15680,6 +15696,20 @@ with self; {
     };
   };
 
+  ModuleExtractVERSION = buildPerlPackage {
+    pname = "Module-Extract-VERSION";
+    version = "1.116";
+    src = fetchurl {
+      url = "mirror://cpan/authors/id/B/BD/BDFOY/Module-Extract-VERSION-1.116.tar.gz";
+      hash = "sha256-QZA6BoUXgoU0X12oVdkluUVO5xCpeV48TDJ7ri9Vdpg=";
+    };
+    meta = {
+      homepage = "https://github.com/briandfoy/module-extract-version";
+      description = "Extract a module version safely";
+      license = lib.licenses.artistic2;
+    };
+  };
+
   ModuleFind = buildPerlPackage {
     pname = "Module-Find";
     version = "0.15";
@@ -16105,6 +16135,21 @@ with self; {
     };
   };
 
+  MojoliciousPluginI18N = buildPerlModule {
+    pname = "Mojolicious-Plugin-I18N";
+    version = "1.6";
+    src = fetchurl {
+      url = "mirror://cpan/authors/id/S/SH/SHARIFULN/Mojolicious-Plugin-I18N-1.6.tar.gz";
+      hash = "sha256-Mvte+AN9lUt+zr71wbKyS0IKvYKXAjEvStQnlPUrUU0=";
+    };
+    propagatedBuildInputs = [ Mojolicious ];
+    meta = {
+      homepage = "https://github.com/sharifulin/Mojolicious-Plugin-I18N";
+      description = "Internationalization Plugin for Mojolicious";
+      license = with lib.licenses; [ artistic1 gpl1Plus ];
+    };
+  };
+
   MojoliciousPluginMail = buildPerlModule {
     pname = "Mojolicious-Plugin-Mail";
     version = "1.5";
@@ -28188,6 +28233,22 @@ with self; {
     };
   };
 
+  Yancy = buildPerlPackage {
+    pname = "Yancy";
+    version = "1.088";
+    src = fetchurl {
+      url = "mirror://cpan/authors/id/P/PR/PREACTION/Yancy-1.088.tar.gz";
+      hash = "sha256-addqs5ilrGiQc0Paisybr9UZ+0x4WrAU7CagUhA2vSo=";
+    };
+    buildInputs = [ FileShareDirInstall ];
+    propagatedBuildInputs = [ ClassMethodModifiers JSONValidator Mojolicious MojoliciousPluginI18N MojoliciousPluginOpenAPI RoleTiny ];
+    meta = {
+      homepage = "http://preaction.me/yancy/";
+      description = "The Best Web Framework Deserves the Best CMS";
+      license = with lib.licenses; [ artistic1 gpl1Plus ];
+    };
+  };
+
   WebMachine = buildPerlPackage {
     pname = "Web-Machine";
     version = "0.17";

pkgs/top-level/php-packages.nix

@@ -264,6 +264,8 @@ lib.makeScope pkgs.newScope (self: with self; {
 
     memcached = callPackage ../development/php-packages/memcached { };
 
+    meminfo = callPackage ../development/php-packages/meminfo { };
+
     mongodb = callPackage ../development/php-packages/mongodb {
       inherit (pkgs) darwin;
     };