Merge branch 'master' into feature/kanboard

doc/languages-frameworks/dotnet.section.md

@@ -42,7 +42,7 @@ $ dotnet --info
  Version:   7.0.202
  Commit:    6c74320bc3
 
-Środowisko uruchomieniowe:
+Runtime Environment:
  OS Name:     nixos
  OS Version:  23.05
  OS Platform: Linux

doc/languages-frameworks/texlive.section.md

@@ -1,6 +1,6 @@
 # TeX Live {#sec-language-texlive}
 
-Since release 15.09 there is a new TeX Live packaging that lives entirely under attribute `texlive`.
+There is a TeX Live packaging that lives entirely under attribute `texlive`.
 
 ## User's guide (experimental new interface) {#sec-language-texlive-user-guide-experimental}
 

doc/packages/nginx.section.md

@@ -8,4 +8,4 @@ HTTP has a couple of different mechanisms for caching to prevent clients from ha
 
 Fortunately, HTTP supports an alternative (and more effective) caching mechanism: the [`ETag`](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/ETag) response header. The value of the `ETag` header specifies some identifier for the particular content that the server is sending (e.g., a hash). When a client makes a second request for the same resource, it sends that value back in an `If-None-Match` header. If the ETag value is unchanged, then the server does not need to resend the content.
 
-As of NixOS 19.09, the nginx package in Nixpkgs is patched such that when nginx serves a file out of `/nix/store`, the hash in the store path is used as the `ETag` header in the HTTP response, thus providing proper caching functionality. With NixOS 24.05 and later, the `ETag` additionally includes the response content length, to ensure files served with static compression do not share `ETag`s with their uncompressed version. This `ETag` functionality is enabled automatically; you do not need to do modify any configuration to get this behavior.
+The nginx package in Nixpkgs is patched such that when nginx serves a file out of `/nix/store`, the hash in the store path is used as the `ETag` header in the HTTP response, thus providing proper caching functionality. With NixOS 24.05 and later, the `ETag` additionally includes the response content length, to ensure files served with static compression do not share `ETag`s with their uncompressed version. This `ETag` functionality is enabled automatically; you do not need to do modify any configuration to get this behavior.

doc/packages/steam.section.md

@@ -31,7 +31,6 @@ Use `programs.steam.enable = true;` if you want to add steam to `systemPackages`
 
 - **Using the FOSS Radeon or nouveau (nvidia) drivers**
 
-  - The `newStdcpp` parameter was removed since NixOS 17.09 and should not be needed anymore.
   - Steam ships statically linked with a version of `libcrypto` that conflicts with the one dynamically loaded by radeonsi_dri.so. If you get the error:
 
     ```

maintainers/maintainer-list.nix

@@ -15206,6 +15206,13 @@
     githubId = 1234956;
     "keys" = [ { "fingerprint" = "F21A 6194 C9DB 9899 CD09 E24E 434B 2C14 B8C3 3422"; } ];
   };
+  nadiaholmquist = {
+    name = "Nadia Holmquist Pedersen";
+    email = "[email protected]";
+    matrix = "@nhp:matrix.org";
+    github = "nadiaholmquist";
+    githubId = 893884;
+  };
   nadir-ishiguro = {
     github = "nadir-ishiguro";
     githubId = 23151917;
@@ -16895,6 +16902,12 @@
     githubId = 943430;
     name = "David Hagege";
   };
+  peat-psuwit = {
+    name = "Ratchanan Srirattanamet";
+    email = "[email protected]";
+    github = "peat-psuwit";
+    githubId = 6771175;
+  };
   pedohorse = {
     github = "pedohorse";
     githubId = 13556996;
@@ -18824,6 +18837,12 @@
     githubId = 6204883;
     name = "Longrin Wischnewski";
   };
+  robbiebuxton = {
+    email = "[email protected]";
+    github = "robbiebuxton";
+    githubId = 67549526;
+    name = "Robbie Buxton";
+  };
   robbinch = {
     email = "[email protected]";
     github = "robbinch";

maintainers/scripts/update-dotnet-lockfiles.nix

@@ -8,69 +8,12 @@
   to 'fetch-deps', 'nuget-to-nix', or other changes to the dotnet build
   infrastructure. Regular updates should be done through the individual packages
   update scripts.
- */
-{ startWith ? null }:
-let
-  pkgs = import ../.. { config.allowAliases = false; };
-
-  inherit (pkgs) lib;
-
-  packagesWith = cond: pkgs:
-    let
-      packagesWithInner = attrs:
-        lib.concatLists (
-          lib.mapAttrsToList (name: elem:
-            let
-              result = builtins.tryEval elem;
-            in
-              if result.success then
-                let
-                  value = result.value;
-                in
-                  if lib.isDerivation value then
-                    lib.optional (cond value) value
-                  else
-                    if lib.isAttrs value && (value.recurseForDerivations or false || value.recurseForRelease or false) then
-                      packagesWithInner value
-                    else []
-              else []) attrs);
-    in
-      packagesWithInner pkgs;
-
-  packages = lib.unique
-    (lib.filter (p:
-      (builtins.tryEval p.outPath).success ||
-      builtins.trace "warning: skipping ${p.name} because it failed to evaluate" false)
-    ((pkgs: (lib.drop (lib.lists.findFirstIndex (p: p.name == startWith) 0 pkgs) pkgs))
-    (packagesWith (p: p ? fetch-deps) pkgs)));
-
-  helpText = ''
-    Please run:
-
-        % nix-shell maintainers/scripts/update-dotnet-lockfiles.nix
-  '';
-
-  fetchScripts = map (p: p.fetch-deps) packages;
-
-in pkgs.stdenv.mkDerivation {
-  name = "nixpkgs-update-dotnet-lockfiles";
-  buildCommand = ''
-    echo ""
-    echo "----------------------------------------------------------------"
-    echo ""
-    echo "Not possible to update packages using \`nix-build\`"
-    echo ""
-    echo "${helpText}"
-    echo "----------------------------------------------------------------"
-    exit 1
-  '';
-  shellHook = ''
-    unset shellHook # do not contaminate nested shells
-    set -e
-    for x in $fetchScripts; do
-      $x
-    done
-    exit
-  '';
-  inherit fetchScripts;
-}
+*/
+{ ... }@args:
+import ./update.nix (
+  {
+    predicate = _: _: true;
+    get-script = pkg: pkg.fetch-deps or null;
+  }
+  // args
+)

maintainers/scripts/update.nix

@@ -8,6 +8,7 @@
 { package ? null
 , maintainer ? null
 , predicate ? null
+, get-script ? pkg: pkg.updateScript or null
 , path ? null
 , max-workers ? null
 , include-overlays ? false
@@ -17,13 +18,13 @@
 }:
 
 let
-  pkgs = import ./../../default.nix (
+  pkgs = import ./../../default.nix ((
     if include-overlays == false then
       { overlays = []; }
     else if include-overlays == true then
       { } # Let Nixpkgs include overlays impurely.
     else { overlays = include-overlays; }
-  );
+  ) // { config.allowAliases = false; });
 
   inherit (pkgs) lib;
 
@@ -56,7 +57,7 @@ let
 
           somewhatUniqueRepresentant =
             { package, attrPath }: {
-              inherit (package) updateScript;
+              updateScript = (get-script package);
               # Some updaters use the same `updateScript` value for all packages.
               # Also compare `meta.description`.
               position = package.meta.position or null;
@@ -89,7 +90,7 @@ let
   /* Recursively find all packages in `pkgs` with updateScript matching given predicate.
    */
   packagesWithUpdateScriptMatchingPredicate = cond:
-    packagesWith (path: pkg: builtins.hasAttr "updateScript" pkg && cond path pkg);
+    packagesWith (path: pkg: (get-script pkg != null) && cond path pkg);
 
   /* Recursively find all packages in `pkgs` with updateScript by given maintainer.
    */
@@ -121,7 +122,7 @@ let
       if pathContent == null then
         builtins.throw "Attribute path `${path}` does not exist."
       else
-        packagesWithPath prefix (path: pkg: builtins.hasAttr "updateScript" pkg)
+        packagesWithPath prefix (path: pkg: (get-script pkg != null))
                        pathContent;
 
   /* Find a package under `path` in `pkgs` and require that it has an updateScript.
@@ -132,7 +133,7 @@ let
     in
       if package == null then
         builtins.throw "Package with an attribute name `${path}` does not exist."
-      else if ! builtins.hasAttr "updateScript" package then
+      else if get-script package == null then
         builtins.throw "Package with an attribute name `${path}` does not have a `passthru.updateScript` attribute defined."
       else
         { attrPath = path; inherit package; };
@@ -193,13 +194,13 @@ let
 
   /* Transform a matched package into an object for update.py.
    */
-  packageData = { package, attrPath }: {
+  packageData = { package, attrPath }: let updateScript = get-script package; in {
     name = package.name;
     pname = lib.getName package;
     oldVersion = lib.getVersion package;
-    updateScript = map builtins.toString (lib.toList (package.updateScript.command or package.updateScript));
-    supportedFeatures = package.updateScript.supportedFeatures or [];
-    attrPath = package.updateScript.attrPath or attrPath;
+    updateScript = map builtins.toString (lib.toList (updateScript.command or updateScript));
+    supportedFeatures = updateScript.supportedFeatures or [];
+    attrPath = updateScript.attrPath or attrPath;
   };
 
   /* JSON file with data for update.py.
@@ -230,4 +231,5 @@ in pkgs.stdenv.mkDerivation {
     unset shellHook # do not contaminate nested shells
     exec ${pkgs.python3.interpreter} ${./update.py} ${builtins.concatStringsSep " " args}
   '';
+  nativeBuildInputs = [ pkgs.git pkgs.nix pkgs.cacert ];
 }

nixos/doc/manual/configuration/kubernetes.chapter.md

@@ -52,7 +52,7 @@ and [](#opt-services.kubernetes.easyCerts)
 to true. This sets up flannel as CNI and activates automatic PKI bootstrapping.
 
 ::: {.note}
-As of NixOS 19.03, it is mandatory to configure:
+It is mandatory to configure:
 [](#opt-services.kubernetes.masterAddress).
 The masterAddress must be resolveable and routeable by all cluster nodes.
 In single node clusters, this can be set to `localhost`.

nixos/doc/manual/development/settings-options.section.md

@@ -312,6 +312,8 @@ have a predefined type and string generator already declared under
     may be transformed into multiple key-value pairs depending on
     `listToValue`).
 
+    The attribute `lib.type.atom` contains the used INI atom.
+
 `pkgs.formats.iniWithGlobalSection` { *`listsAsDuplicateKeys`* ? false, *`listToValue`* ? null, \.\.\. }
 
 :   A function taking an attribute set with values
@@ -333,6 +335,8 @@ have a predefined type and string generator already declared under
     attrset of key-value pairs for a single section, the global section which
     preceedes the section definitions.
 
+    The attribute `lib.type.atom` contains the used INI atom.
+
 `pkgs.formats.toml` { }
 
 :   A function taking an empty attribute set (for future extensibility)

nixos/doc/manual/installation/installing-from-other-distro.section.md

@@ -206,8 +206,7 @@ The first steps to all these are the same:
         line)
 
     ::: {.note}
-    Support for `NIXOS_LUSTRATE` was added in NixOS 16.09. The act of
-    "lustrating" refers to the wiping of the existing distribution.
+    The act of "lustrating" refers to the wiping of the existing distribution.
     Creating `/etc/NIXOS_LUSTRATE` can also be used on NixOS to remove
     all mutable files from your root partition (anything that's not in
     `/nix` or `/boot` gets "lustrated" on the next boot.

nixos/doc/manual/release-notes/rl-2411.section.md

@@ -215,8 +215,9 @@
 
 - The NVIDIA driver no longer defaults to the proprietary kernel module with versions >= 560. You will need to manually set `hardware.nvidia.open` to select the proprietary or open modules.
 
-- The `(buildPythonPackage { ... }).override` attribute is now deprecated and removed in favour of `overridePythonAttrs`.
+- The `(buildPythonPackage { ... }).override` and `(buildPythonPackage { ... }).overrideDerivation` attributes is now deprecated and removed in favour of `overridePythonAttrs` and `lib.overrideDerivation`.
   This change does not affect the override interface of most Python packages, as [`<pkg>.override`](https://nixos.org/manual/nixpkgs/unstable/#sec-pkg-override) provided by `callPackage` shadows such a locally-defined `override` attribute.
+  The `<pkg>.overrideDerivation` attribute of Python packages called with `callPackage` will also remain available after this change.
 
 - All Cinnamon and XApp packages have been moved to top-level (i.e., `cinnamon.nemo` is now `nemo`).
 
@@ -737,6 +738,20 @@
 - `python3Packages.nose` has been removed, as it has been deprecated and unmaintained for almost a decade and does not work on Python 3.12.
   Please switch to `pytest` or another test runner/framework.
 
+- `dotnet-sdk`, `dotnet-runtime`, and all other dotnet packages now use a
+  wrapper package containing `bin/dotnet`, build hooks, etc. If you need to
+  reference the underlying dotnet distribution (DOTNET_ROOT) you should use e.g.
+  `dotnet-runtime.unwrapped`.
+
+- The root of dotnet distribution packages (DOTNET_ROOT) is now under e.g.
+  `${dotnet-sdk.unwrapped}/share/dotnet` instead of directly in the package
+  root. This is consistent with packaging guidelines and more friendly for FHS
+  environments.
+
+- `dotnet-sdk`, `dotnet-runtime`, and `dotnet-aspnetcore` now point to dotnet 8
+  rather than dotnet 6. For packages that still need dotnet 6, use
+  `dotnet-sdk_6`, etc.
+
 ## Other Notable Changes {#sec-release-24.11-notable-changes}
 
 <!-- To avoid merge conflicts, consider adding your item at an arbitrary place in the list instead. -->

nixos/doc/manual/release-notes/rl-2505.section.md

@@ -12,9 +12,10 @@
 
 <!-- To avoid merge conflicts, consider adding your item at an arbitrary place in the list instead. -->
 
-- Create the first release note entry in this section!
 - [KanBoard](https://github.com/kanboard/kanboard) is project management software that focuses on the Kanban methodology.
 
+- [Kimai](https://www.kimai.org/), a web-based multi-user time-tracking application. Available as [services.kimai](option.html#opt-services.kimai).
+
 <!-- To avoid merge conflicts, consider adding your item at an arbitrary place in the list instead. -->
 
 ## Backward Incompatibilities {#sec-release-25.05-incompatibilities}

nixos/modules/installer/tools/tools.nix

@@ -218,7 +218,7 @@ in
     mkToolModule = { name, package ? pkgs.${name} }: { config, ... }: {
       options.system.tools.${name}.enable = lib.mkEnableOption "${name} script" // {
         default = config.nix.enable && ! config.system.disableInstallerTools;
-        internal = true;
+        defaultText = "config.nix.enable && !config.system.disableInstallerTools";
       };
 
       config = lib.mkIf config.system.tools.${name}.enable {

nixos/modules/module-list.nix

@@ -148,6 +148,7 @@
   ./programs/alvr.nix
   ./programs/appgate-sdp.nix
   ./programs/appimage.nix
+  ./programs/arp-scan.nix
   ./programs/atop.nix
   ./programs/ausweisapp.nix
   ./programs/autojump.nix
@@ -295,6 +296,7 @@
   ./programs/sysdig.nix
   ./programs/system-config-printer.nix
   ./programs/systemtap.nix
+  ./programs/tcpdump.nix
   ./programs/thefuck.nix
   ./programs/thunar.nix
   ./programs/thunderbird.nix
@@ -1460,6 +1462,7 @@
   ./services/web-apps/kanboard.nix
   ./services/web-apps/kavita.nix
   ./services/web-apps/keycloak.nix
+  ./services/web-apps/kimai.nix
   ./services/web-apps/komga.nix
   ./services/web-apps/lanraragi.nix
   ./services/web-apps/lemmy.nix

nixos/modules/programs/arp-scan.nix

@@ -0,0 +1,32 @@
+{
+  config,
+  lib,
+  pkgs,
+  ...
+}:
+
+let
+  cfg = config.programs.arp-scan;
+in
+{
+  options = {
+    programs.arp-scan = {
+      enable = lib.mkOption {
+        type = lib.types.bool;
+        default = false;
+        description = ''
+          Whether to configure a setcap wrapper for arp-scan.
+        '';
+      };
+    };
+  };
+
+  config = lib.mkIf cfg.enable {
+    security.wrappers.arp-scan = {
+      owner = "root";
+      group = "root";
+      capabilities = "cap_net_raw+p";
+      source = lib.getExe pkgs.arp-scan;
+    };
+  };
+}