Merge master into staging-next

maintainers/maintainer-list.nix

@@ -15245,6 +15245,12 @@
     }];
     name = "David Tchekachev";
   };
+  tcheronneau = {
+    email = "nix@mcth.fr";
+    github = "tcheronneau";
+    githubId = 7914437;
+    name = "Thomas Cheronneau";
+  };
   tckmn = {
     email = "andy@tck.mn";
     github = "tckmn";

nixos/doc/manual/release-notes/rl-2305.section.md

@@ -87,6 +87,10 @@ In addition to numerous new and upgraded packages, this release has the followin
 
 - [keyd](https://github.com/rvaiya/keyd), a key remapping daemon for linux. Available as [services.keyd](#opt-services.keyd.enable).
 
+- [consul-template](https://github.com/hashicorp/consul-template/), a template rendering, notifier, and supervisor for HashiCorp Consul and Vault data. Available as [services.consul-template](#opt-services.consul-template.instances).
+
+- [vault-agent](https://developer.hashicorp.com/vault/docs/agent), a template rendering and API auth proxy for HashiCorp Vault, similar to `consul-template`. Available as [services.vault-agent](#opt-services.vault-agent.instances).
+
 - [v2rayA](https://v2raya.org), a Linux web GUI client of Project V which supports V2Ray, Xray, SS, SSR, Trojan and Pingtunnel. Available as [services.v2raya](options.html#opt-services.v2raya.enable).
 
 - [wstunnel](https://github.com/erebe/wstunnel), a proxy tunnelling arbitrary TCP or UDP traffic through a WebSocket connection. Instances may be configured via [services.wstunnel](options.html#opt-services.wstunnel.enable).

nixos/modules/module-list.nix

@@ -1109,6 +1109,7 @@
   ./services/security/torsocks.nix
   ./services/security/usbguard.nix
   ./services/security/vault.nix
+  ./services/security/vault-agent.nix
   ./services/security/vaultwarden/default.nix
   ./services/security/yubikey-agent.nix
   ./services/system/automatic-timezoned.nix

nixos/modules/services/backup/restic.nix

@@ -339,6 +339,7 @@ in
               RuntimeDirectory = "restic-backups-${name}";
               CacheDirectory = "restic-backups-${name}";
               CacheDirectoryMode = "0700";
+              PrivateTmp = true;
             } // optionalAttrs (backup.environmentFile != null) {
               EnvironmentFile = backup.environmentFile;
             };

nixos/modules/services/security/vault-agent.nix

@@ -0,0 +1,128 @@
+{ config, lib, pkgs, ... }:
+
+with lib;
+
+let
+  format = pkgs.formats.json { };
+  commonOptions = { pkgName, flavour ? pkgName }: mkOption {
+    default = { };
+    description = mdDoc ''
+      Attribute set of ${flavour} instances.
+      Creates independent `${flavour}-''${name}.service` systemd units for each instance defined here.
+    '';
+    type = with types; attrsOf (submodule ({ name, ... }: {
+      options = {
+        enable = mkEnableOption (mdDoc "this ${flavour} instance") // { default = true; };
+
+        package = mkPackageOptionMD pkgs pkgName { };
+
+        user = mkOption {
+          type = types.str;
+          default = "root";
+          description = mdDoc ''
+            User under which this instance runs.
+          '';
+        };
+
+        group = mkOption {
+          type = types.str;
+          default = "root";
+          description = mdDoc ''
+            Group under which this instance runs.
+          '';
+        };
+
+        settings = mkOption {
+          type = types.submodule {
+            freeformType = format.type;
+
+            options = {
+              pid_file = mkOption {
+                default = "/run/${flavour}/${name}.pid";
+                type = types.str;
+                description = mdDoc ''
+                  Path to use for the pid file.
+                '';
+              };
+
+              template = mkOption {
+                default = [ ];
+                type = with types; listOf (attrsOf anything);
+                description =
+                  let upstreamDocs =
+                    if flavour == "vault-agent"
+                    then "https://developer.hashicorp.com/vault/docs/agent/template"
+                    else "https://github.com/hashicorp/consul-template/blob/main/docs/configuration.md#templates";
+                  in
+                  mdDoc ''
+                    Template section of ${flavour}.
+                    Refer to <${upstreamDocs}> for supported values.
+                  '';
+              };
+            };
+          };
+
+          default = { };
+
+          description =
+            let upstreamDocs =
+              if flavour == "vault-agent"
+              then "https://developer.hashicorp.com/vault/docs/agent#configuration-file-options"
+              else "https://github.com/hashicorp/consul-template/blob/main/docs/configuration.md#configuration-file";
+            in
+            mdDoc ''
+              Free-form settings written directly to the `config.json` file.
+              Refer to <${upstreamDocs}> for supported values.
+
+              ::: {.note}
+              Resulting format is JSON not HCL.
+              Refer to <https://www.hcl2json.com/> if you are unsure how to convert HCL options to JSON.
+              :::
+            '';
+        };
+      };
+    }));
+  };
+
+  createAgentInstance = { instance, name, flavour }:
+    let
+      configFile = format.generate "${name}.json" instance.settings;
+    in
+    mkIf (instance.enable) {
+      description = "${flavour} daemon - ${name}";
+      wantedBy = [ "multi-user.target" ];
+      after = [ "network.target" ];
+      path = [ pkgs.getent ];
+      startLimitIntervalSec = 60;
+      startLimitBurst = 3;
+      serviceConfig = {
+        User = instance.user;
+        Group = instance.group;
+        RuntimeDirectory = flavour;
+        ExecStart = "${getExe instance.package} ${optionalString ((getName instance.package) == "vault") "agent"} -config ${configFile}";
+        ExecReload = "${pkgs.coreutils}/bin/kill -SIGHUP $MAINPID";
+        KillSignal = "SIGINT";
+        TimeoutStopSec = "30s";
+        Restart = "on-failure";
+      };
+    };
+in
+{
+  options = {
+    services.consul-template.instances = commonOptions { pkgName = "consul-template"; };
+    services.vault-agent.instances = commonOptions { pkgName = "vault"; flavour = "vault-agent"; };
+  };
+
+  config = mkMerge (map
+    (flavour:
+      let cfg = config.services.${flavour}; in
+      mkIf (cfg.instances != { }) {
+        systemd.services = mapAttrs'
+          (name: instance: nameValuePair "${flavour}-${name}" (createAgentInstance { inherit name instance flavour; }))
+          cfg.instances;
+      })
+    [ "consul-template" "vault-agent" ]);
+
+  meta.maintainers = with maintainers; [ indeednotjames tcheronneau ];
+}
+

nixos/modules/services/web-servers/stargazer.nix

@@ -1,65 +1,71 @@
 { config, lib, pkgs, ... }:
 
-with lib;
-
 let
   cfg = config.services.stargazer;
-  routesFormat = pkgs.formats.ini { };
+  globalSection = ''
-  globalFile = pkgs.writeText "global.ini" ''
+    listen = ${lib.concatStringsSep " " cfg.listen}
-    listen = ${concatStringsSep " " cfg.listen}
+    connection-logging = ${lib.boolToString cfg.connectionLogging}
-    connection-logging = ${boolToString cfg.connectionLogging}
+    log-ip = ${lib.boolToString cfg.ipLog}
-    log-ip = ${boolToString cfg.ipLog}
+    log-ip-partial = ${lib.boolToString cfg.ipLogPartial}
-    log-ip-partial = ${boolToString cfg.ipLogPartial}
     request-timeout = ${toString cfg.requestTimeout}
     response-timeout = ${toString cfg.responseTimeout}
 
     [:tls]
     store = ${toString cfg.store}
     organization = ${cfg.certOrg}
-    gen-certs = ${boolToString cfg.genCerts}
+    gen-certs = ${lib.boolToString cfg.genCerts}
-    regen-certs = ${boolToString cfg.regenCerts}
+    regen-certs = ${lib.boolToString cfg.regenCerts}
-    ${optionalString (cfg.certLifetime != "") "cert-lifetime = ${cfg.certLifetime}"}
+    ${lib.optionalString (cfg.certLifetime != "") "cert-lifetime = ${cfg.certLifetime}"}
 
   '';
-  routesFile = routesFormat.generate "router.ini" cfg.routes;
+  genINI = lib.generators.toINI { };
-  configFile = pkgs.runCommand "config.ini" { } ''
+  configFile = pkgs.writeText "config.ini" (lib.strings.concatStrings (
-    cat ${globalFile} ${routesFile} > $out
+    [ globalSection ] ++ (lib.lists.forEach cfg.routes (section:
-  '';
+      let
+        name = section.route;
+        params = builtins.removeAttrs section [ "route" ];
+      in
+      genINI
+        {
+          "${name}" = params;
+        } + "\n"
+    ))
+  ));
 in
 {
   options.services.stargazer = {
-    enable = mkEnableOption (lib.mdDoc "Stargazer Gemini server");
+    enable = lib.mkEnableOption (lib.mdDoc "Stargazer Gemini server");
 
     listen = lib.mkOption {
-      type = types.listOf types.str;
+      type = lib.types.listOf lib.types.str;
-      default = [ "0.0.0.0" ] ++ optional config.networking.enableIPv6 "[::0]";
+      default = [ "0.0.0.0" ] ++ lib.optional config.networking.enableIPv6 "[::0]";
-      defaultText = literalExpression ''[ "0.0.0.0" ] ++ lib.optional config.networking.enableIPv6 "[::0]"'';
+      defaultText = lib.literalExpression ''[ "0.0.0.0" ] ++ lib.optional config.networking.enableIPv6 "[::0]"'';
-      example = literalExpression ''[ "10.0.0.12" "[2002:a00:1::]" ]'';
+      example = lib.literalExpression ''[ "10.0.0.12" "[2002:a00:1::]" ]'';
       description = lib.mdDoc ''
         Address and port to listen on.
       '';
     };
 
     connectionLogging = lib.mkOption {
-      type = types.bool;
+      type = lib.types.bool;
       default = true;
       description = lib.mdDoc "Whether or not to log connections to stdout.";
     };
 
     ipLog = lib.mkOption {
-      type = types.bool;
+      type = lib.types.bool;
       default = false;
       description = lib.mdDoc "Log client IP addresses in the connection log.";
     };
 
     ipLogPartial = lib.mkOption {
-      type = types.bool;
+      type = lib.types.bool;
       default = false;
       description = lib.mdDoc "Log partial client IP addresses in the connection log.";
     };
 
     requestTimeout = lib.mkOption {
-      type = types.int;
+      type = lib.types.int;
       default = 5;
       description = lib.mdDoc ''
         Number of seconds to wait for the client to send a complete
@@ -68,7 +74,7 @@ in
     };
 
     responseTimeout = lib.mkOption {
-      type = types.int;
+      type = lib.types.int;
       default = 0;
       description = lib.mdDoc ''
         Number of seconds to wait for the client to send a complete
@@ -78,7 +84,7 @@ in
     };
 
     store = lib.mkOption {
-      type = types.path;
+      type = lib.types.path;
       default = /var/lib/gemini/certs;
       description = lib.mdDoc ''
         Path to the certificate store on disk. This should be a
@@ -87,7 +93,7 @@ in
     };
 
     certOrg = lib.mkOption {
-      type = types.str;
+      type = lib.types.str;
       default = "stargazer";
       description = lib.mdDoc ''
         The name of the organization responsible for the X.509
@@ -96,7 +102,7 @@ in
     };
 
     genCerts = lib.mkOption {
-      type = types.bool;
+      type = lib.types.bool;
       default = true;
       description = lib.mdDoc ''
         Set to false to disable automatic certificate generation.
@@ -105,7 +111,7 @@ in
     };
 
     regenCerts = lib.mkOption {
-      type = types.bool;
+      type = lib.types.bool;
       default = true;
       description = lib.mdDoc ''
         Set to false to turn off automatic regeneration of expired certificates.
@@ -114,54 +120,76 @@ in
     };
 
     certLifetime = lib.mkOption {
-      type = types.str;
+      type = lib.types.str;
       default = "";
       description = lib.mdDoc ''
         How long certs generated by Stargazer should live for.
         Certs live forever by default.
       '';
-      example = literalExpression "\"1y\"";
+      example = lib.literalExpression "\"1y\"";
     };
 
     routes = lib.mkOption {
-      type = routesFormat.type;
+      type = lib.types.listOf
-      default = { };
+        (lib.types.submodule {
+          freeformType = with lib.types; attrsOf (nullOr
+            (oneOf [
+              bool
+              int
+              float
+              str
+            ]) // {
+            description = "INI atom (null, bool, int, float or string)";
+          });
+          options.route = lib.mkOption {
+            type = lib.types.str;
+            description = lib.mdDoc "Route section name";
+          };
+        });
+      default = [ ];
       description = lib.mdDoc ''
         Routes that Stargazer should server.
 
-        [Refer to upstream docs](https://git.sr.ht/~zethra/stargazer/tree/main/item/doc/stargazer.ini.5.txt)
+        Expressed as a list of attribute sets. Each set must have a key `route`
+        that becomes the section name for that route in the stargazer ini cofig.
+        The remaining keys and vaules become the parameters for that route.
+
+        [Refer to upstream docs for other params](https://git.sr.ht/~zethra/stargazer/tree/main/item/doc/stargazer.ini.5.txt)
       '';
-      example = literalExpression ''
+      example = lib.literalExpression ''
+        [
           {
-          "example.com" = {
+            route = "example.com";
-            root = "/srv/gemini/example.com";
+            root = "/srv/gemini/example.com"
-          };
+          }
-          "example.com:/man" = {
+          {
+            route = "example.com:/man";
             root = "/cgi-bin";
             cgi = true;
-          };
+          }
-          "other.org~(.*)" = {
+          {
+            route = "other.org~(.*)";
             redirect = "gemini://example.com";
             rewrite = "\1";
-          };
           }
+        ]
       '';
     };
 
-    user = mkOption {
+    user = lib.mkOption {
-      type = types.str;
+      type = lib.types.str;
       default = "stargazer";
       description = lib.mdDoc "User account under which stargazer runs.";
     };
 
-    group = mkOption {
+    group = lib.mkOption {
-      type = types.str;
+      type = lib.types.str;
       default = "stargazer";
       description = lib.mdDoc "Group account under which stargazer runs.";
     };
   };
 
-  config = mkIf cfg.enable {
+  config = lib.mkIf cfg.enable {
     systemd.services.stargazer = {
       description = "Stargazer gemini server";
       after = [ "network.target" ];
@@ -177,19 +205,19 @@ in
 
     # Create default cert store
     system.activationScripts.makeStargazerCertDir =
-      optionalAttrs (cfg.store == /var/lib/gemini/certs) ''
+      lib.optionalAttrs (cfg.store == /var/lib/gemini/certs) ''
         mkdir -p /var/lib/gemini/certs
         chown -R ${cfg.user}:${cfg.group} /var/lib/gemini/certs
       '';
 
-    users.users = optionalAttrs (cfg.user == "stargazer") {
+    users.users = lib.optionalAttrs (cfg.user == "stargazer") {
       stargazer = {
         group = cfg.group;
         isSystemUser = true;
       };
     };
 
-    users.groups = optionalAttrs (cfg.group == "stargazer") {
+    users.groups = lib.optionalAttrs (cfg.group == "stargazer") {
       stargazer = { };
     };
   };

nixos/tests/all-tests.nix

@@ -146,6 +146,7 @@ in {
   collectd = handleTest ./collectd.nix {};
   connman = handleTest ./connman.nix {};
   consul = handleTest ./consul.nix {};
+  consul-template = handleTest ./consul-template.nix {};
   containers-bridge = handleTest ./containers-bridge.nix {};
   containers-custom-pkgs.nix = handleTest ./containers-custom-pkgs.nix {};
   containers-ephemeral = handleTest ./containers-ephemeral.nix {};
@@ -753,6 +754,7 @@ in {
   varnish60 = handleTest ./varnish.nix { package = pkgs.varnish60; };
   varnish72 = handleTest ./varnish.nix { package = pkgs.varnish72; };
   vault = handleTest ./vault.nix {};
+  vault-agent = handleTest ./vault-agent.nix {};
   vault-dev = handleTest ./vault-dev.nix {};
   vault-postgresql = handleTest ./vault-postgresql.nix {};
   vaultwarden = handleTest ./vaultwarden.nix {};

nixos/tests/consul-template.nix

@@ -0,0 +1,36 @@
+import ./make-test-python.nix ({ ... }: {
+  name = "consul-template";
+
+  nodes.machine = { ... }: {
+    services.consul-template.instances.example.settings = {
+      template = [{
+        contents = ''
+          {{ key "example" }}
+        '';
+        perms = "0600";
+        destination = "/example";
+      }];
+    };
+
+    services.consul = {
+      enable = true;
+      extraConfig = {
+        server = true;
+        bootstrap_expect = 1;
+        bind_addr = "127.0.0.1";
+      };
+    };
+  };
+
+  testScript = ''
+    machine.wait_for_unit("consul.service")
+    machine.wait_for_open_port(8500)
+
+    machine.wait_for_unit("consul-template-example.service")
+
+    machine.wait_until_succeeds('consul kv put example example')
+
+    machine.wait_for_file("/example")
+    machine.succeed('grep "example" /example')
+  '';
+})

nixos/tests/restic.nix

@@ -2,18 +2,18 @@ import ./make-test-python.nix (
   { pkgs, ... }:
 
   let
-    remoteRepository = "/tmp/restic-backup";
+    remoteRepository = "/root/restic-backup";
-    remoteFromFileRepository = "/tmp/restic-backup-from-file";
+    remoteFromFileRepository = "/root/restic-backup-from-file";
-    rcloneRepository = "rclone:local:/tmp/restic-rclone-backup";
+    rcloneRepository = "rclone:local:/root/restic-rclone-backup";
 
     backupPrepareCommand = ''
-      touch /tmp/backupPrepareCommand
+      touch /root/backupPrepareCommand
-      test ! -e /tmp/backupCleanupCommand
+      test ! -e /root/backupCleanupCommand
     '';
 
     backupCleanupCommand = ''
-      rm /tmp/backupPrepareCommand
+      rm /root/backupPrepareCommand
-      touch /tmp/backupCleanupCommand
+      touch /root/backupCleanupCommand
     '';
 
     testDir = pkgs.stdenvNoCC.mkDerivation {
@@ -81,7 +81,7 @@ import ./make-test-python.nix (
               inherit passwordFile paths;
               repository = "some-fake-repository";
               package = pkgs.writeShellScriptBin "restic" ''
-                echo "$@" >> /tmp/fake-restic.log;
+                echo "$@" >> /root/fake-restic.log;
               '';
 
               pruneOpts = [ "--keep-last 1" ];
@@ -100,18 +100,18 @@ import ./make-test-python.nix (
           "${pkgs.restic}/bin/restic -r ${remoteRepository} -p ${passwordFile} snapshots",
           '${pkgs.restic}/bin/restic -r ${remoteFromFileRepository} -p ${passwordFile} snapshots"',
           "${pkgs.restic}/bin/restic -r ${rcloneRepository} -p ${passwordFile} snapshots",
-          "grep 'backup.* /opt' /tmp/fake-restic.log",
+          "grep 'backup.* /opt' /root/fake-restic.log",
       )
       server.succeed(
           # set up
           "cp -rT ${testDir} /opt",
           "touch /opt/excluded_file_1 /opt/excluded_file_2",
-          "mkdir -p /tmp/restic-rclone-backup",
+          "mkdir -p /root/restic-rclone-backup",
 
           # test that remotebackup runs custom commands and produces a snapshot
           "timedatectl set-time '2016-12-13 13:45'",
           "systemctl start restic-backups-remotebackup.service",
-          "rm /tmp/backupCleanupCommand",
+          "rm /root/backupCleanupCommand",
           '${pkgs.restic}/bin/restic -r ${remoteRepository} -p ${passwordFile} snapshots --json | ${pkgs.jq}/bin/jq "length | . == 1"',
 
           # test that restoring that snapshot produces the same directory
@@ -129,33 +129,33 @@ import ./make-test-python.nix (
 
           # test that custompackage runs both `restic backup` and `restic check` with reasonable commandlines
           "systemctl start restic-backups-custompackage.service",
-          "grep 'backup.* /opt' /tmp/fake-restic.log",
+          "grep 'backup.* /opt' /root/fake-restic.log",
-          "grep 'check.* --some-check-option' /tmp/fake-restic.log",
+          "grep 'check.* --some-check-option' /root/fake-restic.log",
 
           # test that we can create four snapshots in remotebackup and rclonebackup
           "timedatectl set-time '2017-12-13 13:45'",
           "systemctl start restic-backups-remotebackup.service",
-          "rm /tmp/backupCleanupCommand",
+          "rm /root/backupCleanupCommand",
           "systemctl start restic-backups-rclonebackup.service",
 
           "timedatectl set-time '2018-12-13 13:45'",
           "systemctl start restic-backups-remotebackup.service",
-          "rm /tmp/backupCleanupCommand",
+          "rm /root/backupCleanupCommand",
           "systemctl start restic-backups-rclonebackup.service",
 
           "timedatectl set-time '2018-12-14 13:45'",
           "systemctl start restic-backups-remotebackup.service",
-          "rm /tmp/backupCleanupCommand",
+          "rm /root/backupCleanupCommand",
           "systemctl start restic-backups-rclonebackup.service",
 
           "timedatectl set-time '2018-12-15 13:45'",
           "systemctl start restic-backups-remotebackup.service",
-          "rm /tmp/backupCleanupCommand",
+          "rm /root/backupCleanupCommand",
           "systemctl start restic-backups-rclonebackup.service",
 
           "timedatectl set-time '2018-12-16 13:45'",
           "systemctl start restic-backups-remotebackup.service",
-          "rm /tmp/backupCleanupCommand",
+          "rm /root/backupCleanupCommand",
           "systemctl start restic-backups-rclonebackup.service",
 
           '${pkgs.restic}/bin/restic -r ${remoteRepository} -p ${passwordFile} snapshots --json | ${pkgs.jq}/bin/jq "length | . == 4"',

nixos/tests/vault-agent.nix

@@ -0,0 +1,52 @@
+import ./make-test-python.nix ({ pkgs, ... }: {
+  name = "vault-agent";
+
+  nodes.machine = { config, pkgs, ... }: {
+    services.vault-agent.instances.example.settings = {
+      vault.address = config.environment.variables.VAULT_ADDR;
+
+      auto_auth = [{
+        method = [{
+          type = "token_file";
+          config.token_file_path = pkgs.writeText "vault-token" config.environment.variables.VAULT_TOKEN;
+        }];
+      }];
+
+      template = [{
+        contents = ''
+          {{- with secret "secret/example" }}
+          {{ .Data.data.key }}"
+          {{- end }}
+        '';
+        perms = "0600";
+        destination = "/example";
+      }];
+    };
+
+    services.vault = {
+      enable = true;
+      dev = true;
+      devRootTokenID = config.environment.variables.VAULT_TOKEN;
+    };
+
+    environment = {
+      systemPackages = [ pkgs.vault ];
+      variables = {
+        VAULT_ADDR = "http://localhost:8200";
+        VAULT_TOKEN = "root";
+      };
+    };
+  };
+
+  testScript = ''
+    machine.wait_for_unit("vault.service")
+    machine.wait_for_open_port(8200)
+
+    machine.wait_until_succeeds('vault kv put secret/example key=example')
+
+    machine.wait_for_unit("vault-agent-example.service")
+
+    machine.wait_for_file("/example")
+    machine.succeed('grep "example" /example')
+  '';
+})

nixos/tests/web-servers/stargazer.nix

@@ -7,13 +7,14 @@
     geminiserver = { pkgs, ... }: {
       services.stargazer = {
         enable = true;
-        routes = {
+        routes = [
-          "localhost" = {
+          {
+            route = "localhost";
             root = toString (pkgs.writeTextDir "index.gmi" ''
               # Hello NixOS!
             '');
-          };
+          }
-        };
+        ];
       };
     };
   };

pkgs/applications/audio/mousai/default.nix

@@ -21,19 +21,19 @@
 
 stdenv.mkDerivation rec {
   pname = "mousai";
-  version = "0.7.0";
+  version = "0.7.3";
 
   src = fetchFromGitHub {
     owner = "SeaDve";
     repo = "Mousai";
     rev = "v${version}";
-    hash = "sha256-dL+ZBv97T0sN7mPoOKsp5f6Dl9aarBYm2RRUfOclb+s=";
+    hash = "sha256-VAP2ENgI0Ge1JJEfNtw8dgOLZ1g0sEaoZHICFKI3hXM=";
   };
 
   cargoDeps = rustPlatform.fetchCargoTarball {
     inherit src;
     name = "${pname}-${version}";
-    hash = "sha256-qAtMpYVZwyay1KGYlH40T0HambrWh4CaZnwjvqev44g=";
+    hash = "sha256-vbMfIk/fXmAHgouzyeceP7jAc/OIyUxFDu/+31aB1F4=";
   };
 
   nativeBuildInputs = [

pkgs/applications/editors/vim/plugins/overrides.nix

@@ -36,6 +36,7 @@
 , openscad
 , pandoc
 , parinfer-rust
+, phpactor
 , ripgrep
 , skim
 , sqlite
@@ -777,6 +778,14 @@ self: super: {
 
   inherit parinfer-rust;
 
+  phpactor = buildVimPluginFrom2Nix {
+    inherit (phpactor) pname src meta version;
+    postPatch = ''
+      substituteInPlace plugin/phpactor.vim \
+        --replace "g:phpactorpath = expand('<sfile>:p:h') . '/..'" "g:phpactorpath = '${phpactor}'"
+    '';
+  };
+
   playground = super.playground.overrideAttrs (old: {
     dependencies = with self; [
       # we need the 'query' grammer to make

pkgs/applications/misc/dbx/default.nix

@@ -6,14 +6,14 @@
 
 python3.pkgs.buildPythonApplication rec {
   pname = "dbx";
-  version = "0.8.8";
+  version = "0.8.11";
   format = "setuptools";
 
   src = fetchFromGitHub {
     owner = "databrickslabs";
     repo = "dbx";
     rev = "refs/tags/v${version}";
-    hash = "sha256-nx6fz+atlnB/KxdznnZArHpyv41cuBDQauG0irq1Zyc=";
+    hash = "sha256-dArR1z3wkGDd3Y1WHK0sLjhuaKHAcsx6cCH2rgVdUGs=";
   };
 
   postPatch = ''
@@ -36,6 +36,7 @@ python3.pkgs.buildPythonApplication rec {
     requests
     retry
     rich
+    tenacity
     typer
     watchdog
   ] ++ typer.optional-dependencies.all;

pkgs/applications/misc/todoist/default.nix

@@ -2,13 +2,13 @@
 
 buildGoModule rec {
   pname = "todoist";
-  version = "0.19.0";
+  version = "0.20.0";
 
   src = fetchFromGitHub {
     owner = "sachaos";
     repo = "todoist";
     rev = "v${version}";
-    sha256 = "sha256-i8q9L8x9LNodL3ilFK5kiq744yclRfsexxS7E0i9JSo=";
+    sha256 = "sha256-mdh+DOqlxcAqWIxEiKXmtvlsaaRCnRWEvrn56IFhBwk=";
   };
 
   vendorHash = "sha256-fWFFWFVnLtZivlqMRIi6TjvticiKlyXF2Bx9Munos8M=";

pkgs/applications/networking/cluster/rke2/default.nix

@@ -2,16 +2,16 @@
 
 buildGoModule rec {
   pname = "rke2";
-  version = "1.26.3+rke2r1";
+  version = "1.26.4+rke2r1";
 
   src = fetchFromGitHub {
     owner = "rancher";
     repo = pname;
     rev = "v${version}";
-    hash = "sha256-MC3INsuXV2JmazdXOAAslFlApvql6uOnOkWV8u0diOw=";
+    hash = "sha256-orxRyCgj3pGLlBoUEjVpyWKw4zfvN4DtaymYKEBXNbs=";
   };
 
-  vendorHash = "sha256-W9Phc1JYa3APAKvI34RWqMy4xfmwgX3BaOh4bQYFEnU=";
+  vendorHash = "sha256-YeWyMEwatKuT4FWIpaDK6/xo5TG5IOecoYR+uVidOW4=";
 
   subPackages = [ "." ];
 

pkgs/applications/networking/cluster/starboard/default.nix

@@ -2,13 +2,13 @@
 
 buildGoModule rec {
   pname = "starboard";
-  version = "0.15.11";
+  version = "0.15.12";
 
   src = fetchFromGitHub {
     owner = "aquasecurity";
     repo = pname;
     rev = "v${version}";
-    sha256 = "sha256-HgMGwumLL0z3l1/UEoJleoKsErFvznddFc9mJuco9fA=";
+    sha256 = "sha256-q4TucVRsRH8XRiudU6lRT5R9jAXg6AjEKezUElCCTbQ=";
     # populate values that require us to use git. By doing this in postFetch we
     # can delete .git afterwards and maintain better reproducibility of the src.
     leaveDotGit = true;
@@ -20,7 +20,7 @@ buildGoModule rec {
       find "$out" -name .git -print0 | xargs -0 rm -rf
     '';
   };
-  vendorSha256 = "sha256-WThZpum6sEYyDkwGKo3onMLy6hpmMJ/o6+5olX5nEjk=";
+  vendorHash = "sha256-gDBMGn3gKbAvMU3V88tjAZJlAiUXXnXGzyCT06l+DZ8=";
 
   nativeBuildInputs = [ installShellFiles ];
 

pkgs/applications/networking/cluster/talosctl/default.nix

@@ -2,16 +2,16 @@
 
 buildGoModule rec {
   pname = "talosctl";
-  version = "1.4.0";
+  version = "1.4.1";
 
   src = fetchFromGitHub {
     owner = "siderolabs";
     repo = "talos";
     rev = "v${version}";
-    hash = "sha256-EJrzq6fChNA1N3TTkwD5/1TdLDso9jGuTgWUG4RwqGA=";
+    hash = "sha256-ZnVqpJ62X6JlL/yAjpdh8e3U6Lvs/GncCkKU42GRI/Q=";
   };
 
-  vendorHash = "sha256-Thkj8Zhj/HXAnRcFxuCEVd94CMrt8Bsq2FHx6siH6Ww=";
+  vendorHash = "sha256-1YHYDC22yvtADOIuYxzonV7yaLsQOFELwEEXvu77JdE=";
 
   ldflags = [ "-s" "-w" ];
 

pkgs/applications/version-management/lefthook/default.nix

@@ -6,7 +6,7 @@
 
 let
   pname = "lefthook";
-  version = "1.3.10";
+  version = "1.3.12";
 in
 buildGoModule rec {
   inherit pname version;
@@ -15,7 +15,7 @@ buildGoModule rec {
     owner = "evilmartians";
     repo = "lefthook";
     rev = "v${version}";
-    hash = "sha256-dV8Zs62I61SXTX3NQs0n1P0LKNfyfZNHvdKzvJ3r5Z8=";
+    hash = "sha256-M0FwFDtZazVjj/IUEN8vo2PcgpnGSIKRPc8jHfGE9t8=";
   };
 
   vendorHash = "sha256-UMT39If9Oa7vgpkW2oltCUkaNQ0Qf1nCO5Z8F8SaajA=";

pkgs/applications/virtualization/seabios/default.nix

@@ -3,12 +3,12 @@
 stdenv.mkDerivation rec {
 
   pname = "seabios";
-  version = "1.16.1";
+  version = "1.16.2";
 
   src = fetchgit {
     url = "https://git.seabios.org/seabios.git";
     rev = "rel-${version}";
-    sha256 = "sha256-oIl2ZbhgSiVJPMBGbVt6N074vOifAoZL6VdKcBwM8D4=";
+    sha256 = "sha256-J2FuT+FXn9YoFLSfxDOxyKZvKrys59a6bP1eYvEXVNU=";
   };
 
   nativeBuildInputs = [ python3 ];

pkgs/development/libraries/libnbd/default.nix

@@ -12,11 +12,11 @@
 
 stdenv.mkDerivation rec {
   pname = "libnbd";
-  version = "1.14.1";
+  version = "1.16.0";
 
   src = fetchurl {
     url = "https://download.libguestfs.org/libnbd/${lib.versions.majorMinor version}-stable/${pname}-${version}.tar.gz";
-    hash = "sha256-LwgXVWOWwyc9OUJEKHkDQEfGBy41XsdbRuG+zluFc3E=";
+    hash = "sha256-Tkd46NxLvGe+RpCSFdCsYrFWc3PAtXI1aCq8177jla0=";
   };
 
   nativeBuildInputs = [

pkgs/development/libraries/mimalloc/default.nix

@@ -7,13 +7,13 @@ let
 in
 stdenv.mkDerivation rec {
   pname   = "mimalloc";
-  version = "2.0.9";
+  version = "2.1.2";
 
   src = fetchFromGitHub {
     owner  = "microsoft";
     repo   = pname;
     rev    = "v${version}";
-    sha256 = "sha256-0gX0rEOWT6Lp5AyRyrK5GPTBvAqc5SxSaNJOc5GIgKc=";
+    sha256 = "sha256-kYhfufffM4r+ZVgcjnulqFlf1756pirlPysGZnUBzt8=";
   };
 
   doCheck = !stdenv.hostPlatform.isStatic;

pkgs/development/libraries/qcoro/default.nix

@@ -11,13 +11,13 @@
 
 gcc12Stdenv.mkDerivation rec {
   pname = "qcoro";
-  version = "0.7.0";
+  version = "0.9.0";
 
   src = fetchFromGitHub {
     owner = "danvratil";
     repo = "qcoro";
     rev = "v${version}";
-    sha256 = "cHd2CwzP4oD/gy9qsDWIMgvlfBQq1p9C4G7JNAs4XW4=";
+    sha256 = "sha256-kf2W/WAZCpLkq1UIy7iZri4vNaqjGjotB/Xsb+byZV4=";
   };
 
   outputs = [ "out" "dev" ];

pkgs/development/libraries/quazip/default.nix

@@ -2,13 +2,13 @@
 
 stdenv.mkDerivation rec {
   pname = "quazip";
-  version = "1.3";
+  version = "1.4";
 
   src = fetchFromGitHub {
     owner = "stachenov";
     repo = pname;
     rev = "v${version}";
-    sha256 = "sha256-CtjjHJgUEmGg066D/wey3wyq8boX1sJiP7fUNmpbT1o=";
+    sha256 = "sha256-JPpkYvndjDcHVChAyWhpb/XiUPu/qHqDZFh5XmonXMs=";
   };
 
   buildInputs = [ zlib qtbase ];

pkgs/development/python-modules/bc-detect-secrets/default.nix

@@ -15,7 +15,7 @@
 
 buildPythonPackage rec {
   pname = "bc-detect-secrets";
-  version = "1.4.23";
+  version = "1.4.24";
   format = "setuptools";
 
   disabled = pythonOlder "3.8";
@@ -24,7 +24,7 @@ buildPythonPackage rec {
     owner = "bridgecrewio";
     repo = "detect-secrets";
     rev = "refs/tags/${version}";
-    hash = "sha256-lMsGcCD7Qz8OMge6URtrARiR6YPRZRN87dbIlpFdvhY=";
+    hash = "sha256-roqViqEOw5Mx+LFCdJHNDWrZ5wVCuzMxugnOCbuS7nY=";
   };
 
   propagatedBuildInputs = [

pkgs/development/python-modules/imageio/default.nix

@@ -16,12 +16,12 @@
 
 buildPythonPackage rec {
   pname = "imageio";
-  version = "2.27.0";
+  version = "2.28.0";
   disabled = pythonOlder "3.7";
 
   src = fetchPypi {
     inherit pname version;
-    hash = "sha256-7iaclXeF7wNzzHpzIxhZVtg+wF5s3yC0KgO6e3SsWMY=";
+    hash = "sha256-RndjvbbmFNHqi0Vl5CxT+y6y/UMHpGAelxAqlYwJgSo=";
   };
 
   patches = [

pkgs/development/python-modules/mlflow/default.nix

@@ -38,14 +38,14 @@
 
 buildPythonPackage rec {
   pname = "mlflow";
-  version = "2.3.0";
+  version = "2.3.1";
   format = "setuptools";
 
   disabled = pythonOlder "3.7";
 
   src = fetchPypi {
     inherit pname version;
-    hash = "sha256-KnumCix5DH6nQvSGg4cG1Yb6twH+wwjqTHMvS7rdhAk=";
+    hash = "sha256-Y0OTl7JxjOV0cojvVHX0azcWs3ClF74+PGe3maJHoYY=";
   };
 
   # Remove currently broken dependency `shap`, a model explainability package.

pkgs/development/python-modules/pycep-parser/default.nix

@@ -12,7 +12,7 @@
 
 buildPythonPackage rec {
   pname = "pycep-parser";
-  version = "0.3.9";
+  version = "0.4.0";
   format = "pyproject";
 
   disabled = pythonOlder "3.7";
@@ -21,7 +21,7 @@ buildPythonPackage rec {
     owner = "gruebel";
     repo = "pycep";
     rev = "refs/tags/${version}";
-    hash = "sha256-CghTNdZZJJOakMySNPRCTYx+1aEY8ROUvS9loc9JcPo=";
+    hash = "sha256-ZKvFurD5DzByeqDJZdJHpkaUh00UoitCGYDh+TmF/Yc=";
   };
 
   nativeBuildInputs = [

pkgs/development/python-modules/tenacity/default.nix

@@ -12,14 +12,14 @@
 
 buildPythonPackage rec {
   pname = "tenacity";
-  version = "8.2.1";
+  version = "8.2.2";
   format = "pyproject";
 
   disabled = pythonOlder "3.6";
 
   src = fetchPypi {
     inherit pname version;
-    hash = "sha256-x7tLhkJbl3cmp7SZcVQtT2e69yCWWX0oPz/9AfM7kt8=";
+    hash = "sha256-Q68DeCK9ACkCWHfzstl8xNe7DCmRAAo9WdcVF8XJaeA=";
   };
 
   nativeBuildInputs = [

pkgs/development/tools/analysis/checkov/default.nix

@@ -22,14 +22,14 @@ with py.pkgs;
 
 buildPythonApplication rec {
   pname = "checkov";
-  version = "2.3.205";
+  version = "2.3.209";
   format = "setuptools";
 
   src = fetchFromGitHub {
     owner = "bridgecrewio";
     repo = pname;
     rev = "refs/tags/${version}";
-    hash = "sha256-vs7gUYIw7n6PO5hjHFFtfM3gxjUxlmSOEJr8uJmeI6g=";
+    hash = "sha256-7Aj8uAO4/sy1GvG52KPdPXcV6eIjrX14bvTJvqDsWQQ=";
   };
 
   patches = [

pkgs/development/tools/analysis/checkstyle/default.nix

@@ -1,12 +1,12 @@
 { lib, stdenv, fetchurl, makeWrapper, jre }:
 
 stdenv.mkDerivation rec {
-  version = "10.9.3";
+  version = "10.10.0";
   pname = "checkstyle";
 
   src = fetchurl {
     url = "https://github.com/checkstyle/checkstyle/releases/download/checkstyle-${version}/checkstyle-${version}-all.jar";
-    sha256 = "sha256-728SBtKcYTRA8ogNMX6XD3aFbz14GjyNvBVkjdiASPE=";
+    sha256 = "sha256-L9ww8vVSkVQc/2utpMYiPEbbS9l2WzR9HEKmok9R7UI=";
   };
 
   nativeBuildInputs = [ makeWrapper ];

pkgs/development/tools/continuous-integration/cirrus-cli/default.nix

@@ -6,16 +6,16 @@
 
 buildGoModule rec {
   pname = "cirrus-cli";
-  version = "0.96.0";
+  version = "0.97.0";
 
   src = fetchFromGitHub {
     owner = "cirruslabs";
     repo = pname;
     rev = "v${version}";
-    sha256 = "sha256-gX1c10oDGt3n+W6/s4k5JX7V6SuYL8lNRewAmJf8gqQ=";
+    sha256 = "sha256-6MkQUnqHn96S4+hGuHHfJojZUJXNxWTkmLkahVZWQTA=";
   };
 
-  vendorHash = "sha256-Qirv06KhisEmQ+v9Z5jgkJFV4McnH+5r2xbU3wRc0DI=";
+  vendorHash = "sha256-gqpcGEbvfVMkAQ3c6EwW9xTTeMH9VOlMiuCz7uZUbnw=";
 
   ldflags = [
     "-X github.com/cirruslabs/cirrus-cli/internal/version.Version=v${version}"

pkgs/development/tools/continuous-integration/github-runner/default.nix

@@ -15,13 +15,13 @@
 }:
 buildDotnetModule rec {
   pname = "github-runner";
-  version = "2.303.0";
+  version = "2.304.0";
 
   src = fetchFromGitHub {
     owner = "actions";
     repo = "runner";
     rev = "v${version}";
-    hash = "sha256-gGIYlYM4Rf7Ils2rThsQHWIkLDt5Htg4NDuJhxvl1rU=";
+    hash = "sha256-w5MqFIPTCAqQjdsWdscNnH2KNwUOp5SPFesyprXUvNE=";
     # Required to obtain HEAD's Git commit hash
     leaveDotGit = true;
   };

pkgs/development/tools/go-jet/default.nix

@@ -2,16 +2,16 @@
 
 buildGoModule rec {
   pname = "go-jet";
-  version = "2.9.0";
+  version = "2.10.0";
 
   src = fetchFromGitHub {
     owner = pname;
     repo = "jet";
     rev = "v${version}";
-    sha256 = "sha256-1kJaBLZIunexjxjOy55Nw0WMEhrSu+ptMbWVOJ1e5iA=";
+    sha256 = "sha256-Dj/Bq7MEM2sIhz1ThvRpO9wYCasISvd8icP68LVXEx0=";
   };
 
-  vendorSha256 = "sha256-mhH9P3waINZhP+jNg3zKlssIL1ZO5xOBHp19Bzq/pSQ=";
+  vendorHash = "sha256-AwrtLTzKqKjFf5fV3JWYWyaqzHJjMNrYuSXhHXyV5HE=";
 
   subPackages = [ "cmd/jet" ];
 

pkgs/development/tools/pscale/default.nix

@@ -8,16 +8,16 @@
 
 buildGoModule rec {
   pname = "pscale";
-  version = "0.138.0";
+  version = "0.140.0";
 
   src = fetchFromGitHub {
     owner = "planetscale";
     repo = "cli";
     rev = "v${version}";
-    sha256 = "sha256-MoZN1zvOdRoVSEemH+h64k7kID2g0KyHHXWhr2wc914=";
+    sha256 = "sha256-qW+heUi39H0qe6lfYEJW1/LlfsqBuVeXwfxW0q3nIxw=";
   };
 
-  vendorHash = "sha256-kgLSUC+koGLfbxvwwsHzJXzL+4xrtZsraoKDLzGzrEA=";
+  vendorHash = "sha256-4DV2VjSfGHKxLa4W8WNft9BmQKids+yvc3Gb+upLBo4=";
 
   ldflags = [
     "-s" "-w"

pkgs/development/tools/rstfmt/default.nix

@@ -0,0 +1,37 @@
+{ lib
+, python3
+, fetchFromGitHub
+}:
+
+python3.pkgs.buildPythonApplication rec {
+  pname = "rstfmt";
+  version = "0.0.13";
+  format = "pyproject";
+
+  src = fetchFromGitHub {
+    owner = "dzhu";
+    repo = "rstfmt";
+    rev = "refs/tags/v${version}";
+    hash = "sha256-SJRA14CfoT8XMt3hMB7cLdmuLwsJnBSwhKkD1pJvQCI=";
+  };
+
+  propagatedBuildInputs = with python3.pkgs; [
+    black
+    docutils
+    sphinx
+  ];
+
+  # Project has no unittest just sample files
+  doCheck = false;
+
+  pythonImportsCheck = [
+    "rstfmt"
+  ];
+
+  meta = with lib; {
+    description = "A formatter for reStructuredText";
+    homepage = "https://github.com/dzhu/rstfmt";
+    license = licenses.mit;
+    maintainers = with maintainers; [ fab ];
+  };
+}

pkgs/games/nanosaur/default.nix

@@ -25,8 +25,10 @@ stdenv.mkDerivation rec {
   installPhase = ''
     runHook preInstall
     mkdir -p "$out/bin"
-    mv Nanosaur Data ReadMe.txt "$out/"
+    mkdir -p "$out/share/Nanosaur"
-    makeWrapper $out/Nanosaur $out/bin/Nanosaur --chdir "$out"
+    mv Data ReadMe.txt "$out/share/Nanosaur/"
+    install -Dm755 {.,$out/bin}/Nanosaur
+    wrapProgram $out/bin/Nanosaur --chdir "$out/share/Nanosaur"
     install -Dm644 $src/packaging/nanosaur.desktop $out/share/applications/nanosaur.desktop
     install -Dm644 $src/packaging/nanosaur-desktopicon.png $out/share/pixmaps/nanosaur-desktopicon.png
     runHook postInstall

pkgs/games/nanosaur2/default.nix

@@ -25,8 +25,10 @@ stdenv.mkDerivation rec {
   installPhase = ''
     runHook preInstall
     mkdir -p "$out/bin"
-    mv Nanosaur2 Data ReadMe.txt "$out/"
+    mkdir -p "$out/share/Nanosaur2"
-    makeWrapper $out/Nanosaur2 $out/bin/Nanosaur2 --chdir "$out"
+    mv Data ReadMe.txt "$out/share/Nanosaur2/"
+    install -Dm755 {.,$out/bin}/Nanosaur2
+    wrapProgram $out/bin/Nanosaur2 --chdir "$out/share/Nanosaur2"
     install -Dm644 $src/packaging/nanosaur2.desktop $out/share/applications/nanosaur2.desktop
     install -Dm644 $src/packaging/nanosaur2-desktopicon.png $out/share/pixmaps/nanosaur2-desktopicon.png
     runHook postInstall

pkgs/games/otto-matic/default.nix

@@ -27,8 +27,10 @@ stdenv.mkDerivation rec {
     runHook preInstall
 
     mkdir -p "$out/bin"
-    mv OttoMatic Data ReadMe.txt "$out/"
+    mkdir -p "$out/share/OttoMatic"
-    makeWrapper $out/OttoMatic $out/bin/OttoMatic --chdir "$out"
+    mv Data ReadMe.txt "$out/share/OttoMatic/"
+    install -Dm755 {.,$out/bin}/OttoMatic
+    wrapProgram $out/bin/OttoMatic --chdir "$out/share/OttoMatic"
     install -Dm644 $src/packaging/io.jor.ottomatic.desktop $out/share/applications/io.jor.ottomatic.desktop
     install -Dm644 $src/packaging/io.jor.ottomatic.png $out/share/pixmaps/io.jor.ottomatic.png
     runHook postInstall

pkgs/servers/gortr/default.nix

@@ -1,4 +1,7 @@
-{ lib, fetchFromGitHub, buildGoModule }:
+{ lib
+, buildGoModule
+, fetchFromGitHub
+}:
 
 buildGoModule rec {
   pname = "gortr";
@@ -13,10 +16,16 @@ buildGoModule rec {
 
   vendorHash = null;
 
+  ldflags = [
+    "-s"
+    "-w"
+    "-X=main.version=${version}"
+  ];
+
   meta = with lib; {
     description = "The RPKI-to-Router server used at Cloudflare";
     homepage = "https://github.com/cloudflare/gortr/";
-    license = licenses.gpl3;
+    license = licenses.bsd3;
     maintainers = with maintainers; [ ];
   };
 }

pkgs/servers/jackett/default.nix

@@ -9,13 +9,13 @@
 
 buildDotnetModule rec {
   pname = "jackett";
-  version = "0.20.3990";
+  version = "0.20.4029";
 
   src = fetchFromGitHub {
     owner = pname;
     repo = pname;
     rev = "v${version}";
-    hash = "sha512-eewv7QkGUE66PNJh31WjxeAN+x/M9vr2qfFaF6T+W7esMv2EoHZb9FcRwzZ8GmpT/bd9LFNNahSJ3jIHdKg8KA==";
+    hash = "sha512-ldciP2TAq8qN754NGcwkZ+NnjrvfhiVLFW8WyAgL77agfpwgps1BxlPM5s9rCXKJoOaFQdmLoYMBsImApU9i4A==";
   };
 
   projectFile = "src/Jackett.Server/Jackett.Server.csproj";

pkgs/servers/traefik/default.nix

@@ -2,16 +2,16 @@
 
 buildGoModule rec {
   pname = "traefik";
-  version = "2.10.0";
+  version = "2.10.1";
 
   # Archive with static assets for webui
   src = fetchzip {
     url = "https://github.com/traefik/traefik/releases/download/v${version}/traefik-v${version}.src.tar.gz";
-    sha256 = "sha256-KeV7JOIbQoCwmulMzKpse7GA+/p5uPRR8UpMYizuGYU=";
+    sha256 = "sha256-KvbWto3erR7ylYk59sKKZwZ961aLFi8KyZhLQJitmng=";
     stripRoot = false;
   };
 
-  vendorSha256 = "sha256-o+xri6vyUbInwmk+hhi6YDRo8ICASMj+ah3nBqQWnO8=";
+  vendorHash = "sha256-Wa3Pm+5Knhua18IHME8S4PIdgt94QdhU1jY5pudlwp0=";
 
   subPackages = [ "cmd/traefik" ];
 

pkgs/servers/uxplay/default.nix

@@ -13,13 +13,13 @@
 
 stdenv.mkDerivation rec {
   pname = "uxplay";
-  version = "1.63.2";
+  version = "1.64";
 
   src = fetchFromGitHub {
     owner = "FDH2";
     repo = "UxPlay";
     rev = "v${version}";
-    sha256 = "sha256-K1DlGpamX+MkVpevhZBINtNawkPfN5ofHOcsiBHgnC4=";
+    sha256 = "sha256-zCjAXQMA5QvcpmkSYb9FST4xzK1cjZZDGcBGc1CacVo=";
   };
 
   postPatch = ''

pkgs/tools/admin/kics/default.nix

@@ -8,13 +8,13 @@
 
 buildGoModule rec {
   pname = "kics";
-  version = "1.6.14";
+  version = "1.7.0";
 
   src = fetchFromGitHub {
     owner = "Checkmarx";
     repo = "kics";
     rev = "v${version}";
-    sha256 = "sha256-kh8lTiGbbhH2jZYhfyfThKQE170tvRADUa+7dvVy3QU=";
+    sha256 = "sha256-T9dO8OGlbEvjM+9P7cbCCgXkJXXtkR+5zrXRoGZg08c=";
   };
 
   vendorHash = "sha256-Sg8f6fqe7DAsNsEGU1Ml42qgSuE5CrD+YrFqZKpNKtU=";

pkgs/tools/networking/bore-cli/default.nix

@@ -7,16 +7,16 @@
 
 rustPlatform.buildRustPackage rec {
   pname = "bore-cli";
-  version = "0.4.1";
+  version = "0.5.0";
 
   src = fetchFromGitHub {
     owner = "ekzhang";
     repo = "bore";
     rev = "v${version}";
-    hash = "sha256-h5Xwsr61h52zb5HNPySKVjfYW96Fff7nwZUAL6vK9ko=";
+    hash = "sha256-fHCWK/GI/MDbBPCpkgKJlWjFEsl8Ey6IdUZQPnYUfjg=";
   };
 
-  cargoSha256 = "sha256-QyaQM8z5v0LgskkmZ/8ekZwxNrt8sq91BbnjvIqa2nI=";
+  cargoHash = "sha256-/k/7/mCD0abspPr+GGk/8ovnWl85OsmJtzirmfVxDNo=";
 
   buildInputs = lib.optionals stdenv.isDarwin [
     Security

pkgs/tools/networking/brook/default.nix

@@ -2,16 +2,16 @@
 
 buildGoModule rec {
   pname = "brook";
-  version = "20230404";
+  version = "20230404.5.1";
 
   src = fetchFromGitHub {
     owner = "txthinking";
     repo = pname;
     rev = "v${version}";
-    sha256 = "sha256-nh59sfOWLk4evuIxa35bWu0J6xSUIzrPv4oQHWSZInA=";
+    sha256 = "sha256-79fH5Bmpg9qMyec1GtyGqme+QBw/Yfs5xMEo9tJXHuU=";
   };
 
-  vendorHash = "sha256-PYdR0vfgOgRheHDvoIC9jCFmfzCSOhxqcPFm+MqirsQ=";
+  vendorHash = "sha256-uKlO1x5sGM8B1htmvRt9kND7tuH36iLN/Mev77vwZ6M=";
 
   meta = with lib; {
     homepage = "https://github.com/txthinking/brook";

pkgs/tools/security/ssh-audit/default.nix

@@ -2,13 +2,13 @@
 
 python3Packages.buildPythonApplication rec {
   pname = "ssh-audit";
-  version = "2.5.0";
+  version = "2.9.0";
 
   src = fetchFromGitHub {
     owner = "jtesta";
     repo = pname;
     rev = "v${version}";
-    sha256 = "0ks1zr0ksma285sm2dyy0nsbrkpssdk4mdzc3srr4mcyd6v927jd";
+    sha256 = "sha256-WrED2cSoqR276iOma+pZq/Uu1vQWJmtJvsI73r8ivJA=";
   };
 
   nativeCheckInputs = with python3Packages; [

pkgs/tools/security/vault/default.nix

@@ -38,7 +38,7 @@ buildGoModule rec {
       --prefix PATH ${lib.makeBinPath [ gawk glibc ]}
   '';
 
-  passthru.tests = { inherit (nixosTests) vault vault-postgresql vault-dev; };
+  passthru.tests = { inherit (nixosTests) vault vault-postgresql vault-dev vault-agent; };
 
   meta = with lib; {
     homepage = "https://www.vaultproject.io/";

pkgs/tools/system/consul-template/default.nix

@@ -1,4 +1,4 @@
-{ lib, buildGoModule, fetchFromGitHub }:
+{ lib, buildGoModule, fetchFromGitHub, nixosTests }:
 
 buildGoModule rec {
   pname = "consul-template";
@@ -17,6 +17,10 @@ buildGoModule rec {
   # execute tests so we skip them here
   doCheck = false;
 
+  passthru.tests = {
+    inherit (nixosTests) consul-template;
+  };
+
   meta = with lib; {
     homepage = "https://github.com/hashicorp/consul-template/";
     description = "Generic template rendering and notifications with Consul";

pkgs/tools/text/rosie/default.nix

@@ -7,12 +7,12 @@
 
 stdenv.mkDerivation rec {
   pname = "rosie";
-  version = "unstable-2020-01-11";
+  version = "1.3.0";
 
   src = fetchgit {
     url = "https://gitlab.com/rosie-pattern-language/rosie";
-    rev = "670e9027563609ba2ea31e14e2621a1302742795";
+    rev = "9303e04ae2cffabdda6ccc4e2a351a47218615ff";
-    sha256 = "0jc512dbn62a1fniknhbp6q0xa1p7xi3hn5v60is8sy9jgi3afxv";
+    sha256 = "1smh760baf43hr56p6rh4khz3shyzda5lqva4ffxwchl7yy7r82j";
     fetchSubmodules = true;
   };
 
@@ -23,17 +23,31 @@ stdenv.mkDerivation rec {
 
   preConfigure = ''
     patchShebangs src/build_info.sh
+    # rosie is ran as part of `make check`,
+    # and so needs to be patched in preConfigure.
+    patchShebangs rosie
     # Part of the same Makefile target which calls git to update submodules
     ln -s src submodules/lua/include
+    # ldconfig is irrelevant, disable it inside `make installforce`.
+    sed -iE 's/ldconfig/echo skippin ldconfig/' Makefile
+    sed -iE '/ld.so.conf.d/d' Makefile
+  '';
+
+  preInstall = lib.optionalString stdenv.isDarwin ''
+    install_name_tool -add_rpath $out/lib build/bin/rosie
+    install_name_tool -id $out/lib/librosie.dylib build/lib/librosie.dylib
   '';
 
   postInstall = ''
     mkdir -p $out/share/emacs/site-lisp $out/share/vim-plugins $out/share/nvim
-    mv $out/lib/rosie/extra/extra/emacs/* $out/share/emacs/site-lisp/
+    mv $out/lib/rosie/extra/emacs/* $out/share/emacs/site-lisp/
-    mv $out/lib/rosie/extra/extra/vim $out/share/vim-plugins/rosie
+    mv $out/lib/rosie/extra/vim $out/share/vim-plugins/rosie
     ln -s $out/share/vim-plugins/rosie $out/share/nvim/site
   '';
 
+  # librosie.so is dlopen'ed , so we disable ELF patching to preserve RUNPATH .
+  dontPatchELF = true;
+
   makeFlags = [ "DESTDIR=${placeholder "out"}" ];
 
   buildInputs = [ libbsd readline ];

pkgs/top-level/all-packages.nix

@@ -11717,6 +11717,8 @@ with pkgs;
 
   rstcheck = with python3Packages; toPythonApplication rstcheck;
 
+  rstfmt = callPackage ../development/tools/rstfmt { };
+
   rt = callPackage ../servers/rt { };
 
   rtmpdump = callPackage ../tools/video/rtmpdump { };