Merge staging-next into staging

maintainers/maintainer-list.nix

@@ -6186,6 +6186,12 @@
     github = "meutraa";
     githubId = 68550871;
   };
+  mephistophiles = {
+    email = "mussitantesmortem@gmail.com";
+    name = "Maxim Zhukov";
+    github = "Mephistophiles";
+    githubId = 4850908;
+  };
   mfossen = {
     email = "msfossen@gmail.com";
     github = "mfossen";

nixos/doc/manual/release-notes/rl-2105.xml

@@ -23,6 +23,9 @@
      Support is planned until the end of December 2021, handing over to 21.11.
     </para>
    </listitem>
+   <listitem>
+    <para>The default Linux kernel was updated to the 5.10 LTS series, coming from the 5.4 LTS series.</para>
+   </listitem>
    <listitem>
     <para>GNOME desktop environment was upgraded to 3.38, see its <link xlink:href="https://help.gnome.org/misc/release-notes/3.38/">release notes</link>.</para>
    </listitem>

nixos/modules/hardware/all-firmware.nix

@@ -49,7 +49,7 @@ in {
         rt5677-firmware
         rtl8723bs-firmware
         rtl8761b-firmware
-        rtlwifi_new-firmware
+        rtw88-firmware
         zd1211fw
         alsa-firmware
         sof-firmware

nixos/modules/module-list.nix

@@ -949,6 +949,7 @@
   ./services/web-servers/nginx/default.nix
   ./services/web-servers/nginx/gitweb.nix
   ./services/web-servers/phpfpm/default.nix
+  ./services/web-servers/pomerium.nix
   ./services/web-servers/unit/default.nix
   ./services/web-servers/shellinabox.nix
   ./services/web-servers/tomcat.nix

nixos/modules/services/web-servers/pomerium.nix

@@ -0,0 +1,131 @@
+{ config, lib, pkgs, ... }:
+
+with lib;
+
+let
+  format = pkgs.formats.yaml {};
+in
+{
+  options.services.pomerium = {
+    enable = mkEnableOption "the Pomerium authenticating reverse proxy";
+
+    configFile = mkOption {
+      type = with types; nullOr path;
+      default = null;
+      description = "Path to Pomerium config YAML. If set, overrides services.pomerium.settings.";
+    };
+
+    useACMEHost = mkOption {
+      type = with types; nullOr str;
+      default = null;
+      description = ''
+        If set, use a NixOS-generated ACME certificate with the specified name.
+
+        Note that this will require you to use a non-HTTP-based challenge, or
+        disable Pomerium's in-built HTTP redirect server by setting
+        http_redirect_addr to null and use a different HTTP server for serving
+        the challenge response.
+
+        If you're using an HTTP-based challenge, you should use the
+        Pomerium-native autocert option instead.
+      '';
+    };
+
+    settings = mkOption {
+      description = ''
+        The contents of Pomerium's config.yaml, in Nix expressions.
+
+        Specifying configFile will override this in its entirety.
+
+        See <link xlink:href="https://pomerium.io/reference/">the Pomerium
+        configuration reference</link> for more information about what to put
+        here.
+      '';
+      default = {};
+      type = format.type;
+    };
+
+    secretsFile = mkOption {
+      type = with types; nullOr path;
+      default = null;
+      description = ''
+        Path to file containing secrets for Pomerium, in systemd
+        EnvironmentFile format. See the systemd.exec(5) man page.
+      '';
+    };
+  };
+
+  config = let
+    cfg = config.services.pomerium;
+    cfgFile = if cfg.configFile != null then cfg.configFile else (format.generate "pomerium.yaml" cfg.settings);
+  in mkIf cfg.enable ({
+    systemd.services.pomerium = {
+      description = "Pomerium authenticating reverse proxy";
+      wants = [ "network.target" ] ++ (optional (cfg.useACMEHost != null) "acme-finished-${cfg.useACMEHost}.target");
+      after = [ "network.target" ] ++ (optional (cfg.useACMEHost != null) "acme-finished-${cfg.useACMEHost}.target");
+      wantedBy = [ "multi-user.target" ];
+      environment = optionalAttrs (cfg.useACMEHost != null) {
+        CERTIFICATE_FILE = "fullchain.pem";
+        CERTIFICATE_KEY_FILE = "key.pem";
+      };
+      startLimitIntervalSec = 60;
+
+      serviceConfig = {
+        DynamicUser = true;
+        StateDirectory = [ "pomerium" ];
+        ExecStart = "${pkgs.pomerium}/bin/pomerium -config ${cfgFile}";
+
+        PrivateUsers = false;  # breaks CAP_NET_BIND_SERVICE
+        MemoryDenyWriteExecute = false;  # breaks LuaJIT
+
+        NoNewPrivileges = true;
+        PrivateTmp = true;
+        PrivateDevices = true;
+        DevicePolicy = "closed";
+        ProtectSystem = "strict";
+        ProtectHome = true;
+        ProtectControlGroups = true;
+        ProtectKernelModules = true;
+        ProtectKernelTunables = true;
+        ProtectKernelLogs = true;
+        RestrictAddressFamilies = "AF_UNIX AF_INET AF_INET6 AF_NETLINK";
+        RestrictNamespaces = true;
+        RestrictRealtime = true;
+        RestrictSUIDSGID = true;
+        LockPersonality = true;
+        SystemCallArchitectures = "native";
+
+        EnvironmentFile = cfg.secretsFile;
+        AmbientCapabilities = [ "CAP_NET_BIND_SERVICE" ];
+        CapabilityBoundingSet = [ "CAP_NET_BIND_SERVICE" ];
+
+        WorkingDirectory = mkIf (cfg.useACMEHost != null) "$CREDENTIALS_DIRECTORY";
+        LoadCredential = optionals (cfg.useACMEHost != null) [
+          "fullchain.pem:/var/lib/acme/${cfg.useACMEHost}/fullchain.pem"
+          "key.pem:/var/lib/acme/${cfg.useACMEHost}/key.pem"
+        ];
+      };
+    };
+
+    # postRun hooks on cert renew can't be used to restart Nginx since renewal
+    # runs as the unprivileged acme user. sslTargets are added to wantedBy + before
+    # which allows the acme-finished-$cert.target to signify the successful updating
+    # of certs end-to-end.
+    systemd.services.pomerium-config-reload = mkIf (cfg.useACMEHost != null) {
+      # TODO(lukegb): figure out how to make config reloading work with credentials.
+
+      wantedBy = [ "acme-finished-${cfg.useACMEHost}.target" "multi-user.target" ];
+      # Before the finished targets, after the renew services.
+      before = [ "acme-finished-${cfg.useACMEHost}.target" ];
+      after = [ "acme-${cfg.useACMEHost}.service" ];
+      # Block reloading if not all certs exist yet.
+      unitConfig.ConditionPathExists = [ "${certs.${cfg.useACMEHost}.directory}/fullchain.pem" ];
+      serviceConfig = {
+        Type = "oneshot";
+        TimeoutSec = 60;
+        ExecCondition = "/run/current-system/systemd/bin/systemctl -q is-active pomerium.service";
+        ExecStart = "/run/current-system/systemd/bin/systemctl restart pomerium.service";
+      };
+    };
+  });
+}

nixos/tests/all-tests.nix

@@ -319,6 +319,7 @@ in
   plikd = handleTest ./plikd.nix {};
   plotinus = handleTest ./plotinus.nix {};
   podman = handleTestOn ["x86_64-linux"] ./podman.nix {};
+  pomerium = handleTestOn ["x86_64-linux"] ./pomerium.nix {};
   postfix = handleTest ./postfix.nix {};
   postfix-raise-smtpd-tls-security-level = handleTest ./postfix-raise-smtpd-tls-security-level.nix {};
   postgis = handleTest ./postgis.nix {};

nixos/tests/pomerium.nix

@@ -0,0 +1,102 @@
+import ./make-test-python.nix ({ pkgs, ... }: {
+  name = "pomerium";
+  meta = with pkgs.stdenv.lib.maintainers; {
+    maintainers = [ lukegb ];
+  };
+
+  nodes = let base = myIP: { pkgs, lib, ... }: {
+    virtualisation.vlans = [ 1 ];
+    networking = {
+      dhcpcd.enable = false;
+      firewall.allowedTCPPorts = [ 80 443 ];
+      hosts = {
+        "192.168.1.1" = [ "pomerium" "pom-auth" ];
+        "192.168.1.2" = [ "backend" "dummy-oidc" ];
+      };
+      interfaces.eth1.ipv4.addresses = pkgs.lib.mkOverride 0 [
+        { address = myIP; prefixLength = 24; }
+      ];
+    };
+  }; in {
+    pomerium = { pkgs, lib, ... }: {
+      imports = [ (base "192.168.1.1") ];
+      services.pomerium = {
+        enable = true;
+        settings = {
+          address = ":80";
+          insecure_server = true;
+          authenticate_service_url = "http://pom-auth";
+
+          idp_provider = "oidc";
+          idp_scopes = [ "oidc" ];
+          idp_client_id = "dummy";
+          idp_provider_url = "http://dummy-oidc";
+
+          policy = [{
+            from = "https://my.website";
+            to = "http://192.168.1.2";
+            allow_public_unauthenticated_access = true;
+            preserve_host_header = true;
+          } {
+            from = "https://login.required";
+            to = "http://192.168.1.2";
+            allowed_domains = [ "my.domain" ];
+            preserve_host_header = true;
+          }];
+        };
+        secretsFile = pkgs.writeText "pomerium-secrets" ''
+          # 12345678901234567890123456789012 in base64
+          COOKIE_SECRET=MTIzNDU2Nzg5MDEyMzQ1Njc4OTAxMjM0NTY3ODkwMTI=
+          IDP_CLIENT_SECRET=dummy
+        '';
+      };
+    };
+    backend = { pkgs, lib, ... }: {
+      imports = [ (base "192.168.1.2") ];
+      services.nginx.enable = true;
+      services.nginx.virtualHosts."my.website" = {
+        root = pkgs.runCommand "testdir" {} ''
+          mkdir "$out"
+          echo hello world > "$out/index.html"
+        '';
+      };
+      services.nginx.virtualHosts."dummy-oidc" = {
+        root = pkgs.runCommand "testdir" {} ''
+          mkdir -p "$out/.well-known"
+          cat <<EOF >"$out/.well-known/openid-configuration"
+            {
+              "issuer": "http://dummy-oidc",
+              "authorization_endpoint": "http://dummy-oidc/auth.txt",
+              "token_endpoint": "http://dummy-oidc/token",
+              "jwks_uri": "http://dummy-oidc/jwks.json",
+              "userinfo_endpoint": "http://dummy-oidc/userinfo",
+              "id_token_signing_alg_values_supported": ["RS256"]
+            }
+          EOF
+          echo hello I am login page >"$out/auth.txt"
+        '';
+      };
+    };
+  };
+
+  testScript = { ... }: ''
+    backend.wait_for_unit("nginx")
+    backend.wait_for_open_port(80)
+
+    pomerium.wait_for_unit("pomerium")
+    pomerium.wait_for_open_port(80)
+
+    with subtest("no authentication required"):
+        pomerium.succeed(
+            "curl --resolve my.website:80:127.0.0.1 http://my.website | grep -q 'hello world'"
+        )
+
+    with subtest("login required"):
+        pomerium.succeed(
+            "curl -I --resolve login.required:80:127.0.0.1 http://login.required | grep -q pom-auth"
+        )
+        pomerium.succeed(
+            "curl -L --resolve login.required:80:127.0.0.1 http://login.required | grep -q 'hello I am login page'"
+        )
+  '';
+})

pkgs/applications/backup/pika-backup/default.nix

@@ -19,20 +19,20 @@
 
 stdenv.mkDerivation rec {
   pname = "pika-backup";
-  version = "0.2.2";
+  version = "0.2.3";
 
   src = fetchFromGitLab {
     domain = "gitlab.gnome.org";
     owner = "World";
     repo = "pika-backup";
     rev = "v${version}";
-    sha256 = "16284gv31wdwmb99056962d1gh6xz26ami6synr47nsbbp5l0s6k";
+    sha256 = "sha256-jy22eyuzM2y7vByT3TOlAUuTKtPepkB9iiHQT1YGQ88=";
   };
 
   cargoDeps = rustPlatform.fetchCargoTarball {
     inherit src;
     name = "${pname}-${version}";
-    sha256 = "12ymjwpxx3sdna8w5j9fnwwfk8ynk9ziwl0lkpq68y0vyllln5an";
+    sha256 = "1ndcpgw18w3l5f7vv5vw8lxhgd5y1zxfarwnyfx13m7kcv8m3vyj";
   };
 
   patches = [

pkgs/applications/blockchains/crypto-org-wallet.nix

@@ -0,0 +1,33 @@
+{ lib, fetchurl, makeDesktopItem, appimageTools, imagemagick }:
+
+let
+  pname = "chain-desktop-wallet";
+  version = "0.1.1";
+  name = "${pname}-${version}";
+
+  src = fetchurl {
+    url = "https://github.com/crypto-com/${pname}/releases/download/v${version}/${name}-x86_64.AppImage";
+    sha256 = "12076hf8dlz0hg1pb2ixwlslrh8gi6s1iawnvhnn6vz4jmjvq356";
+  };
+
+  appimageContents = appimageTools.extractType2 { inherit name src; };
+in appimageTools.wrapType2 rec {
+  inherit name src;
+
+  extraInstallCommands = ''
+    mv $out/bin/${name} $out/bin/${pname}
+    install -m 444 -D ${appimageContents}/${pname}.desktop $out/share/applications/${pname}.desktop
+    ${imagemagick}/bin/convert ${appimageContents}/${pname}.png -resize 512x512 ${pname}_512.png
+    install -m 444 -D ${pname}_512.png $out/share/icons/hicolor/512x512/apps/${pname}.png
+    substituteInPlace $out/share/applications/${pname}.desktop \
+      --replace 'Exec=AppRun --no-sandbox %U' "Exec=$out/bin/${pname}"
+  '';
+
+  meta = with lib; {
+    description = "Crypto.org Chain desktop wallet (Beta)";
+    homepage = "https://github.com/crypto-com/chain-desktop-wallet";
+    license = licenses.asl20;
+    maintainers = with maintainers; [ th0rgal ];
+    platforms = [ "x86_64-linux" ];
+  };
+}

pkgs/applications/networking/browsers/chromium/upstream-info.json

@@ -1,8 +1,8 @@
 {
   "stable": {
-    "version": "89.0.4389.90",
+    "version": "89.0.4389.114",
-    "sha256": "16i7bgk2jbcqs2p28nk5mlf0k6wah594pcsfm8b154nxbyf0iihi",
+    "sha256": "007df9p78bbmk3iyfi8qn57mmn68qqrdhx6z8n2hl8ksd7lspw7j",
-    "sha256bin64": "1hgpx7isp9krarj7jpbhs97ym4i9j9a1srywv9pdfzbhw6cid2pk",
+    "sha256bin64": "06wblyvyr93032fbzwm6qpzz4jjm6adziq4i4n6kmfdix2ajif8a",
     "deps": {
       "gn": {
         "version": "2021-01-07",

pkgs/applications/networking/browsers/lagrange/default.nix

@@ -14,13 +14,13 @@
 
 stdenv.mkDerivation rec {
   pname = "lagrange";
-  version = "1.2.2";
+  version = "1.3.0";
 
   src = fetchFromGitHub {
     owner = "skyjake";
     repo = "lagrange";
     rev = "v${version}";
-    sha256 = "sha256-Y+BiXKxlUSZXaLcz75l333ZBkKyII9IyTmKQwjshBkE=";
+    sha256 = "sha256-85KshJEL7ri10mSm/KgcT03WLEwRMMTGczb6mGx66Jw=";
     fetchSubmodules = true;
   };
 

pkgs/applications/networking/instant-messengers/slack/default.nix

@@ -26,6 +26,7 @@
 , libuuid
 , libxcb
 , libxkbcommon
+, libxshmfence
 , mesa
 , nspr
 , nss
@@ -117,6 +118,7 @@ let
       xorg.libXi
       xorg.libXrandr
       xorg.libXrender
+      xorg.libxshmfence
       xorg.libXtst
       xorg.libxkbfile
     ] + ":${stdenv.cc.cc.lib}/lib64";

pkgs/applications/window-managers/i3/auto-layout.nix

@@ -0,0 +1,26 @@
+{ lib, rustPlatform, fetchFromGitHub }:
+
+rustPlatform.buildRustPackage rec {
+  pname = "i3-auto-layout";
+  version = "0.2";
+
+  src = fetchFromGitHub {
+    owner = "chmln";
+    repo = pname;
+    rev = "v${version}";
+    sha256 = "0ps08lga6qkgc8cgf5cx2lgwlqcnd2yazphh9xd2fznnzrllfxxz";
+  };
+
+  cargoSha256 = "1ch5mh515rlqmr65x96xcvrx6iaigqgjxc7sbwbznzkc5kmvwhc0";
+
+  # Currently no tests are implemented, so we avoid building the package twice
+  doCheck = false;
+
+  meta = with lib; {
+    description = "Automatic, optimal tiling for i3wm";
+    homepage = "https://github.com/chmln/i3-auto-layout";
+    license = licenses.mit;
+    maintainers = with maintainers; [ mephistophiles ];
+    platforms = platforms.linux;
+  };
+}

pkgs/development/libraries/qt-5/5.15/default.nix

@@ -203,7 +203,9 @@ let
       qtvirtualkeyboard = callPackage ../modules/qtvirtualkeyboard.nix {};
       qtwayland = callPackage ../modules/qtwayland.nix {};
       qtwebchannel = callPackage ../modules/qtwebchannel.nix {};
-      qtwebengine = callPackage ../modules/qtwebengine.nix {};
+      qtwebengine = callPackage ../modules/qtwebengine.nix {
+        inherit (srcs.qtwebengine) version;
+      };
       qtwebglplugin = callPackage ../modules/qtwebglplugin.nix {};
       qtwebkit = callPackage ../modules/qtwebkit.nix {};
       qtwebsockets = callPackage ../modules/qtwebsockets.nix {};

pkgs/development/libraries/qt-5/modules/qtwebengine.nix

@@ -17,6 +17,7 @@
 , cups, darwin, openbsm, runCommand, xcbuild, writeScriptBin
 , ffmpeg_3 ? null
 , lib, stdenv, fetchpatch
+, version ? null
 , qtCompatVersion
 }:
 
@@ -230,6 +231,9 @@ qtModule {
     [Paths]
     Prefix = ..
     EOF
+  '' + lib.optionalString (lib.versions.majorMinor qtCompatVersion == "5.15") ''
+    # Fix for out-of-sync QtWebEngine and Qt releases (since 5.15.3)
+    sed 's/${lib.head (lib.splitString "-" version)} /${qtCompatVersion} /' -i "$out"/lib/cmake/*/*Config.cmake
   '';
 
   meta = with lib; {

pkgs/development/libraries/zlib-ng/default.nix

@@ -0,0 +1,34 @@
+{ lib, stdenv, fetchFromGitHub
+, cmake, pkg-config
+, withZlibCompat ? false
+}:
+
+stdenv.mkDerivation rec {
+  pname = "zlib-ng";
+  version = "2.0.2";
+
+  src = fetchFromGitHub {
+    owner = "zlib-ng";
+    repo = "zlib-ng";
+    rev = version;
+    sha256 = "1cl6asrav2512j7p02zcpibywjljws0m7aazvb3q2r9qiyvyswji";
+  };
+
+  outputs = [ "out" "dev" "bin" ];
+
+  nativeBuildInputs = [ cmake pkg-config ];
+
+  cmakeFlags = [
+    "-DCMAKE_INSTALL_PREFIX=/"
+    "-DBUILD_SHARED_LIBS=ON"
+    "-DINSTALL_UTILS=ON"
+  ] ++ lib.optionals withZlibCompat [ "-DZLIB_COMPAT=ON" ];
+
+  meta = with lib; {
+    description = "zlib data compression library for the next generation systems";
+    homepage    = "https://github.com/zlib-ng/zlib-ng";
+    license     = licenses.zlib;
+    platforms   = platforms.all;
+    maintainers = with maintainers; [ izorkin ];
+  };
+}

pkgs/development/python-modules/boto3/default.nix

@@ -13,11 +13,11 @@
 
 buildPythonPackage rec {
   pname = "boto3";
-  version = "1.17.40"; # N.B: if you change this, change botocore and awscli to a matching version
+  version = "1.17.41"; # N.B: if you change this, change botocore and awscli to a matching version
 
   src = fetchPypi {
     inherit pname version;
-    sha256 = "sha256-7pmbRrLGMOUOewUtbf4iQgOjSNg7AOFoylAAmvDydsE=";
+    sha256 = "sha256-2FsOBdfelhabACS3aykr5isB729cqFOlElBjRrgtKrs=";
   };
 
   propagatedBuildInputs = [ botocore jmespath s3transfer ] ++ lib.optionals (!isPy3k) [ futures ];

pkgs/development/python-modules/botocore/default.nix

@@ -13,11 +13,11 @@
 
 buildPythonPackage rec {
   pname = "botocore";
-  version = "1.20.40"; # N.B: if you change this, change boto3 and awscli to a matching version
+  version = "1.20.41"; # N.B: if you change this, change boto3 and awscli to a matching version
 
   src = fetchPypi {
     inherit pname version;
-    sha256 = "sha256-ajWpl3zb16g52UjdX549JgwZt93nTgqETJcgaITTu6A=";
+    sha256 = "sha256-Y/ZQ/Ja84UHoGUp2HmiQ/qL7puASU676Ma5p8UUBXCE=";
   };
 
   propagatedBuildInputs = [

pkgs/development/python-modules/sagemaker/default.nix

@@ -10,6 +10,7 @@
 , protobuf3-to-dict
 , smdebug-rulesconfig
 , pandas
+, packaging
 }:
 
 buildPythonPackage rec {
@@ -32,6 +33,7 @@ buildPythonPackage rec {
     google-pasta
     importlib-metadata
     numpy
+    packaging
     protobuf
     protobuf3-to-dict
     smdebug-rulesconfig

pkgs/development/tools/heroku/default.nix

@@ -2,11 +2,11 @@
 
 stdenv.mkDerivation rec {
   pname = "heroku";
-  version = "7.47.11";
+  version = "7.51.0";
 
   src = fetchurl {
     url = "https://cli-assets.heroku.com/heroku-v${version}/heroku-v${version}.tar.xz";
-    sha256 = "1inf2radpkd9jndap91cw0wbb2qmi71i287vyydl492372cf3cs2";
+    sha256 = "0wcqk4iy4r57k6fd6l0732yp5mclqfla1lfvx96ay45jnhh7rknx";
   };
 
   nativeBuildInputs = [ makeWrapper ];

pkgs/games/empty-epsilon/default.nix

@@ -2,21 +2,23 @@
 
 let
 
-  major = "2020";
+  major = "2021";
-  minor = "11";
+  minor = "03";
-  patch = "23";
+  patch.seriousproton = "30";
+  patch.emptyepsilon = "31";
 
-  version = "${major}.${minor}.${patch}";
+  version.seriousproton = "${major}.${minor}.${patch.seriousproton}";
+  version.emptyepsilon = "${major}.${minor}.${patch.emptyepsilon}";
 
   serious-proton = stdenv.mkDerivation {
     pname = "serious-proton";
-    inherit version;
+    version = version.seriousproton;
 
     src = fetchFromGitHub {
       owner = "daid";
       repo = "SeriousProton";
-      rev = "EE-${version}";
+      rev = "EE-${version.seriousproton}";
-      sha256 = "sha256-/gwJPlvvOCv5XIsiVgZ8Eb/7vgwG/V+s/soGVCfYrwo=";
+      sha256 = "sha256-wxb/CxJ/HKsVngeahjygZFPMMxitkHdVD0EQ3svxgIU=";
     };
 
     nativeBuildInputs = [ cmake ];
@@ -36,13 +38,13 @@ in
 
 stdenv.mkDerivation {
   pname = "empty-epsilon";
-  inherit version;
+  version = version.emptyepsilon;
 
   src = fetchFromGitHub {
     owner = "daid";
     repo = "EmptyEpsilon";
-    rev = "EE-${version}";
+    rev = "EE-${version.emptyepsilon}";
-    sha256 = "sha256-HbF6xThR+ogNHbAcXF03DaBhwVhNEr5BJO7jeeVZH/o=";
+    sha256 = "sha256-x0XJPMU0prubTb4ti/W/dH5P9abNwbjqkeUhKQpct9o=";
   };
 
   nativeBuildInputs = [ cmake ];
@@ -50,10 +52,10 @@ stdenv.mkDerivation {
 
   cmakeFlags = [
     "-DSERIOUS_PROTON_DIR=${serious-proton.src}"
-    "-DCPACK_PACKAGE_VERSION=${version}"
+    "-DCPACK_PACKAGE_VERSION=${version.emptyepsilon}"
     "-DCPACK_PACKAGE_VERSION_MAJOR=${major}"
     "-DCPACK_PACKAGE_VERSION_MINOR=${minor}"
-    "-DCPACK_PACKAGE_VERSION_PATCH=${patch}"
+    "-DCPACK_PACKAGE_VERSION_PATCH=${patch.emptyepsilon}"
   ];
 
   meta = with lib; {

pkgs/games/steam/fhsenv.nix

@@ -106,6 +106,7 @@ in buildFHSUserEnv rec {
     gst_all_1.gst-plugins-ugly
     gst_all_1.gst-plugins-base
     libdrm
+    libxkbcommon # paradox launcher
     mono
     xorg.xkeyboardconfig
     xorg.libpciaccess
@@ -205,7 +206,6 @@ in buildFHSUserEnv rec {
     libidn
     tbb
     wayland
-    libxkbcommon
 
     # Other things from runtime
     flac

pkgs/os-specific/linux/kernel/hardened/patches.json

@@ -13,15 +13,15 @@
     },
     "5.10": {
         "extra": "-hardened1",
-        "name": "linux-hardened-5.10.25-hardened1.patch",
+        "name": "linux-hardened-5.10.26-hardened1.patch",
-        "sha256": "0d5fid229769frifr7g20ly553gxdqqvajfwyzqwjpr82jjzxlis",
+        "sha256": "08f4yks3fjv5zi85zbxa3aqfllb6nbr58hm6kchd83l6rknnix4r",
-        "url": "https://github.com/anthraxx/linux-hardened/releases/download/5.10.25-hardened1/linux-hardened-5.10.25-hardened1.patch"
+        "url": "https://github.com/anthraxx/linux-hardened/releases/download/5.10.26-hardened1/linux-hardened-5.10.26-hardened1.patch"
     },
     "5.11": {
         "extra": "-hardened1",
-        "name": "linux-hardened-5.11.9-hardened1.patch",
+        "name": "linux-hardened-5.11.10-hardened1.patch",
-        "sha256": "169jcalr81ckad08vx489h8j6k42s0rzxbpkr6knyrd7rv06ddk0",
+        "sha256": "16083fvl5km751dps7mzjc2fl1qp9jqnyn7lg8jlfxc8w32bbxwv",
-        "url": "https://github.com/anthraxx/linux-hardened/releases/download/5.11.9-hardened1/linux-hardened-5.11.9-hardened1.patch"
+        "url": "https://github.com/anthraxx/linux-hardened/releases/download/5.11.10-hardened1/linux-hardened-5.11.10-hardened1.patch"
     },
     "5.4": {
         "extra": "-hardened1",

pkgs/os-specific/linux/kernel/linux-5.11.nix

@@ -3,7 +3,7 @@
 with lib;
 
 buildLinux (args // rec {
-  version = "5.11.9";
+  version = "5.11.10";
 
   # modDirVersion needs to be x.y.z, will automatically add .0 if needed
   modDirVersion = if (modDirVersionArg == null) then concatStringsSep "." (take 3 (splitVersion "${version}.0")) else modDirVersionArg;
@@ -13,6 +13,6 @@ buildLinux (args // rec {
 
   src = fetchurl {
     url = "mirror://kernel/linux/kernel/v5.x/linux-${version}.tar.xz";
-    sha256 = "0dcqn6s85sd4zl7rv8ay88p5z12xvy2rma0dx6g6b480rg68sxal";
+    sha256 = "07fw48sy8p17jmm24x3rl99cwxiwhwjrxnmy3g542w9kzawaqwnk";
   };
 } // (args.argsOverride or {}))

pkgs/os-specific/linux/kernel/linux-rt-5.10.nix

@@ -6,7 +6,7 @@
 , ... } @ args:
 
 let
-  version = "5.10.21-rt34"; # updated by ./update-rt.sh
+  version = "5.10.25-rt35"; # updated by ./update-rt.sh
   branch = lib.versions.majorMinor version;
   kversion = builtins.elemAt (lib.splitString "-" version) 0;
 in buildLinux (args // {
@@ -18,14 +18,14 @@ in buildLinux (args // {
 
   src = fetchurl {
     url = "mirror://kernel/linux/kernel/v5.x/linux-${kversion}.tar.xz";
-    sha256 = "1bz2gmyvpl4vsk0r6fsnh451fzvvfbv63rw8ia75gfv52vzyczwy";
+    sha256 = "1p8s8vp5b6vjmvhj3plm0pr0d9qp5lrwm6l40a4bjr1vk9myf2lk";
   };
 
   kernelPatches = let rt-patch = {
     name = "rt";
     patch = fetchurl {
       url = "mirror://kernel/linux/kernel/projects/rt/${branch}/older/patch-${version}.patch.xz";
-      sha256 = "12c2qpifcgij7hilhd7xrnqaz04gqf41m93pmlm8cv4nxz58cy36";
+      sha256 = "0kvawcyxg0xzhx73xs9g9s0hr7bs44sy4zvfzvcg2m9hdyafry0k";
     };
   }; in [ rt-patch ] ++ lib.remove rt-patch kernelPatches;
 

pkgs/servers/http/envoy/default.nix

@@ -6,6 +6,7 @@
 , go
 , ninja
 , python3
+, nixosTests
 }:
 
 let
@@ -110,6 +111,11 @@ buildBazelPackage rec {
     "--cxxopt=-Wno-uninitialized"
   ];
 
+  passthru.tests = {
+    # No tests for Envoy itself (yet), but it's tested as a core component of Pomerium.
+    inherit (nixosTests) pomerium;
+  };
+
   meta = with lib; {
     homepage = "https://envoyproxy.io";
     description = "Cloud-native edge and service proxy";

pkgs/servers/http/nginx/mainline.nix

@@ -1,6 +1,6 @@
 { callPackage, ... }@args:
 
 callPackage ./generic.nix args {
-  version = "1.19.8";
+  version = "1.19.9";
-  sha256 = "01cb6hsaik1sfjihbrldmwrcn54gk4plfy350sl1b4rml6qik29h";
+  sha256 = "0hfqqyfgqa6wqazmb3d434nb3r5p8szfisa0m6nfh9lqdbqdyd9f";
 }

pkgs/servers/http/pomerium/default.nix

@@ -0,0 +1,80 @@
+{ buildGoModule
+, fetchFromGitHub
+, lib
+, envoy
+, zip
+, nixosTests
+}:
+
+let
+  inherit (lib) concatStringsSep mapAttrsToList;
+in
+buildGoModule rec {
+  pname = "pomerium";
+  version = "0.13.3";
+  src = fetchFromGitHub {
+    owner = "pomerium";
+    repo = "pomerium";
+    rev = "v${version}";
+    hash = "sha256-g0w1aIHvf2rJANvGWHeUxdnyCDsvy/PQ9Kp8nDdT/0w=";
+  };
+
+  vendorSha256 = "sha256-grihU85OcGyf9/KKrv87xZonX5r+Z1oHQTf84Ya61fg=";
+  subPackages = [
+    "cmd/pomerium"
+    "cmd/pomerium-cli"
+  ];
+
+  buildFlagsArray = let
+    # Set a variety of useful meta variables for stamping the build with.
+    setVars = {
+      Version = "v${version}";
+      BuildMeta = "nixpkgs";
+      ProjectName = "pomerium";
+      ProjectURL = "github.com/pomerium/pomerium";
+    };
+    varFlags = concatStringsSep " " (mapAttrsToList (name: value: "-X github.com/pomerium/pomerium/internal/version.${name}=${value}") setVars);
+  in [
+    "-ldflags=${varFlags}"
+  ];
+
+  nativeBuildInputs = [
+    zip
+  ];
+
+  # Pomerium expects to have envoy append to it in a zip.
+  # We use a store-only (-0) zip, so that the Nix scanner can find any store references we had in the envoy binary.
+  postBuild = ''
+    # Append Envoy
+    pushd $NIX_BUILD_TOP
+    mkdir -p envoy
+    cd envoy
+    cp ${envoy}/bin/envoy envoy
+    zip -0 envoy.zip envoy
+    popd
+
+    mv $GOPATH/bin/pomerium $GOPATH/bin/pomerium.old
+    cat $GOPATH/bin/pomerium.old $NIX_BUILD_TOP/envoy/envoy.zip >$GOPATH/bin/pomerium
+    zip --adjust-sfx $GOPATH/bin/pomerium
+  '';
+
+  # We also need to set dontStrip to avoid having the envoy ZIP stripped off the end.
+  dontStrip = true;
+
+  installPhase = ''
+    install -Dm0755 $GOPATH/bin/pomerium $out/bin/pomerium
+    install -Dm0755 $GOPATH/bin/pomerium-cli $out/bin/pomerium-cli
+  '';
+
+  passthru.tests = {
+    inherit (nixosTests) pomerium;
+  };
+
+  meta = with lib; {
+    homepage = "https://pomerium.io";
+    description = "Authenticating reverse proxy";
+    license = licenses.asl20;
+    maintainers = with maintainers; [ lukegb ];
+    platforms = [ "x86_64-linux" ];  # Envoy derivation is x86_64-linux only.
+  };
+}

pkgs/shells/zsh/oh-my-zsh/default.nix

@@ -5,15 +5,15 @@
 , git, nix, nixfmt, jq, coreutils, gnused, curl, cacert }:
 
 stdenv.mkDerivation rec {
-  version = "2021-03-28";
+  version = "2021-03-31";
   pname = "oh-my-zsh";
-  rev = "69507c9518f7c7889d8f47ec8e67bfda02405817";
+  rev = "2b1d4122796fea12dcaa7545cfca59fb43e6393e";
 
   src = fetchFromGitHub {
     inherit rev;
     owner = "ohmyzsh";
     repo = "ohmyzsh";
-    sha256 = "0p5jjynwnf6yh2n0z46avavy7kb7dlqd145hd1qakig7csaclphd";
+    sha256 = "1c1hcmvfrfwds1zn165vpfh11a19s6kb20bxy2dzpby5cs15g6bc";
   };
 
   installPhase = ''

pkgs/tools/admin/awscli/default.nix

@@ -21,11 +21,11 @@ let
 in
 with py.pkgs; buildPythonApplication rec {
   pname = "awscli";
-  version = "1.19.40"; # N.B: if you change this, change botocore and boto3 to a matching version too
+  version = "1.19.41"; # N.B: if you change this, change botocore and boto3 to a matching version too
 
   src = fetchPypi {
     inherit pname version;
-    sha256 = "sha256-J1IuTA/DrBCDclRA3cjAU71Um4Eygjgo+rMTyvT/my4=";
+    sha256 = "sha256-DKKE2iMn6BHmcohHY6Uv7q9Om8FkbTbsk0CaxueBJHA=";
   };
 
   # https://github.com/aws/aws-cli/issues/4837

pkgs/tools/audio/abcmidi/default.nix

@@ -2,11 +2,11 @@
 
 stdenv.mkDerivation rec {
   pname = "abcMIDI";
-  version = "2021.03.27";
+  version = "2021.03.30";
 
   src = fetchzip {
     url = "https://ifdo.ca/~seymour/runabc/${pname}-${version}.zip";
-    sha256 = "sha256-dOUdxH1jJUr9MkU6mf0nwbjY5NYUJpHGkjUZWbRSGsw=";
+    sha256 = "sha256-eOQbvs/mtFn7AmvSezO/jRm8+cO5tF7ggcF9DwwfqVc=";
   };
 
   meta = with lib; {

pkgs/tools/networking/oneshot/default.nix

@@ -2,16 +2,16 @@
 
 buildGoModule rec {
   pname = "oneshot";
-  version = "1.3.1";
+  version = "1.4.1";
 
   src = fetchFromGitHub {
     owner = "raphaelreyna";
     repo = "oneshot";
     rev = "v${version}";
-    sha256 = "047mncv9abs4xj7bh9lhc3wan37cldjjyrpkis7pvx6zhzml74kf";
+    sha256 = "sha256-UD67xYBb1rvGMSPurte5z2Hcd7+JtXDPbgp3BVBdLuk=";
   };
 
-  vendorSha256 = "1cxr96yrrmz37r542mc5376jll9lqjqm18k8761h9jqfbzmh9rkp";
+  vendorSha256 = "sha256-d+YE618OywSDOWiiULHENFEqzRmFVUFKPuPXnL1JubM=";
 
   doCheck = false;
 

pkgs/tools/security/prs/default.nix

@@ -12,16 +12,16 @@
 
 rustPlatform.buildRustPackage rec {
   pname = "prs";
-  version = "0.2.6";
+  version = "0.2.7";
 
   src = fetchFromGitLab {
     owner = "timvisee";
     repo = "prs";
     rev = "v${version}";
-    sha256 = "sha256-2fpR9XCcKby+hI7Dzpr2qi1QgOzdgJp0Um57tQmi01A=";
+    sha256 = "sha256-1Jrgf5UW6k0x3q6kQIB6Q7moOhConEnUU9r+21W5Uu8=";
   };
 
-  cargoSha256 = "sha256-0oWNGrJ24gPkPp5PR/pQ1tIYkXztQJFAdPz162V5THY=";
+  cargoSha256 = "sha256-N3pLW/OGeurrl+AlwdfbZ3T7WzEOAuyUMdIR164Xp7k=";
 
   postPatch = ''
     # The GPGME backend is recommended

pkgs/tools/video/play-with-mpv/default.nix

@@ -0,0 +1,35 @@
+{ lib, python3Packages, fetchFromGitHub, fetchurl, youtube-dl, git }:
+
+let
+  install_freedesktop = fetchurl {
+    url = "https://github.com/thann/install_freedesktop/tarball/2673e8da4a67bee0ffc52a0ea381a541b4becdd4";
+    sha256 = "0j8d5jdcyqbl5p6sc1ags86v3hr2sghmqqi99d1mvc064g90ckrv";
+  };
+in
+python3Packages.buildPythonApplication rec {
+  pname = "play-with-mpv";
+  version = "unstable-2020-05-18";
+
+  src = fetchFromGitHub {
+      owner = "thann";
+      repo = "play-with-mpv";
+      rev = "656448e03fe9de9e8bd21959f2a3b47c4acb8c3e";
+      sha256 = "1qma8b3lnkdhxdjsnrq7n9zgy53q62j4naaqqs07kjxbn72zb4p4";
+  };
+
+  nativeBuildInputs = [ git ];
+  propagatedBuildInputs = [ youtube-dl ];
+
+  postPatch = ''
+    substituteInPlace setup.py --replace \
+    '"https://github.com/thann/install_freedesktop/tarball/master#egg=install_freedesktop-0.2.0"' \
+    '"file://${install_freedesktop}#egg=install_freedesktop-0.2.0"'
+  '';
+
+  meta = with lib; {
+    description = "Chrome extension and python server that allows you to play videos in webpages with MPV instead";
+    homepage = "https://github.com/Thann/play-with-mpv";
+    license = licenses.mit;
+    maintainers = with maintainers; [ dawidsowa ];
+  };
+}

pkgs/top-level/all-packages.nix

@@ -1496,6 +1496,8 @@ in
 
   pebble = callPackage ../tools/admin/pebble { };
 
+  play-with-mpv = callPackage ../tools/video/play-with-mpv { };
+
   reattach-to-user-namespace = callPackage ../os-specific/darwin/reattach-to-user-namespace {};
 
   skhd = callPackage ../os-specific/darwin/skhd {
@@ -17785,6 +17787,8 @@ in
 
   zlib = callPackage ../development/libraries/zlib { };
 
+  zlib-ng = callPackage ../development/libraries/zlib-ng { };
+
   libdynd = callPackage ../development/libraries/libdynd { };
 
   zlog = callPackage ../development/libraries/zlog { };
@@ -18539,6 +18543,8 @@ in
   };
   pflogsumm = callPackage ../servers/mail/postfix/pflogsumm.nix { };
 
+  pomerium = callPackage ../servers/http/pomerium { };
+
   postgrey = callPackage ../servers/mail/postgrey { };
 
   pshs = callPackage ../servers/http/pshs { };
@@ -19893,7 +19899,7 @@ in
   });
 
   # The current default kernel / kernel modules.
-  linuxPackages = linuxPackages_5_4;
+  linuxPackages = linuxPackages_5_10;
   linux = linuxPackages.kernel;
 
   # Update this when adding the newest kernel major version!
@@ -23368,6 +23374,8 @@ in
     xcb-util-cursor = if stdenv.isDarwin then xcb-util-cursor-HEAD else xcb-util-cursor;
   };
 
+  i3-auto-layout = callPackage ../applications/window-managers/i3/auto-layout.nix { };
+
   i3-gaps = callPackage ../applications/window-managers/i3/gaps.nix { };
 
   i3altlayout = callPackage ../applications/window-managers/i3/altlayout.nix { };
@@ -28628,6 +28636,8 @@ in
 
   cryptoverif = callPackage ../applications/science/logic/cryptoverif { };
 
+  crypto-org-wallet = callPackage ../applications/blockchains/crypto-org-wallet.nix { };
+
   caprice32 = callPackage ../misc/emulators/caprice32 { };
 
   cubicle = callPackage ../applications/science/logic/cubicle {