Merge remote-tracking branch 'origin/staging-next' into staging

Conflicts:
- pkgs/os-specific/windows/mingw-w64/default.nix

.github/CODEOWNERS

@@ -67,6 +67,9 @@
 /nixos/lib/make-disk-image.nix                 @raitobezarius
 
 # Nix, the package manager
+# @raitobezarius is not "code owner", but is listed here to be notified of changes
+# pertaining to the Nix package manager.
+# i.e. no authority over those files.
 pkgs/tools/package-management/nix/                    @raitobezarius
 nixos/modules/installer/tools/nix-fallback-paths.nix  @raitobezarius
 

doc/build-helpers/special/makesetuphook.section.md

@@ -9,22 +9,40 @@ pkgs.makeSetupHook {
   name = "something-hook";
   propagatedBuildInputs = [ pkgs.commandsomething ];
   depsTargetTargetPropagated = [ pkgs.libsomething ];
-} ./script.sh
+} ./script.sh;
 ```
 
 ### setup hook that depends on the hello package and runs hello and @shell@ is substituted with path to bash {#sec-pkgs.makeSetupHook-usage-example}
 
 ```nix
-pkgs.makeSetupHook {
+pkgs.makeSetupHook
+  {
     name = "run-hello-hook";
-    propagatedBuildInputs = [ pkgs.hello ];
-    substitutions = { shell = "${pkgs.bash}/bin/bash"; };
-    passthru.tests.greeting = callPackage ./test { };
-    meta.platforms = lib.platforms.linux;
-} (writeScript "run-hello-hook.sh" ''
-    #!@shell@
-    hello
-'')
+    # Put dependencies here if they have hooks or necessary dependencies propagated
+    # otherwise prefer direct paths to executables.
+    propagatedBuildInputs = [
+      pkgs.hello
+      pkgs.cowsay
+    ];
+    substitutions = {
+      shell = "${pkgs.bash}/bin/bash";
+      cowsay = "${pkgs.cowsay}/bin/cowsay";
+    };
+  }
+  (
+    writeScript "run-hello-hook.sh" ''
+      #!@shell@
+      # the direct path to the executable has to be here because
+      # this will be run when the file is sourced
+      # at which point '$PATH' has not yet been populated with inputs
+      @cowsay@ cow
+
+      _printHelloHook() {
+        hello
+      }
+      preConfigureHooks+=(_printHelloHook)
+    ''
+  );
 ```
 
 ## Attributes {#sec-pkgs.makeSetupHook-attributes}

lib/default.nix

@@ -64,37 +64,38 @@ let
     # linux kernel configuration
     kernel = callLibs ./kernel.nix;
 
-    inherit (builtins) add addErrorContext attrNames concatLists
-      deepSeq elem elemAt filter genericClosure genList getAttr
-      hasAttr head isAttrs isBool isInt isList isPath isString length
-      lessThan listToAttrs pathExists readFile replaceStrings seq
-      stringLength sub substring tail trace;
+    # TODO: For consistency, all builtins should also be available from a sub-library;
+    # these are the only ones that are currently not
+    inherit (builtins) addErrorContext isPath trace;
     inherit (self.trivial) id const pipe concat or and xor bitAnd bitOr bitXor
       bitNot boolToString mergeAttrs flip mapNullable inNixShell isFloat min max
       importJSON importTOML warn warnIf warnIfNot throwIf throwIfNot checkListOfEnum
       info showWarnings nixpkgsVersion version isInOldestRelease
-      mod compare splitByAndCompare
+      mod compare splitByAndCompare seq deepSeq lessThan add sub
       functionArgs setFunctionArgs isFunction toFunction mirrorFunctionArgs
-      toHexString toBaseDigits inPureEvalMode;
+      toHexString toBaseDigits inPureEvalMode isBool isInt pathExists
+      genericClosure readFile;
     inherit (self.fixedPoints) fix fix' converge extends composeExtensions
       composeManyExtensions makeExtensible makeExtensibleWithCustomName;
     inherit (self.attrsets) attrByPath hasAttrByPath setAttrByPath
-      getAttrFromPath attrVals attrValues getAttrs catAttrs filterAttrs
+      getAttrFromPath attrVals attrNames attrValues getAttrs catAttrs filterAttrs
       filterAttrsRecursive foldlAttrs foldAttrs collect nameValuePair mapAttrs
       mapAttrs' mapAttrsToList attrsToList concatMapAttrs mapAttrsRecursive
       mapAttrsRecursiveCond genAttrs isDerivation toDerivation optionalAttrs
       zipAttrsWithNames zipAttrsWith zipAttrs recursiveUpdateUntil
       recursiveUpdate matchAttrs mergeAttrsList overrideExisting showAttrPath getOutput
       getBin getLib getDev getMan chooseDevOutputs zipWithNames zip
       recurseIntoAttrs dontRecurseIntoAttrs cartesianProduct cartesianProductOfSets
-      mapCartesianProduct updateManyAttrsByPath intersectAttrs removeAttrs;
+      mapCartesianProduct updateManyAttrsByPath listToAttrs hasAttr getAttr isAttrs intersectAttrs removeAttrs;
     inherit (self.lists) singleton forEach map foldr fold foldl foldl' imap0 imap1
-      ifilter0 concatMap flatten remove findSingle findFirst any all count
+      filter ifilter0 concatMap flatten remove findSingle findFirst any all count
       optional optionals toList range replicate partition zipListsWith zipLists
       reverseList listDfs toposort sort sortOn naturalSort compareLists take
       drop sublist last init crossLists unique allUnique intersectLists
-      subtractLists mutuallyExclusive groupBy groupBy';
+      subtractLists mutuallyExclusive groupBy groupBy' concatLists genList
+      length head tail elem elemAt isList;
     inherit (self.strings) concatStrings concatMapStrings concatImapStrings
+      stringLength substring isString replaceStrings
       intersperse concatStringsSep concatMapStringsSep
       concatImapStringsSep concatLines makeSearchPath makeSearchPathOutput
       makeLibraryPath makeIncludePath makeBinPath optionalString

lib/licenses.nix

@@ -530,6 +530,13 @@ in mkLicense lset) ({
     fullName = "Unspecified free software license";
   };
 
+  fsl11Mit = {
+    fullName = "Functional Source License, Version 1.1, MIT Future License";
+    url = "https://fsl.software/FSL-1.1-MIT.template.md";
+    free = false;
+    redistributable = true;
+  };
+
   ftl = {
     spdxId = "FTL";
     fullName = "Freetype Project License";

maintainers/maintainer-list.nix

@@ -1977,6 +1977,12 @@
     githubId = 12958979;
     name = "Mika Naylor";
   };
+  autra = {
+    email = "[email protected]";
+    github = "autra";
+    githubId = 1576598;
+    name = "Augustin Trancart";
+  };
   autrimpo = {
     email = "[email protected]";
     github = "autrimpo";
@@ -3956,6 +3962,12 @@
     githubId = 40290417;
     name = "Seb Blair";
   };
+  CompileTime = {
+    email = "[email protected]";
+    github = "Compile-Time";
+    githubId = 18414241;
+    name = "Andreas Erdes";
+  };
   confus = {
     email = "[email protected]";
     github = "con-f-use";
@@ -9971,6 +9983,12 @@
     githubId = 5802758;
     name = "Joshua Trees";
   };
+  jtszalay = {
+    email = "[email protected]";
+    github = "jtszalay";
+    githubId = 589502;
+    name = "James Szalay";
+  };
   juancmuller = {
     email = "[email protected]";
     githubId = 208500;
@@ -11636,6 +11654,13 @@
     githubId = 10626;
     name = "Andreas Wagner";
   };
+  lpchaim = {
+    email = "[email protected]";
+    matrix = "@lpchaim:matrix.org";
+    github = "lpchaim";
+    githubId = 4030336;
+    name = "Lucas Chaim";
+  };
   lpostula = {
     email = "[email protected]";
     github = "loispostula";
@@ -15797,6 +15822,12 @@
     githubId = 4303706;
     keys = [ { fingerprint = "B00F E582 FD3F 0732 EA48  3937 F558 14E4 D687 4375"; } ];
   };
+  pladypus = {
+    name = "Peter Loftus";
+    email = "[email protected]";
+    github = "pladypus";
+    githubId = 56337621;
+  };
   plchldr = {
     email = "[email protected]";
     github = "plchldr";
@@ -21539,12 +21570,6 @@
     githubId = 11740700;
     name = "Andrei Pampu";
   };
-  wolfangaukang = {
-    email = "[email protected]";
-    github = "WolfangAukang";
-    githubId = 8378365;
-    name = "P. R. d. O.";
-  };
   wolfgangwalther = {
     name = "Wolfgang Walther";
     email = "[email protected]";

nixos/doc/manual/release-notes/rl-2205.section.md

@@ -453,7 +453,7 @@ In addition to numerous new and upgraded packages, this release has the followin
 
     The new names are as follows:
     - `bindAddress`: [`services.keycloak.settings.http-host`](#opt-services.keycloak.settings.http-host)
-    - `forceBackendUrlToFrontendUrl`: [`services.keycloak.settings.hostname-strict-backchannel`](#opt-services.keycloak.settings.hostname-strict-backchannel)
+    - `forceBackendUrlToFrontendUrl`: `services.keycloak.settings.hostname-strict-backchannel`
     - `httpPort`: [`services.keycloak.settings.http-port`](#opt-services.keycloak.settings.http-port)
     - `httpsPort`: [`services.keycloak.settings.https-port`](#opt-services.keycloak.settings.https-port)
 

nixos/doc/manual/release-notes/rl-2411.section.md

@@ -23,6 +23,10 @@
 
 ## Backward Incompatibilities {#sec-release-24.11-incompatibilities}
 
+- `transmission` package has been aliased with a `trace` warning to `transmission_3`. Since [Transmission 4 has been released last year](https://github.com/transmission/transmission/releases/tag/4.0.0), and Transmission 3 will eventually go away, it was decided perform this warning alias to make people aware of the new version. The `services.transmission.package` defaults to `transmission_3` as well because the upgrade can cause data loss in certain specific usage patterns (examples: [#5153](https://github.com/transmission/transmission/issues/5153), [#6796](https://github.com/transmission/transmission/issues/6796)). Please make sure to back up to your data directory per your usage:
+  - `transmission-gtk`: `~/.config/transmission`
+  - `transmission-daemon` using NixOS module: `${config.services.transmission.home}/.config/transmission-daemon` (defaults to `/var/lib/transmission/.config/transmission-daemon`)
+
 - `androidenv.androidPkgs_9_0` has been removed, and replaced with `androidenv.androidPkgs` for a more complete Android SDK including support for Android 9 and later.
 
 - `wstunnel` has had a major version upgrade that entailed rewriting the program in Rust.
@@ -35,11 +39,19 @@
   Also be aware that if you have set additional options in `services.wstunnel.{clients,servers}.<name>.extraArgs`,
   that those might have been removed or modified upstream.
 
+- `clang-tools_<version>` packages have been moved into `llvmPackages_<version>` (i.e. `clang-tools_18` is now `llvmPackages_18.clang-tools`).
+  - For convenience, the top-level `clang-tools` attribute remains and is now bound to `llvmPackages.clang-tools`.
+  - Top-level `clang_tools_<version>` attributes are now aliases; these will be removed in a future release.
+
 - `nginx` package no longer includes `gd` and `geoip` dependencies. For enabling it, override `nginx` package with the optionals `withImageFilter` and `withGeoIP`.
 
 - `openssh` and `openssh_hpn` are now compiled without Kerberos 5 / GSSAPI support in an effort to reduce the attack surface of the components for the majority of users. Users needing this support can
   use the new `opensshWithKerberos` and `openssh_hpnWithKerberos` flavors (e.g. `programs.ssh.package = pkgs.openssh_gssapi`).
 
+- `security.ipa.ipaHostname` now defaults to the value of `networking.fqdn` if
+  it is set, instead of the previous hardcoded default of
+  `${networking.hostName}.${security.ipa.domain}`.
+
 - `nvimpager` was updated to version 0.13.0, which changes the order of user and
   nvimpager settings: user commands in `-c` and `--cmd` now override the
   respective default settings because they are executed later.
@@ -71,10 +83,19 @@
   for information on working around `output '...' is not allowed to refer to
   the following paths` errors caused by this change.
 
+- The `stalwart-mail` service now runs under the `stalwart-mail` system user
+  instead of a dynamically created one via `DynamicUser`, to avoid automatic
+  ownership changes on its large file store each time the service was started.
+  This change requires to manually move the state directory from
+  `/var/lib/private/stalwart-mail` to `/var/lib/stalwart-mail` and to
+  change the ownership of the directory and its content to `stalwart-mail`.
+
 - The `stalwart-mail` module now uses RocksDB as the default storage backend
   for `stateVersion` ≥ 24.11. (It was previously using SQLite for structured
   data and the filesystem for blobs).
 
+- `libe57format` has been updated to `>= 3.0.0`, which contains some backward-incompatible API changes. See the [release note](https://github.com/asmaloney/libE57Format/releases/tag/v3.0.0) for more details.
+
 - `zx` was updated to v8, which introduces several breaking changes.
   See the [v8 changelog](https://github.com/google/zx/releases/tag/8.0.0) for more information.
 
@@ -87,6 +108,9 @@
   services.portunus.ldap.package = pkgs.openldap.override { libxcrypt = pkgs.libxcrypt-legacy; };
   ```
 
+- `keycloak` was updated to version 25, which introduces new hostname related options.
+  See [Upgrading Guide](https://www.keycloak.org/docs/25.0.1/upgrading/#migrating-to-25-0-0) for instructions.
+
 - The `tracy` package no longer works on X11, since it's moved to Wayland
   support, which is the intended default behavior by Tracy maintainers.
   X11 users have to switch to the new package `tracy-x11`.

nixos/lib/make-disk-image.nix

@@ -603,10 +603,11 @@ let format' = format; in let
       ${lib.optionalString installBootLoader ''
         # In this throwaway resource, we only have /dev/vda, but the actual VM may refer to another disk for bootloader, e.g. /dev/vdb
         # Use this option to create a symlink from vda to any arbitrary device you want.
-        ${optionalString (config.boot.loader.grub.enable && config.boot.loader.grub.device != "/dev/vda") ''
-            mkdir -p $(dirname ${config.boot.loader.grub.device})
-            ln -s /dev/vda ${config.boot.loader.grub.device}
-        ''}
+        ${optionalString (config.boot.loader.grub.enable) (lib.concatMapStringsSep " " (device:
+          lib.optionalString (device != "/dev/vda") ''
+            mkdir -p "$(dirname ${device})"
+            ln -s /dev/vda ${device}
+          '') config.boot.loader.grub.devices)}
 
         # Set up core system link, bootloader (sd-boot, GRUB, uboot, etc.), etc.
 

nixos/modules/programs/wayland/hyprland.nix

@@ -63,7 +63,7 @@ in
 
       systemd = lib.mkIf cfg.systemd.setPath.enable {
         user.extraConfig = ''
-          DefaultEnvironment="PATH=$PATH:/run/current-system/sw/bin:/etc/profiles/per-user/%u/bin:/run/wrappers/bin"
+          DefaultEnvironment="PATH=/run/wrappers/bin:/etc/profiles/per-user/%u/bin:/nix/var/nix/profiles/default/bin:/run/current-system/sw/bin:$PATH"
         '';
       };
     }

nixos/modules/programs/xonsh.nix

@@ -23,7 +23,7 @@ in
       };
 
       package = lib.mkPackageOption pkgs "xonsh" {
-        example = "xonsh.override { extraPackages = ps: [ ps.requests ]; }";
+        example = "xonsh.wrapper.override { extraPackages = ps: [ ps.requests ]; }";
       };
 
       config = lib.mkOption {
@@ -61,17 +61,14 @@ in
               aliases['ls'] = _ls_alias
           del _ls_alias
 
-
       ${cfg.config}
     '';
 
     environment.systemPackages = [ cfg.package ];
 
-    environment.shells =
-      [ "/run/current-system/sw/bin/xonsh"
-        "${cfg.package}/bin/xonsh"
-      ];
-
+    environment.shells = [
+      "/run/current-system/sw/bin/xonsh"
+      "${lib.getExe cfg.package}"
+    ];
   };
-
 }

nixos/modules/security/ipa.nix

@@ -85,6 +85,18 @@ in {
         description = "Whether to cache credentials.";
       };
 
+      ipaHostname = mkOption {
+        type = types.str;
+        example = "myworkstation.example.com";
+        default = if config.networking.domain != null then config.networking.fqdn
+                  else "${config.networking.hostName}.${cfg.domain}";
+        defaultText = literalExpression ''
+          if config.networking.domain != null then config.networking.fqdn
+          else "''${networking.hostName}.''${security.ipa.domain}"
+        '';
+        description = "Fully-qualified hostname used to identify this host in the IPA domain.";
+      };
+
       ifpAllowedUids = mkOption {
         type = types.listOf types.str;
         default = ["root"];
@@ -218,7 +230,7 @@ in {
 
       ipa_domain = ${cfg.domain}
       ipa_server = _srv_, ${cfg.server}
-      ipa_hostname = ${config.networking.hostName}.${cfg.domain}
+      ipa_hostname = ${cfg.ipaHostname}
 
       cache_credentials = ${pyBool cfg.cacheCredentials}
       krb5_store_password_if_offline = ${pyBool cfg.offlinePasswords}
@@ -232,7 +244,6 @@ in {
       ldap_user_extra_attrs = mail:mail, sn:sn, givenname:givenname, telephoneNumber:telephoneNumber, lock:nsaccountlock
 
       [sssd]
-      debug_level = 65510
       services = nss, sudo, pam, ssh, ifp
       domains = ${cfg.domain}
 
@@ -244,7 +255,6 @@ in {
       pam_verbosity = 3
 
       [sudo]
-      debug_level = 65510
 
       [autofs]
 

nixos/modules/services/cluster/kubernetes/default.nix

@@ -261,7 +261,7 @@ in {
           name = "service-account";
           CN = "system:service-account-signer";
           action = ''
-            systemctl reload \
+            systemctl restart \
               kube-apiserver.service \
               kube-controller-manager.service
           '';

nixos/modules/services/continuous-integration/jenkins/default.nix

@@ -237,6 +237,8 @@ in {
       serviceConfig = {
         User = cfg.user;
         StateDirectory = mkIf (hasPrefix "/var/lib/jenkins" cfg.home) "jenkins";
+        # For (possible) socket use
+        RuntimeDirectory = "jenkins";
       };
     };
   };