Merge branch 'master' into staging-next

Fixes eval on darwin after #69072

Resolved conflict in pkgs/tools/security/thc-hydra/default.nix
Basically had to revert a1c0e10564 which
adapts #69210 to master that doesn't yet have
329a88efa7

Tested using maintainers/scripts/eval-release.sh before and after to see
that the fix works

maintainers/maintainer-list.nix

@@ -1480,6 +1480,16 @@
     github = "davidrusu";
     name = "David Rusu";
   };
+  davidtwco = {
+    email = "nix@david.davidtw.co";
+    github = "davidtwco";
+    githubId = 1295100;
+    name = "David Wood";
+    keys = [{
+      longkeyid = "rsa4096/0x01760B4F9F53F154";
+      fingerprint = "5B08 313C 6853 E5BF FA91  A817 0176 0B4F 9F53 F154";
+    }];
+  };
   davorb = {
     email = "davor@davor.se";
     github = "davorb";
@@ -5370,6 +5380,12 @@
     github = "rickynils";
     name = "Rickard Nilsson";
   };
+  rileyinman = {
+    email = "rileyminman@gmail.com";
+    github = "rileyinman";
+    githubId = 37246692;
+    name = "Riley Inman";
+  };
   ris = {
     email = "code@humanleg.org.uk";
     github = "risicle";

maintainers/scripts/nix-generate-from-cpan.pl

@@ -226,7 +226,7 @@ sub pkg_to_attr {
 
 sub get_pkg_name {
     my ($module) = @_;
-    return $module->package_name . '-' . $module->package_version;
+    return ( $module->package_name, $module->package_version =~ s/^v(\d)/$1/r );
 }
 
 sub read_meta {
@@ -375,13 +375,13 @@ die "module $module_name not found\n" if scalar @modules == 0;
 die "multiple packages that match module $module_name\n" if scalar @modules > 1;
 my $module = $modules[0];
 
-my $pkg_name  = get_pkg_name $module;
+my ($pkg_name, $pkg_version) = get_pkg_name $module;
 my $attr_name = pkg_to_attr $module;
 
 INFO( "attribute name: ", $attr_name );
 INFO( "module: ",         $module->module );
 INFO( "version: ",        $module->version );
-INFO( "package: ", $module->package, " (", $pkg_name, ", ", $attr_name, ")" );
+INFO( "package: ", $module->package, " (", "$pkg_name-$pkg_version", ", ", $attr_name, ")" );
 INFO( "path: ",    $module->path );
 
 my $tar_path = $module->fetch();
@@ -436,10 +436,11 @@ my $build_fun = -e "$pkg_path/Build.PL"
 print STDERR "===\n";
 
 print <<EOF;
-  ${\(is_reserved($attr_name) ? "\"$attr_name\"" : $attr_name)} = $build_fun rec {
-    name = "$pkg_name";
+  ${\(is_reserved($attr_name) ? "\"$attr_name\"" : $attr_name)} = $build_fun {
+    pname = "$pkg_name";
+    version = "$pkg_version";
     src = fetchurl {
-      url = "mirror://cpan/${\$module->path}/\${name}.${\$module->package_extension}";
+      url = "mirror://cpan/${\$module->path}/${\$module->package}";
       sha256 = "${\$module->status->checksum_value}";
     };
 EOF

nixos/doc/manual/installation/installing-nspawn-container.xml

@@ -0,0 +1,37 @@
+<section xmlns="http://docbook.org/ns/docbook"
+         version="5.0"
+         xml:id="sec-installing-nspawn-container">
+ <title>Installing into a nspawn container</title>
+
+ <para>
+  For installing a NixOS into a systemd nspawn container the NixOS installation tools are needed.
+  If you run another distribution than NixOS on your host,
+  please follow <xref linkend="sec-installing-from-other-distro"/> steps 1, 2, and 3.
+ </para>
+
+ <para>
+  Create a NixOS configuration file <filename>/var/lib/machines/my-container/etc/nixos/configuration.nix</filename>.
+  It is important that the container root file system is under <filename>/var/lib/machines</filename>.
+  This is the standard location where <command>machinectl</command> will look for containers.
+  If you choose place the root into another location you need to start the container directly with <command>systemd-nspawn</command>.
+  The file needs to have at least following options enabled:
+<programlisting>
+<xref linkend="opt-boot.isContainer"/> = true;
+<xref linkend="opt-boot.loader.initScript.enable"/> = true;
+</programlisting>
+  If your host uses <command>systemd-networkd</command> to configure the network,
+  you can also enable <xref linkend="opt-networking.useNetworkd"/> to use networkd default network configuration for your host and container.
+ </para>
+
+ <para>
+  Install the container by running following command:
+   <screen>nixos-install --root /var/lib/machines/my-container \
+     --no-channel-copy --no-root-passwd --no-bootloader</screen>
+ </para>
+
+ <para>
+  Start the container by running following command:
+  <screen>machinectl start my-container</screen>
+ </para>
+
+</section>

nixos/doc/manual/installation/installing.xml

@@ -563,5 +563,8 @@ Retype new UNIX password: ***</screen>
   <xi:include href="installing-from-other-distro.xml" />
 
   <xi:include href="installing-behind-a-proxy.xml" />
+
+  <xi:include href="installing-nspawn-container.xml" />
+
  </section>
 </chapter>

nixos/doc/manual/release-notes/rl-1909.xml

@@ -484,6 +484,35 @@
        (<literal>citrix_workspace</literal>).
      </para>
    </listitem>
+   <listitem>
+     <para>
+       The <literal>services.gitlab</literal> module has had its literal secret options (<option>services.gitlab.smtp.password</option>,
+       <option>services.gitlab.databasePassword</option>,
+       <option>services.gitlab.initialRootPassword</option>,
+       <option>services.gitlab.secrets.secret</option>,
+       <option>services.gitlab.secrets.db</option>,
+       <option>services.gitlab.secrets.otp</option> and
+       <option>services.gitlab.secrets.jws</option>) replaced by file-based versions (<option>services.gitlab.smtp.passwordFile</option>,
+       <option>services.gitlab.databasePasswordFile</option>,
+       <option>services.gitlab.initialRootPasswordFile</option>,
+       <option>services.gitlab.secrets.secretFile</option>,
+       <option>services.gitlab.secrets.dbFile</option>,
+       <option>services.gitlab.secrets.otpFile</option> and
+       <option>services.gitlab.secrets.jwsFile</option>). This was done so that secrets aren't stored
+       in the world-readable nix store, but means that for each option you'll have to create a file with
+       the same exact string, add "File" to the end of the option name, and change the definition to a
+       string pointing to the corresponding file; e.g. <literal>services.gitlab.databasePassword = "supersecurepassword"</literal>
+       becomes <literal>services.gitlab.databasePasswordFile = "/path/to/secret_file"</literal> where the
+       file <literal>secret_file</literal> contains the string <literal>supersecurepassword</literal>.
+     </para>
+     <para>
+       The state path (<option>services.gitlab.statePath</option>) now has the following restriction:
+       no parent directory can be owned by any other user than <literal>root</literal> or the user
+       specified in <option>services.gitlab.user</option>; i.e. if <option>services.gitlab.statePath</option>
+       is set to <literal>/var/lib/gitlab/state</literal>, <literal>gitlab</literal> and all parent directories
+       must be owned by either <literal>root</literal> or the user specified in <option>services.gitlab.user</option>.
+     </para>
+   </listitem>
   </itemizedlist>
  </section>
 

nixos/modules/installer/tools/nixos-install.sh

@@ -132,8 +132,9 @@ if [[ -z $noBootLoader ]]; then
     echo "installing the boot loader..."
     # Grub needs an mtab.
     ln -sfn /proc/mounts $mountPoint/etc/mtab
-    NIXOS_INSTALL_BOOTLOADER=1 nixos-enter --root "$mountPoint" -- /run/current-system/bin/switch-to-configuration boot
+    export NIXOS_INSTALL_BOOTLOADER=1
 fi
+nixos-enter --root "$mountPoint" -- /run/current-system/bin/switch-to-configuration boot
 
 # Ask the user to set a root password, but only if the passwd command
 # exists (i.e. when mutable user accounts are enabled).

nixos/modules/module-list.nix

@@ -328,6 +328,7 @@
   ./services/hardware/bluetooth.nix
   ./services/hardware/bolt.nix
   ./services/hardware/brltty.nix
+  ./services/hardware/fancontrol.nix
   ./services/hardware/freefall.nix
   ./services/hardware/fwupd.nix
   ./services/hardware/illum.nix

nixos/modules/rename.nix

@@ -66,6 +66,8 @@ with lib;
 
     (mkRenamedOptionModule [ "services" "clamav" "updater" "config" ] [ "services" "clamav" "updater" "extraConfig" ])
 
+    (mkRemovedOptionModule [ "services" "pykms" "verbose" ] "Use services.pykms.logLevel instead")
+
     (mkRemovedOptionModule [ "security" "setuidOwners" ] "Use security.wrappers instead")
     (mkRemovedOptionModule [ "security" "setuidPrograms" ] "Use security.wrappers instead")
 

nixos/modules/services/amqp/rabbitmq.nix

@@ -80,12 +80,10 @@ in {
       configItems = mkOption {
         default = {};
         type = types.attrsOf types.str;
-        example = ''
-          {
-            "auth_backends.1.authn" = "rabbit_auth_backend_ldap";
-            "auth_backends.1.authz" = "rabbit_auth_backend_internal";
-          }
-        '';
+        example = {
+          "auth_backends.1.authn" = "rabbit_auth_backend_ldap";
+          "auth_backends.1.authz" = "rabbit_auth_backend_internal";
+        };
         description = ''
           Configuration options in RabbitMQ's new config file format,
           which is a simple key-value format that can not express nested

nixos/modules/services/hardware/fancontrol.nix

@@ -0,0 +1,46 @@
+{ config, lib, pkgs, ... }:
+
+with lib;
+
+let
+  cfg = config.hardware.fancontrol;
+  configFile = pkgs.writeText "fan.conf" cfg.config;
+
+in {
+
+  options.hardware.fancontrol = {
+    enable = mkEnableOption "fancontrol (requires fancontrol.config)";
+
+    config = mkOption {
+      type = types.lines;
+      default = null;
+      example = ''
+        # Configuration file generated by pwmconfig
+        INTERVAL=1
+        DEVPATH=hwmon0=devices/platform/nct6775.656 hwmon1=devices/pci0000:00/0000:00:18.3
+        DEVNAME=hwmon0=nct6779 hwmon1=k10temp
+        FCTEMPS=hwmon0/pwm2=hwmon1/temp1_input
+        FCFANS=hwmon0/pwm2=hwmon0/fan2_input
+        MINTEMP=hwmon0/pwm2=25
+        MAXTEMP=hwmon0/pwm2=60
+        MINSTART=hwmon0/pwm2=25
+        MINSTOP=hwmon0/pwm2=10
+        MINPWM=hwmon0/pwm2=0
+        MAXPWM=hwmon0/pwm2=255
+      '';
+      description = "Contents for configuration file. See <citerefentry><refentrytitle>pwmconfig</refentrytitle><manvolnum>8</manvolnum></citerefentry>.";
+    };
+  };
+
+
+  config = mkIf cfg.enable {
+    systemd.services.fancontrol = {
+      description = "Fan speed control from lm_sensors";
+      wantedBy = [ "multi-user.target" ];
+      serviceConfig = {
+        Type = "simple";
+        ExecStart = "${pkgs.lm_sensors}/bin/fancontrol ${configFile}";
+      };
+    };
+  };
+}

nixos/modules/services/misc/gitlab.nix

@@ -223,7 +223,15 @@ in {
       statePath = mkOption {
         type = types.str;
         default = "/var/gitlab/state";
-        description = "Gitlab state directory, logs are stored here.";
+        description = ''
+          Gitlab state directory. Configuration, repositories and
+          logs, among other things, are stored here.
+
+          The directory will be created automatically if it doesn't
+          exist already. Its parent directories must be owned by
+          either <literal>root</literal> or the user set in
+          <option>services.gitlab.user</option>.
+        '';
       };
 
       backupPath = mkOption {

nixos/modules/services/misc/home-assistant.nix

@@ -224,6 +224,7 @@ in {
         KillSignal = "SIGINT";
         PrivateTmp = true;
         RemoveIPC = true;
+        AmbientCapabilities = "cap_net_raw,cap_net_admin+eip";
       };
       path = [
         "/run/wrappers" # needed for ping

nixos/modules/services/misc/pykms.nix

@@ -4,6 +4,7 @@ with lib;
 
 let
   cfg = config.services.pykms;
+  libDir = "/var/lib/pykms";
 
 in {
   meta.maintainers = with lib.maintainers; [ peterhoeg ];
@@ -28,12 +29,6 @@ in {
         description = "The port on which to listen.";
       };
 
-      verbose = mkOption {
-        type = types.bool;
-        default = false;
-        description = "Show verbose output.";
-      };
-
       openFirewallPort = mkOption {
         type = types.bool;
         default = false;
@@ -45,30 +40,44 @@ in {
         default = "64M";
         description = "How much memory to use at most.";
       };
+
+      logLevel = mkOption {
+        type = types.enum [ "CRITICAL" "ERROR" "WARNING" "INFO" "DEBUG" "MINI" ];
+        default = "INFO";
+        description = "How much to log";
+      };
+
+      extraArgs = mkOption {
+        type = types.listOf types.str;
+        default = [];
+        description = "Additional arguments";
+      };
     };
   };
 
   config = mkIf cfg.enable {
     networking.firewall.allowedTCPPorts = lib.mkIf cfg.openFirewallPort [ cfg.port ];
 
-    systemd.services.pykms = let
-      home = "/var/lib/pykms";
-    in {
+    systemd.services.pykms = {
       description = "Python KMS";
       after = [ "network.target" ];
       wantedBy = [ "multi-user.target" ];
       # python programs with DynamicUser = true require HOME to be set
-      environment.HOME = home;
+      environment.HOME = libDir;
       serviceConfig = with pkgs; {
         DynamicUser = true;
-        StateDirectory = baseNameOf home;
-        ExecStartPre = "${getBin pykms}/bin/create_pykms_db.sh ${home}/clients.db";
+        StateDirectory = baseNameOf libDir;
+        ExecStartPre = "${getBin pykms}/libexec/create_pykms_db.sh ${libDir}/clients.db";
         ExecStart = lib.concatStringsSep " " ([
-          "${getBin pykms}/bin/server.py"
+          "${getBin pykms}/bin/server"
+          "--logfile STDOUT"
+          "--loglevel ${cfg.logLevel}"
+        ] ++ cfg.extraArgs ++ [
           cfg.listenAddress
           (toString cfg.port)
-        ] ++ lib.optional cfg.verbose "--verbose");
-        WorkingDirectory = home;
+        ]);
+        ProtectHome = "tmpfs";
+        WorkingDirectory = libDir;
         Restart = "on-failure";
         MemoryLimit = cfg.memoryLimit;
       };

nixos/modules/services/monitoring/zabbix-server.nix

@@ -30,6 +30,7 @@ let
     DBUser = ${cfg.database.user}
     ${optionalString (cfg.database.passwordFile != null) "Include ${passwordFile}"}
     ${optionalString (mysqlLocal && cfg.database.socket != null) "DBSocket = ${cfg.database.socket}"}
+    PidFile = ${runtimeDir}/zabbix_server.pid
     SocketDir = ${runtimeDir}
     FpingLocation = /run/wrappers/bin/fping
     ${optionalString (cfg.modules != {}) "LoadModulePath = ${moduleEnv}/lib"}

nixos/modules/system/activation/activation-script.nix

@@ -184,7 +184,14 @@ in
         find /var/empty -mindepth 1 -delete
         chmod 0555 /var/empty
         chown root:root /var/empty
+
+        ${ # reasons for not setting immutable flag:
+           # 1. flag is not changeable inside a container
+           # 2. systemd-nspawn can not perform chown in case of --private-users-chown
+           #    then the owner is nobody and ssh will not start
+          optionalString (!config.boot.isContainer) ''
         ${pkgs.e2fsprogs}/bin/chattr -f +i /var/empty || true
+          ''}
       '';
 
     system.activationScripts.usrbinenv = if config.environment.usrbinenv != null

nixos/modules/tasks/network-interfaces-systemd.nix

@@ -12,7 +12,7 @@ let
     i.ipv4.addresses
     ++ optionals cfg.enableIPv6 i.ipv6.addresses;
 
-  dhcpStr = useDHCP: if useDHCP == true || useDHCP == null then "both" else "no";
+  dhcpStr = useDHCP: if useDHCP == true || useDHCP == null then "yes" else "no";
 
   slaves =
     concatLists (map (bond: bond.interfaces) (attrValues cfg.bonds))

nixos/modules/virtualisation/container-config.nix

@@ -10,7 +10,7 @@ with lib;
     services.udisks2.enable = mkDefault false;
     powerManagement.enable = mkDefault false;
 
-    networking.useHostResolvConf = mkDefault true;
+    networking.useHostResolvConf = mkDefault (!config.services.resolved.enable);
 
     # Containers should be light-weight, so start sshd on demand.
     services.openssh.startWhenNeeded = mkDefault true;

nixos/tests/all-tests.nix

@@ -262,6 +262,7 @@ in
   syncthing-relay = handleTest ./syncthing-relay.nix {};
   systemd = handleTest ./systemd.nix {};
   systemd-confinement = handleTest ./systemd-confinement.nix {};
+  systemd-machinectl = handleTest ./systemd-machinectl.nix {};
   systemd-timesyncd = handleTest ./systemd-timesyncd.nix {};
   systemd-networkd-wireguard = handleTest ./systemd-networkd-wireguard.nix {};
   pdns-recursor = handleTest ./pdns-recursor.nix {};

nixos/tests/systemd-machinectl.nix

@@ -0,0 +1,52 @@
+import ./make-test.nix (let
+
+  container = { ... }: {
+    boot.isContainer = true;
+
+    # use networkd to obtain systemd network setup
+    networking.useNetworkd = true;
+
+    # systemd-nspawn expects /sbin/init
+    boot.loader.initScript.enable = true;
+
+    imports = [ ../modules/profiles/minimal.nix ];
+  };
+
+  containerSystem = (import ../lib/eval-config.nix {
+    modules = [ container ];
+  }).config.system.build.toplevel;
+
+  containerName = "container";
+  containerRoot = "/var/lib/machines/${containerName}";
+
+in {
+  name = "systemd-machinectl";
+
+  machine = { lib, ... }: {
+    # use networkd to obtain systemd network setup
+    networking.useNetworkd = true;
+
+    # open DHCP server on interface to container
+    networking.firewall.trustedInterfaces = [ "ve-+" ];
+
+    # do not try to access cache.nixos.org
+    nix.binaryCaches = lib.mkForce [];
+
+    virtualisation.pathsInNixDB = [ containerSystem ];
+  };
+
+  testScript = ''
+    startAll;
+
+    $machine->waitForUnit("default.target");
+    $machine->succeed("mkdir -p ${containerRoot}");
+    $machine->succeed("nixos-install --root ${containerRoot} --system ${containerSystem} --no-channel-copy --no-root-passwd --no-bootloader");
+
+    $machine->succeed("machinectl start ${containerName}");
+    $machine->waitUntilSucceeds("systemctl -M ${containerName} is-active default.target");
+    $machine->succeed("ping -n -c 1 ${containerName}");
+    $machine->succeed("test `stat ${containerRoot}/var/empty -c %u%g` != 00");
+
+    $machine->succeed("machinectl stop ${containerName}");
+  '';
+})

pkgs/applications/audio/paulstretch/default.nix

@@ -1,5 +1,7 @@
-{ stdenv, fetchFromGitHub, audiofile, libvorbis, fltk, fftw, fftwFloat,
-minixml, pkgconfig, libmad, libjack2, portaudio, libsamplerate }:
+{ stdenv, fetchFromGitHub, fetchpatch
+, audiofile, libvorbis, fltk, fftw, fftwFloat
+, minixml, pkgconfig, libmad, libjack2, portaudio, libsamplerate
+}:
 
 stdenv.mkDerivation {
   pname = "paulstretch";
@@ -27,6 +29,13 @@ stdenv.mkDerivation {
     libsamplerate
   ];
 
+  patches = [
+    (fetchpatch {
+      url = "https://github.com/paulnasca/paulstretch_cpp/pull/12.patch";
+      sha256 = "0lx1rfrs53afkiz1drp456asqgj5yv6hx3lkc01165cv1jsbw6q4";
+    })
+  ];
+
   buildPhase = ''
     bash compile_linux_fftw_jack.sh
   '';

pkgs/applications/audio/picard/default.nix

@@ -4,13 +4,13 @@ let
   pythonPackages = python3Packages;
 in pythonPackages.buildPythonApplication rec {
   pname = "picard";
-  version = "2.1.3";
+  version = "2.2.1";
 
   src = fetchFromGitHub {
     owner = "metabrainz";
     repo = pname;
     rev = "release-${version}";
-    sha256 = "1armg8vpvnbpk7rrfk9q7nj5gm56rza00ni9qwdyqpxp1xaz6apj";
+    sha256 = "1g7pbicf65hswbqmhrwlba9jm4r2vnggy7vy75z4256y7qcpwdfd";
   };
 
   nativeBuildInputs = [ gettext qt5.wrapQtAppsHook qt5.qtbase ];

pkgs/applications/editors/jetbrains/default.nix

@@ -201,11 +201,11 @@ let
         platforms = platforms.linux;
       };
     }) (attrs: {
-      patchPhase = attrs.patchPhase + ''
+      patchPhase = lib.optionalString (!stdenv.isDarwin) (attrs.patchPhase + ''
         # Patch built-in mono for ReSharperHost to start successfully
         interpreter=$(echo ${stdenv.glibc.out}/lib/ld-linux*.so.2)
         patchelf --set-interpreter "$interpreter" lib/ReSharperHost/linux-x64/mono/bin/mono-sgen
-      '';
+      '');
     });
 
   buildRubyMine = { name, version, src, license, description, wmClass, ... }:

pkgs/applications/graphics/djview/default.nix

@@ -1,8 +1,16 @@
-{ stdenv, fetchurl, pkgconfig
-, djvulibre, qt4, xorg, libtiff
-, darwin }:
+{ stdenv
+, mkDerivation
+, fetchurl
+, pkgconfig
+, djvulibre
+, qtbase
+, qttools
+, xorg
+, libtiff
+, darwin
+}:
 
-stdenv.mkDerivation rec {
+mkDerivation rec {
   pname = "djview";
   version = "4.10.6";
 
@@ -11,20 +19,56 @@ stdenv.mkDerivation rec {
     sha256 = "08bwv8ppdzhryfcnifgzgdilb12jcnivl4ig6hd44f12d76z6il4";
   };
 
-  nativeBuildInputs = [ pkgconfig ];
+  nativeBuildInputs = [
+    pkgconfig
+    qttools
+  ];
 
-  buildInputs = [ djvulibre qt4 xorg.libXt libtiff ]
-  ++ stdenv.lib.optionals stdenv.isDarwin [ darwin.apple_sdk.frameworks.AGL ];
+  buildInputs = [
+    djvulibre
+    qtbase
+    xorg.libXt
+    libtiff
+  ] ++ stdenv.lib.optional stdenv.isDarwin darwin.apple_sdk.frameworks.AGL;
+
+  configureFlags = [
+    "--disable-silent-rules"
+    "--disable-dependency-tracking"
+    "--with-x"
+    "--with-tiff"
+    # NOTE: 2019-09-19: experimental "--enable-npdjvu" fails
+  ] ++ stdenv.lib.optional stdenv.isDarwin "--enable-mac";
 
   passthru = {
     mozillaPlugin = "/lib/mozilla/plugins";
   };
 
   meta = with stdenv.lib; {
-    homepage = http://djvu.sourceforge.net/djview4.html;
-    description = "A portable DjVu viewer and browser plugin";
+    description = "A portable DjVu viewer (Qt5) and browser (nsdejavu) plugin";
+    homepage = "http://djvu.sourceforge.net/djview4.html";
     license = licenses.gpl2;
     platforms = platforms.unix;
-    maintainers = [ ];
+    maintainers = with maintainers; [ Anton-Latukha ];
+    longDescription = ''
+      The portable DjVu viewer (Qt5) and browser (nsdejavu) plugin.
+
+      Djview highlights:
+        - entirely based on the public DjVulibre api.
+        - entirely written in portable Qt5.
+        - works natively under Unix/X11, MS Windows, and macOS X.
+        - continuous scrolling of pages
+        - side-by-side display of pages
+        - ability to specify a url to the djview command
+        - all plugin and cgi options available from the command line
+        - all silly annotations implemented
+        - display thumbnails as a grid
+        - display outlines
+        - page names supported (see djvused command set-page-title)
+        - metadata dialog (see djvused command set-meta)
+        - implemented as reusable Qt widgets
+
+      nsdejavu: browser plugin for DjVu. It internally uses djview.
+      Has CGI-style arguments to configure the view of document (see man).
+    '';
   };
 }

pkgs/applications/misc/dbeaver/default.nix

@@ -7,7 +7,7 @@
 
 stdenv.mkDerivation rec {
   pname = "dbeaver-ce";
-  version = "6.1.5";
+  version = "6.2.1";
 
   desktopItem = makeDesktopItem {
     name = "dbeaver";
@@ -30,7 +30,7 @@ stdenv.mkDerivation rec {
 
   src = fetchurl {
     url = "https://dbeaver.io/files/${version}/dbeaver-ce-${version}-linux.gtk.x86_64.tar.gz";
-    sha256 = "0lkycm1152wd56i1hjq7q3sd05h51fyz99qr2n65lwi33vz2qk9m";
+    sha256 = "1ix6isahpk7zk741wdx5cf4i13wc5gp0j1gj4ja80bzfswbc38na";
   };
 
   installPhase = ''

pkgs/applications/misc/ipmiview/default.nix

@@ -1,33 +1,72 @@
-{ stdenv, fetchurl, patchelf, makeWrapper, xorg, gcc, gcc-unwrapped }:
+{ stdenv
+, fetchurl
+, makeDesktopItem
+, makeWrapper
+, patchelf
+, fontconfig
+, freetype
+, gcc
+, gcc-unwrapped
+, iputils
+, psmisc
+, xorg }:
 
 stdenv.mkDerivation rec {
-   pname = "IPMIView";
-   version = "2.14.0";
-   buildVersion = "180213";
+  pname = "IPMIView";
+  version = "2.16.0";
+  buildVersion = "190815";
 
-   src = fetchurl {
-    url = "ftp://ftp.supermicro.com/utility/IPMIView/Linux/IPMIView_${version}_build.${buildVersion}_bundleJRE_Linux_x64.tar.gz";
-    sha256 = "1wp22wm7smlsb25x0cck4p660cycfczxj381930crd1qrf68mw4h";
+  src = fetchurl {
+    url = "https://www.supermicro.com/wftp/utility/IPMIView/Linux/IPMIView_${version}_build.${buildVersion}_bundleJRE_Linux_x64.tar.gz";
+    sha256 = "0qw9zfnj0cyvab7ndamlw2y0gpczjhh1jkz8340kl42r2xmhkvpl";
   };
 
-   nativeBuildInputs = [ patchelf makeWrapper ];
+  nativeBuildInputs = [ patchelf makeWrapper ];
+  buildPhase = with xorg;
+    let
+      stunnelBinary = if stdenv.hostPlatform.system == "x86_64-linux" then "linux/stunnel64"
+      else if stdenv.hostPlatform.system == "i686-linux" then "linux/stunnel32"
+      else throw "IPMIView is not supported on this platform";
+    in
+  ''
+    patchelf --set-rpath "${stdenv.lib.makeLibraryPath [ libX11 libXext libXrender libXtst libXi ]}" ./jre/lib/amd64/libawt_xawt.so
+    patchelf --set-rpath "${stdenv.lib.makeLibraryPath [ freetype ]}" ./jre/lib/amd64/libfontmanager.so
+    patchelf --set-rpath "${gcc-unwrapped.lib}/lib" ./libiKVM64.so
+    patchelf --set-rpath "${gcc.cc}/lib:$out/jre/lib/amd64/jli" --set-interpreter "$(cat $NIX_CC/nix-support/dynamic-linker)" ./jre/bin/java
+    patchelf --set-interpreter "$(cat $NIX_CC/nix-support/dynamic-linker)" ./BMCSecurity/${stunnelBinary}
+  '';
 
-   buildPhase = with xorg; ''
-     patchelf --set-rpath "${stdenv.lib.makeLibraryPath [ libX11 libXext libXrender libXtst libXi ]}" ./jre/lib/amd64/xawt/libmawt.so
-     patchelf --set-rpath "${gcc-unwrapped.lib}/lib" ./libiKVM64.so
-     patchelf --set-rpath "${stdenv.lib.makeLibraryPath [ libXcursor libX11 libXext libXrender libXtst libXi ]}" --set-interpreter "$(cat $NIX_CC/nix-support/dynamic-linker)" ./jre/bin/javaws
-     patchelf --set-rpath "${gcc.cc}/lib:$out/jre/lib/amd64/jli" --set-interpreter "$(cat $NIX_CC/nix-support/dynamic-linker)" ./jre/bin/java
-   '';
+  desktopItem = makeDesktopItem rec {
+    name = "IPMIView";
+    exec = "IPMIView";
+    desktopName = name;
+    genericName = "Supermicro BMC manager";
+    categories = "Network;Configuration";
+  };
+
+  installPhase = ''
+    mkdir -p $out/bin
+    cp -R . $out/
 
-   installPhase = ''
-     mkdir -p $out/bin
-     cp -R . $out/
-     makeWrapper $out/jre/bin/java $out/bin/IPMIView \
-       --prefix PATH : "$out/jre/bin" \
-       --add-flags "-jar $out/IPMIView20.jar"
-   '';
+    ln -s ${desktopItem}/share $out/share
 
-   meta = with stdenv.lib; {
+    # LD_LIBRARY_PATH: fontconfig is used from java code
+    # PATH: iputils is used for ping, and psmisc is for killall
+    # WORK_DIR: unfortunately the ikvm related binaries are loaded from
+    #           and user configuration is written to files in the CWD
+    makeWrapper $out/jre/bin/java $out/bin/IPMIView \
+      --set LD_LIBRARY_PATH "${stdenv.lib.makeLibraryPath [ fontconfig ]}" \
+      --prefix PATH : "$out/jre/bin:${iputils}/bin:${psmisc}/bin" \
+      --add-flags "-jar $out/IPMIView20.jar" \
+      --run 'WORK_DIR=''${XDG_DATA_HOME:-~/.local/share}/ipmiview
+             mkdir -p $WORK_DIR
+             ln -snf '$out'/iKVM.jar '$out'/libiKVM* '$out'/libSharedLibrary* $WORK_DIR
+             cd $WORK_DIR'
+  '';
+
+  meta = with stdenv.lib; {
     license = licenses.unfree;
-   };
-  }
+    maintainers = with maintainers; [ vlaci ];
+    platforms = [ "x86_64-linux" "i686-linux" ];
+  };
+}

pkgs/applications/misc/pastel/default.nix

@@ -0,0 +1,25 @@
+{ stdenv, fetchFromGitHub, rustPlatform, Security }:
+
+rustPlatform.buildRustPackage rec {
+  pname = "pastel";
+  version = "0.5.3";
+
+  src = fetchFromGitHub {
+    owner = "sharkdp";
+    repo = pname;
+    rev = "v${version}";
+    sha256 = "0f54p3pzfp7xrwlqn61l7j41vmgcfph3bhq2khxh5apfwwdx9nng";
+  };
+
+  cargoSha256 = "05yvlm7z3zfn8qd8nb9zpch9xsfzidrpyrgg2vij3h3q095mdm66";
+
+  buildInputs = stdenv.lib.optional stdenv.isDarwin Security;
+
+  meta = with stdenv.lib; {
+    description = "A command-line tool to generate, analyze, convert and manipulate colors";
+    homepage = https://github.com/sharkdp/pastel;
+    license = with licenses; [ asl20 /* or */ mit ];
+    maintainers = with maintainers; [ davidtwco ];
+    platforms = platforms.all;
+  };
+}

pkgs/applications/networking/browsers/vivaldi/default.nix

@@ -17,11 +17,11 @@ let
   vivaldiName = if isSnapshot then "vivaldi-snapshot" else "vivaldi";
 in stdenv.mkDerivation rec {
   pname = "vivaldi";
-  version = "2.8.1664.35-1";
+  version = "2.8.1664.38-1";
 
   src = fetchurl {
     url = "https://downloads.vivaldi.com/${branch}/vivaldi-${branch}_${version}_amd64.deb";
-    sha256 = "0wrpn2figljvq9xldpqb1wf81fpwj91ppi2lzvcg5ycpl2a90x7j";
+    sha256 = "1znhlwwgq4k0fplr4l8ixgn6g5k26ns77j2dm0pjg3a2jgjq6rdr";
   };
 
   unpackPhase = ''

pkgs/applications/networking/cluster/kops/default.nix

@@ -43,7 +43,7 @@ let
           description = "Easiest way to get a production Kubernetes up and running";
           homepage = https://github.com/kubernetes/kops;
           license = licenses.asl20;
-          maintainers = with maintainers; [offline zimbatm];
+          maintainers = with maintainers; [offline zimbatm kampka];
           platforms = platforms.unix;
         };
       } // attrs';
@@ -57,7 +57,7 @@ in rec {
   };
 
   kops_1_13 = mkKops {
-    version = "1.13.0";
-    sha256 = "04kbbg3gqzwzzzq1lmnpw2gqky3pfwfk7pc0laxv2yssk9wac5k1";
+    version = "1.13.1";
+    sha256 = "0knypbrpipxplgdg6r0r6ycsj7w46virmzwn5s4sdim0y8d2ppyb";
   };
 }

pkgs/applications/networking/instant-messengers/gajim/default.nix

@@ -44,7 +44,7 @@ python3.pkgs.buildPythonApplication rec {
   ];
 
   propagatedBuildInputs = with python3.pkgs; [
-    nbxmpp pyasn1 pygobject3 dbus-python pillow cssutils precis-i18n keyring
+    nbxmpp pyasn1 pygobject3 dbus-python pillow cssutils precis-i18n keyring setuptools
   ] ++ lib.optionals enableE2E [ pycrypto python-gnupg ]
     ++ lib.optional enableRST docutils
     ++ lib.optionals enableOmemoPluginDependencies [ python-axolotl qrcode ]

pkgs/applications/networking/instant-messengers/teamspeak/client.nix

@@ -1,6 +1,6 @@
 { stdenv, fetchurl, makeWrapper, makeDesktopItem, zlib, glib, libpng, freetype, openssl
 , xorg, fontconfig, qtbase, qtwebengine, qtwebchannel, qtsvg, xkeyboard_config, alsaLib
-, libpulseaudio ? null, libredirect, quazip, less, which, unzip, llvmPackages
+, libpulseaudio ? null, libredirect, quazip, which, unzip, llvmPackages, writeShellScriptBin
 }:
 
 let
@@ -26,6 +26,8 @@ let
     categories = "Network";
   };
 
+  fakeLess = writeShellScriptBin "less" "cat";
+
 in
 
 stdenv.mkDerivation rec {
@@ -46,11 +48,11 @@ stdenv.mkDerivation rec {
     sha256 = "1bywmdj54glzd0kffvr27r84n4dsd0pskkbmh59mllbxvj0qwy7f";
   };
 
-  buildInputs = [ makeWrapper less which unzip ];
+  nativeBuildInputs = [ makeWrapper fakeLess which unzip ];
 
   unpackPhase =
     ''
-      echo -e 'q\ny' | sh -xe $src
+      echo -e '\ny' | sh -xe $src
       cd TeamSpeak*
     '';
 

pkgs/applications/networking/mailreaders/trojita/default.nix

@@ -1,37 +1,50 @@
-{ mkDerivation
-, lib
-, fetchurl
+{ akonadi-contacts
 , cmake
+, fetchgit
+, gpgme
+, kcontacts
+, lib
+, mimetic
+, mkDerivation
+, pkgconfig
+, qgpgme
 , qtbase
-, qtwebkit
+, qtkeychain
 , qttools
+, qtwebkit
 }:
 
 mkDerivation rec {
   pname = "trojita";
-  version = "0.7";
+  version = "0.7.20190618";
 
-  src = fetchurl {
-    url = "mirror://sourceforge/trojita/trojita/${pname}-${version}.tar.xz";
-    sha256 = "1n9n07md23ny6asyw0xpih37vlwzp7vawbkprl7a1bqwfa0si3g0";
+  src = fetchgit {
+    url = "https://anongit.kde.org/trojita.git";
+    rev = "90b417b131853553c94ff93aef62abaf301aa8f1";
+    sha256 = "0xpxq5bzqaa68lkz90wima5q2m0mdcn0rvnigb66lylb4n20mnql";
   };
 
   buildInputs = [
+    akonadi-contacts
+    gpgme
+    kcontacts
+    mimetic
+    qgpgme
     qtbase
+    qtkeychain
     qtwebkit
   ];
 
   nativeBuildInputs = [
     cmake
+    pkgconfig
     qttools
   ];
 
-
   meta = with lib; {
     description = "A Qt IMAP e-mail client";
-    homepage = http://trojita.flaska.net/;
+    homepage = "http://trojita.flaska.net/";
     license = with licenses; [ gpl2 gpl3 ];
     platforms = platforms.linux;
   };
-
 }

pkgs/applications/science/logic/tamarin-prover/default.nix

@@ -104,4 +104,6 @@ mkDerivation (common "tamarin-prover" src // {
           tamarin-prover-term
           tamarin-prover-theory
         ];
+
+  broken = true;
 })

pkgs/applications/video/shotcut/default.nix

@@ -1,10 +1,23 @@
-{ stdenv, fetchFromGitHub, SDL2, frei0r, gettext, mlt, jack1, mkDerivation
-, pkgconfig, qtbase, qtmultimedia, qtwebkit, qtx11extras, qtwebsockets
-, qtquickcontrols, qtgraphicaleffects, libmlt, qmake, qttools }:
+{ stdenv, fetchFromGitHub, fetchpatch, mkDerivation, SDL2, frei0r, gettext, mlt
+, jack1, pkgconfig, qtbase, qtmultimedia, qtwebkit, qtx11extras, qtwebsockets
+, qtquickcontrols, qtgraphicaleffects, libmlt, qmake, qttools
+}:
 
 assert stdenv.lib.versionAtLeast libmlt.version "6.8.0";
 assert stdenv.lib.versionAtLeast mlt.version "6.8.0";
 
+let
+  # https://github.com/mltframework/shotcut/issues/771
+  fixVaapiRendering1 = fetchpatch {
+    url = "https://github.com/peti/shotcut/commit/038f6839298fc1e9e80ddf84fe168a78118bc625.patch";
+    sha256 = "153z1g6criszd6gdkw4f5zk0gmh0jar6l2g8fzwjhhcvkdz30vbp";
+  };
+  fixVaapiRendering2 = fetchpatch {
+    url = "https://github.com/peti/shotcut/commit/653c485f92d2847fdac517e3f797c9254826ffab.patch";
+    sha256 = "1qd0zgyahda72xh3avlg7lg0jq94wq5847154qlrgzj8b4n7vizw";
+  };
+in
+
 mkDerivation rec {
   pname = "shotcut";
   version = "19.09.14";
@@ -16,6 +29,8 @@ mkDerivation rec {
     sha256 = "1cl8ba1n0h450r4n5mfqmyjaxvczs3m19blwxslqskvmxy5my3cn";
   };
 
+  patches = [ fixVaapiRendering1 fixVaapiRendering2 ];
+
   enableParallelBuilding = true;
   nativeBuildInputs = [ pkgconfig qmake ];
   buildInputs = [
@@ -33,8 +48,6 @@ mkDerivation rec {
     sed 's_qApp->applicationDirPath(), "ffmpeg"_"${mlt.ffmpeg}/bin/ffmpeg"_' -i src/docks/encodedock.cpp
     NICE=$(type -P nice)
     sed "s_/usr/bin/nice_''${NICE}_" -i src/jobs/meltjob.cpp src/jobs/ffmpegjob.cpp
-    # Fix VAAPI auto-config: https://github.com/mltframework/shotcut/issues/771
-    sed 's#"-vaapi_device" << ":0"#"-vaapi_device" << "/dev/dri/renderD128"#' -i src/docks/encodedock.cpp
   '';
 
   qtWrapperArgs = [

pkgs/applications/virtualization/virtualbox/default.nix

@@ -92,6 +92,9 @@ in stdenv.mkDerivation {
     })
   ++ [
     ./qtx11extras.patch
+    # Kernel 5.3 fix, should be fixed with VirtualBox 6.0.14
+    # https://www.virtualbox.org/ticket/18911
+    ./kernel-5.3-fix.patch
   ];
 
   postPatch = ''

pkgs/applications/virtualization/virtualbox/guest-additions/default.nix

@@ -12,9 +12,16 @@ let
   # It's likely to work again in some future update.
   xserverABI = let abi = xserverVListFunc 0 + xserverVListFunc 1;
     in if abi == "119" || abi == "120" then "118" else abi;
-in
 
-stdenv.mkDerivation {
+  # Specifies how to patch binaries to make sure that libraries loaded using
+  # dlopen are found. We grep binaries for specific library names and patch
+  # RUNPATH in matching binaries to contain the needed library paths.
+  dlopenLibs = [
+    { name = "libdbus-1.so"; pkg = dbus; }
+    { name = "libXfixes.so"; pkg = xorg.libXfixes; }
+  ];
+
+in stdenv.mkDerivation {
   name = "VirtualBox-GuestAdditions-${version}-${kernel.version}";
 
   src = fetchurl {
@@ -134,13 +141,13 @@ stdenv.mkDerivation {
   # Stripping breaks these binaries for some reason.
   dontStrip = true;
 
-  # Some code dlopen() libdbus, patch RUNPATH in fixupPhase so it isn't stripped.
-  postFixup = ''
-    for i in $(grep -F libdbus-1.so -l -r $out/{lib,bin}); do
+  # Patch RUNPATH according to dlopenLibs (see the comment there).
+  postFixup = lib.concatMapStrings (library: ''
+    for i in $(grep -F ${lib.escapeShellArg library.name} -l -r $out/{lib,bin}); do
       origRpath=$(patchelf --print-rpath "$i")
-      patchelf --set-rpath "$origRpath:${lib.makeLibraryPath [ dbus ]}" "$i"
+      patchelf --set-rpath "$origRpath:${lib.makeLibraryPath [ library.pkg ]}" "$i"
     done
-  '';
+  '') dlopenLibs;
 
   meta = {
     description = "Guest additions for VirtualBox";

pkgs/applications/virtualization/virtualbox/kernel-5.3-fix.patch

@@ -0,0 +1,72 @@
+--- a/src/VBox/HostDrivers/VBoxNetFlt/linux/VBoxNetFlt-linux.c
++++ b/src/VBox/HostDrivers/VBoxNetFlt/linux/VBoxNetFlt-linux.c
+@@ -2123,7 +2123,9 @@
+ #endif
+     if (in_dev != NULL)
+     {
+-        for_ifa(in_dev) {
++        struct in_ifaddr *ifa;
++
++        for (ifa = in_dev->ifa_list; ifa; ifa = ifa->ifa_next) {
+             if (VBOX_IPV4_IS_LOOPBACK(ifa->ifa_address))
+                 return NOTIFY_OK;
+
+@@ -2137,7 +2139,7 @@
+
+             pThis->pSwitchPort->pfnNotifyHostAddress(pThis->pSwitchPort,
+                 /* :fAdded */ true, kIntNetAddrType_IPv4, &ifa->ifa_address);
+-        } endfor_ifa(in_dev);
++        }
+     }
+
+     /*
+--- a/src/VBox/Runtime/r0drv/linux/mp-r0drv-linux.c
++++ a/src/VBox/Runtime/r0drv/linux/mp-r0drv-linux.c
+@@ -283,12 +283,15 @@
+     if (RTCpuSetCount(&OnlineSet) > 1)
+     {
+         /* Fire the function on all other CPUs without waiting for completion. */
+-# if LINUX_VERSION_CODE >= KERNEL_VERSION(2, 6, 27)
++# if LINUX_VERSION_CODE >= KERNEL_VERSION(5, 3, 0)
++        smp_call_function(rtmpLinuxAllWrapper, &Args, 0 /* wait */);
++# elif LINUX_VERSION_CODE >= KERNEL_VERSION(2, 6, 27)
+         int rc = smp_call_function(rtmpLinuxAllWrapper, &Args, 0 /* wait */);
++        Assert(!rc); NOREF(rc);
+ # else
+         int rc = smp_call_function(rtmpLinuxAllWrapper, &Args, 0 /* retry */, 0 /* wait */);
+-# endif
+         Assert(!rc); NOREF(r