Merge branch 'staging-next' into staging

maintainers/maintainer-list.nix

@@ -2304,6 +2304,12 @@
     githubId = 99703210;
     name = "Katherine Jamison";
   };
+  axka = {
+    name = "Axel Karjalainen";
+    email = "[email protected]";
+    github = "axelkar";
+    githubId = 120189068;
+  };
   ayazhafiz = {
     email = "[email protected]";
     github = "hafiz";
@@ -10513,6 +10519,18 @@
     githubId = 1476865;
     name = "jigglycrumb";
   };
+  jiriks74 = {
+    name = "Jiří Štefka";
+    email = "[email protected]";
+    github = "jiriks74";
+    githubId = 54378412;
+    matrix = "@jiriks74:matrix.org";
+    keys = [
+      {
+        fingerprint = "563AC7887FD6414714A6ACAC1D5E30D3DB2264DE";
+      }
+    ];
+  };
   jirkamarsik = {
     email = "[email protected]";
     github = "jirkamarsik";
@@ -13768,6 +13786,17 @@
     githubId = 28183516;
     name = "Mateusz Słodkowicz";
   };
+  mateusauler = {
+    email = "[email protected]";
+    github = "mateusauler";
+    githubId = 24767687;
+    name = "Mateus Auler";
+    keys = [
+      {
+        fingerprint = "A09D C093 3C37 4BFC 2B5A  269F 80A5 D62F 6EB7 D9F0";
+      }
+    ];
+  };
   math-42 = {
     email = "[email protected]";
     github = "Math-42";

nixos/doc/manual/release-notes/rl-2505.section.md

@@ -45,6 +45,8 @@
 
 - [KanBoard](https://github.com/kanboard/kanboard), a project management tool that focuses on the Kanban methodology. Available as [services.kanboard](#opt-services.kanboard.enable).
 
+- [git-worktree-switcher](https://github.com/mateusauler/git-worktree-switcher), switch between git worktrees with speed. Available as [programs.git-worktree-switcher](#opt-programs.git-worktree-switcher.enable)
+
 <!-- To avoid merge conflicts, consider adding your item at an arbitrary place in the list instead. -->
 
 ## Backward Incompatibilities {#sec-release-25.05-incompatibilities}
@@ -67,6 +69,8 @@
 
 - `zammad` has had its support for MySQL removed, since it was never working correctly and is now deprecated upstream. Check the [migration guide](https://docs.zammad.org/en/latest/appendix/migrate-to-postgresql.html) for how to convert your database to PostgreSQL.
 
+- `nodePackages.vls` has been deprecated, as the upstream consumer of it, vetur, has been deprecated by upstream. Upstream suggests migrating to Volar for Vue LSP tooling instead.
+
 - `nodePackages.create-react-native-app` has been removed, as it is deprecated. Upstream suggests using a framework for React Native apps instead.
 
 - `nodePackages.insect` has been removed, as it's deprecated by upstream. The suggested replacement is `numbat`.
@@ -132,7 +136,7 @@
 
 - Cinnamon has been updated to 6.4.
 
-- `networking.wireguard` now has an optional networkd backend, enabled with `networking.wireguard.useNetworkd`. Some `networking.wireguard` options have slightly different behavior with the networkd and script-based backends, documented in each option. Before upgrading, make sure the `privateKeyFile` and `presharedKeyFile` paths are readable by the `systemd-network` user if using the networkd backend.
+- `networking.wireguard` now has an optional networkd backend. It is enabled by default when `networking.useNetworkd` is enabled, and it can be enabled alongside scripted networking with `networking.wireguard.useNetworkd`. Some `networking.wireguard` options have slightly different behavior with the networkd and script-based backends, documented in each option.
 
 - `services.avahi.ipv6` now defaults to true.
 

nixos/modules/config/networking.nix

@@ -163,8 +163,6 @@ in
         ++ lib.optional (cfg.hostName != "") cfg.hostName; # Then the hostname (without the domain)
     in {
       "127.0.0.2" = hostnames;
-    } // lib.optionalAttrs cfg.enableIPv6 {
-      "::1" = hostnames;
     };
 
     networking.hostFiles = let

nixos/modules/config/qt.nix

@@ -18,6 +18,7 @@ let
       qt6Packages.qt6gtk2
     ];
     kde = [
+      libsForQt5.kio
       libsForQt5.plasma-integration
       libsForQt5.systemsettings
     ];

nixos/modules/module-list.nix

@@ -207,6 +207,7 @@
   ./programs/gdk-pixbuf.nix
   ./programs/geary.nix
   ./programs/git.nix
+  ./programs/git-worktree-switcher.nix
   ./programs/gnome-disks.nix
   ./programs/gnome-terminal.nix
   ./programs/gnupg.nix

nixos/modules/programs/git-worktree-switcher.nix

@@ -0,0 +1,40 @@
+{
+  config,
+  pkgs,
+  lib,
+  ...
+}:
+
+let
+  cfg = config.programs.git-worktree-switcher;
+
+  initScript =
+    shell:
+    if (shell == "fish") then
+      ''
+        ${lib.getExe pkgs.git-worktree-switcher} init ${shell} | source
+      ''
+    else
+      ''
+        eval "$(${lib.getExe pkgs.git-worktree-switcher} init ${shell})"
+      '';
+in
+{
+  options = {
+    programs.git-worktree-switcher = {
+      enable = lib.mkEnableOption "git-worktree-switcher, switch between git worktrees with speed.";
+    };
+  };
+
+  config = lib.mkIf cfg.enable {
+    environment.systemPackages = with pkgs; [ git-worktree-switcher ];
+
+    programs.bash.interactiveShellInit = initScript "bash";
+    programs.zsh.interactiveShellInit = lib.optionalString config.programs.zsh.enable (
+      initScript "zsh"
+    );
+    programs.fish.interactiveShellInit = lib.optionalString config.programs.fish.enable (
+      initScript "fish"
+    );
+  };
+}

nixos/modules/programs/yubikey-touch-detector.nix

@@ -55,6 +55,7 @@ in
       };
 
       wantedBy = [ "graphical-session.target" ];
+      partOf = [ "graphical-session.target" ];
     };
     systemd.user.sockets.yubikey-touch-detector = {
       wantedBy = [ "sockets.target" ];

nixos/modules/services/home-automation/ebusd.nix

@@ -155,7 +155,11 @@ in
 
   config =
     let
-      usesDev = lib.hasPrefix "/" cfg.device;
+      usesDev = lib.any (prefix: lib.hasPrefix prefix cfg.device) [
+        "/"
+        "ens:/"
+        "enh:/"
+      ];
     in
     lib.mkIf cfg.enable {
       systemd.services.ebusd = {
@@ -200,12 +204,14 @@ in
 
           # Hardening
           CapabilityBoundingSet = "";
-          DeviceAllow = lib.optionals usesDev [ cfg.device ];
+          DeviceAllow = lib.optionals usesDev [
+            (lib.removePrefix "ens:" (lib.removePrefix "enh:" cfg.device))
+          ];
           DevicePolicy = "closed";
           LockPersonality = true;
           MemoryDenyWriteExecute = false;
           NoNewPrivileges = true;
-          PrivateDevices = usesDev;
+          PrivateDevices = !usesDev;
           PrivateUsers = true;
           PrivateTmp = true;
           ProtectClock = true;

nixos/modules/services/monitoring/librenms.nix

@@ -514,7 +514,7 @@ in
     systemd.services.librenms-setup = {
       description = "Preparation tasks for LibreNMS";
       before = [ "phpfpm-librenms.service" ];
-      after = [ "systemd-tmpfiles-setup.service" ]
+      after = [ "systemd-tmpfiles-setup.service" "network.target" ]
         ++ (lib.optional (cfg.database.host == "localhost") "mysql.service");
       wantedBy = [ "multi-user.target" ];
       restartTriggers = [ package configFile ];

nixos/modules/services/networking/v2ray.nix

@@ -2,7 +2,9 @@
 
 with lib;
 
-{
+let
+  json = pkgs.formats.json { };
+in {
   options = {
 
     services.v2ray = {
@@ -32,7 +34,7 @@ with lib;
       };
 
       config = mkOption {
-        type = types.nullOr (types.attrsOf types.unspecified);
+        type = types.nullOr json.type;
         default = null;
         example = {
           inbounds = [{

nixos/modules/services/networking/wireguard-networkd.nix

@@ -14,14 +14,26 @@ let
     mapAttrsToList
     nameValuePair
     ;
-  inherit (lib.lists) concatMap concatLists;
+  inherit (lib.lists) concatMap concatLists filter;
   inherit (lib.modules) mkIf;
   inherit (lib.options) literalExpression mkOption;
   inherit (lib.strings) hasInfix;
-  inherit (lib.trivial) flip;
+  inherit (lib.trivial) flip pipe;
 
   removeNulls = filterAttrs (_: v: v != null);
 
+  privateKeyCredential = interfaceName: "wireguard-${interfaceName}-private-key";
+  presharedKeyCredential =
+    interfaceName: peer: "wireguard-${interfaceName}-${peer.name}-preshared-key";
+
+  interfaceCredentials =
+    interfaceName: interface:
+    [ "${privateKeyCredential interfaceName}:${interface.privateKeyFile}" ]
+    ++ pipe interface.peers [
+      (filter (peer: peer.presharedKeyFile != null))
+      (map (peer: "${presharedKeyCredential interfaceName peer}:${peer.presharedKeyFile}"))
+    ];
+
   generateNetdev =
     name: interface:
     nameValuePair "40-${name}" {
@@ -31,20 +43,20 @@ let
         MTUBytes = interface.mtu;
       };
       wireguardConfig = removeNulls {
-        PrivateKeyFile = interface.privateKeyFile;
+        PrivateKey = "@${privateKeyCredential name}";
         ListenPort = interface.listenPort;
         FirewallMark = interface.fwMark;
         RouteTable = if interface.allowedIPsAsRoutes then interface.table else null;
         RouteMetric = interface.metric;
       };
-      wireguardPeers = map generateWireguardPeer interface.peers;
+      wireguardPeers = map (generateWireguardPeer name) interface.peers;
     };
 
   generateWireguardPeer =
-    peer:
+    interfaceName: peer:
     removeNulls {
       PublicKey = peer.publicKey;
-      PresharedKeyFile = peer.presharedKeyFile;
+      PresharedKey = "@${presharedKeyCredential interfaceName peer}";
       AllowedIPs = peer.allowedIPs;
       Endpoint = peer.endpoint;
       PersistentKeepalive = peer.persistentKeepalive;
@@ -96,7 +108,8 @@ in
 
   options.networking.wireguard = {
     useNetworkd = mkOption {
-      default = false;
+      default = config.networking.useNetworkd;
+      defaultText = literalExpression "config.networking.useNetworkd";
       type = types.bool;
       description = ''
         Whether to use networkd as the network configuration backend for
@@ -201,6 +214,8 @@ in
     };
 
     systemd.timers = mapAttrs' generateRefreshTimer refreshEnabledInterfaces;
-    systemd.services = mapAttrs' generateRefreshService refreshEnabledInterfaces;
+    systemd.services = (mapAttrs' generateRefreshService refreshEnabledInterfaces) // {
+      systemd-networkd.serviceConfig.LoadCredential = mapAttrsToList interfaceCredentials cfg.interfaces;
+    };
   };
 }

nixos/modules/services/networking/wireguard.nix

@@ -49,9 +49,6 @@ let
         default = null;
         description = ''
           Private key file as generated by {command}`wg genkey`.
-
-          When {option}`networking.wireguard.useNetworkd` is enabled, this file
-          must be readable by the `systemd-network` user.
         '';
       };
 
@@ -259,9 +256,6 @@ let
           Optional, and may be omitted. This option adds an additional layer of
           symmetric-key cryptography to be mixed into the already existing
           public-key cryptography, for post-quantum resistance.
-
-          When {option}`networking.wireguard.useNetworkd` is enabled, this file
-          must be readable by the `systemd-network` user.
         '';
       };
 

nixos/tests/hostname.nix

@@ -62,6 +62,8 @@ let
             fqdn_and_host_name
             == machine.succeed("getent hosts 127.0.0.2 | awk '{print $2,$3}'").strip()
         )
+
+        assert "${fqdn}" == machine.succeed("getent hosts ${hostName} | awk '{print $2}'").strip()
       '';
     };
 

pkgs/applications/audio/bitwig-studio/bitwig-wrapper.nix

@@ -30,7 +30,12 @@ stdenv.mkDerivation {
         chmod -R u+w $TMPDIR/VampTransforms
 
         echo "Starting Bitwig Studio in Bubblewrap Environment"
-        ${bubblewrap}/bin/bwrap --bind / / --bind $TMPDIR/VampTransforms ${bitwig-studio-unwrapped}/libexec/resources/VampTransforms ${bitwig-studio-unwrapped}/bin/bitwig-studio || true
+        ${bubblewrap}/bin/bwrap \
+          --bind / / \
+          --bind $TMPDIR/VampTransforms ${bitwig-studio-unwrapped}/libexec/resources/VampTransforms \
+          --dev-bind /dev /dev \
+          ${bitwig-studio-unwrapped}/bin/bitwig-studio \
+          || true
 
         echo "Bitwig exited, removing temporary directory"
         rm -rf $TMPDIR

pkgs/applications/editors/vim/plugins/blink-cmp/default.nix

@@ -7,12 +7,12 @@
   nix-update-script,
 }:
 let
-  version = "0.7.3";
+  version = "0.7.6";
   src = fetchFromGitHub {
     owner = "Saghen";
     repo = "blink.cmp";
     rev = "refs/tags/v${version}";
-    hash = "sha256-nxiODLKgGeXzN5sqkLWU0PcsuSSB1scSzTC5qyCxLCI=";
+    hash = "sha256-fzAqUqMx4zqN9dtTYRAibhWd5CKh2pvai9g7E/xxnE8=";
   };
   libExt = if stdenv.hostPlatform.isDarwin then "dylib" else "so";
   blink-fuzzy-lib = rustPlatform.buildRustPackage {

pkgs/applications/editors/vscode/extensions/ms-toolsai.jupyter/default.nix

@@ -9,8 +9,8 @@ vscode-utils.buildVscodeMarketplaceExtension {
   mktplcRef = {
     name = "jupyter";
     publisher = "ms-toolsai";
-    version = "2024.10.0";
-    hash = "sha256-4b3aE1RgqxEKHMEMlhIjRk4WR3DZRWmqMfGGFQi43J0=";
+    version = "2024.11.0";
+    hash = "sha256-BwZLF52ilEaLU6swUFEa+PtrxzsFOLIYd8TVD7xRgPg=";
   };
 
   nativeBuildInputs = [

pkgs/applications/emulators/libretro/cores/beetle-wswan.nix

@@ -5,13 +5,13 @@
 }:
 mkLibretroCore {
   core = "mednafen-wswan";
-  version = "0-unstable-2024-06-28";
+  version = "0-unstable-2024-10-21";
 
   src = fetchFromGitHub {
     owner = "libretro";
     repo = "beetle-wswan-libretro";
-    rev = "440e9228592a3f603d7d09e8bee707b0163f545f";
-    hash = "sha256-+98gCDBYeqUlFGzX83lwTGqSezLnzWRwapZCn4T37uE=";
+    rev = "2aeb47d3a58bf0360c686f842d9bb5bd201306fe";
+    hash = "sha256-LrF9p5tPtUamVLC41bJxcYDKvHmhVfwMieyIAdHaGmU=";
   };
 
   makefile = "Makefile";

pkgs/applications/emulators/libretro/cores/bluemsx.nix

@@ -5,13 +5,13 @@
 }:
 mkLibretroCore {
   core = "bluemsx";
-  version = "0-unstable-2024-10-22";
+  version = "0-unstable-2024-12-04";
 
   src = fetchFromGitHub {
     owner = "libretro";
     repo = "bluemsx-libretro";
-    rev = "01ce142ccb85c302420cb962d1b6e6a68a6ce076";
-    hash = "sha256-h3Zpv+h6CbM1pdSOXsjN0pFUjXLn5T/R5W55VZXpMVM=";
+    rev = "572c91856a5288b7433c619af651e31f00f3ce7e";
+    hash = "sha256-fN5zjQGIyx3yIEgIhC50gD3O2F6WPJ/ssiauQ5Z/t9s=";
   };
 
   meta = {