Merge branch 'NixOS:master' into patch-2

lib/filesystem.nix

@@ -18,7 +18,10 @@ let
     ;
 
   inherit (lib.filesystem)
+    pathIsDirectory
+    pathIsRegularFile
     pathType
+    packagesFromDirectoryRecursive
     ;
 
   inherit (lib.strings)
@@ -386,51 +389,29 @@ in
       ...
     }:
     let
-      # Determine if a directory entry from `readDir` indicates a package or
-      # directory of packages.
-      directoryEntryIsPackage = basename: type:
-        type == "directory" || hasSuffix ".nix" basename;
-
-      # List directory entries that indicate packages in the given `path`.
-      packageDirectoryEntries = path:
-        filterAttrs directoryEntryIsPackage (readDir path);
-
-      # Transform a directory entry (a `basename` and `type` pair) into a
-      # package.
-      directoryEntryToAttrPair = subdirectory: basename: type:
-        let
-          path = subdirectory + "/${basename}";
-        in
-        if type == "regular"
-        then
-        {
-          name = removeSuffix ".nix" basename;
-          value = callPackage path { };
-        }
-        else
-        if type == "directory"
-        then
-        {
-          name = basename;
-          value = packagesFromDirectory path;
-        }
-        else
-        throw
-          ''
-            lib.filesystem.packagesFromDirectoryRecursive: Unsupported file type ${type} at path ${toString subdirectory}
-          '';
-
-      # Transform a directory into a package (if there's a `package.nix`) or
-      # set of packages (otherwise).
-      packagesFromDirectory = path:
-        let
-          defaultPackagePath = path + "/package.nix";
-        in
-        if pathExists defaultPackagePath
-        then callPackage defaultPackagePath { }
-        else mapAttrs'
-          (directoryEntryToAttrPair path)
-          (packageDirectoryEntries path);
+      inherit (lib) concatMapAttrs removeSuffix;
+      inherit (lib.path) append;
+      defaultPath = append directory "package.nix";
     in
-    packagesFromDirectory directory;
+    if pathExists defaultPath then
+      # if `${directory}/package.nix` exists, call it directly
+      callPackage defaultPath {}
+    else concatMapAttrs (name: type:
+      # otherwise, for each directory entry
+      let path = append directory name; in
+      if type == "directory" then {
+        # recurse into directories
+        "${name}" = packagesFromDirectoryRecursive {
+          inherit callPackage;
+          directory = path;
+        };
+      } else if type == "regular" && hasSuffix ".nix" name then {
+        # call .nix files
+        "${removeSuffix ".nix" name}" = callPackage path {};
+      } else if type == "regular" then {
+        # ignore non-nix files
+      } else throw ''
+        lib.filesystem.packagesFromDirectoryRecursive: Unsupported file type ${type} at path ${toString path}
+      ''
+    ) (builtins.readDir directory);
 }

maintainers/maintainer-list.nix

@@ -254,6 +254,14 @@
     githubId = 3417013;
     name = "Eske Nielsen";
   };
+  _4r7if3x = {
+    email = "[email protected]";
+    matrix = "@4r7if3x:matrix.org";
+    github = "4r7if3x";
+    githubId = 8606282;
+    name = "4r7if3x";
+    keys = [ { fingerprint = "013C ED4B E769 745A CFC3  0F3C F23C 2613 2266 7A12"; } ];
+  };
   _6543 = {
     email = "[email protected]";
     github = "6543";
@@ -604,6 +612,12 @@
     githubId = 25236206;
     name = "Adrian Dole";
   };
+  adrian-gierakowski = {
+    email = "[email protected]";
+    github = "adrian-gierakowski";
+    githubId = 330177;
+    name = "Adrian Gierakowski";
+  };
   adriangl = {
     email = "[email protected]";
     matrix = "@adriangl:pvv.ntnu.no";
@@ -5762,6 +5776,12 @@
     githubId = 11946442;
     name = "Dipin Hora";
   };
+  diredocks = {
+    email = "[email protected]";
+    github = "diredocks";
+    githubId = 26994007;
+    name = "Chen Xin";
+  };
   dirkx = {
     email = "[email protected]";
     github = "dirkx";
@@ -10335,6 +10355,14 @@
     githubId = 938744;
     name = "John Chadwick";
   };
+  jcollie = {
+    email = "[email protected]";
+    github = "jcollie";
+    githubId = 740022;
+    matrix = "@jeff:ocjtech.us";
+    name = "Jeffrey C. Ollie";
+    keys = [ { fingerprint = "A8CF 5B72 ABC3 9A17 3FEA  620E 6F86 035A 6D97 044E"; } ];
+  };
   jcouyang = {
     email = "[email protected]";
     github = "jcouyang";
@@ -18078,6 +18106,13 @@
     github = "potb";
     githubId = 10779093;
   };
+  pouya = {
+    email = "[email protected]";
+    github = "pouya-abbassi";
+    githubId = 8519318;
+    name = "Pouya Abbasi";
+    keys = [ { fingerprint = "8CC7 EB15 3563 4205 E9C2  AAD9 AF5A 5A4A D4FD 8797"; } ];
+  };
   poweredbypie = {
     name = "poweredbypie";
     github = "poweredbypie";
@@ -23143,6 +23178,12 @@
     githubId = 504580;
     name = "Thibaut Robert";
   };
+  tropf = {
+    name = "tropf";
+    matrix = "@tropf:matrix.org";
+    github = "tropf";
+    githubId = 29873239;
+  };
   troydm = {
     email = "[email protected]";
     github = "troydm";

maintainers/team-list.nix

@@ -44,6 +44,19 @@ with lib.maintainers;
     enableFeatureFreezePing = true;
   };
 
+  android = {
+    members = [
+      numinit
+      hadilq
+      RossComputerGuy
+      adrian-gierakowski
+    ];
+    scope = "Maintain Android-related tooling in nixpkgs.";
+    githubTeams = [ "android" ];
+    shortName = "Android";
+    enableFeatureFreezePing = true;
+  };
+
   bazel = {
     members = [
       mboes

nixos/doc/manual/release-notes/rl-2411.section.md

@@ -87,6 +87,8 @@
 
 ## New Modules {#sec-release-24.11-new-modules}
 
+- [KMonad](https://github.com/kmonad/kmonad), an advanced keyboard remapping utility. Available as [services.kmonad](#opt-services.kmonad.enable).
+
 - [Coral](https://coral.ai/), hardware support for Coral.ai Edge TPU devices. Available as [hardware.coral.usb.enable](#opt-hardware.coral.usb.enable) and [hardware.coral.pcie.enable](#opt-hardware.coral.pcie.enable).
 
 - [Cyrus IMAP](https://github.com/cyrusimap/cyrus-imapd), an email, contacts and calendar server. Available as [services.cyrus-imap](#opt-services.cyrus-imap.enable) service.

nixos/doc/manual/release-notes/rl-2505.section.md

@@ -200,6 +200,8 @@
 
 - `matomo` now defaults to version 5 (previously available as `matomo_5`). Version 4 has been removed as it reached EOL on December 19, 2024.
 
+- `docker_24` has been removed, as it was EOL with vulnerabilites since June 08, 2024.
+
 - `containerd` has been updated to v2, which contains breaking changes. See the [containerd
   2.0](https://github.com/containerd/containerd/blob/main/docs/containerd-2.0.md) documentation for more
   details.
@@ -254,6 +256,9 @@
 
 - `programs.clash-verge.tunMode` was deprecated and removed because now service mode is neccessary to start program. Without `programs.clash-verge.enable`, clash-verge-rev will refuse to start.
 
+- `siduck76-st` has been renamed to `st-snazzy`, like the project's [flake](https://github.com/siduck/st/blob/main/flake.nix).
+
+
 <!-- To avoid merge conflicts, consider adding your item at an arbitrary place in the list instead. -->
 
 ## Other Notable Changes {#sec-release-25.05-notable-changes}
@@ -269,6 +274,8 @@
   - Overriding Wayland compositor is possible using `enableWaylandSession` option, but you might need to take care [`xfce4-session`](https://gitlab.xfce.org/xfce/xfce4-session/-/merge_requests/49), [`dbus-update-activation-environment`](https://github.com/labwc/labwc/blob/eaf11face68ee1f1bcc7ce1498304ca8c108c8ba/src/config/session.c#L234) and [`systemctl --user import-environment`](https://github.com/labwc/labwc/blob/eaf11face68ee1f1bcc7ce1498304ca8c108c8ba/src/config/session.c#L239) on startup.
   - For new Xfce installations, default panel layout has [changed](https://gitlab.xfce.org/xfce/xfce4-panel/-/merge_requests/158/diffs) to not include external panel plugins by default. You can still add them yourself using the "Panel Preferences" dialog.
 
+- GOverlay has been updated to 1.2, please check the [upstream changelog](https://github.com/benjamimgois/goverlay/releases) for more details.
+
 - `networking.wireguard` now has an optional networkd backend. It is enabled by default when `networking.useNetworkd` is enabled, and it can be enabled alongside scripted networking with `networking.wireguard.useNetworkd`. Some `networking.wireguard` options have slightly different behavior with the networkd and script-based backends, documented in each option.
 
 - `services.avahi.ipv6` now defaults to true.

nixos/modules/config/terminfo.nix

@@ -43,6 +43,7 @@
           alacritty
           contour
           foot
+          ghostty
           kitty
           mtm
           rio

nixos/modules/services/backup/zfs-replication.nix

@@ -92,7 +92,7 @@ in
             ++ (lib.optional cfg.followDelete "--follow-delete")
           );
         in
-        "${lib.getExe cfg.package} ${lib.concatStringSep " " args}";
+        "${lib.getExe cfg.package} ${lib.concatStringsSep " " args}";
       wantedBy = [
         "zfs-snapshot-daily.service"
         "zfs-snapshot-frequent.service"

nixos/modules/services/hardware/sane.nix

@@ -184,6 +184,12 @@ in
       environment.etc."sane-config".source = config.hardware.sane.configDir;
       environment.etc."sane-libs".source = "${saneConfig}/lib/sane";
       services.udev.packages = backends;
+      # sane sets up udev rules that tag scanners with `uaccess`. This way, physically logged in users
+      # can access them without belonging to the `scanner` group. However, the `scanner` user used by saned
+      # does not have a real logind seat, so `uaccess` is not enough.
+      services.udev.extraRules = ''
+        ENV{DEVNAME}!="", ENV{libsane_matched}=="yes", RUN+="${pkgs.acl}/bin/setfacl -m g:scanner:rw $env{DEVNAME}"
+      '';
 
       users.groups.scanner.gid = config.ids.gids.scanner;
       networking.firewall.allowedUDPPorts = lib.mkIf config.hardware.sane.openFirewall [ 8612 ];

nixos/modules/services/mail/stalwart-mail.nix

@@ -119,6 +119,10 @@ in
       };
     };
 
+    systemd.tmpfiles.rules = [
+      "d '${cfg.dataDir}' - stalwart-mail stalwart-mail - -"
+    ];
+
     systemd = {
       packages = [ cfg.package ];
       services.stalwart-mail = {
@@ -147,6 +151,9 @@ in
           StandardOutput = "journal";
           StandardError = "journal";
 
+          ReadWritePaths = [
+            cfg.dataDir
+          ];
           CacheDirectory = "stalwart-mail";
           StateDirectory = "stalwart-mail";
 

nixos/modules/services/monitoring/librenms.nix

@@ -603,15 +603,10 @@ in
         ''
       )
       + ''
-        # clear cache after update and regenerate optimizations
+        # clear cache after update (before migrations)
         OLD_VERSION=$(cat ${cfg.dataDir}/version)
         if [[ $OLD_VERSION != "${package.version}" ]]; then
           rm -r ${cfg.dataDir}/cache/*
-          ${artisanWrapper}/bin/librenms-artisan view:clear
-          ${artisanWrapper}/bin/librenms-artisan optimize:clear
-          ${artisanWrapper}/bin/librenms-artisan view:cache
-          ${artisanWrapper}/bin/librenms-artisan optimize
-          echo "${package.version}" > ${cfg.dataDir}/version
         fi
 
         # convert rrd files when the oneMinutePolling option is changed
@@ -623,6 +618,15 @@ in
 
         # migrate db
         ${artisanWrapper}/bin/librenms-artisan migrate --force --no-interaction
+
+        # regenerate cache after migrations after update
+        if [[ $OLD_VERSION != "${package.version}" ]]; then
+          ${artisanWrapper}/bin/librenms-artisan view:clear
+          ${artisanWrapper}/bin/librenms-artisan optimize:clear
+          ${artisanWrapper}/bin/librenms-artisan view:cache
+          ${artisanWrapper}/bin/librenms-artisan optimize
+          echo "${package.version}" > ${cfg.dataDir}/version
+        fi
       '';
     };
 

nixos/modules/services/networking/networkmanager.nix

@@ -598,7 +598,7 @@ in
     ];
 
     systemd.services.NetworkManager = {
-      wantedBy = [ "network.target" ];
+      wantedBy = [ "multi-user.target" ];
       restartTriggers = [ configFile ];
 
       aliases = [ "dbus-org.freedesktop.NetworkManager.service" ];
@@ -614,7 +614,7 @@ in
     };
 
     systemd.services.NetworkManager-dispatcher = {
-      wantedBy = [ "network.target" ];
+      wantedBy = [ "multi-user.target" ];
       restartTriggers = [
         configFile
         overrideNameserversScript

nixos/modules/services/networking/wireguard-networkd.nix

@@ -22,14 +22,16 @@ let
     ;
   inherit (lib.modules) mkIf;
   inherit (lib.options) literalExpression mkOption;
-  inherit (lib.strings) hasInfix;
+  inherit (lib.strings) hasInfix replaceStrings;
   inherit (lib.trivial) flip pipe;
 
   removeNulls = filterAttrs (_: v: v != null);
 
-  privateKeyCredential = interfaceName: "wireguard-${interfaceName}-private-key";
+  escapeCredentialName = input: replaceStrings [ "\\" ] [ "_" ] input;
+
+  privateKeyCredential = interfaceName: escapeCredentialName "wireguard-${interfaceName}-private-key";
   presharedKeyCredential =
-    interfaceName: peer: "wireguard-${interfaceName}-${peer.name}-preshared-key";
+    interfaceName: peer: escapeCredentialName "wireguard-${interfaceName}-${peer.name}-preshared-key";
 
   interfaceCredentials =
     interfaceName: interface:
@@ -61,7 +63,8 @@ let
     interfaceName: peer:
     removeNulls {
       PublicKey = peer.publicKey;
-      PresharedKey = "@${presharedKeyCredential interfaceName peer}";
+      PresharedKey =
+        if peer.presharedKeyFile == null then null else "@${presharedKeyCredential interfaceName peer}";
       AllowedIPs = peer.allowedIPs;
       Endpoint = peer.endpoint;
       PersistentKeepalive = peer.persistentKeepalive;