Merge staging-next into staging

nixos/modules/system/boot/luksroot.nix

@@ -140,24 +140,27 @@ let
     umount /crypt-ramfs 2>/dev/null
   '';
 
-  openCommand = name': { name, device, header, keyFile, keyFileSize, keyFileOffset, allowDiscards, yubikey, gpgCard, fido2, fallbackToPassword, preOpenCommands, postOpenCommands,... }: assert name' == name;
+  openCommand = name: dev: assert name == dev.name;
   let
-    csopen   = "cryptsetup luksOpen ${device} ${name} ${optionalString allowDiscards "--allow-discards"} ${optionalString (header != null) "--header=${header}"}";
-    cschange = "cryptsetup luksChangeKey ${device} ${optionalString (header != null) "--header=${header}"}";
+    csopen = "cryptsetup luksOpen ${dev.device} ${dev.name}"
+           + optionalString dev.allowDiscards " --allow-discards"
+           + optionalString dev.bypassWorkqueues " --perf-no_read_workqueue --perf-no_write_workqueue"
+           + optionalString (dev.header != null) " --header=${dev.header}";
+    cschange = "cryptsetup luksChangeKey ${dev.device} ${optionalString (dev.header != null) "--header=${dev.header}"}";
   in ''
     # Wait for luksRoot (and optionally keyFile and/or header) to appear, e.g.
     # if on a USB drive.
-    wait_target "device" ${device} || die "${device} is unavailable"
+    wait_target "device" ${dev.device} || die "${dev.device} is unavailable"
 
-    ${optionalString (header != null) ''
-      wait_target "header" ${header} || die "${header} is unavailable"
+    ${optionalString (dev.header != null) ''
+      wait_target "header" ${dev.header} || die "${dev.header} is unavailable"
     ''}
 
     do_open_passphrase() {
         local passphrase
 
         while true; do
-            echo -n "Passphrase for ${device}: "
+            echo -n "Passphrase for ${dev.device}: "
             passphrase=
             while true; do
                 if [ -e /crypt-ramfs/passphrase ]; then
@@ -166,7 +169,7 @@ let
                     break
                 else
                     # ask cryptsetup-askpass
-                    echo -n "${device}" > /crypt-ramfs/device
+                    echo -n "${dev.device}" > /crypt-ramfs/device
 
                     # and try reading it from /dev/console with a timeout
                     IFS= read -t 1 -r passphrase
@@ -182,7 +185,7 @@ let
                     fi
                 fi
             done
-            echo -n "Verifying passphrase for ${device}..."
+            echo -n "Verifying passphrase for ${dev.device}..."
             echo -n "$passphrase" | ${csopen} --key-file=-
             if [ $? == 0 ]; then
                 echo " - success"
@@ -202,13 +205,13 @@ let
 
     # LUKS
     open_normally() {
-        ${if (keyFile != null) then ''
-        if wait_target "key file" ${keyFile}; then
-            ${csopen} --key-file=${keyFile} \
-              ${optionalString (keyFileSize != null) "--keyfile-size=${toString keyFileSize}"} \
-              ${optionalString (keyFileOffset != null) "--keyfile-offset=${toString keyFileOffset}"}
+        ${if (dev.keyFile != null) then ''
+        if wait_target "key file" ${dev.keyFile}; then
+            ${csopen} --key-file=${dev.keyFile} \
+              ${optionalString (dev.keyFileSize != null) "--keyfile-size=${toString dev.keyFileSize}"} \
+              ${optionalString (dev.keyFileOffset != null) "--keyfile-offset=${toString dev.keyFileOffset}"}
         else
-            ${if fallbackToPassword then "echo" else "die"} "${keyFile} is unavailable"
+            ${if dev.fallbackToPassword then "echo" else "die"} "${dev.keyFile} is unavailable"
             echo " - failing back to interactive password prompt"
             do_open_passphrase
         fi
@@ -217,7 +220,7 @@ let
         ''}
     }
 
-    ${optionalString (luks.yubikeySupport && (yubikey != null)) ''
+    ${optionalString (luks.yubikeySupport && (dev.yubikey != null)) ''
     # YubiKey
     rbtohex() {
         ( od -An -vtx1 | tr -d ' \n' )
@@ -243,16 +246,16 @@ let
         local new_response
         local new_k_luks
 
-        mount -t ${yubikey.storage.fsType} ${yubikey.storage.device} /crypt-storage || \
+        mount -t ${dev.yubikey.storage.fsType} ${dev.yubikey.storage.device} /crypt-storage || \
           die "Failed to mount YubiKey salt storage device"
 
-        salt="$(cat /crypt-storage${yubikey.storage.path} | sed -n 1p | tr -d '\n')"
-        iterations="$(cat /crypt-storage${yubikey.storage.path} | sed -n 2p | tr -d '\n')"
+        salt="$(cat /crypt-storage${dev.yubikey.storage.path} | sed -n 1p | tr -d '\n')"
+        iterations="$(cat /crypt-storage${dev.yubikey.storage.path} | sed -n 2p | tr -d '\n')"
         challenge="$(echo -n $salt | openssl-wrap dgst -binary -sha512 | rbtohex)"
-        response="$(ykchalresp -${toString yubikey.slot} -x $challenge 2>/dev/null)"
+        response="$(ykchalresp -${toString dev.yubikey.slot} -x $challenge 2>/dev/null)"
 
         for try in $(seq 3); do
-            ${optionalString yubikey.twoFactor ''
+            ${optionalString dev.yubikey.twoFactor ''
             echo -n "Enter two-factor passphrase: "
             k_user=
             while true; do
@@ -278,9 +281,9 @@ let
             ''}
 
             if [ ! -z "$k_user" ]; then
-                k_luks="$(echo -n $k_user | pbkdf2-sha512 ${toString yubikey.keyLength} $iterations $response | rbtohex)"
+                k_luks="$(echo -n $k_user | pbkdf2-sha512 ${toString dev.yubikey.keyLength} $iterations $response | rbtohex)"
             else
-                k_luks="$(echo | pbkdf2-sha512 ${toString yubikey.keyLength} $iterations $response | rbtohex)"
+                k_luks="$(echo | pbkdf2-sha512 ${toString dev.yubikey.keyLength} $iterations $response | rbtohex)"
             fi
 
             echo -n "$k_luks" | hextorb | ${csopen} --key-file=-
@@ -302,7 +305,7 @@ let
         [ "$opened" == false ] && die "Maximum authentication errors reached"
 
         echo -n "Gathering entropy for new salt (please enter random keys to generate entropy if this blocks for long)..."
-        for i in $(seq ${toString yubikey.saltLength}); do
+        for i in $(seq ${toString dev.yubikey.saltLength}); do
             byte="$(dd if=/dev/random bs=1 count=1 2>/dev/null | rbtohex)";
             new_salt="$new_salt$byte";
             echo -n .
@@ -310,25 +313,25 @@ let
         echo "ok"
 
         new_iterations="$iterations"
-        ${optionalString (yubikey.iterationStep > 0) ''
-        new_iterations="$(($new_iterations + ${toString yubikey.iterationStep}))"
+        ${optionalString (dev.yubikey.iterationStep > 0) ''
+        new_iterations="$(($new_iterations + ${toString dev.yubikey.iterationStep}))"
         ''}
 
         new_challenge="$(echo -n $new_salt | openssl-wrap dgst -binary -sha512 | rbtohex)"
 
-        new_response="$(ykchalresp -${toString yubikey.slot} -x $new_challenge 2>/dev/null)"
+        new_response="$(ykchalresp -${toString dev.yubikey.slot} -x $new_challenge 2>/dev/null)"
 
         if [ ! -z "$k_user" ]; then
-            new_k_luks="$(echo -n $k_user | pbkdf2-sha512 ${toString yubikey.keyLength} $new_iterations $new_response | rbtohex)"
+            new_k_luks="$(echo -n $k_user | pbkdf2-sha512 ${toString dev.yubikey.keyLength} $new_iterations $new_response | rbtohex)"
         else
-            new_k_luks="$(echo | pbkdf2-sha512 ${toString yubikey.keyLength} $new_iterations $new_response | rbtohex)"
+            new_k_luks="$(echo | pbkdf2-sha512 ${toString dev.yubikey.keyLength} $new_iterations $new_response | rbtohex)"
         fi
 
         echo -n "$new_k_luks" | hextorb > /crypt-ramfs/new_key
         echo -n "$k_luks" | hextorb | ${cschange} --key-file=- /crypt-ramfs/new_key
 
         if [ $? == 0 ]; then
-            echo -ne "$new_salt\n$new_iterations" > /crypt-storage${yubikey.storage.path}
+            echo -ne "$new_salt\n$new_iterations" > /crypt-storage${dev.yubikey.storage.path}
         else
             echo "Warning: Could not update LUKS key, current challenge persists!"
         fi
@@ -338,7 +341,7 @@ let
     }
 
     open_with_hardware() {
-        if wait_yubikey ${toString yubikey.gracePeriod}; then
+        if wait_yubikey ${toString dev.yubikey.gracePeriod}; then
             do_open_yubikey
         else
             echo "No YubiKey found, falling back to non-YubiKey open procedure"
@@ -347,7 +350,7 @@ let
     }
     ''}
 
-    ${optionalString (luks.gpgSupport && (gpgCard != null)) ''
+    ${optionalString (luks.gpgSupport && (dev.gpgCard != null)) ''
 
     do_open_gpg_card() {
         # Make all of these local to this function
@@ -355,12 +358,12 @@ let
         local pin
         local opened
 
-        gpg --import /gpg-keys/${device}/pubkey.asc > /dev/null 2> /dev/null
+        gpg --import /gpg-keys/${dev.device}/pubkey.asc > /dev/null 2> /dev/null
 
         gpg --card-status > /dev/null 2> /dev/null
 
         for try in $(seq 3); do
-            echo -n "PIN for GPG Card associated with device ${device}: "
+            echo -n "PIN for GPG Card associated with device ${dev.device}: "
             pin=
             while true; do
                 if [ -e /crypt-ramfs/passphrase ]; then
@@ -382,8 +385,8 @@ let
                     fi
                 fi
             done
-            echo -n "Verifying passphrase for ${device}..."
-            echo -n "$pin" | gpg -q --batch --passphrase-fd 0 --pinentry-mode loopback -d /gpg-keys/${device}/cryptkey.gpg 2> /dev/null | ${csopen} --key-file=- > /dev/null 2> /dev/null
+            echo -n "Verifying passphrase for ${dev.device}..."
+            echo -n "$pin" | gpg -q --batch --passphrase-fd 0 --pinentry-mode loopback -d /gpg-keys/${dev.device}/cryptkey.gpg 2> /dev/null | ${csopen} --key-file=- > /dev/null 2> /dev/null
             if [ $? == 0 ]; then
                 echo " - success"
                 ${if luks.reusePassphrases then ''
@@ -403,7 +406,7 @@ let
     }
 
     open_with_hardware() {
-        if wait_gpgcard ${toString gpgCard.gracePeriod}; then
+        if wait_gpgcard ${toString dev.gpgCard.gracePeriod}; then
             do_open_gpg_card
         else
             echo "No GPG Card found, falling back to normal open procedure"
@@ -412,15 +415,15 @@ let
     }
     ''}
 
-    ${optionalString (luks.fido2Support && (fido2.credential != null)) ''
+    ${optionalString (luks.fido2Support && (dev.fido2.credential != null)) ''
 
     open_with_hardware() {
       local passsphrase
 
-        ${if fido2.passwordLess then ''
+        ${if dev.fido2.passwordLess then ''
           export passphrase=""
         '' else ''
-          read -rsp "FIDO2 salt for ${device}: " passphrase
+          read -rsp "FIDO2 salt for ${dev.device}: " passphrase
           echo
         ''}
         ${optionalString (lib.versionOlder kernelPackages.kernel.version "5.4") ''
@@ -428,7 +431,7 @@ let
           echo "Please move your mouse to create needed randomness."
         ''}
           echo "Waiting for your FIDO2 device..."
-          fido2luks open ${device} ${name} ${fido2.credential} --await-dev ${toString fido2.gracePeriod} --salt string:$passphrase
+          fido2luks open ${dev.device} ${dev.name} ${dev.fido2.credential} --await-dev ${toString dev.fido2.gracePeriod} --salt string:$passphrase
         if [ $? -ne 0 ]; then
           echo "No FIDO2 key found, falling back to normal open procedure"
           open_normally
@@ -437,16 +440,16 @@ let
     ''}
 
     # commands to run right before we mount our device
-    ${preOpenCommands}
+    ${dev.preOpenCommands}
 
-    ${if (luks.yubikeySupport && (yubikey != null)) || (luks.gpgSupport && (gpgCard != null)) || (luks.fido2Support && (fido2.credential != null)) then ''
+    ${if (luks.yubikeySupport && (dev.yubikey != null)) || (luks.gpgSupport && (dev.gpgCard != null)) || (luks.fido2Support && (dev.fido2.credential != null)) then ''
     open_with_hardware
     '' else ''
     open_normally
     ''}
 
     # commands to run right after we mounted our device
-    ${postOpenCommands}
+    ${dev.postOpenCommands}
   '';
 
   askPass = pkgs.writeScriptBin "cryptsetup-askpass" ''
@@ -621,6 +624,17 @@ in
             '';
           };
 
+          bypassWorkqueues = mkOption {
+            default = false;
+            type = types.bool;
+            description = ''
+              Whether to bypass dm-crypt's internal read and write workqueues.
+              Enabling this should improve performance on SSDs; see
+              <link xlink:href="https://wiki.archlinux.org/index.php/Dm-crypt/Specialties#Disable_workqueue_for_increased_solid_state_drive_(SSD)_performance">here</link>
+              for more information. Needs Linux 5.9 or later.
+            '';
+          };
+
           fallbackToPassword = mkOption {
             default = false;
             type = types.bool;
@@ -833,6 +847,11 @@ in
         { assertion = !(luks.fido2Support && luks.yubikeySupport);
           message = "FIDO2 and YubiKey may not be used at the same time.";
         }
+
+        { assertion = any (dev: dev.bypassWorkqueues) (attrValues luks.devices)
+                      -> versionAtLeast kernelPackages.kernel.version "5.9";
+          message = "boot.initrd.luks.devices.<name>.bypassWorkqueues is not supported for kernels older than 5.9";
+        }
       ];
 
     # actually, sbp2 driver is the one enabling the DMA attack, but this needs to be tested

pkgs/applications/editors/neovim/utils.nix

@@ -29,6 +29,11 @@ let
     , withNodeJs ? false
     , withRuby ? true
 
+    # expects a list of plugin configuration
+    # expects { plugin=far-vim; config = "let g:far#source='rg'"; optional = false; }
+    , plugins ? []
+    # forwarded to configure.customRC
+    , customRC ? ""
     # same values as in vimUtils.vimrcContent
     , configure ? { }
 
@@ -44,7 +49,33 @@ let
         '';
       };
 
-      requiredPlugins = vimUtils.requiredPlugins configure;
+      # transform all plugins into an attrset
+      pluginsNormalized = map (x: if x ? plugin then { optional = false; } // x else { plugin = x; optional = false;}) plugins;
+
+
+      configurePatched = configure // {
+        packages.nix = {
+          start = lib.filter (f: f != null)
+            (map (x: if x.optional == false then x.plugin else null)
+              pluginsNormalized);
+          opt = lib.filter (f: f != null)
+            (map (x: if x.optional == true then x.plugin else null)
+              pluginsNormalized);
+        };
+        customRC = pluginRc + customRC;
+      };
+
+      # A function to get the configuration string (if any) from an element of 'plugins'
+      pluginConfig = p:
+        if (p.config or "") != "" then ''
+          " ${p.plugin.pname or p.plugin.name} {{{
+          ${p.config}
+          " }}}
+        '' else "";
+
+      pluginRc = lib.concatMapStrings pluginConfig pluginsNormalized;
+
+      requiredPlugins = vimUtils.requiredPlugins configurePatched;
       getDeps = attrname: map (plugin: plugin.${attrname} or (_: [ ]));
 
       pluginPython3Packages = getDeps "python3Dependencies" requiredPlugins;
@@ -89,12 +120,13 @@ let
           "--suffix" "PATH" ":" binPath
         ];
 
-      manifestRc = vimUtils.vimrcContent (configure // { customRC = ""; });
-      neovimRcContent = vimUtils.vimrcContent configure;
+
+      manifestRc = vimUtils.vimrcContent (configurePatched // { customRC = ""; }) ;
+      neovimRcContent = vimUtils.vimrcContent configurePatched;
     in
     assert withPython2 -> throw "Python2 support has been removed from neovim, please remove withPython2 and extraPython2Packages.";
 
-    args // {
+    builtins.removeAttrs args ["plugins"] // {
       wrapperArgs = makeWrapperArgs;
       inherit neovimRcContent;
       inherit manifestRc;

pkgs/applications/editors/neovim/wrapper.nix

@@ -11,8 +11,9 @@ neovim:
 
 let
   wrapper = {
-      # should contain all args but the binary
-      wrapperArgs ? ""
+      extraName ? ""
+    # should contain all args but the binary. Can be either a string or list
+    , wrapperArgs ? []
     , manifestRc ? null
     , withPython2 ? false
     , withPython3 ? true,  python3Env ? null
@@ -20,10 +21,18 @@ let
     , rubyEnv ? null
     , vimAlias ? false
     , viAlias ? false
+
+    # additional argument not generated by makeNeovimConfig
+    # it will append "-u <customRc>" to the wrapped arguments
+    # set to false if you want to control where to save the generated config
+    # (e.g., in ~/.config/init.vim or project/.nvimrc)
+    , wrapRc ? true
     , ...
-  }:
+  }@args:
   let
 
+    wrapperArgsStr = if isString wrapperArgs then wrapperArgs else lib.escapeShellArgs wrapperArgs;
+
   # If configure != {}, we can't generate the rplugin.vim file with e.g
   # NVIM_SYSTEM_RPLUGIN_MANIFEST *and* NVIM_RPLUGIN_MANIFEST env vars set in
   # the wrapper. That's why only when configure != {} (tested both here and
@@ -31,13 +40,15 @@ let
   # wrapper with most arguments we need, excluding those that cause problems to
   # generate rplugin.vim, but still required for the final wrapper.
   finalMakeWrapperArgs =
-    [ "${neovim}/bin/nvim" "${placeholder "out"}/bin/nvim" ] ++
-      [ "--set" "NVIM_SYSTEM_RPLUGIN_MANIFEST" "${placeholder "out"}/rplugin.vim" ];
+    [ "${neovim}/bin/nvim" "${placeholder "out"}/bin/nvim" ]
+    ++ [ "--set" "NVIM_SYSTEM_RPLUGIN_MANIFEST" "${placeholder "out"}/rplugin.vim" ]
+    ++ optionals wrapRc [ "--add-flags" "-u ${writeText "init.vim" args.neovimRcContent}" ]
+    ;
   in
   assert withPython2 -> throw "Python2 support has been removed from the neovim wrapper, please remove withPython2 and python2Env.";
 
   symlinkJoin {
-      name = "neovim-${lib.getVersion neovim}";
+      name = "neovim-${lib.getVersion neovim}${extraName}";
       # Remove the symlinks created by symlinkJoin which we need to perform
       # extra actions upon
       postBuild = lib.optionalString stdenv.isLinux ''
@@ -66,7 +77,7 @@ let
       in ''
         echo "Generating remote plugin manifest"
         export NVIM_RPLUGIN_MANIFEST=$out/rplugin.vim
-        makeWrapper ${lib.escapeShellArgs manifestWrapperArgs} ${wrapperArgs}
+        makeWrapper ${lib.escapeShellArgs manifestWrapperArgs} ${wrapperArgsStr}
 
         # Some plugins assume that the home directory is accessible for
         # initializing caches, temporary files, etc. Even if the plugin isn't
@@ -96,7 +107,7 @@ let
       '')
       + ''
         rm $out/bin/nvim
-        makeWrapper ${lib.escapeShellArgs finalMakeWrapperArgs} ${wrapperArgs}
+        makeWrapper ${lib.escapeShellArgs finalMakeWrapperArgs} ${wrapperArgsStr}
       '';
 
     paths = [ neovim ];

pkgs/applications/networking/browsers/vieb/default.nix

@@ -2,13 +2,13 @@
 
 mkYarnPackage rec {
   pname = "vieb";
-  version = "4.5.1";
+  version = "5.0.0";
 
   src = fetchFromGitHub {
     owner = "jelmerro";
     repo = pname;
     rev = version;
-    sha256 = "sha256-7/oB2Inj+iMXzigqbCNJUY7dNrFBals2BOOl+Lp+ESs=";
+    sha256 = "sha256-0fbH2tmrgbu/XQg1piK9f56cow+R/Qe6bYMdbeV/mus=";
   };
 
   packageJSON = ./package.json;

pkgs/applications/networking/browsers/vieb/package.json

@@ -1,19 +1,21 @@
 {
   "name": "vieb",
   "productName": "Vieb",
-  "version": "4.5.1",
+  "version": "5.0.0",
   "description": "Vim Inspired Electron Browser",
   "bin": "app.js",
   "main": "app/index.js",
   "scripts": {
-    "test": "jest --coverage --collectCoverageFrom 'app/**/*.js' -u && eslint app && echo 'All good :)'",
-    "dev": "electron app --datafolder ./ViebData/",
-    "start": "electron app",
     "build": "node build.js",
     "buildall": "node build.js --linux --win --mac",
     "buildlinux": "node build.js --linux",
+    "buildmac": "node build.js --mac",
     "buildwin": "node build.js --win",
-    "buildmac": "node build.js --mac"
+    "dev": "electron app --datafolder=./ViebData/",
+    "fix": "eslint --fix app .eslintrc.js build.js",
+    "lint": "eslint app .eslintrc.js build.js",
+    "start": "electron app",
+    "test": "jest --testEnvironment jsdom --coverage --collectCoverageFrom 'app/**/*.js' -u && npm run lint && echo 'All good :)'"
   },
   "repository": "https://github.com/Jelmerro/Vieb",
   "homepage": "https://vieb.dev",
@@ -28,15 +30,18 @@
   "license": "GPL-3.0-or-later",
   "devDependencies": {
     "archiver": "5.3.0",
-    "electron": "12.0.5",
+    "electron": "13.0.1",
     "electron-builder": "22.10.5",
-    "eslint": "7.25.0",
+    "eslint": "7.27.0",
     "eslint-plugin-compat": "^3.9.0",
-    "jest": "26.6.3"
+    "eslint-plugin-sort-keys-fix": "1.1.1",
+    "jest-environment-jsdom": "^27.0.1",
+    "jest": "27.0.1"
   },
   "dependencies": {
     "7zip-bin": "5.1.1",
-    "@cliqz/adblocker-electron": "1.20.4",
+    "@cliqz/adblocker-electron": "1.20.6",
+    "@cliqz/adblocker-electron-preload": "1.20.6",
     "is-svg": "4.3.1",
     "rimraf": "3.0.2"
   },

pkgs/applications/networking/cluster/argo/default.nix

@@ -19,13 +19,13 @@ let
 in
 buildGoModule rec {
   pname = "argo";
-  version = "3.0.4";
+  version = "3.0.6";
 
   src = fetchFromGitHub {
     owner = "argoproj";
     repo = "argo";
     rev = "v${version}";
-    sha256 = "sha256-zswX6nt7AxxTMznbY4Rk0A8j2PpSNht+gbTMbDr2yuY=";
+    sha256 = "sha256-QD5V6Bz/wfbyNPoXizjhPGyHN7ieotsYbwLTz2ADfcY=";
   };
 
   vendorSha256 = "sha256-YjVAoMyGKMHLGEPeOOkCKCzeWFiUsXfJIKcw5GYoljg=";

pkgs/applications/networking/cluster/helm/plugins/helm-secrets.nix

@@ -2,13 +2,13 @@
 
 stdenv.mkDerivation rec {
   pname = "helm-secrets";
-  version = "3.6.1";
+  version = "3.7.0";
 
   src = fetchFromGitHub {
     owner = "jkroepke";
     repo = pname;
     rev = "v${version}";
-    hash = "sha256-RACETma0AaqaAfe0HWC541/i+knr+emMUauFWnkEuMI=";
+    hash = "sha256-AM+TLeSrXjn10DiQzXSqSwTqsc7CjTdnf6TWetden7g=";
   };
 
   nativeBuildInputs = [ makeWrapper ];

pkgs/applications/networking/instant-messengers/signal-desktop/default.nix

@@ -28,7 +28,7 @@ let
       else "");
 in stdenv.mkDerivation rec {
   pname = "signal-desktop";
-  version = "5.2.1"; # Please backport all updates to the stable channel.
+  version = "5.3.0"; # Please backport all updates to the stable channel.
   # All releases have a limited lifetime and "expire" 90 days after the release.
   # When releases "expire" the application becomes unusable until an update is
   # applied. The expiration date for the current release can be extracted with:
@@ -38,7 +38,7 @@ in stdenv.mkDerivation rec {
 
   src = fetchurl {
     url = "https://updates.signal.org/desktop/apt/pool/main/s/signal-desktop/signal-desktop_${version}_amd64.deb";
-    sha256 = "0hkl8h49565kncvczv5fv4gak55lycygwb8i8igkgc4my0ykzs2z";
+    sha256 = "15lclxw3njih90zlh2n90v8ljg0wnglw5w8jrpa7rbd789yagvq7";
   };
 
   nativeBuildInputs = [
@@ -137,7 +137,7 @@ in stdenv.mkDerivation rec {
       --replace /opt/Signal/signal-desktop $out/bin/signal-desktop
 
     autoPatchelf --no-recurse -- $out/lib/Signal/
-    patchelf --add-needed ${libpulseaudio}/lib/libpulse.so $out/lib/Signal/resources/app.asar.unpacked/node_modules/ringrtc/build/linux/libringrtc.node
+    patchelf --add-needed ${libpulseaudio}/lib/libpulse.so $out/lib/Signal/resources/app.asar.unpacked/node_modules/ringrtc/build/linux/libringrtc-x64.node
   '';
 
   postFixup = ''

pkgs/applications/science/logic/lean/default.nix

@@ -7,7 +7,11 @@ stdenv.mkDerivation rec {
   src = fetchFromGitHub {
     owner  = "leanprover-community";
     repo   = "lean";
-    rev    = "v${version}";
+    # lean's version string contains the commit sha1 it was built
+    # from. this is then used to check whether an olean file should be
+    # rebuilt. don't use a tag as rev because this will get replaced into
+    # src/githash.h.in in preConfigure.
+    rev    = "a5822ea47ebc52eec6323d8f1b60f6ec025daf99";
     sha256 = "sha256-gJhbkl19iilNyfCt2TfPmghYA3yCjg6kS+yk/x/k14Y=";
   };
 
@@ -20,6 +24,13 @@ stdenv.mkDerivation rec {
   # library.
   doCheck = true;
 
+  preConfigure = assert builtins.stringLength src.rev == 40; ''
+     substituteInPlace src/githash.h.in \
+       --subst-var-by GIT_SHA1 "${src.rev}"
+     substituteInPlace library/init/version.lean.in \
+       --subst-var-by GIT_SHA1 "${src.rev}"
+  '';
+
   postPatch = "patchShebangs .";
 
   postInstall = lib.optionalString stdenv.isDarwin ''

pkgs/development/python-modules/aioshelly/default.nix

@@ -7,13 +7,13 @@
 
 buildPythonPackage rec {
   pname = "aioshelly";
-  version = "0.6.3";
+  version = "0.6.4";
 
   src = fetchFromGitHub {
     owner = "home-assistant-libs";
     repo = pname;
     rev = version;
-    sha256 = "sha256-c4EFR7rcYdrCdM0AfmX/d7cP4woh6P1iAjeSQV9ieKM=";
+    sha256 = "sha256-QRCqkaKhPQQjNt9mw8nlTB5YKLmIZbXfrxarb3Ksr5k=";
   };
 
   propagatedBuildInputs = [

pkgs/development/python-modules/pyfritzhome/default.nix

@@ -9,14 +9,14 @@
 
 buildPythonPackage rec {
   pname = "pyfritzhome";
-  version = "0.6.0";
+  version = "0.6.1";
   disabled = pythonOlder "3.5";
 
   src = fetchFromGitHub {
     owner = "hthiery";
     repo = "python-fritzhome";
     rev = version;
-    sha256 = "1wzys84hxrjcg86fcn7f7i2i6979qwcpny2afk5rvwljh8f7bli5";
+    sha256 = "sha256-CEoXb7D/8Iksw4aJYNqANkmfhd0yxIIuabaTdWI3RNc=";
   };
 
   propagatedBuildInputs = [ requests ];

pkgs/development/python-modules/qcengine/default.nix

@@ -0,0 +1,37 @@
+{ buildPythonPackage, lib, fetchPypi, pyyaml, qcelemental, pydantic
+, py-cpuinfo, psutil, pytestrunner, pytest, pytestcov
+} :
+
+buildPythonPackage rec {
+  pname = "qcengine";
+  version = "0.19.0";
+
+  checkInputs = [
+    pytestrunner
+    pytestcov
+    pytest
+  ];
+
+  propagatedBuildInputs = [
+    pyyaml
+    qcelemental
+    pydantic
+    py-cpuinfo
+    psutil
+  ];
+
+  src = fetchPypi {
+    inherit pname version;
+    sha256 = "0lz9r0fh31mcixdhayiwfc69cp8if9b3nkrk7gxdrb6vhbfrxhij";
+  };
+
+  doCheck = true;
+
+  meta = with lib; {
+    description = "Quantum chemistry program executor and IO standardizer (QCSchema) for quantum chemistry";
+    homepage = "http://docs.qcarchive.molssi.org/projects/qcelemental/en/latest/";
+    license = licenses.bsd3;
+    platforms = [ "x86_64-linux" ];
+    maintainers = [ maintainers.sheepforce ];
+  };
+}

pkgs/development/tools/analysis/include-what-you-use/default.nix

@@ -3,15 +3,15 @@
 stdenv.mkDerivation rec {
   pname = "include-what-you-use";
   # Also bump llvmPackages in all-packages.nix to the supported version!
-  version = "0.14";
+  version = "0.16";
 
   src = fetchurl {
-    sha256 = "1vq0c8jqspvlss8hbazml44fi0mbslgnp2i9wcr0qrjpvfbl6623";
+    sha256 = "sha256-jW/JslU0O8Hl7EWeOVEt8dUcYOA1YpheAHYDYRn/Whw=";
     url = "${meta.homepage}/downloads/${pname}-${version}.src.tar.gz";
   };
 
-  nativeBuildInputs = with llvmPackages; [ cmake llvm.dev llvm clang-unwrapped python3];
-  buildInputs = [ llvmPackages.libclang ];
+  nativeBuildInputs = with llvmPackages; [ cmake llvm.dev llvm python3];
+  buildInputs = with llvmPackages; [ libclang clang-unwrapped ];
 
   cmakeFlags = [ "-DIWYU_LLVM_ROOT_PATH=${llvmPackages.clang-unwrapped}" ];
 

pkgs/development/tools/packet-cli/default.nix

@@ -2,16 +2,16 @@
 
 buildGoModule rec {
   pname = "packet-cli";
-  version = "0.3.0";
+  version = "0.5.0";
 
   src = fetchFromGitHub {
     owner = "packethost";
     repo = pname;
     rev = version;
-    sha256 = "sha256-P1Bn6vli0d/MroHUsioTWBrjWN+UZmSo3qmzo+fCDwM=";
+    sha256 = "0dlcx186l8kh6w3i4dvj7v90lhjkgvq1xkjb2vijy6399z41grw2";
   };
 
-  vendorSha256 = "sha256-PjKiUdhN87guPAa0loZrWYuwbl0HaspuIjmKgyq4Zp8=";
+  vendorSha256 = "1y1c369gsaf5crkdvv5g8d9p2g5602x2gcj8zy1q3wjx9lwhl0i6";
 
   postInstall = ''
     ln -s $out/bin/packet-cli $out/bin/packet
@@ -23,6 +23,6 @@ buildGoModule rec {
     description = "Official Packet CLI";
     homepage = "https://github.com/packethost/packet-cli";
     license = licenses.mit;
-    maintainers = with maintainers; [ Br1ght0ne ];
+    maintainers = with maintainers; [ Br1ght0ne nshalman ];
   };
 }

pkgs/misc/vim-plugins/vim-utils.nix

@@ -232,8 +232,7 @@ let
     let
       /* pathogen mostly can set &rtp at startup time. Its used very commonly.
       */
-      pathogenImpl = lib.optionalString (pathogen != null)
-      (let
+      pathogenImpl = let
         knownPlugins = pathogen.knownPlugins or vimPlugins;
 
         plugins = findDependenciesRecursively (map (pluginToDrv knownPlugins) pathogen.pluginNames);
@@ -244,15 +243,15 @@ let
         };
       in
       ''
-        let &rtp.=(empty(&rtp)?"":',')."${vimPlugins.pathogen.rtp}"
+        let &rtp.=(empty(&rtp)?"":',')."${vimPlugins.vim-pathogen.rtp}"
         execute pathogen#infect('${pluginsEnv}/{}')
 
         filetype indent plugin on | syn on
-      '');
+      '';
 
       /* vim-plug is an extremely popular vim plugin manager.
       */
-      plugImpl = lib.optionalString (plug != null)
+      plugImpl =
       (''
         source ${vimPlugins.vim-plug.rtp}/plug.vim
         call plug#begin('/dev/null')
@@ -340,10 +339,12 @@ let
 
       entries = [
         beforePlugins
-        vamImpl pathogenImpl plugImpl
+        vamImpl
         (nativeImpl packages)
         customRC
-      ];
+      ]
+      ++ lib.optional (pathogen != null) pathogenImpl
+      ++ lib.optional (plug != null) plugImpl;
 
     in
       lib.concatStringsSep "\n" (lib.filter (x: x != null && x != "") entries);

pkgs/servers/keycloak/default.nix

@@ -18,11 +18,11 @@ let
 in
 stdenv.mkDerivation rec {
   pname   = "keycloak";
-  version = "13.0.0";
+  version = "13.0.1";
 
   src = fetchzip {
     url    = "https://github.com/keycloak/keycloak/releases/download/${version}/keycloak-${version}.zip";
-    sha256 = "sha256-jpjAPldmJkyXGsokw9MO1u0VysYBXeQ8MamEPWvBGvs=";
+    sha256 = "sha256-81i8Yf9rEuHtUDqYThUCn0/Lb9YokRi4tGi/Ooyyxr8=";
   };
 
   nativeBuildInputs = [ makeWrapper ];

pkgs/test/vim/default.nix

@@ -1,14 +1,43 @@
-{ vimUtils, vim_configurable, neovim, vimPlugins
-, lib, fetchFromGitHub,
+{ vimUtils, vim_configurable, writeText, neovim, vimPlugins
+, lib, fetchFromGitHub, neovimUtils, wrapNeovimUnstable
+, neovim-unwrapped
 }:
 let
   inherit (vimUtils) buildVimPluginFrom2Nix;
 
   packages.myVimPackage.start = with vimPlugins; [ vim-nix ];
+
+  plugins = with vimPlugins; [
+    {
+      plugin = vim-obsession;
+      config = ''
+        map <Leader>$ <Cmd>Obsession<CR>
+      '';
+    }
+  ];
+
+  nvimConfNix = neovimUtils.makeNeovimConfig {
+    inherit plugins;
+    customRC = ''
+      " just a comment
+    '';
+  };
+
+  wrapNeovim = suffix: config:
+    wrapNeovimUnstable neovim-unwrapped (config // {
+      extraName = suffix;
+      wrapRc = true;
+    });
 in
 {
   vim_empty_config = vimUtils.vimrcFile { beforePlugins = ""; customRC = ""; };
 
+  ### neovim tests
+  ##################
+  nvim_with_plugins = wrapNeovim "-with-plugins" nvimConfNix;
+
+  ### vim tests
+  ##################
   vim_with_vim2nix = vim_configurable.customize {
     name = "vim"; vimrcConfig.vam.pluginDictionaries = [ "vim-addon-vim2nix" ];
   };

pkgs/tools/audio/abcmidi/default.nix

@@ -2,11 +2,11 @@
 
 stdenv.mkDerivation rec {
   pname = "abcMIDI";
-  version = "2021.05.19";
+  version = "2021.05.25";
 
   src = fetchzip {
     url = "https://ifdo.ca/~seymour/runabc/${pname}-${version}.zip";
-    sha256 = "sha256-QdzP9CJrENLVYnWFTvRqn6Jz95zD6JWIMpnCa34QGas=";
+    sha256 = "sha256-lgKrDR+2KRl6vvZJp2nmY493agQx+FoQ+/SNNV4lA/A=";
   };
 
   meta = with lib; {

pkgs/tools/games/amidst/default.nix

@@ -0,0 +1,34 @@
+{ lib
+, stdenv
+, fetchurl
+, makeWrapper
+, jre8 }: # TODO: Update this to the latest version of java upon the next release. This is currently not done because of https://github.com/toolbox4minecraft/amidst/issues/960
+
+stdenv.mkDerivation rec {
+  pname = "amidst";
+  version = "4.6";
+
+  src = fetchurl { # TODO: Compile from src
+    url = "https://github.com/toolbox4minecraft/amidst/releases/download/v${version}/amidst-v${lib.replaceStrings [ "." ] [ "-" ] version}.jar";
+    sha256 = "0nz6xfhshy36j8k81kqdfbbxih96l7f3s9156f9lmw0mi1qlyzqk";
+  };
+
+  dontUnpack = true;
+
+  nativeBuildInputs = [ jre8 makeWrapper ];
+
+  installPhase = ''
+    mkdir -p $out/{bin,lib/amidst}
+    cp $src $out/lib/amidst/amidst.jar
+    makeWrapper ${jre8}/bin/java $out/bin/amidst \
+      --add-flags "-jar $out/lib/amidst/amidst.jar"
+  '';
+
+  meta = with lib; {
+    homepage = "https://github.com/toolbox4minecraft/amidst";
+    description = "Advanced Minecraft Interface and Data/Structure Tracking";
+    license = licenses.gpl3Only;
+    maintainers = [ maintainers.ivar ];
+    platforms = platforms.linux;
+  };
+}

pkgs/tools/misc/cowsay/default.nix

@@ -1,34 +1,46 @@
-{ lib, stdenv, fetchurl, perl }:
+{ lib, stdenv, perl, installShellFiles, fetchFromGitHub }:
 
 stdenv.mkDerivation rec {
-  version = "3.03+dfsg2";
   pname = "cowsay";
+  version = "3.04";
 
-  src = fetchurl {
-    url = "http://http.debian.net/debian/pool/main/c/cowsay/cowsay_${version}.orig.tar.gz";
-    sha256 = "0ghqnkp8njc3wyqx4mlg0qv0v0pc996x2nbyhqhz66bbgmf9d29v";
+  src = fetchFromGitHub {
+    owner = "tnalpgge";
+    repo = "rank-amateur-cowsay";
+    rev = "cowsay-${version}";
+    sha256 = "sha256-9jCaQ6Um6Nl9j0/urrMCRcsGeubRN3VWD3jDM/AshRg=";
   };
 
   buildInputs = [ perl ];
 
-  postBuild = ''
+  nativeBuildInputs = [ installShellFiles ];
+
+  # overriding buildPhase because we don't want to use the install.sh script
+  buildPhase = ''
+    runHook preBuild;
     substituteInPlace cowsay --replace "%BANGPERL%" "!${perl}/bin/perl" \
       --replace "%PREFIX%" "$out"
+    runHook postBuild;
   '';
 
   installPhase = ''
-    mkdir -p $out/{bin,man/man1,share/cows}
-    install -m755 cowsay $out/bin/cowsay
-    ln -s cowsay $out/bin/cowthink
-    install -m644 cowsay.1 $out/man/man1/cowsay.1
-    ln -s cowsay.1 $out/man/man1/cowthink.1
-    install -m644 cows/* -t $out/share/cows/
+    runHook preInstall
+    install -Dm755 cowsay $out/bin/cowsay
+    ln -s $out/bin/cowsay $out/bin/cowthink
+
+    installManPage cowsay.1
+    ln -s $man/share/man/man1/cowsay.1.gz $man/share/man/man1/cowthink.1.gz
+
+    install -Dm644 cows/* -t $out/share/cows/
+    runHook postInstall
   '';
 
+  outputs = [ "out" "man" ];
+
   meta = with lib; {
     description = "A program which generates ASCII pictures of a cow with a message";
-    homepage = "https://en.wikipedia.org/wiki/Cowsay";
-    license = licenses.gpl1;
+    homepage = "https://github.com/tnalpgge/rank-amateur-cowsay";
+    license = licenses.gpl3Only;
     platforms = platforms.all;
     maintainers = [ maintainers.rob ];
   };

pkgs/tools/system/hwinfo/default.nix

@@ -2,13 +2,13 @@
 
 stdenv.mkDerivation rec {
   pname = "hwinfo";
-  version = "21.73";
+  version = "21.74";
 
   src = fetchFromGitHub {
     owner = "opensuse";
     repo = "hwinfo";
     rev = version;
-    sha256 = "sha256-u5EXU+BrTMeDbZAv8WyBTyFcZHdBIUMpJSLTYgf3Mo8=";
+    sha256 = "sha256-pPL/RYL8eVPuX71kT64p/ZkUE4uVFALMVj8mWZM3NuU=";
   };
 
   postPatch = ''

pkgs/top-level/all-packages.nix

@@ -850,6 +850,8 @@ in
 
   auditwheel = callPackage ../tools/package-management/auditwheel { };
 
+  amidst = callPackage ../tools/games/amidst { };
+
   gobgp = callPackage ../tools/networking/gobgp { };
 
   metapixel = callPackage ../tools/graphics/metapixel { };
@@ -13367,7 +13369,7 @@ in
   };
 
   include-what-you-use = callPackage ../development/tools/analysis/include-what-you-use {
-    llvmPackages = llvmPackages_10;
+    llvmPackages = llvmPackages_12;
   };
 
   indent = callPackage ../development/tools/misc/indent { };

pkgs/top-level/python-packages.nix

@@ -7013,6 +7013,8 @@ in {
 
   qcelemental = callPackage ../development/python-modules/qcelemental { };
 
+  qcengine = callPackage ../development/python-modules/qcengine { };
+
   qdarkstyle = callPackage ../development/python-modules/qdarkstyle { };
 
   qdldl = callPackage ../development/python-modules/qdldl { };