Merge remote-tracking branch 'origin/master' into staging-next

.github/CODEOWNERS

@@ -14,9 +14,10 @@
 # CI
 /.github/workflows @NixOS/Security @Mic92 @zowoq
 /.github/workflows/check-nix-format.yml @infinisil
-/ci @infinisil @NixOS/Security
+/.github/workflows/nixpkgs-vet.yml @infinisil @philiptaron
+/ci @infinisil @philiptaron @NixOS/Security
 
-# Develompent support
+# Development support
 /.editorconfig @Mic92 @zowoq
 /shell.nix @infinisil @NixOS/Security
 
@@ -43,6 +44,7 @@
 /pkgs/top-level/stage.nix                        @Ericson2314
 /pkgs/top-level/splice.nix                       @Ericson2314
 /pkgs/top-level/release-cross.nix                @Ericson2314
+/pkgs/top-level/by-name-overlay.nix              @infinisil @philiptaron
 /pkgs/stdenv                                     @philiptaron
 /pkgs/stdenv/generic                             @Ericson2314
 /pkgs/stdenv/generic/check-meta.nix              @Ericson2314
@@ -58,12 +60,6 @@
 /pkgs/pkgs-lib/formats/libconfig                 @h7x4
 /pkgs/pkgs-lib/formats/hocon                     @h7x4
 
-# pkgs/by-name
-/pkgs/test/check-by-name @infinisil
-/pkgs/by-name/README.md @infinisil
-/pkgs/top-level/by-name-overlay.nix @infinisil
-/.github/workflows/check-by-name.yml @infinisil
-
 # Nixpkgs build-support
 /pkgs/build-support/writers @lassulus @Profpatsch
 
@@ -91,6 +87,7 @@ nixos/modules/installer/tools/nix-fallback-paths.nix  @NixOS/nix-team @raitobeza
 /doc/README.md @infinisil
 /nixos/README.md @infinisil
 /pkgs/README.md @infinisil
+/pkgs/by-name/README.md @infinisil
 /maintainers/README.md @infinisil
 
 # User-facing development documentation

.github/workflows/check-nix-format.yml

@@ -7,7 +7,7 @@ name: Check that Nix files are formatted
 
 on:
   pull_request_target:
-    # See the comment at the same location in ./check-by-name.yml
+    # See the comment at the same location in ./nixpkgs-vet.yml
     types: [opened, synchronize, reopened, edited]
 permissions:
   contents: read

.github/workflows/check-by-name.yml → .github/workflows/nixpkgs-vet.yml

@@ -1,42 +1,32 @@
-# Checks pkgs/by-name (see pkgs/by-name/README.md)
-# using the nixpkgs-check-by-name tool (see https://github.com/NixOS/nixpkgs-check-by-name)
-#
-# When you make changes to this workflow, also update pkgs/test/check-by-name/run-local.sh adequately
-name: Check pkgs/by-name
+# `nixpkgs-vet` is a tool to vet Nixpkgs: its architecture, package structure, and more.
+# Among other checks, it makes sure that `pkgs/by-name` (see `../../pkgs/by-name/README.md`) follows the validity rules outlined in [RFC 140](https://github.com/NixOS/rfcs/pull/140).
+# When you make changes to this workflow, please also update `ci/nixpkgs-vet.sh` to reflect the impact of your work to the CI.
+# See https://github.com/NixOS/nixpkgs-vet for details on the tool and its checks.
+name: Vet nixpkgs
 
 on:
-  # Using pull_request_target instead of pull_request avoids having to approve first time contributors
+  # Using pull_request_target instead of pull_request avoids having to approve first time contributors.
   pull_request_target:
-    # This workflow depends on the base branch of the PR,
-    # but changing the base branch is not included in the default trigger events,
-    # which would be `opened`, `synchronize` or `reopened`.
-    # Instead it causes an `edited` event, so we need to add it explicitly here
-    # While `edited` is also triggered when the PR title/body is changed,
-    # this PR action is fairly quick, and PR's don't get edited that often,
-    # so it shouldn't be a problem
-    # There is a feature request for adding a `base_changed` event:
-    # https://github.com/orgs/community/discussions/35058
+    # This workflow depends on the base branch of the PR, but changing the base branch is not included in the default trigger events, which would be `opened`, `synchronize` or `reopened`.
+    # Instead it causes an `edited` event, so we need to add it explicitly here.
+    # While `edited` is also triggered when the PR title/body is changed, this PR action is fairly quick, and PRs don't get edited **that** often, so it shouldn't be a problem.
+    # There is a feature request for adding a `base_changed` event: https://github.com/orgs/community/discussions/35058
     types: [opened, synchronize, reopened, edited]
 
 permissions: {}
 
-# We don't use a concurrency group here, because the action is triggered quite often (due to the PR edit
-# trigger), and contributers would get notified on any canceled run.
-# There is a feature request for supressing notifications on concurrency-canceled runs:
-# https://github.com/orgs/community/discussions/13015
+# We don't use a concurrency group here, because the action is triggered quite often (due to the PR edit trigger), and contributors would get notified on any canceled run.
+# There is a feature request for suppressing notifications on concurrency-canceled runs: https://github.com/orgs/community/discussions/13015
 
 jobs:
   check:
-    name: pkgs-by-name-check
-    # This needs to be x86_64-linux, because we depend on the tooling being pre-built in the GitHub releases
+    name: nixpkgs-vet
+    # This needs to be x86_64-linux, because we depend on the tooling being pre-built in the GitHub releases.
     runs-on: ubuntu-latest
-    # This should take 1 minute at most, but let's be generous.
-    # The default of 6 hours is definitely too long
+    # This should take 1 minute at most, but let's be generous. The default of 6 hours is definitely too long.
     timeout-minutes: 10
     steps:
-      # This step has to be in this file,
-      # because it's needed to determine which revision of the repository to fetch,
-      # and we can only use other files from the repository once it's fetched.
+      # This step has to be in this file, because it's needed to determine which revision of the repository to fetch, and we can only use other files from the repository once it's fetched.
       - name: Resolving the merge commit
         env:
           GH_TOKEN: ${{ github.token }}
@@ -99,27 +89,28 @@ jobs:
         if: env.mergedSha
       - name: Fetching the pinned tool
         if: env.mergedSha
-        # Update the pinned version using pkgs/test/check-by-name/update-pinned-tool.sh
+        # Update the pinned version using ci/nixpkgs-vet/update-pinned-tool.sh
         run: |
-          # The pinned version of the tooling to use
-          toolVersion=$(<pkgs/test/check-by-name/pinned-version.txt)
-          # Fetch the x86_64-linux-specific release artifact containing the Gzipped NAR of the pre-built tool
-          toolPath=$(curl -sSfL https://github.com/NixOS/nixpkgs-check-by-name/releases/download/"$toolVersion"/x86_64-linux.nar.gz \
+          # The pinned version of the tooling to use.
+          toolVersion=$(<ci/nixpkgs-vet/pinned-version.txt)
+
+          # Fetch the x86_64-linux-specific release artifact containing the gzipped NAR of the pre-built tool.
+          toolPath=$(curl -sSfL https://github.com/NixOS/nixpkgs-vet/releases/download/"$toolVersion"/x86_64-linux.nar.gz \
             | gzip -cd | nix-store --import | tail -1)
-          # Adds a result symlink as a GC root
+
+          # Adds a result symlink as a GC root.
           nix-store --realise "$toolPath" --add-root result
-      - name: Running nixpkgs-check-by-name
+      - name: Running nixpkgs-vet
         if: env.mergedSha
         env:
-          # Force terminal colors to be enabled. The library that
-          # nixpkgs-check-by-name uses respects: https://bixense.com/clicolors/
+          # Force terminal colors to be enabled. The library that `nixpkgs-vet` uses respects https://bixense.com/clicolors/
           CLICOLOR_FORCE: 1
         run: |
-          if result/bin/nixpkgs-check-by-name --base "$base" .; then
+          if result/bin/nixpkgs-vet --base "$base" .; then
             exit 0
           else
             exitCode=$?
-            echo "To run locally: ./maintainers/scripts/check-by-name.sh $GITHUB_BASE_REF https://github.com/$GITHUB_REPOSITORY.git"
-            echo "If you're having trouble, ping @NixOS/nixpkgs-check-by-name"
+            echo "To run locally: ./ci/nixpkgs-vet.sh $GITHUB_BASE_REF https://github.com/$GITHUB_REPOSITORY.git"
+            echo "If you're having trouble, ping @NixOS/nixpkgs-vet"
             exit "$exitCode"
           fi

ci/README.md

@@ -1,7 +1,7 @@
 # CI support files
 
 This directory contains files to support CI, such as [GitHub Actions](https://github.com/NixOS/nixpkgs/tree/master/.github/workflows) and [Ofborg](https://github.com/nixos/ofborg).
-This is in contrast with [`maintainers/scripts`](`../maintainers/scripts`) which is for human use instead.
+This is in contrast with [`maintainers/scripts`](../maintainers/scripts) which is for human use instead.
 
 ## Pinned Nixpkgs
 
@@ -10,3 +10,34 @@ In order to ensure that the needed packages are generally available without buil
 [`pinned-nixpkgs.json`](./pinned-nixpkgs.json) contains a pinned Nixpkgs version tested by Hydra.
 
 Run [`update-pinned-nixpkgs.sh`](./update-pinned-nixpkgs.sh) to update it.
+
+## `ci/nixpkgs-vet.sh BASE_BRANCH [REPOSITORY]`
+
+Runs the [`nixpkgs-vet` tool](https://github.com/NixOS/nixpkgs-vet) on the HEAD commit, closely matching what CI does. This can't do exactly the same as CI, because CI needs to rely on GitHub's server-side Git history to compute the mergeability of PRs before the check can be started.
+In turn, when contributors are running this tool locally, we don't want to have to push commits to test them, and we can also rely on the local Git history to do the mergeability check.
+
+Arguments:
+
+- `BASE_BRANCH`: The base branch to use, e.g. master or release-24.05
+- `REPOSITORY`: The repository from which to fetch the base branch. Defaults to <https://github.com/NixOS/nixpkgs.git>.
+
+## `ci/nixpkgs-vet`
+
+This directory contains scripts and files used and related to [`nixpkgs-vet`](https://github.com/NixOS/nixpkgs-vet/), which the CI uses to implement `pkgs/by-name` checks, along with many other Nixpkgs architecture rules.
+See also the [CI GitHub Action](../.github/workflows/nixpkgs-vet.yml).
+
+## `ci/nixpkgs-vet/update-pinned-tool.sh`
+
+Updates the pinned [`nixpkgs-vet` tool](https://github.com/NixOS/nixpkgs-vet) in [`ci/nixpkgs-vet/pinned-version.txt`](./nixpkgs-vet/pinned-version.txt) to the latest [release](https://github.com/NixOS/nixpkgs-vet/releases).
+
+Each release contains a pre-built `x86_64-linux` version of the tool which is used by CI.
+
+This script currently needs to be called manually when the CI tooling needs to be updated.
+
+Why not just build the tooling right from the PRs Nixpkgs version?
+
+- Because it allows CI to check all PRs, even if they would break the CI tooling.
+- Because it makes the CI check very fast, since no Nix builds need to be done, even for mass rebuilds.
+- Because it improves security, since we don't have to build potentially untrusted code from PRs.
+  The tool only needs a very minimal Nix evaluation at runtime, which can work with [readonly-mode](https://nixos.org/manual/nix/stable/command-ref/opt-common.html#opt-readonly-mode) and [restrict-eval](https://nixos.org/manual/nix/stable/command-ref/conf-file.html#conf-restrict-eval).
+

pkgs/test/check-by-name/run-local.sh → ci/nixpkgs-vet.sh

@@ -61,13 +61,11 @@ trace "Done"
 trace -n "Merging base branch into the HEAD commit in $tmp/merged.. "
 git -C "$tmp/merged" merge -q --no-edit "$baseSha"
 trace -e "\e[34m$(git -C "$tmp/merged" rev-parse HEAD)\e[0m"
-
-trace -n "Reading pinned nixpkgs-check-by-name version from pinned-version.txt.. "
-toolVersion=$(<"$tmp/merged/pkgs/test/check-by-name/pinned-version.txt")
+trace -n "Reading pinned nixpkgs-vet version from pinned-version.txt.. "
+toolVersion=$(<"$tmp/merged/ci/nixpkgs-vet/pinned-version.txt")
 trace -e "\e[34m$toolVersion\e[0m"
 
 trace -n "Building tool.. "
-nix-build https://github.com/NixOS/nixpkgs-check-by-name/tarball/"$toolVersion" -o "$tmp/tool" -A build
-
-trace "Running nixpkgs-check-by-name.."
-"$tmp/tool/bin/nixpkgs-check-by-name" --base "$tmp/base" "$tmp/merged"
+nix-build https://github.com/NixOS/nixpkgs-vet/tarball/"$toolVersion" -o "$tmp/tool" -A build
+trace "Running nixpkgs-vet.."
+"$tmp/tool/bin/nixpkgs-vet" --base "$tmp/base" "$tmp/merged"

ci/nixpkgs-vet/pinned-version.txt

@@ -0,0 +1 @@
+0.1.4

pkgs/test/check-by-name/update-pinned-tool.sh → ci/nixpkgs-vet/update-pinned-tool.sh

@@ -7,7 +7,7 @@ trace() { echo >&2 "$@"; }
 
 SCRIPT_DIR=$( cd -- "$( dirname -- "${BASH_SOURCE[0]}" )" &> /dev/null && pwd )
 
-repository=NixOS/nixpkgs-check-by-name
+repository=NixOS/nixpkgs-vet
 pin_file=$SCRIPT_DIR/pinned-version.txt
 
 trace -n "Fetching latest release of $repository.. "

doc/README.md

@@ -285,7 +285,7 @@ You, as the writer of documentation, are still in charge of its content.
   - _optional_ attributes have a _`Default:`_ if it's easily described as a value.
   - _optional_ attributes have a _`Default behavior:`_ if it's not easily described using a value.
   - Nix types aren't in code spans, because they are not code
-  - Nix types are capitalized, to distinguish them from the camelCase [Module System](#module-system) types, which _are_ code and behave like functions.
+  - Nix types are capitalized, to distinguish them from the camelCase Module System types, which _are_ code and behave like functions.
 
 #### Examples
 

lib/licenses.nix

@@ -721,10 +721,9 @@ lib.mapAttrs mkLicense ({
     fullName = "ISC License";
   };
 
-  # Proprietary binaries; free to redistribute without modification.
   databricks = {
-    fullName = "Databricks Proprietary License";
-    url = "https://pypi.org/project/databricks-connect";
+    fullName = "Databricks License";
+    url = "https://www.databricks.com/legal/db-license";
     free = false;
   };
 

maintainers/maintainer-list.nix

@@ -2255,6 +2255,12 @@
     githubId = 80325;
     name = "Benjamin Andresen";
   };
+  banh-canh = {
+    email = "vhvictorhang@gmail.com";
+    github = "Banh-Canh";
+    githubId = 66330398;
+    name = "Victor Hang";
+  };
   barab-i = {
     email = "barab_i@outlook.com";
     github = "barab-i";

maintainers/scripts/README.md

@@ -9,10 +9,6 @@ What follows is a (very incomplete) overview of available scripts.
 
 ## Metadata
 
-### `check-by-name.sh`
-
-An alias for `pkgs/test/check-by-name/run-local.sh`, see [documentation](../../pkgs/test/check-by-name/README.md).
-
 ### `get-maintainer.sh`
 
 `get-maintainer.sh [selector] value` returns a JSON object describing

maintainers/scripts/check-by-name.sh

@@ -1 +1 @@
-../../pkgs/test/check-by-name/run-local.sh
+../../ci/nixpkgs-vet.sh

nixos/doc/manual/release-notes/rl-2411.section.md

@@ -171,6 +171,9 @@
   Processes also now run as a dynamically allocated user by default instead of
   root.
 
+- The `mautrix-signal` module was adapted to incorporate the configuration rearrangement that resulted from the update to the mautrix bridgev2 architecture. Pre-0.7.0 configurations should continue to work.
+  In case you want to update your configuration make sure to check the NixOS manual.
+
 - The nvidia driver no longer defaults to the proprietary driver starting with version 560. You will need to manually set `hardware.nvidia.open` to select the proprietary or open driver.
 
 - `singularity-tools` have the `storeDir` argument removed from its override interface and use `builtins.storeDir` instead.
@@ -456,6 +459,8 @@
 
 - `xxd` is now provided by the `tinyxxd` package, rather than `vim.xxd`, to reduce closure size and vulnerability impact. Since it has the same options and semantics as Vim's `xxd` utility, there is no user impact. Vim's `xxd` remains available as the `vim.xxd` package.
 
+- `prometheus-openldap-exporter` was removed since it was unmaintained upstream and had no nixpkgs maintainers.
+
 - `restic` module now has an option for inhibiting system sleep while backups are running, defaulting to off (not inhibiting sleep), available as [`services.restic.backups.<name>.inhibitsSleep`](#opt-services.restic.backups._name_.inhibitsSleep).
 
 - Support for *runner registration tokens* has been [deprecated](https://gitlab.com/gitlab-org/gitlab/-/issues/380872)

nixos/modules/programs/foot/bashrc

@@ -12,16 +12,16 @@ osc7_cwd() {
     done
     printf '\e]7;file://%s%s\e\\' "${HOSTNAME}" "${encoded}"
 }
-PROMPT_COMMAND=${PROMPT_COMMAND:+$PROMPT_COMMAND; }osc7_cwd
+PROMPT_COMMAND=${PROMPT_COMMAND:+${PROMPT_COMMAND%;}; }osc7_cwd
 
 prompt_marker() {
     printf '\e]133;A\e\\'
 }
-PROMPT_COMMAND=${PROMPT_COMMAND:+$PROMPT_COMMAND; }prompt_marker
+PROMPT_COMMAND=${PROMPT_COMMAND:+${PROMPT_COMMAND%;}; }prompt_marker
 
 PS0+='\e]133;C\e\\'
 
 command_done() {
     printf '\e]133;D\e\\'
 }
-PROMPT_COMMAND=${PROMPT_COMMAND:+$PROMPT_COMMAND; }command_done
+PROMPT_COMMAND=${PROMPT_COMMAND:+${PROMPT_COMMAND%;}; }command_done

nixos/modules/programs/mouse-actions.nix

@@ -3,13 +3,39 @@
 let
   cfg = config.programs.mouse-actions;
 in
-  {
-    options.programs.mouse-actions = {
-      enable = lib.mkEnableOption ''
-        mouse-actions udev rules. This is a prerequisite for using mouse-actions without being root
+{
+  options.programs.mouse-actions = {
+    enable = lib.mkEnableOption "" // {
+      description = ''
+        Whether to install and set up mouse-actions and it's udev rules.
+
+        Note that only users in the "uinput" group will be able to use the package
+      '';
+    };
+    package = lib.mkPackageOption pkgs "mouse-actions" {
+      example = "mouse-actions-gui";
+    };
+    autorun = lib.mkOption {
+      type = lib.types.bool;
+      default = false;
+      description = ''
+        Whether to start a user service to run mouse-actions on startup.
       '';
     };
-    config = lib.mkIf cfg.enable {
-      services.udev.packages = [ pkgs.mouse-actions ];
+  };
+  config = lib.mkIf cfg.enable {
+    environment.systemPackages = [ cfg.package ];
+    services.udev.packages = [ cfg.package ];
+    systemd.user.services.mouse-actions =  lib.mkIf cfg.autorun {
+      description = "mouse-actions launcher";
+      wantedBy = [ "graphical-session.target" ];
+      bindsTo = [ "graphical-session.target" ];
+      after = [ "graphical-session.target" ];
+      environment.PATH = lib.mkForce null; # don't use the default PATH provided by NixOS
+      serviceConfig = {
+        ExecStart = "${lib.getExe cfg.package} start";
+        PassEnvironment = "PATH"; # inherit PATH from user environment
+      };
     };
-  }
+  };
+}

nixos/modules/services/games/factorio.nix

@@ -275,7 +275,7 @@ in
           "--create=${mkSavePath cfg.saveName}"
           (lib.optionalString (cfg.mods != []) "--mod-directory=${modDir}")
         ])
-        + (lib.optionalString (cfg.extraSettingsFile != null) ("\necho ${lib.strings.lib.escapeShellArg serverSettingsString}"
+        + (lib.optionalString (cfg.extraSettingsFile != null) ("\necho ${lib.strings.escapeShellArg serverSettingsString}"
           + " \"$(cat ${cfg.extraSettingsFile})\" | ${lib.getExe pkgs.jq} -s add"
           + " > ${stateDir}/server-settings.json"));
 

nixos/modules/services/hardware/thinkfan.nix

@@ -12,7 +12,7 @@ let
       tuple = ts: lib.mkOptionType {
         name = "tuple";
         merge = lib.mergeOneOption;
-        check = xs: lib.all lib.id (zipListsWith (t: x: t.check x) ts xs);
+        check = xs: lib.all lib.id (lib.zipListsWith (t: x: t.check x) ts xs);
         description = "tuple of" + lib.concatMapStrings (t: " (${t.description})") ts;
       };
       level = ints.unsigned;