Unverified Commit 0c34dab0 authored by github-actions[bot]'s avatar github-actions[bot] Committed by GitHub

Merge master into staging-next

parents 1c4183d8 9ef114e1
+12 −0
@@ -6622,6 +6622,12 @@
    githubId = 4656860;
    name = "Gaute Ravndal";
  };
  gray-heron = {
    email = "ave+nix@cezar.info";
    github = "gray-heron";
    githubId = 7032646;
    name = "Cezary Siwek";
  };
  graysonhead = {
    email = "grayson@graysonhead.net";
    github = "graysonhead";
@@ -18004,6 +18010,12 @@
    githubId = 15064765;
    name = "tshaynik";
  };
  tsowell = {
    email = "tom@ldtlb.com";
    github = "tsowell";
    githubId = 4044033;
    name = "Thomas Sowell";
  };
  ttuegel = {
    email = "ttuegel@mailbox.org";
    github = "ttuegel";
+2 −0
@@ -402,6 +402,8 @@ The module update takes care of the new config syntax and the data itself (user

- Suricata was upgraded from 6.0 to 7.0 and no longer considers HTTP/2 support as experimental, see [upstream release notes](https://forum.suricata.io/t/suricata-7-0-0-released/3715) for more details.

- Cloud support in the `netdata` package is now disabled by default. To enable it use the `netdataCloud` package.

- `networking.nftables` now has the option `networking.nftables.table.<table>` to create tables
  and have them be updated atomically, instead of flushing the ruleset.

+11 −14
@@ -220,23 +220,20 @@ in

  config = mkIf cfg.enable {
    environment.systemPackages = [
      (cfg.package.override {
      (cfg.package.override (old: {
        extraPrefs = cfg.autoConfig;
        extraNativeMessagingHosts = with pkgs; optionals nmh.ff2mpv [
          ff2mpv
        ] ++ optionals nmh.euwebid [
          web-eid-app
        ] ++ optionals nmh.gsconnect [
          gnomeExtensions.gsconnect
        ] ++ optionals nmh.jabref [
          jabref
        ] ++ optionals nmh.passff [
          passff-host
        ];
        extraNativeMessagingHosts =
          old.extraNativeMessagingHosts or []
          ++ optional nmh.ff2mpv ff2mpv
          ++ optional nmh.euwebid web-eid-app
          ++ optional nmh.gsconnect gnomeExtensions.gsconnect
          ++ optional nmh.jabref jabref
          ++ optional nmh.passff passff-host;
        cfg = let
          # copy-pasted from the wrapper; TODO: figure out fix
          applicationName = cfg.package.binaryName or (lib.getName cfg.package);

          oldCfg = old.cfg or {};
          nixpkgsConfig = pkgs.config.${applicationName} or {};
          optionConfig = cfg.wrapperConfig;
          nmhConfig = {
@@ -246,8 +243,8 @@ in
            enableUgetIntegrator = nmh.ugetIntegrator;
            enableFXCastBridge = nmh.fxCast;
          };
        in nixpkgsConfig // optionConfig // nmhConfig;
      })
        in oldCfg // nixpkgsConfig // optionConfig // nmhConfig;
      }))
    ];

    environment.etc =
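Review bot: The override now preserves a prior override's `extraNativeMessagingHosts` and `cfg` (through `old.extraNativeMessagingHosts or []` and `oldCfg = old.cfg or {}`), but `extraPrefs = cfg.autoConfig;` on the unchanged line just above still replaces whatever an earlier override set, so the three attributes compose inconsistently. If `extraPrefs` is the wrapper's string argument, `extraPrefs = (old.extraPrefs or "") + cfg.autoConfig;` would make it merge the same way; if the module is meant to own `extraPrefs` outright, a one-line comment saying so would settle it. The carried-over `# copy-pasted from the wrapper; TODO: figure out fix` comment still marks an open issue and could at least name which wrapper expression is duplicated. The enclosing `config = mkIf cfg.enable { … }` set begins in the hunk and ends outside it.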
+17 −5
@@ -187,29 +187,41 @@ in
            Group = "asf";
            WorkingDirectory = cfg.dataDir;
            Type = "simple";
            ExecStart = "${cfg.package}/bin/ArchiSteamFarm --path ${cfg.dataDir} --process-required --no-restart --service --no-config-migrate";
            ExecStart = "${lib.getExe cfg.package} --no-restart --process-required --service --system-required --path ${cfg.dataDir}";
            Restart = "always";

            # mostly copied from the default systemd service
            PrivateTmp = true;
            # copied from the default systemd service at
            # https://github.com/JustArchiNET/ArchiSteamFarm/blob/main/ArchiSteamFarm/overlay/variant-base/linux/ArchiSteamFarm%40.service
            CapabilityBoundingSet = "";
            DevicePolicy = "closed";
            LockPersonality = true;
            NoNewPrivileges = true;
            PrivateDevices = true;
            PrivateIPC = true;
            PrivateMounts = true;
            PrivateTmp = true; # instead of rw /tmp
            PrivateUsers = true;
            ProcSubset = "pid";
            ProtectClock = true;
            ProtectControlGroups = true;
            ProtectHome = true;
            ProtectHostname = true;
            ProtectKernelLogs = true;
            ProtectKernelModules = true;
            ProtectKernelTunables = true;
            ProtectProc = "invisible";
            ProtectSystem = "full";
            ProtectSystem = "strict";
            RemoveIPC = true;
            RestrictAddressFamilies = "AF_INET AF_INET6";
            RestrictAddressFamilies = "AF_INET AF_INET6 AF_NETLINK AF_UNIX";
            RestrictNamespaces = true;
            RestrictRealtime = true;
            RestrictSUIDSGID = true;
            SystemCallArchitectures = "native";
            UMask = "0077";

            # we luckily already have systemd v247+
            SecureBits = "noroot-locked";
            SystemCallFilter = [ "@system-service" "~@privileged" ];
          }
        ];

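Review bot: `ProtectSystem = "strict"` on the new side makes the whole file system hierarchy read-only except /dev, /proc and /sys, yet nothing in this hunk grants write access back to `cfg.dataDir`, which the same unit uses as `WorkingDirectory` and passes via `--path`; unless a `ReadWritePaths`, `StateDirectory` or `BindPaths` entry exists outside the hunk, the service will fail on its first write to the data directory. Adding `ReadWritePaths = [ cfg.dataDir ];` beside `ProtectSystem` makes that dependency explicit either way. The widened `RestrictAddressFamilies = "AF_INET AF_INET6 AF_NETLINK AF_UNIX"` is presumably required by the runtime, but a short comment stating why AF_NETLINK and AF_UNIX are needed would keep a later hardening pass from removing them again. The `serviceConfig` attribute set starts before the hunk.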
+1 −1
@@ -358,7 +358,7 @@ in {
    ++ lib.optional (cfg.enableTpm2 && !(pkgs.stdenv.hostPlatform.isRiscV64 || pkgs.stdenv.hostPlatform.isArmv7)) "tpm-crb";

    boot.initrd.systemd = {
      initrdBin = [pkgs.bash pkgs.coreutils cfg.package.kmod cfg.package] ++ config.system.fsPackages;
      initrdBin = [pkgs.bash pkgs.coreutils cfg.package.kmod cfg.package];
      extraBin = {
        less = "${pkgs.less}/bin/less";
        mount = "${cfg.package.util-linux}/bin/mount";
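Review bot: Dropping `config.system.fsPackages` from `initrdBin` removes the file-system mount/check tools from stage 1 for every configuration, and nothing in the hunk records where they are now expected to come from; if another module adds them to the initrd, a comment on the new line such as `# fsPackages are added to the initrd by the file-system modules themselves` would document that, and if not, this is a boot regression for systemd-based initrd setups. The enclosing `boot.initrd.systemd = { … }` set begins in the hunk and continues past it.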