Unverified Commit 38bc2a57 authored by github-actions[bot]'s avatar github-actions[bot] Committed by GitHub

Merge master into staging-next

parents 6a9ebf2f fe3d292f
+1 −1
@@ -275,7 +275,7 @@ pullImage {
`nix-prefetch-docker` command can be used to get required image parameters:

```ShellSession
$ nix run nixpkgs.nix-prefetch-docker -c nix-prefetch-docker --image-name mysql --image-tag 5
$ nix run nixpkgs#nix-prefetch-docker -- --image-name mysql --image-tag 5
```

Since a given `imageName` may transparently refer to a manifest list of images which support multiple architectures and/or operating systems, you can supply the `--os` and `--arch` arguments to specify exactly which image you want. By default it will match the OS and architecture of the host the command is run on.
+2 −0
@@ -104,6 +104,8 @@

- hardware/infiniband.nix adds infiniband subnet manager support using an [opensm](https://github.com/linux-rdma/opensm) systemd-template service, instantiated on card guids. The module also adds kernel modules and cli tooling to help administrators debug and measure performance. Available as [hardware.infiniband.enable](#opt-hardware.infiniband.enable).

- [zwave-js](https://github.com/zwave-js/zwave-js-server), a small server wrapper around Z-Wave JS to access it via a WebSocket. Available as [services.zwave-js](#opt-services.zwave-js.enable).

- [Honk](https://humungus.tedunangst.com/r/honk), a complete ActivityPub server with minimal setup and support costs.
  Available as [services.honk](#opt-services.honk.enable).

+1 −0
@@ -564,6 +564,7 @@
  ./services/home-automation/home-assistant.nix
  ./services/home-automation/homeassistant-satellite.nix
  ./services/home-automation/zigbee2mqtt.nix
  ./services/home-automation/zwave-js.nix
  ./services/logging/SystemdJournal2Gelf.nix
  ./services/logging/awstats.nix
  ./services/logging/filebeat.nix
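--- /dev/null
+++ b/services/home-automation/zwave-js.nix
@@ -0,0 +1,152 @@
+{config, pkgs, lib, ...}:
+
+with lib;
+
+let
+  cfg = config.services.zwave-js;
+  mergedConfigFile = "/run/zwave-js/config.json";
+  settingsFormat = pkgs.formats.json {};
+in {
+  options.services.zwave-js = {
+    enable = mkEnableOption (mdDoc "the zwave-js server on boot");
+
+    package = mkPackageOptionMD pkgs "zwave-js-server" { };
+
+    port = mkOption {
+      type = types.port;
+      default = 3000;
+      description = mdDoc ''
+        Port for the server to listen on.
+      '';
+    };
+
+    serialPort = mkOption {
+      type = types.path;
+      description = mdDoc ''
+        Serial port device path for Z-Wave controller.
+      '';
+      example = "/dev/ttyUSB0";
+    };
+
+    secretsConfigFile = mkOption {
+      type = types.path;
+      description = mdDoc ''
+        JSON file containing secret keys. A dummy example:
+
+        ```
+        {
+          "securityKeys": {
+            "S0_Legacy": "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA",
+            "S2_Unauthenticated": "BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB",
+            "S2_Authenticated": "CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC",
+            "S2_AccessControl": "DDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDD"
+          }
+        }
+        ```
+
+        See
+        <https://zwave-js.github.io/node-zwave-js/#/getting-started/security-s2>
+        for details. This file will be merged with the module-generated config
+        file (taking precedence).
+
+        Z-Wave keys can be generated with:
+
+          {command}`< /dev/urandom tr -dc A-F0-9 | head -c32 ;echo`
+
+
+        ::: {.warning}
+        A file in the nix store should not be used since it will be readable to
+        all users.
+        :::
+      '';
+      example = "/secrets/zwave-js-keys.json";
+    };
+
+    settings = mkOption {
+      type = lib.types.submodule {
+        freeformType = settingsFormat.type;
+
+        options = {
+          storage = {
+            cacheDir = mkOption {
+              type = types.path;
+              default = "/var/cache/zwave-js";
+              readOnly = true;
+              description = lib.mdDoc "Cache directory";
+            };
+          };
+        };
+      };
+      default = {};
+      description = mdDoc ''
+        Configuration settings for the generated config
+        file.
+      '';
+    };
+
+    extraFlags = lib.mkOption {
+      type = with lib.types; listOf str;
+      default = [ ];
+      example = [ "--mock-driver" ];
+      description = lib.mdDoc ''
+        Extra flags to pass to command
+      '';
+    };
+  };
+
+  config = mkIf cfg.enable {
+    systemd.services.zwave-js = let
+      configFile = settingsFormat.generate "zwave-js-config.json" cfg.settings;
+    in {
+      wantedBy = [ "multi-user.target" ];
+      after = [ "network.target" ];
+      description = "Z-Wave JS Server";
+      serviceConfig = {
+        ExecStartPre = ''
+          /bin/sh -c "${pkgs.jq}/bin/jq -s '.[0] * .[1]' ${configFile} ${cfg.secretsConfigFile} > ${mergedConfigFile}"
+        '';
+        ExecStart = lib.concatStringsSep " " [
+          "${cfg.package}/bin/zwave-server"
+          "--config ${mergedConfigFile}"
+          "--port ${toString cfg.port}"
+          cfg.serialPort
+          (escapeShellArgs cfg.extraFlags)
+        ];
+        Restart = "on-failure";
+        User = "zwave-js";
+        SupplementaryGroups = [ "dialout" ];
+        CacheDirectory = "zwave-js";
+        RuntimeDirectory = "zwave-js";
+
+        # Hardening
+        CapabilityBoundingSet = "";
+        DeviceAllow = [cfg.serialPort];
+        DevicePolicy = "closed";
+        DynamicUser = true;
+        LockPersonality = true;
+        MemoryDenyWriteExecute = false;
+        NoNewPrivileges = true;
+        PrivateUsers = true;
+        PrivateTmp = true;
+        ProtectClock = true;
+        ProtectControlGroups = true;
+        ProtectHome = true;
+        ProtectHostname = true;
+        ProtectKernelLogs = true;
+        ProtectKernelModules = true;
+        RemoveIPC = true;
+        RestrictNamespaces = true;
+        RestrictRealtime = true;
+        RestrictSUIDSGID = true;
+        SystemCallArchitectures = "native";
+        SystemCallFilter = [
+          "@system-service @pkey"
+          "~@privileged @resources"
+        ];
+        UMask = "0077";
+      };
+    };
+  };
+
+  meta.maintainers = with lib.maintainers; [ graham33 ];
+}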
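Review bot: The secrets file is opened directly by the unit's own process in ExecStartPre (the jq line that reads `${cfg.secretsConfigFile}`), and with `DynamicUser = true` that means the file on disk has to be readable by whatever UID systemd allocates at start — which in practice pushes users toward loosening its permissions, the very thing the option's warning tries to prevent. Declaring `LoadCredential = [ "secrets.json:${cfg.secretsConfigFile}" ];` and pointing jq at `$CREDENTIALS_DIRECTORY/secrets.json` should let systemd read the file with its own privileges and expose it only to this unit, without changing the option interface; worth confirming that the credential is visible from ExecStartPre on the systemd version nixpkgs ships. The same jq line also splices the path into `/bin/sh -c` unquoted, and `cfg.serialPort` is joined into ExecStart unquoted while `extraFlags` goes through `escapeShellArgs`; wrapping both in `escapeShellArg` would make the two command lines consistent and tolerant of unusual paths.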
+13 −15
@@ -493,6 +493,8 @@ in
    services.phpfpm.pools.mediawiki = {
      inherit user group;
      phpEnv.MEDIAWIKI_CONFIG = "${mediawikiConfig}";
      # https://www.mediawiki.org/wiki/Compatibility
      phpPackage = pkgs.php81;
      settings = (if (cfg.webserver == "apache") then {
        "listen.owner" = config.services.httpd.user;
        "listen.group" = config.services.httpd.group;
@@ -552,24 +554,20 @@ in
            deny all;
          '';
          # MediaWiki assets (usually images)
          "~ ^/w/resources/(assets|lib|src)" = {
            tryFiles = "$uri =404";
            extraConfig = ''
          "~ ^/w/resources/(assets|lib|src)".extraConfig = ''
            rewrite ^/w(/.*) $1 break;
            add_header Cache-Control "public";
            expires 7d;
          '';
          };
          # Assets, scripts and styles from skins and extensions
          "~ ^/w/(skins|extensions)/.+\\.(css|js|gif|jpg|jpeg|png|svg|wasm|ttf|woff|woff2)$" = {
            tryFiles = "$uri =404";
            extraConfig = ''
          "~ ^/w/(skins|extensions)/.+\\.(css|js|gif|jpg|jpeg|png|svg|wasm|ttf|woff|woff2)$".extraConfig = ''
            rewrite ^/w(/.*) $1 break;
            add_header Cache-Control "public";
            expires 7d;
          '';
          };

          # Handling for Mediawiki REST API, see [[mw:API:REST_API]]
          "/w/rest.php".tryFiles = "$uri $uri/ /rest.php?$query_string";
          "/w/rest.php/".tryFiles = "$uri $uri/ /w/rest.php?$query_string";

          # Handling for the article path (pretty URLs)
          "/wiki/".extraConfig = ''