Commit 5e811b3a authored by maralorn's avatar maralorn

Merge branch 'master' into haskell-updates

parents cbd40e1e 0c8d82a7
+10 −0
@@ -11044,6 +11044,16 @@
    githubId = 34162313;
    name = "Jason Wing";
  };
  netfox = {
    name = "netfox";
    email = "say-hi@netfox.rip";
    matrix = "@netfox:catgirl.cloud";
    github = "0xnetfox";
    githubId = 97521402;
    keys = [{
      fingerprint = "E8E9 43D7 EB83 DB77 E41C  D87F 9C77 CB70 F2E6 3EF7";
    }];
  };
  netixx = {
    email = "dev.espinetfrancois@gmail.com";
    github = "netixx";
+3 −1
@@ -28,6 +28,8 @@ In addition to numerous new and upgraded packages, this release has the followin

- `libxcrypt`, the library providing the `crypt(3)` password hashing function, is now built without support for algorithms not flagged [`strong`](https://github.com/besser82/libxcrypt/blob/v4.4.33/lib/hashes.conf#L48). This affects the availability of password hashing algorithms used for system login (`login(1)`, `passwd(1)`), but also Apache2 Basic-Auth, Samba, OpenLDAP, Dovecot, and [many other packages](https://github.com/search?q=repo%3ANixOS%2Fnixpkgs%20libxcrypt&type=code).

- `boot.bootspec.enable` (internal option) is now enabled by default because [RFC-0125](https://github.com/NixOS/rfcs/pull/125) was merged. This means you will have a bootspec document called `boot.json` generated for each system and specialisation in the top-level. This is useful to enable advanced boot usecases in NixOS such as SecureBoot.

## New Services {#sec-release-23.05-new-services}

<!-- To avoid merge conflicts, consider adding your item at an arbitrary place in the list instead. -->
@@ -282,7 +284,7 @@ In addition to numerous new and upgraded packages, this release has the followin
  - `services.openssh.ciphers` to `services.openssh.settings.Ciphers`
  - `services.openssh.gatewayPorts` to `services.openssh.settings.GatewayPorts`

- `netbox` was updated to 3.4. NixOS' `services.netbox.package` still defaults to 3.3 if `stateVersion` is earlier than 23.05. Please review upstream's [breaking changes](https://github.com/netbox-community/netbox/releases/tag/v3.4.0), and upgrade NetBox by changing `services.netbox.package`. Database migrations will be run automatically.
- `netbox` was updated to 3.5. NixOS' `services.netbox.package` still defaults to 3.3 if `stateVersion` is earlier than 23.05. Please review upstream's breaking changes [for 3.4.0](https://github.com/netbox-community/netbox/releases/tag/v3.4.0) and [for 3.5.0](https://github.com/netbox-community/netbox/releases/tag/v3.5.0), and upgrade NetBox by changing `services.netbox.package`. Database migrations will be run automatically.

- `services.netbox` now support RFC42-style options, through `services.netbox.settings`.

+1 −1
@@ -37,7 +37,7 @@ in {

        serviceConfig.ExecStart = [
          ""
          "${lib.getExe pkgs.auto-cpufreq} --config ${cfgFile}"
          "${lib.getExe pkgs.auto-cpufreq} --daemon --config ${cfgFile}"
        ];
      };
    };
+20 −7
#V1: {
import "struct"

#BootspecV1: {
	system:         string
	init:           string
	initrd?:        string
@@ -7,12 +9,23 @@
	kernelParams: [...string]
	label:    string
	toplevel: string
	specialisation?: {
		[=~"^"]: #V1
}
	extensions?: {...}

// A restricted document does not allow any official specialisation
// information in it to avoid "recursive specialisations".
#RestrictedDocument: struct.MinFields(1) & {
	"org.nixos.bootspec.v1": #BootspecV1
	[=~"^"]:                 #BootspecExtension
}

Document: {
	v1: #V1
// Specialisations are a hashmap of strings
#BootspecSpecialisationV1: [string]: #RestrictedDocument

// Bootspec extensions are defined by the extension author.
#BootspecExtension: {...}

// A "full" document allows official specialisation information
// in the top-level with a reserved namespaced key.
Document: #RestrictedDocument & {
	"org.nixos.specialisation.v1"?: #BootspecSpecialisationV1
}
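Review bot: `#RestrictedDocument` does not actually forbid nested specialisation data, because its pattern constraint `[=~"^"]: #BootspecExtension` matches every key, including `org.nixos.specialisation.v1`, and `#BootspecExtension` is a fully open struct, so a specialisation's document can still carry its own specialisation map despite the comment above the definition saying it cannot. If CUE pattern constraints behave as I read them, narrowing the pattern to keep the reserved namespace out of the extension catch-all, e.g. `[!~"^org\\.nixos\\."]: #BootspecExtension`, would make the restriction real while `"org.nixos.bootspec.v1"` stays explicitly declared and `Document` adds the specialisation key on top as it already does. The first hunk's header is not shown, so I cannot tell whether anything precedes `import "struct"` in the new file.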
+18 −26
@@ -17,19 +17,19 @@ let
      json =
        pkgs.writeText filename
        (builtins.toJSON
          # Merge extensions first to not let them shadow NixOS bootspec data.
          (cfg.extensions //
          {
            v1 = {
            "org.nixos.bootspec.v1" = {
              system = config.boot.kernelPackages.stdenv.hostPlatform.system;
              kernel = "${config.boot.kernelPackages.kernel}/${config.system.boot.loader.kernelFile}";
              kernelParams = config.boot.kernelParams;
              label = "${config.system.nixos.distroName} ${config.system.nixos.codeName} ${config.system.nixos.label} (Linux ${config.boot.kernelPackages.kernel.modDirVersion})";

              inherit (cfg) extensions;
            } // lib.optionalAttrs config.boot.initrd.enable {
              initrd = "${config.system.build.initialRamdisk}/${config.system.boot.loader.initrdFile}";
              initrdSecrets = "${config.system.build.initialRamdiskSecretAppender}/bin/append-initrd-secrets";
            };
          });
          }));

      generator =
        let
@@ -42,8 +42,8 @@ let
          toplevelInjector = lib.escapeShellArgs [
            "${pkgs.jq}/bin/jq"
            ''
              .v1.toplevel = $toplevel |
              .v1.init = $init
              ."org.nixos.bootspec.v1".toplevel = $toplevel |
              ."org.nixos.bootspec.v1".init = $init
            ''
            "--sort-keys"
            "--arg" "toplevel" "${placeholder "out"}"
@@ -62,14 +62,10 @@ let
            lib.escapeShellArgs [
              "${pkgs.jq}/bin/jq"
              "--sort-keys"
              ".v1.specialisation = ($ARGS.named | map_values(. | first | .v1))"
              ''."org.nixos.specialisation.v1" = ($ARGS.named | map_values(. | first))''
            ] + " ${lib.concatStringsSep " " specialisationLoader}";
        in
        ''
          mkdir -p $out/bootspec

          ${toplevelInjector} | ${specialisationInjector} > $out/$(unknown)
        '';
        "${toplevelInjector} | ${specialisationInjector} > $out/$(unknown)";

      validator = pkgs.writeCueValidator ./bootspec.cue {
        document = "Document"; # Universal validator for any version as long the schema is correctly set.
@@ -79,10 +75,17 @@ let
in
{
  options.boot.bootspec = {
    enable = lib.mkEnableOption (lib.mdDoc "Enable generation of RFC-0125 bootspec in $system/bootspec, e.g. /run/current-system/bootspec");
    enable = lib.mkEnableOption (lib.mdDoc "the generation of RFC-0125 bootspec in $system/boot.json, e.g. /run/current-system/boot.json")
      // { default = true; internal = true; };
    enableValidation = lib.mkEnableOption (lib.mdDoc ''the validation of bootspec documents for each build.
      This will introduce Go in the build-time closure as we are relying on [Cuelang](https://cuelang.org/) for schema validation.
      Enable this option if you want to ascertain that your documents are correct.
      ''
    );

    extensions = lib.mkOption {
      type = lib.types.attrsOf lib.types.attrs; # <namespace>: { ...namespace-specific fields }
      # NOTE(RaitoBezarius): this is not enough to validate: extensions."osRelease" = drv; those are picked up by cue validation.
      type = lib.types.attrsOf lib.types.anything; # <namespace>: { ...namespace-specific fields }
      default = { };
      description = lib.mdDoc ''
        User-defined data that extends the bootspec document.
@@ -112,15 +115,4 @@ in
      default = schemas.v1.filename;
    };
  };

  config = lib.mkIf (cfg.enable) {
    warnings = [
      ''RFC-0125 is not merged yet, this is a feature preview of bootspec.
        The schema is not definitive and features are not guaranteed to be stable until RFC-0125 is merged.
        See:
        - https://github.com/NixOS/nixpkgs/pull/172237 to track merge status in nixpkgs.
        - https://github.com/NixOS/rfcs/pull/125 to track RFC status.
      ''
    ];
  };
}
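Review bot: Loosening `extensions` to `lib.types.attrsOf lib.types.anything` removes the only always-on check on extension values, and the NOTE next to it defers to cue validation, but `enableValidation` is an opt-in `mkEnableOption`, so a default build serialises whatever the user passes through `builtins.toJSON` and never checks it against `#BootspecExtension`. A non-attrset value would then reach whatever consumes `boot.json` as a malformed document with no build-time error. At minimum the `extensions` description should state this, e.g. append `Values are serialised as-is with builtins.toJSON and are only checked against the bootspec schema when boot.bootspec.enableValidation is set.`; if a build-time guard is wanted, an assertion such as `lib.all lib.isAttrs (lib.attrValues cfg.extensions)` would belong in the module's `config` block, which this hunk removes and whose replacement I cannot see. Relatedly, the merge `cfg.extensions // { "org.nixos.bootspec.v1" = ...; }` silently discards an extension that reuses the reserved key rather than rejecting it.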