Unverified Commit 959fc005 authored by Vladimír Čunát's avatar Vladimír Čunát

Merge branch 'staging' into staging-next

parents 24ac0b43 cc0084d4
+6 −0
@@ -96,3 +96,9 @@ fb0e5be84331188a69b3edd31679ca6576edb75a

# nixos/*: add trivial defaultText for options with simple defaults
25124556397ba17bfd70297000270de1e6523b0a

# systemd: rewrite comments
92dfeb7b3dab820ae307c56c216d175c69ee93cd

# systemd: break too long lines of Nix code
67643f8ec84bef1482204709073e417c9f07eb87
+12 −0
@@ -8,6 +8,10 @@ In addition to numerous new and upgraded packages, this release has the followin

<!-- To avoid merge conflicts, consider adding your item at an arbitrary place in the list instead. -->

- `cryptsetup` has been upgraded from 2.6.1 to 2.7.0. Cryptsetup is a critical component enabling LUKS-based (but not only) full disk encryption.
  Take the time to review [the release notes](https://gitlab.com/cryptsetup/cryptsetup/-/raw/v2.7.0/docs/v2.7.0-ReleaseNotes).
  One of the highlight is that it is now possible to use hardware OPAL-based encryption of your disk with `cryptsetup`, it has a lot of caveats, see the above notes for the full details.

- `screen`'s module has been cleaned, and will now require you to set `programs.screen.enable` in order to populate `screenrc` and add the program to the environment.

- `linuxPackages_testing_bcachefs` is now fully deprecated by `linuxPackages_latest`, and is therefore no longer available.
@@ -248,6 +252,8 @@ The pre-existing [services.ankisyncd](#opt-services.ankisyncd.enable) has been m
  After upgrading, follow the instructions on the [upstream release notes](https://github.com/majewsky/portunus/releases/tag/v2.0.0) to upgrade all user accounts to strong password hashes.
  Support for weak password hashes will be removed in NixOS 24.11.

- A stdenv's default set of hardening flags can now be set via its `bintools-wrapper`'s `defaultHardeningFlags` argument. A convenient stdenv adapter, `withDefaultHardeningFlags`, can be used to override an existing stdenv's `defaultHardeningFlags`.

- `libass` now uses the native CoreText backend on Darwin, which may fix subtitle rendering issues with `mpv`, `ffmpeg`, etc.

- [Lilypond](https://lilypond.org/index.html) and [Denemo](https://www.denemo.org) are now compiled with Guile 3.0.
@@ -267,6 +273,8 @@ The pre-existing [services.ankisyncd](#opt-services.ankisyncd.enable) has been m

- `stdenv`: The `--replace` flag in `substitute`, `substituteInPlace`, `substituteAll`, `substituteAllStream`, and `substituteStream` is now deprecated if favor of the new `--replace-fail`, `--replace-warn` and `--replace-quiet`. The deprecated `--replace` equates to `--replace-warn`.

- A new hardening flag, `zerocallusedregs` was made available, corresponding to the gcc/clang option `-fzero-call-used-regs=used-gpr`.

- New options were added to the dnsdist module to enable and configure a DNSCrypt endpoint (see `services.dnsdist.dnscrypt.enable`, etc.).
  The module can generate the DNSCrypt provider key pair, certificates and also performs their rotation automatically with no downtime.

@@ -281,6 +289,8 @@ The pre-existing [services.ankisyncd](#opt-services.ankisyncd.enable) has been m
  `globalRedirect` can now have redirect codes other than 301 through
  `redirectCode`.

- `libjxl` 0.9.0 [dropped support for the butteraugli API](https://github.com/libjxl/libjxl/pull/2576). You will no longer be able to set `enableButteraugli` on `libaom`.

- The source of the `mockgen` package has changed to the [go.uber.org/mock](https://github.com/uber-go/mock) fork because [the original repository is no longer maintained](https://github.com/golang/mock#gomock).

- `security.pam.enableSSHAgentAuth` was renamed to `security.pam.sshAgentAuth.enable` and an `authorizedKeysFiles`
@@ -289,6 +299,8 @@ The pre-existing [services.ankisyncd](#opt-services.ankisyncd.enable) has been m

- [](#opt-boot.kernel.sysctl._net.core.wmem_max_) changed from a string to an integer because of the addition of a custom merge option (taking the highest value defined to avoid conflicts between 2 services trying to set that value), just as [](#opt-boot.kernel.sysctl._net.core.rmem_max_) since 22.11.

- A new top-level package set, `pkgsExtraHardening` is added. This is a set of packages built with stricter hardening flags - those that have not yet received enough testing to be applied universally, those that are more likely to cause build failures or those that have drawbacks to their use (e.g. performance or required hardware features).

- `services.zfs.zed.enableMail` now uses the global `sendmail` wrapper defined by an email module
  (such as msmtp or Postfix). It no longer requires using a special ZFS build with email support.

+3 −3
@@ -46,8 +46,8 @@ in
  config = mkIf config.services.pcscd.enable {
    environment.etc."reader.conf".source = cfgFile;

    environment.systemPackages = [ package.out ];
    systemd.packages = [ (getBin package) ];
    environment.systemPackages = [ package ];
    systemd.packages = [ package ];

    services.pcscd.plugins = [ pkgs.ccid ];

@@ -64,7 +64,7 @@ in
      # around it, we force the path to the cfgFile.
      #
      # https://github.com/NixOS/nixpkgs/issues/121088
      serviceConfig.ExecStart = [ "" "${getBin package}/bin/pcscd -f -x -c ${cfgFile}" ];
      serviceConfig.ExecStart = [ "" "${package}/bin/pcscd -f -x -c ${cfgFile}" ];
    };
  };
}
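Review bot: The `ExecStart` variant without `getBin`, `"${package}/bin/pcscd -f -x -c ${cfgFile}"`, starts the smart-card daemon only while the package's default output is the one that ships `bin/pcscd`. If `package` can be overridden or later gains a separate `bin` output, which this page does not show, the unit would point at a missing path and pcscd would fail to start. Keeping `"${getBin package}/bin/pcscd -f -x -c ${cfgFile}"` costs nothing, since `getBin` falls back to the `out` output when there is no `bin` output. The same reasoning applies to `systemd.packages = [ package ];` in the first hunk, where the output carrying the unit files is likewise not visible here. The `let … in` that defines `package` and `cfgFile` begins outside these hunks.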
+2 −0
@@ -219,6 +219,8 @@ in
      '';
    } ];

    environment.etc."dhcpcd.conf".source = dhcpcdConf;

    systemd.services.dhcpcd = let
      cfgN = config.networking;
      hasDefaultGatewaySet = (cfgN.defaultGateway != null && cfgN.defaultGateway.address != "")
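Review bot: The added `environment.etc."dhcpcd.conf".source = dhcpcdConf;` has no comment saying why the generated configuration is now also linked into /etc. A reader cannot tell from this hunk whether the service depends on the /etc path or only dhcpcd invocations made outside the unit do. A one-line comment above it would record the intent, for example `# expose the generated config at /etc/dhcpcd.conf for dhcpcd run outside the unit (confirm)`. The `systemd.services.dhcpcd` definition that follows continues outside the hunk, so how the unit itself locates the file is not visible here.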
+2 −2
@@ -23,10 +23,10 @@ in
{
  ed = let
    pname = "ed";
    version = "1.19";
    version = "1.20";
    src = fetchurl {
      url = "mirror://gnu/ed/ed-${version}.tar.lz";
      hash = "sha256-zi8uXEJHkKqW0J2suT2bv9wLfrYknJy3U4RS6Ox3zUg=";
      hash = "sha256-xgMN7+auFy8Wh5Btc1QFTHWmqRMK8xnU5zxQqRlZxaY=";
    };
  in import ./generic.nix {
    inherit pname version src meta;