Merge #328673: staging-next 2024-07-20

}

```

`buildRustPackage` requires either a `cargoHash` (preferred) or a

`cargoSha256` attribute, computed over all crate sources of this package.

`cargoHash` supports [SRI](https://www.w3.org/TR/SRI/) hashes and should be

preferred over `cargoSha256` which was used for traditional Nix SHA-256 hashes.

For example:

`buildRustPackage` requires a `cargoHash` attribute, computed over all crate sources of this package.

::: {.warning}

`cargoSha256` is already deprecated, and is subject to removal in favor of

`cargoHash` which supports [SRI](https://www.w3.org/TR/SRI/) hashes.

If you are still using `cargoSha256`, you can simply replace it with

`cargoHash` and recompute the hash, or convert the original sha256 to SRI

hash using `nix-hash --to-sri --type sha256 "<original sha256>"`.

:::

```nix

{

}

```

Exception: If the application has cargo `git` dependencies, the `cargoHash`/`cargoSha256`

Exception: If the application has cargo `git` dependencies, the `cargoHash`

approach will not work, and you will need to copy the `Cargo.lock` file of the application

to nixpkgs and continue with the next section for specifying the options of the `cargoLock`

section.

}

```

For `cargoSha256` you can use:

```nix

{

  cargoSha256 = lib.fakeSha256;

}

```

Per the instructions in the [Cargo Book](https://doc.rust-lang.org/cargo/guide/cargo-toml-vs-cargo-lock.html)

best practices guide, Rust applications should always commit the `Cargo.lock`

file in git to ensure a reproducible build. However, a few packages do not, and

The tarball with vendored dependencies contains a directory with the

package's `name`, which is normally composed of `pname` and

`version`. This means that the vendored dependencies hash

(`cargoHash`/`cargoSha256`) is dependent on the package name and

(`cargoHash`) is dependent on the package name and

version. The `cargoDepsName` attribute can be used to use another name

for the directory of vendored dependencies. For example, the hash can

be made invariant to the version by setting `cargoDepsName` to

### Importing a `Cargo.lock` file {#importing-a-cargo.lock-file}

Using a vendored hash (`cargoHash`/`cargoSha256`) is tedious when using

Using a vendored hash (`cargoHash`) is tedious when using

`buildRustPackage` within a project, since it requires that the hash

is updated after every change to `Cargo.lock`. Therefore,

`buildRustPackage` also supports vendoring dependencies directly from

- The `services.mxisd` module has been removed as both [mxisd](https://github.com/kamax-matrix/mxisd) and [ma1sd](https://github.com/ma1uta/ma1sd) are not maintained any longer.

  Consequently the package `pkgs.ma1sd` has also been removed.

- `ffmpeg_5` has been removed. Please use the unversioned `ffmpeg`,

  pin a newer version, or if necessary pin `ffmpeg_4` for compatibility.

## Other Notable Changes {#sec-release-24.11-notable-changes}

<!-- To avoid merge conflicts, consider adding your item at an arbitrary place in the list instead. -->

- The `stackclashprotection` hardening flag has been added, though disabled by default.

- `cargoSha256` in `rustPlatform.buildRustPackage` has been deprecated in favor

  of `cargoHash` which supports SRI hashes. See

  [buildRustPackage: Compiling Rust applications with Cargo](https://nixos.org/manual/nixpkgs/unstable/#compiling-rust-applications-with-cargo)

  for more information.

- `hareHook` has been added as the language framework for Hare. From now on, it,

  not the `hare` package, should be added to `nativeBuildInputs` when building

  Hare programs.

  {option}`services.gitlab-runner.services.<name>.authenticationTokenConfigFile` instead of the former

  {option}`services.gitlab-runner.services.<name>.registrationConfigFile` option.

- `iproute2` now has libbpf support.

- `nix.channel.enable = false` no longer implies `nix.settings.nix-path = []`.

  Since Nix 2.13, a `nix-path` set in `nix.conf` cannot be overriden by the `NIX_PATH` configuration variable.

    optional (attr ? ${name} && !isInt attr.${name})

      "Systemd ${group} field `${name}' is not an integer";

  assertRemoved = name: see: group: attr:

    optional (attr ? ${name})

      "Systemd ${group} field `${name}' has been removed. See ${see}";

  checkUnitConfig = group: checks: attrs: let

    # We're applied at the top-level type (attrsOf unitOption), so the actual

    # unit options might contain attributes from mkOverride and mkIf that we need to

  inherit (lib.types)

    attrsOf

    coercedTo

    enum

    lines

    listOf

    nullOr

    oneOf

    package

    path

    singleLineStr

    submodule

    ;

  initrdStorePathModule = { config, ... }: {

    options = {

      enable = (mkEnableOption "copying of this file and symlinking it") // { default = true; };

      target = mkOption {

        type = nullOr path;

        description = ''

          Path of the symlink.

        '';

        default = null;

      };

      source = mkOption {

        type = path;

        description = "Path of the source file.";

      };

      dlopen = {

        usePriority = mkOption {

          type = enum [ "required" "recommended" "suggested" ];

          default = "recommended";

          description = ''

            Priority of dlopen ELF notes to include. "required" is

            minimal, "recommended" includes "required", and

            "suggested" includes "recommended".

            See: https://systemd.io/ELF_DLOPEN_METADATA/

          '';

        };

        features = mkOption {

          type = listOf singleLineStr;

          default = [ ];

          description = ''

            Features to enable via dlopen ELF notes. These will be in

            addition to anything included via 'usePriority',

            regardless of their priority.

          '';

        };

      };

    };

  };

in

{

  automounts = listOf (submodule [ stage2AutomountOptions unitConfig automountConfig ]);

  initrdAutomounts = attrsOf (submodule [ stage1AutomountOptions unitConfig automountConfig ]);

  initrdStorePath = listOf (coercedTo

    (oneOf [ singleLineStr package ])

    (source: { inherit source; })

    (submodule initrdStorePathModule));

  initrdContents = attrsOf (submodule ({ config, options, name, ... }: {

    imports = [ initrdStorePathModule ];

    options = {

      enable = (mkEnableOption "copying of this file and symlinking it") // { default = true; };

      target = mkOption {

        type = path;

        description = ''

          Path of the symlink.

        '';

        default = name;

      };

      text = mkOption {

        default = null;

        type = nullOr lines;

        description = "Text of the file.";

      };

      source = mkOption {

        type = path;

        description = "Path of the source file.";

      };

    };

    config = {

      target = mkDefault name;

      source = mkIf (config.text != null) (

        let name' = "initrd-" + baseNameOf name;

        in mkDerivedConfig options.text (pkgs.writeText name')

      fastfetch = super.fastfetch.override { vulkanSupport = false; waylandSupport = false; x11Support = false; };

      ffmpeg = super.ffmpeg.override { ffmpegVariant = "headless"; };

      ffmpeg_4 = super.ffmpeg_4.override { ffmpegVariant = "headless"; };

      ffmpeg_5 = super.ffmpeg_5.override { ffmpegVariant = "headless"; };

      ffmpeg_6 = super.ffmpeg_6.override { ffmpegVariant = "headless"; };

      ffmpeg_7 = super.ffmpeg_7.override { ffmpegVariant = "headless"; };

      # dep of graphviz, libXpm is optional for Xpm support