Unverified commit d48e391b authored by github-actions[bot], committed by GitHub

Merge staging-next-24.11 into staging-24.11

parents 5aba7b5c f0fa154e
+14 −10
@@ -4,11 +4,6 @@

## Highlights {#sec-release-24.11-highlights}

- **This will be the last release of Nixpkgs to support macOS Sierra 10.12 to macOS Catalina 10.15.**
  Starting with release 25.05, the minimum supported version will be macOS Big Sur 11, and we cannot guarantee that packages will continue to work on older versions of macOS.
  Users on old macOS versions should consider upgrading to a supported version (potentially using [OpenCore Legacy Patcher](https://dortania.github.io/OpenCore-Legacy-Patcher/) for old hardware) or installing NixOS.
  If neither of those options are viable and you require new versions of software, [MacPorts](https://www.macports.org/) supports versions back to Mac OS X Snow Leopard 10.6.

- Nix was updated to 2.24, which brings a lot of improvements and fixes. See the release notes for
    [2.19](https://nix.dev/manual/nix/latest/release-notes/rl-2.19),
    [2.20](https://nix.dev/manual/nix/latest/release-notes/rl-2.20),
@@ -18,6 +13,16 @@
    [2.24](https://nix.dev/manual/nix/latest/release-notes/rl-2.24).
  Notable changes include improvements to Git fetching, documentation comment support in `nix-repl> :doc`, as well as many quality of life additions.

- There have been significant changes to macOS support.
  - The build environment has been redesigned to be closer to a native Xcode toolchain, enabling us to provide all SDKs from macOS Sierra 10.12 to macOS Sequoia 15, simplify build definitions, and build more software without hacks or patching.
    Although compatibility shims for the old SDK scheme are provided, some builds may break, and the old mechanisms will be removed by 25.11 at the latest.
    See the [Darwin section](https://nixos.org/manual/nixpkgs/stable/#sec-darwin) of the Nixpkgs manual for details of the new scheme and how to use it, and [the announcement on Discourse](https://discourse.nixos.org/t/the-darwin-sdks-have-been-updated/55295) for more information on the changes and benefits.

  - **This will be the last release of Nixpkgs to support macOS Sierra 10.12 to macOS Catalina 10.15.**
    Starting with release 25.05, the minimum supported version will be macOS Big Sur 11, and we cannot guarantee that packages will continue to work on older versions of macOS.
    Users on old macOS versions should consider upgrading to a supported version (potentially using [OpenCore Legacy Patcher](https://dortania.github.io/OpenCore-Legacy-Patcher/) for old hardware) or installing NixOS.
    If neither of those options are viable and you require new versions of software, [MacPorts](https://www.macports.org/) supports versions back to Mac OS X Snow Leopard 10.6.

- This will be the last release of Nixpkgs to support versions of CUDA prior to CUDA 12.0.
  These versions only work with old compiler versions that will be unsupported by the time of the Nixpkgs 25.05 release.
  In the future, users should expect CUDA versions to be dropped as the compiler versions they require leave upstream support windows.
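Review bot: In the nested sub-bullet that now carries the end-of-support notice, "If neither of those options are viable" should read "is viable"; the text is being moved anyway, so this is the place to fix it. The notice also now sits second under the macOS bullet, after the SDK redesign paragraph. Consider listing it first so that readers on macOS 10.12 to 10.15 see the 25.05 cut-off before the toolchain details.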
@@ -709,11 +714,10 @@

- `isync` has been updated to version `1.5.0`, which introduces some breaking changes. See the [compatibility concerns](https://sourceforge.net/projects/isync/files/isync/1.5.0/) for more details.

- Legacy package `globalprotect-openconnect` 1.x and related module
  `services.globalprotect` were dropped. Two new packages -- `gpauth` and `gpclient`
  from the 2.x version of the GlobalProtect-openconnect project -- are added in its
  place. The GUI components related to the project are non-free and not
  packaged.
- Two new packages -- `gpauth` and `gpclient` from the 2.x version of the
  GlobalProtect-openconnect project -- are added in parallel to
  `globalprotect-openconnect`. The GUI components related to the project are
  non-free and not packaged.

- Compatible string matching for `hardware.deviceTree.overlays` has been changed to a more correct behavior. See [below](#sec-release-24.11-migration-dto-compatible) for details.

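Review bot: The rewritten bullet says `gpauth` and `gpclient` are added "in parallel to `globalprotect-openconnect`", but it no longer mentions `services.globalprotect` and does not say which client users should prefer. The earlier wording announced that the 1.x package and the module were dropped, so state explicitly that both remain available in this release and whether the 1.x package is expected to be removed later, so VPN users know whether they need to plan a migration.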
+1 −0
@@ -1056,6 +1056,7 @@
  ./services/networking/gdomap.nix
  ./services/networking/ghostunnel.nix
  ./services/networking/git-daemon.nix
  ./services/networking/globalprotect-vpn.nix
  ./services/networking/gns3-server.nix
  ./services/networking/gnunet.nix
  ./services/networking/go-autoconfig.nix
+0 −1
@@ -81,7 +81,6 @@ in
    (mkRemovedOptionModule [ "services" "fourStoreEndpoint" ] "The fourStoreEndpoint module has been removed")
    (mkRemovedOptionModule [ "services" "fprot" ] "The corresponding package was removed from nixpkgs.")
    (mkRemovedOptionModule [ "services" "frab" ] "The frab module has been removed")
    (mkRemovedOptionModule [ "services" "globalprotect"] "The corresponding package was removed from nixpkgs.")
    (mkRemovedOptionModule [ "services" "homeassistant-satellite"] "The `services.homeassistant-satellite` module has been replaced by `services.wyoming-satellite`.")
    (mkRemovedOptionModule [ "services" "hydron" ] "The `services.hydron` module has been removed as the project has been archived upstream since 2022 and is affected by a severe remote code execution vulnerability.")
    (mkRemovedOptionModule [ "services" "ihatemoney" ] "The ihatemoney module has been removed for lack of downstream maintainer")
+2 −0
@@ -87,6 +87,8 @@ let
    RestrictAddressFamilies = [
      "AF_INET"
      "AF_INET6"
      "AF_UNIX"
      "AF_NETLINK"
    ];
    RestrictNamespaces = true;
    RestrictRealtime = true;
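Review bot: Adding `"AF_UNIX"` and `"AF_NETLINK"` to `RestrictAddressFamilies` widens the unit's socket sandbox, and nothing in the hunk records why the service needs either family. Add a short comment next to each new entry saying what the service uses it for, so a later hardening pass can tell a required family from a leftover one.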
+1 −0
@@ -297,6 +297,7 @@ in {
        ProtectKernelTunables = true;
        ProtectControlGroups = true;
        ProtectKernelModules = true;
        Restart = "on-failure";
        RestrictAddressFamilies = "AF_INET AF_INET6 AF_UNIX AF_NETLINK";
        RestrictNamespaces = true;
        RuntimeDirectory = name;
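Review bot: `Restart = "on-failure";` is added with no `RestartSec` visible next to it, so a unit that fails at startup will be restarted at systemd's default interval until the start rate limit trips. Consider setting `RestartSec` alongside it, and `RestartPreventExitStatus` if the service has exit codes, such as configuration errors, that a restart cannot fix.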