Merge staging-next into staging

  If undesired, the old behavior can be restored by overriding the builders with

  `{ installDocumentation = false; }`.

- The new option `networking.nftables.checkRuleset` controls whether the ruleset is checked for syntax or not during build.  It is `true` by default.  The check might fail because it is in a sandbox environment.  To circumvent this, the ruleset file can be edited using the `networking.nftables.preCheckRuleset` option.

- `mastodon` now supports connection to a remote `PostgreSQL` database.

- `nextcloud` has an option to enable SSE-C in S3.

    # Swift has a separate resource root from Clang, but locates the Clang

    # resource root via subdir or symlink. Provide a default here, but we also

    # patch Swift to prefer NIX_CC if set.

    ln -s ${clang}/resource-root $lib/lib/swift/clang

    #

    # NOTE: We don't symlink directly here, because that'd add a run-time dep

    # on the full Clang compiler to every Swift executable. The copy here is

    # just copying the 3 symlinks inside to smaller closures.

    mkdir $lib/lib/swift/clang

    cp -P ${clang}/resource-root/* $lib/lib/swift/clang/

    ${lib.optionalString stdenv.isDarwin ''

    # Install required library for ObjC interop.

    sha256 = "sha256-FqyNuV5xlim6YZSbmfiib+upRqgdGFIVsoN5u0EWsLQ=";

  };

  patches = [

    # disable tests for des/md5, which we don't support any more

    ./disable-legacy-crypt-tests.patch

  ];

  postPatch = ''

    patchShebangs tests

    # Linux sandbox has an empty hostname and not /etc/hosts, which fails some tests

diff --git a/tests/mod-fastcgi.t b/tests/mod-fastcgi.t

index 25016e60..e0427046 100755

--- a/tests/mod-fastcgi.t

+++ b/tests/mod-fastcgi.t

@@ -79,7 +79,7 @@ EOF

 	ok($tf->handle_http($t) == 0, 'FastCGI + bin-copy-environment');

 SKIP: {

-	skip "no crypt-des under openbsd", 2 if $^O eq 'openbsd';

+	skip "no crypt-des", 2;

 	$t->{REQUEST}  = ( <<EOF

 GET /get-server-env.php?env=REMOTE_USER HTTP/1.0

diff --git a/tests/request.t b/tests/request.t

index f56a4300..36e67b88 100755

--- a/tests/request.t

+++ b/tests/request.t

@@ -1105,7 +1105,7 @@ $t->{RESPONSE} = [ { 'HTTP-Protocol' => 'HTTP/1.0', 'HTTP-Status' => 200 } ];

 ok($tf->handle_http($t) == 0, 'Basic-Auth: Valid Auth-token - plain');

 SKIP: {

-	skip "no crypt-des under openbsd", 2 if $^O eq 'openbsd';

+	skip "no crypt-des", 2;

 $t->{REQUEST}  = ( <<EOF

 GET /server-config HTTP/1.0

 Host: auth-htpasswd.example.org

@@ -1162,9 +1162,7 @@ $t->{RESPONSE} = [ { 'HTTP-Protocol' => 'HTTP/1.0', 'HTTP-Status' => 401 } ];

 ok($tf->handle_http($t) == 0, 'Basic-Auth: Valid Auth-token - htpasswd (apr-md5, wrong password)');

 SKIP: {

-	skip "no crypt-md5 under cygwin", 1 if $^O eq 'cygwin';

-	skip "no crypt-md5 under darwin", 1 if $^O eq 'darwin';

-	skip "no crypt-md5 under openbsd",1 if $^O eq 'openbsd';

+	skip "no crypt-md5", 1;

 $t->{REQUEST}  = ( <<EOF

 GET /server-config HTTP/1.0

 Host: auth-htpasswd.example.org

  ];

  nativeCheckInputs = with python3.pkgs; [

    pytest-runner

    pytest

    pytestCheckHook

  ];

  disabledTests = [

    # uses unsupported crypt method

    "test_htpasswd_crypt"

  ];

  meta = with lib; {