Merge master into staging-next

    githubId = 3417013;

    name = "Eske Nielsen";

  };

  _4r7if3x = {

    email = "the.artifex@proton.me";

    matrix = "@4r7if3x:matrix.org";

    github = "4r7if3x";

    githubId = 8606282;

    name = "4r7if3x";

    keys = [ { fingerprint = "013C ED4B E769 745A CFC3  0F3C F23C 2613 2266 7A12"; } ];

  };

  _6543 = {

    email = "6543@obermui.de";

    github = "6543";

    github = "potb";

    githubId = 10779093;

  };

  pouya = {

    email = "me@pouyacode.net";

    github = "pouya-abbassi";

    githubId = 8519318;

    name = "Pouya Abbasi";

    keys = [ { fingerprint = "8CC7 EB15 3563 4205 E9C2  AAD9 AF5A 5A4A D4FD 8797"; } ];

  };

  poweredbypie = {

    name = "poweredbypie";

    github = "poweredbypie";

## New Modules {#sec-release-24.11-new-modules}

- [KMonad](https://github.com/kmonad/kmonad), an advanced keyboard remapping utility. Available as [services.kmonad](#opt-services.kmonad.enable).

- [Coral](https://coral.ai/), hardware support for Coral.ai Edge TPU devices. Available as [hardware.coral.usb.enable](#opt-hardware.coral.usb.enable) and [hardware.coral.pcie.enable](#opt-hardware.coral.pcie.enable).

- [Cyrus IMAP](https://github.com/cyrusimap/cyrus-imapd), an email, contacts and calendar server. Available as [services.cyrus-imap](#opt-services.cyrus-imap.enable) service.

- `programs.clash-verge.tunMode` was deprecated and removed because now service mode is neccessary to start program. Without `programs.clash-verge.enable`, clash-verge-rev will refuse to start.

- `siduck76-st` has been renamed to `st-snazzy`, like the project's [flake](https://github.com/siduck/st/blob/main/flake.nix).

<!-- To avoid merge conflicts, consider adding your item at an arbitrary place in the list instead. -->

## Other Notable Changes {#sec-release-25.05-notable-changes}

    ;

  inherit (lib.modules) mkIf;

  inherit (lib.options) literalExpression mkOption;

  inherit (lib.strings) hasInfix;

  inherit (lib.strings) hasInfix replaceStrings;

  inherit (lib.trivial) flip pipe;

  removeNulls = filterAttrs (_: v: v != null);

  privateKeyCredential = interfaceName: "wireguard-${interfaceName}-private-key";

  escapeCredentialName = input: replaceStrings [ "\\" ] [ "_" ] input;

  privateKeyCredential = interfaceName: escapeCredentialName "wireguard-${interfaceName}-private-key";

  presharedKeyCredential =

    interfaceName: peer: "wireguard-${interfaceName}-${peer.name}-preshared-key";

    interfaceName: peer: escapeCredentialName "wireguard-${interfaceName}-${peer.name}-preshared-key";

  interfaceCredentials =

    interfaceName: interface:

    interfaceName: peer:

    removeNulls {

      PublicKey = peer.publicKey;

      PresharedKey = "@${presharedKeyCredential interfaceName peer}";

      PresharedKey =

        if peer.presharedKeyFile == null then null else "@${presharedKeyCredential interfaceName peer}";

      AllowedIPs = peer.allowedIPs;

      Endpoint = peer.endpoint;

      PersistentKeepalive = peer.persistentKeepalive;

      let

        appDir = "$out/share/php/${finalAttrs.pname}";

        stateDirectories = ''

        stateDirectories = /* sh */ ''

          # Symlinking in our state directories

          rm -rf $out/.env $out/cache ${appDir}/public/cache

          rm -rf $out/{.env,cache} ${appDir}/{log,public/cache}

          ln -s ${cfg.dataDir}/.env ${appDir}/.env

          ln -s ${cfg.dataDir}/public/cache ${appDir}/public/cache

          ln -s ${cfg.logDir} ${appDir}/log

          ln -s ${cfg.runtimeDir}/cache ${appDir}/cache

        '';

        exposeComposer = ''

        exposeComposer = /* sh */ ''

          # Expose PHP Composer for scripts

          mkdir -p $out/bin

          echo "#!${lib.getExe pkgs.dash}" > $out/bin/movim-composer

                  # Disable all Admin panel options that were set in the

                  # `cfg.podConfig` to prevent confusing situtions where the

                  # values are rewritten on server reboot

                  ''

                  /* sh */ ''

                  substituteInPlace ${appDir}/app/Widgets/AdminMain/adminmain.tpl \

                    --replace-warn 'name="${k}"' 'name="${k}" readonly'

                '')

                [ "css" "ini" "js" "json" "manifest" "mjs" "svg" "webmanifest" ]);

          in

          lib.concatStringsSep "\n" [

            (lib.optionalString brotli.enable ''

            (lib.optionalString brotli.enable /* sh */ ''

              echo -n "Precompressing static files with Brotli …"

              find ${appDir}/public -type f ${findTextFileNames} -print0 \

                | xargs -0 -n 1 -P $NIX_BUILD_CORES ${pkgs.writeShellScript "movim_precompress_broti" ''

                  ''}

              echo " done."

            '')

            (lib.optionalString gzip.enable ''

            (lib.optionalString gzip.enable /* sh */ ''

              echo -n "Precompressing static files with Gzip …"

              find ${appDir}/public -type f ${findTextFileNames} -print0 \

                | xargs -0 -n 1 -P $NIX_BUILD_CORES ${pkgs.writeShellScript "movim_precompress_broti" ''

                | xargs -0 -n 1 -P $NIX_BUILD_CORES ${pkgs.writeShellScript "movim_precompress_gzip" ''

                    file="$1"

                    ${lib.getExe gzip.package} -c -${builtins.toString gzip.compressionLevel} $file > $file.gz

                  ''}

          isSystemUser = true;

          group = cfg.group;

        };

      } // lib.optionalAttrs (cfg.nginx != null) {

        "${config.services.nginx.user}".extraGroups = [ cfg.group ];

      };

      groups = {

        };

      };

      nginx = mkIf (cfg.nginx != null) {

      nginx = mkIf (cfg.nginx != null)

        {

          enable = true;

        recommendedOptimisation = true;

        recommendedGzipSettings = true;

        recommendedBrotliSettings = true;

          recommendedOptimisation = mkDefault true;

          recommendedProxySettings = true;

          # TODO: recommended cache options already in Nginx⁇

          appendHttpConfig = /* nginx */ ''

              '';

            }

          ];

      };

        }

      // lib.optionalAttrs (cfg.precompressStaticFiles.gzip.enable) { recommendedGzipSettings = mkDefault true; }

      // lib.optionalAttrs (cfg.precompressStaticFiles.brotli.enable) { recommendedBrotliSettings = mkDefault true; };

      mysql = mkIf (cfg.database.createLocally && cfg.database.type == "mysql") {

        enable = mkDefault true;

        package = mkDefault pkgs.mariadb;

        ensureDatabases = [ cfg.database.name ];

        ensureUsers = [{

          name = cfg.user;

          name = cfg.database.user;

          ensureDBOwnership = true;

        }];

      };

        enable = mkDefault true;

        ensureDatabases = [ cfg.database.name ];

        ensureUsers = [{

          name = cfg.user;

          name = cfg.database.user;

          ensureDBOwnership = true;

        }];

        authentication = ''

          LoadCredential = "env-secrets:${cfg.secretFile}";

        };

        script = ''

        script = /* sh */ ''

          # Env vars

          rm -f ${cfg.dataDir}/.env

          cp --no-preserve=all ${configFile} ${cfg.dataDir}/.env