1108 files changed, 80953 insertions, 0 deletions

diff --git a/nixpkgs/pkgs/os-specific/bsd/freebsd/compat-fix-typedefs-locations.patch b/nixpkgs/pkgs/os-specific/bsd/freebsd/compat-fix-typedefs-locations.patch
new file mode 100644
index 000000000000..3336a2504e58
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/bsd/freebsd/compat-fix-typedefs-locations.patch
@@ -0,0 +1,32 @@
+--- a/tools/build/cross-build/include/common/sys/_types.h
++++ b/tools/build/cross-build/include/common/sys/_types.h
+@@ -47,3 +47,6 @@
+  * Neither GLibc nor macOS define __va_list but many FreeBSD headers require it.
+  */
+ typedef __builtin_va_list __va_list;
++
++typedef __UINTPTR_TYPE__ __uintptr_t;
++typedef __INTPTR_TYPE__ __intptr_t;
+--- a/tools/build/cross-build/include/common/sys/types.h
++++ b/tools/build/cross-build/include/common/sys/types.h
+@@ -49,9 +49,6 @@
+ #include <sys/sysmacros.h>
+ #endif
+ 
+-typedef __UINTPTR_TYPE__ __uintptr_t;
+-typedef __INTPTR_TYPE__ __intptr_t;
+-
+ /* needed for gencat */
+ typedef int __nl_item;
+ 
+--- a/tools/build/cross-build/include/linux/sys/types.h
++++ b/tools/build/cross-build/include/linux/sys/types.h
+@@ -39,6 +39,8 @@
+ 
+ #include_next <sys/types.h>
+ 
++#include <sys/_types.h>
++
+ #ifndef __size_t
+ typedef __SIZE_TYPE__ __size_t;
+ #endif
diff --git a/nixpkgs/pkgs/os-specific/bsd/freebsd/compat-install-dirs.patch b/nixpkgs/pkgs/os-specific/bsd/freebsd/compat-install-dirs.patch
new file mode 100644
index 000000000000..9bb2bea32ee9
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/bsd/freebsd/compat-install-dirs.patch
@@ -0,0 +1,42 @@
+diff --git a/tools/build/Makefile b/tools/build/Makefile
+index 948a5f9dfdb..592af84eeae 100644
+--- a/tools/build/Makefile
++++ b/tools/build/Makefile
+@@ -327,15 +327,15 @@ host-symlinks:
+ # and cross-tools stages. We do this here using mkdir since mtree may not exist
+ # yet (this happens if we are crossbuilding from Linux/Mac).
+ INSTALLDIR_LIST= \
+-	bin \
+-	lib/casper \
+-	lib/geom \
+-	usr/include/casper \
+-	usr/include/private/ucl \
+-	usr/include/private/zstd \
+-	usr/lib \
+-	usr/libdata/pkgconfig \
+-	usr/libexec
++	${BINDIR} \
++	${LIBDIR}/casper \
++	${LIBDIR}/geom \
++	${INCLUDEDIR}/casper \
++	${INCLUDEDIR}/private/ucl \
++	${INCLUDEDIR}/private/zstd \
++	${LIBDIR} \
++	${LIBDIR}/libdata/pkgconfig \
++	${LIBEXECDIR}
+ 
+ installdirs:
+ 	mkdir -p ${INSTALLDIR_LIST:S,^,${DESTDIR}/,}
+@@ -352,9 +352,9 @@ installdirs:
+ 	    rm -rf "${DESTDIR}/${_dir}"; \
+ 	fi
+ .endfor
+-	ln -sfn bin ${DESTDIR}/sbin
+-	ln -sfn ../bin ${DESTDIR}/usr/bin
+-	ln -sfn ../bin ${DESTDIR}/usr/sbin
++	ln -sfn bin ${DESTDIR}/${SBINDIR}
++	ln -sfn ../bin ${DESTDIR}/${BINDIR}
++	ln -sfn ../bin ${DESTDIR}/${SBINDIR}
+ .for _group in ${INCSGROUPS:NINCS}
+ 	mkdir -p "${DESTDIR}/${${_group}DIR}"
+ .endfor
diff --git a/nixpkgs/pkgs/os-specific/bsd/freebsd/compat-setup-hook.sh b/nixpkgs/pkgs/os-specific/bsd/freebsd/compat-setup-hook.sh
new file mode 100644
index 000000000000..6c3fda4e95ac
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/bsd/freebsd/compat-setup-hook.sh
@@ -0,0 +1,6 @@
+# See pkgs/build-support/setup-hooks/role.bash
+getHostRole
+
+export NIX_LDFLAGS${role_post}+=" -legacy"
+export NIX_CFLAGS_COMPILE${role_post}+=" -isystem @out@/0-include"
+export NIX_CFLAGS_COMPILE${role_post}+=" -isystem @out@/1-include"
diff --git a/nixpkgs/pkgs/os-specific/bsd/freebsd/default.nix b/nixpkgs/pkgs/os-specific/bsd/freebsd/default.nix
new file mode 100644
index 000000000000..ff9f4d911f03
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/bsd/freebsd/default.nix
@@ -0,0 +1,900 @@
+{ stdenv, lib, stdenvNoCC
+, makeScopeWithSplicing', generateSplicesForMkScope
+, buildPackages
+, bsdSetupHook, makeSetupHook
+, fetchgit, fetchzip, coreutils, groff, mandoc, byacc, flex, which, m4, gawk, substituteAll, runtimeShell
+, zlib, expat, libmd
+, runCommand, writeShellScript, writeText, symlinkJoin
+}:
+
+let
+  inherit (buildPackages.buildPackages) rsync;
+
+  version = "13.1.0";
+
+  # `BuildPackages.fetchgit` avoids some probably splicing-caused infinite
+  # recursion.
+  freebsdSrc = buildPackages.fetchgit {
+    url = "https://git.FreeBSD.org/src.git";
+    rev = "release/${version}";
+    sha256 = "14nhk0kls83xfb64d5xy14vpi6k8laswjycjg80indq9pkcr2rlv";
+  };
+
+  freebsdSetupHook = makeSetupHook {
+    name = "freebsd-setup-hook";
+  } ./setup-hook.sh;
+
+  mkBsdArch = stdenv':  {
+    x86_64 = "amd64";
+    aarch64 = "arm64";
+    i486 = "i386";
+    i586 = "i386";
+    i686 = "i386";
+  }.${stdenv'.hostPlatform.parsed.cpu.name}
+    or stdenv'.hostPlatform.parsed.cpu.name;
+
+  install-wrapper = ''
+    set -eu
+
+    args=()
+    declare -i path_args=0
+
+    while (( $# )); do
+      if (( $# == 1 )); then
+        if (( path_args > 1)) || [[ "$1" = */ ]]; then
+          mkdir -p "$1"
+        else
+          mkdir -p "$(dirname "$1")"
+        fi
+      fi
+      case $1 in
+        -C) ;;
+        -o | -g) shift ;;
+        -s) ;;
+        -m | -l)
+          # handle next arg so not counted as path arg
+          args+=("$1" "$2")
+          shift
+          ;;
+        -*) args+=("$1") ;;
+        *)
+          path_args+=1
+          args+=("$1")
+          ;;
+      esac
+      shift
+    done
+  '';
+
+in makeScopeWithSplicing' {
+  otherSplices = generateSplicesForMkScope "freebsd";
+  f = (self: let
+    inherit (self) mkDerivation;
+  in {
+  inherit freebsdSrc;
+
+  ports = fetchzip {
+    url = "https://cgit.freebsd.org/ports/snapshot/ports-dde3b2b456c3a4bdd217d0bf3684231cc3724a0a.tar.gz";
+    sha256 = "BpHqJfnGOeTE7tkFJBx0Wk8ryalmf4KNTit/Coh026E=";
+  };
+
+  # Why do we have splicing and yet do `nativeBuildInputs = with self; ...`?
+  # See note in ../netbsd/default.nix.
+
+  compatIfNeeded = lib.optional (!stdenvNoCC.hostPlatform.isFreeBSD) self.compat;
+
+  mkDerivation = lib.makeOverridable (attrs: let
+    stdenv' = if attrs.noCC or false then stdenvNoCC else stdenv;
+  in stdenv'.mkDerivation (rec {
+    pname = "${attrs.pname or (baseNameOf attrs.path)}-freebsd";
+    inherit version;
+    src = runCommand "${pname}-filtered-src" {
+      nativeBuildInputs = [ rsync ];
+    } ''
+      for p in ${lib.concatStringsSep " " ([ attrs.path ] ++ attrs.extraPaths or [])}; do
+        set -x
+        path="$out/$p"
+        mkdir -p "$(dirname "$path")"
+        src_path="${freebsdSrc}/$p"
+        if [[ -d "$src_path" ]]; then src_path+=/; fi
+        rsync --chmod="+w" -r "$src_path" "$path"
+        set +x
+      done
+    '';
+
+    extraPaths = [ ];
+
+    nativeBuildInputs = with buildPackages.freebsd; [
+      bsdSetupHook freebsdSetupHook
+      makeMinimal
+      install tsort lorder mandoc groff #statHook
+    ];
+    buildInputs = with self; compatIfNeeded;
+
+    HOST_SH = stdenv'.shell;
+
+    # Since STRIP below is the flag
+    STRIPBIN = "${stdenv.cc.bintools.targetPrefix}strip";
+
+    makeFlags = [
+      "STRIP=-s" # flag to install, not command
+    ] ++ lib.optional (!stdenv.hostPlatform.isFreeBSD) "MK_WERROR=no";
+
+    # amd64 not x86_64 for this on unlike NetBSD
+    MACHINE_ARCH = mkBsdArch stdenv';
+
+    MACHINE = mkBsdArch stdenv';
+
+    MACHINE_CPUARCH = MACHINE_ARCH;
+
+    COMPONENT_PATH = attrs.path or null;
+
+    strictDeps = true;
+
+    meta = with lib; {
+      maintainers = with maintainers; [ ericson2314 ];
+      platforms = platforms.unix;
+      license = licenses.bsd2;
+    };
+  } // lib.optionalAttrs stdenv'.hasCC {
+    # TODO should CC wrapper set this?
+    CPP = "${stdenv'.cc.targetPrefix}cpp";
+  } // lib.optionalAttrs stdenv'.isDarwin {
+    MKRELRO = "no";
+  } // lib.optionalAttrs (stdenv'.cc.isClang or false) {
+    HAVE_LLVM = lib.versions.major (lib.getVersion stdenv'.cc.cc);
+  } // lib.optionalAttrs (stdenv'.cc.isGNU or false) {
+    HAVE_GCC = lib.versions.major (lib.getVersion stdenv'.cc.cc);
+  } // lib.optionalAttrs (stdenv'.isx86_32) {
+    USE_SSP = "no";
+  } // lib.optionalAttrs (attrs.headersOnly or false) {
+    installPhase = "includesPhase";
+    dontBuild = true;
+  } // attrs));
+
+  ##
+  ## START BOOTSTRAPPING
+  ##
+  makeMinimal = mkDerivation rec {
+    inherit (self.make) path;
+
+    buildInputs = with self; [];
+    nativeBuildInputs = with buildPackages.netbsd; [ bsdSetupHook freebsdSetupHook ];
+
+    skipIncludesPhase = true;
+
+    makeFlags = [];
+
+    postPatch = ''
+      patchShebangs configure
+      ${self.make.postPatch}
+    '';
+
+    buildPhase = ''
+      runHook preBuild
+
+      sh ./make-bootstrap.sh
+
+      runHook postBuild
+    '';
+
+    installPhase = ''
+      runHook preInstall
+
+      install -D bmake "$out/bin/bmake"
+      ln -s "$out/bin/bmake" "$out/bin/make"
+      mkdir -p "$out/share"
+      cp -r "$BSDSRCDIR/share/mk" "$out/share/mk"
+      find "$out/share/mk" -type f -print0 |
+        while IFS= read -r -d "" f; do
+          substituteInPlace "$f" --replace 'usr/' ""
+        done
+      substituteInPlace "$out/share/mk/bsd.symver.mk" \
+        --replace '/share/mk' "$out/share/mk"
+
+      runHook postInstall
+    '';
+
+    postInstall = lib.optionalString (!stdenv.targetPlatform.isFreeBSD) ''
+      boot_mk="$BSDSRCDIR/tools/build/mk"
+      cp "$boot_mk"/Makefile.boot* "$out/share/mk"
+      replaced_mk="$out/share/mk.orig"
+      mkdir "$replaced_mk"
+      mv "$out"/share/mk/bsd.{lib,prog}.mk "$replaced_mk"
+      for m in bsd.{lib,prog}.mk; do
+        cp "$boot_mk/$m" "$out/share/mk"
+        substituteInPlace "$out/share/mk/$m" --replace '../../../share/mk' '../mk.orig'
+      done
+    '';
+
+    extraPaths = with self; make.extraPaths;
+  };
+
+  # Wrap NetBSD's install
+  boot-install = buildPackages.writeShellScriptBin "boot-install" (install-wrapper + ''
+
+    ${buildPackages.netbsd.install}/bin/xinstall "''${args[@]}"
+  '');
+
+  compat = mkDerivation rec {
+    pname = "compat";
+    path = "tools/build";
+    extraPaths = [
+      "lib/libc/db"
+      "lib/libc/stdlib" # getopt
+      "lib/libc/gen" # getcap
+      "lib/libc/locale" # rpmatch
+    ] ++ lib.optionals stdenv.hostPlatform.isLinux [
+      "lib/libc/string" # strlcpy
+      "lib/libutil"
+    ] ++ [
+      "contrib/libc-pwcache"
+      "contrib/libc-vis"
+      "sys/libkern"
+      "sys/kern/subr_capability.c"
+
+      # Take only individual headers, or else we will clobber native libc, etc.
+
+      "sys/rpc/types.h"
+
+      # Listed in Makekfile as INC
+      "include/mpool.h"
+      "include/ndbm.h"
+      "include/err.h"
+      "include/stringlist.h"
+      "include/a.out.h"
+      "include/nlist.h"
+      "include/db.h"
+      "include/getopt.h"
+      "include/nl_types.h"
+      "include/elf.h"
+      "sys/sys/ctf.h"
+
+      # Listed in Makekfile as SYSINC
+
+      "sys/sys/capsicum.h"
+      "sys/sys/caprights.h"
+      "sys/sys/imgact_aout.h"
+      "sys/sys/nlist_aout.h"
+      "sys/sys/nv.h"
+      "sys/sys/dnv.h"
+      "sys/sys/cnv.h"
+
+      "sys/sys/elf32.h"
+      "sys/sys/elf64.h"
+      "sys/sys/elf_common.h"
+      "sys/sys/elf_generic.h"
+      "sys/${mkBsdArch stdenv}/include"
+    ] ++ lib.optionals stdenv.hostPlatform.isx86 [
+      "sys/x86/include"
+    ] ++ [
+
+      "sys/sys/queue.h"
+      "sys/sys/md5.h"
+      "sys/sys/sbuf.h"
+      "sys/sys/tree.h"
+      "sys/sys/font.h"
+      "sys/sys/consio.h"
+      "sys/sys/fnv_hash.h"
+
+      "sys/crypto/chacha20/_chacha.h"
+      "sys/crypto/chacha20/chacha.h"
+      # included too, despite ".c"
+      "sys/crypto/chacha20/chacha.c"
+
+      "sys/fs"
+      "sys/ufs"
+      "sys/sys/disk"
+
+      "lib/libcapsicum"
+      "lib/libcasper"
+    ];
+
+    patches = [
+      ./compat-install-dirs.patch
+      ./compat-fix-typedefs-locations.patch
+    ];
+
+    preBuild = ''
+      NIX_CFLAGS_COMPILE+=' -I../../include -I../../sys'
+
+      cp ../../sys/${mkBsdArch stdenv}/include/elf.h ../../sys/sys
+      cp ../../sys/${mkBsdArch stdenv}/include/elf.h ../../sys/sys/${mkBsdArch stdenv}
+    '' + lib.optionalString stdenv.hostPlatform.isx86 ''
+      cp ../../sys/x86/include/elf.h ../../sys/x86
+    '';
+
+    setupHooks = [
+      ../../../build-support/setup-hooks/role.bash
+      ./compat-setup-hook.sh
+    ];
+
+    # This one has an ifdefed `#include_next` that makes it annoying.
+    postInstall = ''
+      rm ''${!outputDev}/0-include/libelf.h
+    '';
+
+    nativeBuildInputs = with buildPackages.freebsd; [
+      bsdSetupHook freebsdSetupHook
+      makeMinimal
+      boot-install
+
+      which
+    ];
+    buildInputs = [ expat zlib ];
+
+    makeFlags = [
+      "STRIP=-s" # flag to install, not command
+      "MK_WERROR=no"
+      "HOST_INCLUDE_ROOT=${lib.getDev stdenv.cc.libc}/include"
+      "INSTALL=boot-install"
+    ];
+
+    preIncludes = ''
+      mkdir -p $out/{0,1}-include
+      cp --no-preserve=mode -r cross-build/include/common/* $out/0-include
+    '' + lib.optionalString stdenv.hostPlatform.isLinux ''
+      cp --no-preserve=mode -r cross-build/include/linux/* $out/1-include
+    '' + lib.optionalString stdenv.hostPlatform.isDarwin ''
+      cp --no-preserve=mode -r cross-build/include/darwin/* $out/1-include
+    '';
+  };
+
+  libnetbsd = mkDerivation {
+    path = "lib/libnetbsd";
+    nativeBuildInputs = with buildPackages.freebsd; [
+      bsdSetupHook freebsdSetupHook
+      makeMinimal mandoc groff
+      (if stdenv.hostPlatform == stdenv.buildPlatform
+       then boot-install
+       else install)
+    ];
+    patches = lib.optionals (!stdenv.hostPlatform.isFreeBSD) [
+      ./libnetbsd-do-install.patch
+      #./libnetbsd-define-__va_list.patch
+    ];
+    makeFlags = [
+      "STRIP=-s" # flag to install, not command
+      "MK_WERROR=no"
+    ] ++ lib.optional (stdenv.hostPlatform == stdenv.buildPlatform) "INSTALL=boot-install";
+    buildInputs = with self; compatIfNeeded;
+  };
+
+  # HACK: to ensure parent directories exist. This emulates GNU
+  # install’s -D option. No alternative seems to exist in BSD install.
+  install = let binstall = writeShellScript "binstall" (install-wrapper + ''
+
+    @out@/bin/xinstall "''${args[@]}"
+  ''); in mkDerivation {
+    path = "usr.bin/xinstall";
+    extraPaths = with self; [ mtree.path ];
+    nativeBuildInputs = with buildPackages.freebsd; [
+      bsdSetupHook freebsdSetupHook
+      makeMinimal mandoc groff
+      (if stdenv.hostPlatform == stdenv.buildPlatform
+       then boot-install
+       else install)
+    ];
+    skipIncludesPhase = true;
+    buildInputs = with self; compatIfNeeded ++ [ libmd libnetbsd ];
+    makeFlags = [
+      "STRIP=-s" # flag to install, not command
+      "MK_WERROR=no"
+      "TESTSDIR=${builtins.placeholder "test"}"
+    ] ++ lib.optional (stdenv.hostPlatform == stdenv.buildPlatform) "INSTALL=boot-install";
+    postInstall = ''
+      install -D -m 0550 ${binstall} $out/bin/binstall
+      substituteInPlace $out/bin/binstall --subst-var out
+      mv $out/bin/install $out/bin/xinstall
+      ln -s ./binstall $out/bin/install
+    '';
+    outputs = [ "out" "man" "test" ];
+  };
+
+  sed = mkDerivation {
+    path = "usr.bin/sed";
+    TESTSRC = "${freebsdSrc}/contrib/netbsd-tests";
+    MK_TESTS = "no";
+  };
+
+  # Don't add this to nativeBuildInputs directly.  Use statHook instead.
+  stat = mkDerivation {
+    path = "usr.bin/stat";
+    nativeBuildInputs = with buildPackages.freebsd; [
+      bsdSetupHook freebsdSetupHook
+      makeMinimal install mandoc groff
+    ];
+  };
+
+  # stat isn't in POSIX, and NetBSD stat supports a completely
+  # different range of flags than GNU stat, so including it in PATH
+  # breaks stdenv.  Work around that with a hook that will point
+  # NetBSD's build system and NetBSD stat without including it in
+  # PATH.
+  statHook = makeSetupHook {
+    name = "netbsd-stat-hook";
+  } (writeText "netbsd-stat-hook-impl" ''
+    makeFlagsArray+=(TOOL_STAT=${self.stat}/bin/stat)
+  '');
+
+  tsort = mkDerivation {
+    path = "usr.bin/tsort";
+    nativeBuildInputs = with buildPackages.freebsd; [
+      bsdSetupHook freebsdSetupHook
+      makeMinimal install mandoc groff
+    ];
+  };
+
+  lorder = mkDerivation rec {
+    path = "usr.bin/lorder";
+    noCC = true;
+    dontBuild = true;
+    installPhase = ''
+      mkdir -p "$out/bin" "$man/share/man"
+      mv "lorder.sh" "$out/bin/lorder"
+      chmod +x "$out/bin/lorder"
+      mv "lorder.1" "$man/share/man"
+    '';
+    nativeBuildInputs = [ bsdSetupHook freebsdSetupHook ];
+    buildInputs = [];
+    outputs = [ "out" "man" ];
+  };
+
+  ##
+  ## END BOOTSTRAPPING
+  ##
+
+  ##
+  ## START COMMAND LINE TOOLS
+  ##
+  make = mkDerivation {
+    path = "contrib/bmake";
+    version = "9.2";
+    postPatch = ''
+      # make needs this to pick up our sys make files
+      export NIX_CFLAGS_COMPILE+=" -D_PATH_DEFSYSPATH=\"$out/share/mk\""
+
+    '' + lib.optionalString stdenv.isDarwin ''
+      substituteInPlace $BSDSRCDIR/share/mk/bsd.sys.mk \
+        --replace '-Wl,--fatal-warnings' "" \
+        --replace '-Wl,--warn-shared-textrel' ""
+    '';
+    postInstall = ''
+      make -C $BSDSRCDIR/share/mk FILESDIR=$out/share/mk install
+    '';
+    extraPaths = [ "share/mk" ]
+      ++ lib.optional (!stdenv.hostPlatform.isFreeBSD) "tools/build/mk";
+  };
+  mtree = mkDerivation {
+    path = "contrib/mtree";
+    extraPaths = with self; [ mknod.path ];
+  };
+
+  mknod = mkDerivation {
+    path = "sbin/mknod";
+  };
+
+  rpcgen = mkDerivation rec {
+    path = "usr.bin/rpcgen";
+    patches = lib.optionals (stdenv.hostPlatform.libc == "glibc") [
+      # `WUNTRACED` is defined privately `bits/waitflags.h` in glibc.
+      # But instead of having a regular header guard, it has some silly
+      # non-modular logic. `stdlib.h` will include it if `sys/wait.h`
+      # hasn't yet been included (for it would first), and vice versa.
+      #
+      # The problem is that with the FreeBSD compat headers, one of
+      # those headers ends up included other headers...which ends up
+      # including the other one, this means by the first time we reach
+      # `#include `<bits/waitflags.h>`, both `_SYS_WAIT_H` and
+      # `_STDLIB_H` are already defined! Thus, we never ned up including
+      # `<bits/waitflags.h>` and defining `WUNTRACED`.
+      #
+      # This hacks around this by manually including `WUNTRACED` until
+      # the problem is fixed properly in glibc.
+      ./rpcgen-glibc-hack.patch
+    ];
+  };
+
+  gencat = mkDerivation {
+    path = "usr.bin/gencat";
+  };
+
+  file2c = mkDerivation {
+    path = "usr.bin/file2c";
+    MK_TESTS = "no";
+  };
+
+  libnv = mkDerivation {
+    path = "lib/libnv";
+    extraPaths = [
+      "sys/contrib/libnv"
+      "sys/sys"
+    ];
+    MK_TESTS = "no";
+  };
+
+  libsbuf = mkDerivation {
+    path = "lib/libsbuf";
+    extraPaths = [
+      "sys/kern"
+    ];
+    MK_TESTS = "no";
+  };
+
+  libelf = mkDerivation {
+    path = "lib/libelf";
+    extraPaths = [
+      "contrib/elftoolchain/libelf"
+      "contrib/elftoolchain/common"
+      "sys/sys/elf32.h"
+      "sys/sys/elf64.h"
+      "sys/sys/elf_common.h"
+    ];
+    BOOTSTRAPPING = !stdenv.isFreeBSD;
+    nativeBuildInputs = with buildPackages.freebsd; [
+      bsdSetupHook freebsdSetupHook
+      makeMinimal install mandoc groff
+
+      m4
+    ];
+    MK_TESTS = "no";
+  };
+
+  libdwarf = mkDerivation {
+    path = "lib/libdwarf";
+    extraPaths = [
+      "contrib/elftoolchain/libdwarf"
+      "contrib/elftoolchain/common"
+      "sys/sys/elf32.h"
+      "sys/sys/elf64.h"
+      "sys/sys/elf_common.h"
+    ];
+    nativeBuildInputs = with buildPackages.freebsd; [
+      bsdSetupHook freebsdSetupHook
+      makeMinimal install mandoc groff
+
+      m4
+    ];
+    buildInputs = with self; compatIfNeeded ++ [
+      libelf
+    ];
+    MK_TESTS = "no";
+  };
+
+  uudecode = mkDerivation {
+    path = "usr.bin/uudecode";
+    MK_TESTS = "no";
+  };
+
+  config = mkDerivation {
+    path = "usr.sbin/config";
+    nativeBuildInputs = with buildPackages.freebsd; [
+      bsdSetupHook freebsdSetupHook
+      makeMinimal install mandoc groff
+
+      flex byacc file2c
+    ];
+    buildInputs = with self; compatIfNeeded ++ [ libnv libsbuf ];
+  };
+  ##
+  ## END COMMAND LINE TOOLS
+  ##
+
+  ##
+  ## START HEADERS
+  ##
+  include = mkDerivation {
+    path = "include";
+
+    extraPaths = [
+      "contrib/libc-vis"
+      "etc/mtree/BSD.include.dist"
+      "sys"
+    ];
+
+    nativeBuildInputs = with buildPackages.freebsd; [
+      bsdSetupHook freebsdSetupHook
+      makeMinimal
+      install
+      mandoc groff rsync /*nbperf*/ rpcgen
+
+      # HACK use NetBSD's for now
+      buildPackages.netbsd.mtree
+    ];
+
+    patches = [
+      ./no-perms-BSD.include.dist.patch
+    ];
+
+    # The makefiles define INCSDIR per subdirectory, so we have to set
+    # something else on the command line so those definitions aren't
+    # overridden.
+    postPatch = ''
+      find "$BSDSRCDIR" -name Makefile -exec \
+        sed -i -E \
+          -e 's_/usr/include_''${INCSDIR0}_' \
+          {} \;
+    '';
+
+    makeFlags = [
+      "RPCGEN_CPP=${buildPackages.stdenv.cc.cc}/bin/cpp"
+    ];
+
+    # multiple header dirs, see above
+    postConfigure = ''
+      makeFlags=''${makeFlags/INCSDIR/INCSDIR0}
+    '';
+
+    headersOnly = true;
+
+    MK_HESIOD = "yes";
+
+    meta.platforms = lib.platforms.freebsd;
+  };
+
+  ##
+  ## END HEADERS
+  ##
+
+  csu = mkDerivation {
+    path = "lib/csu";
+    extraPaths = with self; [
+      "lib/Makefile.inc"
+      "lib/libc/include/libc_private.h"
+    ];
+    nativeBuildInputs = with buildPackages.freebsd; [
+      bsdSetupHook freebsdSetupHook
+      makeMinimal
+      install
+
+      flex byacc gencat
+    ];
+    buildInputs = with self; [ include ];
+    MK_TESTS = "no";
+    meta.platforms = lib.platforms.freebsd;
+  };
+
+  libc = mkDerivation rec {
+    pname = "libc";
+    path = "lib/libc";
+    extraPaths = [
+      "etc/group"
+      "etc/master.passwd"
+      "etc/shells"
+      "lib/libmd"
+      "lib/libutil"
+      "lib/msun"
+      "sys/kern"
+      "sys/libkern"
+      "sys/sys"
+      "sys/crypto/chacha20"
+      "include/rpcsvc"
+      "contrib/jemalloc"
+      "contrib/gdtoa"
+      "contrib/libc-pwcache"
+      "contrib/libc-vis"
+      "contrib/tzcode/stdtime"
+
+      # libthr
+      "lib/libthr"
+      "lib/libthread_db"
+      "libexec/rtld-elf"
+
+      # librpcsvc
+      "lib/librpcsvc"
+
+      # librt
+      "lib/librt"
+
+      # libcrypt
+      "lib/libcrypt"
+      "lib/libmd"
+      "sys/crypto/sha2"
+    ];
+
+    patches = [
+      # Hack around broken propogating MAKEFLAGS to submake, just inline logic
+      ./libc-msun-arch-subdir.patch
+
+      # Don't force -lcompiler-rt, we don't actually call it that
+      ./libc-no-force--lcompiler-rt.patch
+
+      # Fix extra include dir to get rpcsvc headers.
+      ./librpcsvc-include-subdir.patch
+    ];
+
+    postPatch = ''
+      substituteInPlace $COMPONENT_PATH/Makefile --replace '.include <src.opts.mk>' ""
+    '';
+
+    nativeBuildInputs = with buildPackages.freebsd; [
+      bsdSetupHook freebsdSetupHook
+      makeMinimal
+      install
+
+      flex byacc gencat rpcgen
+    ];
+    buildInputs = with self; [ include csu ];
+    env.NIX_CFLAGS_COMPILE = "-B${self.csu}/lib";
+
+    makeFlags = [
+      "STRIP=-s" # flag to install, not command
+      # lib/libc/gen/getgrent.c has sketchy cast from `void *` to enum
+      "MK_WERROR=no"
+    ];
+
+    MK_SYMVER = "yes";
+    MK_SSP = "yes";
+    MK_NLS = "yes";
+    MK_ICONV = "no"; # TODO make srctop
+    MK_NS_CACHING = "yes";
+    MK_INET6_SUPPORT = "yes";
+    MK_HESIOD = "yes";
+    MK_NIS = "yes";
+    MK_HYPERV = "yes";
+    MK_FP_LIBC = "yes";
+
+    MK_TCSH = "no";
+    MK_MALLOC_PRODUCTION = "yes";
+
+    MK_TESTS = "no";
+
+    postInstall = ''
+      pushd ${self.include}
+      find . -type d -exec mkdir -p $out/\{} \;
+      find . \( -type f -o -type l \) -exec cp -pr \{} $out/\{} \;
+      popd
+
+      pushd ${self.csu}
+      find . -type d -exec mkdir -p $out/\{} \;
+      find . \( -type f -o -type l \) -exec cp -pr \{} $out/\{} \;
+      popd
+
+      sed -i -e 's| [^ ]*/libc_nonshared.a||' $out/lib/libc.so
+
+      $CC -nodefaultlibs -lgcc -shared -o $out/lib/libgcc_s.so
+
+      NIX_CFLAGS_COMPILE+=" -B$out/lib"
+      NIX_CFLAGS_COMPILE+=" -I$out/include"
+      NIX_LDFLAGS+=" -L$out/lib"
+
+      make -C $BSDSRCDIR/lib/libthr $makeFlags
+      make -C $BSDSRCDIR/lib/libthr $makeFlags install
+
+      make -C $BSDSRCDIR/lib/msun $makeFlags
+      make -C $BSDSRCDIR/lib/msun $makeFlags install
+
+      make -C $BSDSRCDIR/lib/librpcsvc $makeFlags
+      make -C $BSDSRCDIR/lib/librpcsvc $makeFlags install
+
+      make -C $BSDSRCDIR/lib/libutil $makeFlags
+      make -C $BSDSRCDIR/lib/libutil $makeFlags install
+
+      make -C $BSDSRCDIR/lib/librt $makeFlags
+      make -C $BSDSRCDIR/lib/librt $makeFlags install
+
+      make -C $BSDSRCDIR/lib/libcrypt $makeFlags
+      make -C $BSDSRCDIR/lib/libcrypt $makeFlags install
+    '';
+
+    meta.platforms = lib.platforms.freebsd;
+  };
+
+  ##
+  ## Kernel
+  ##
+
+  libspl = mkDerivation {
+    path = "cddl/lib/libspl";
+    extraPaths = [
+      "sys/contrib/openzfs/lib/libspl"
+      "sys/contrib/openzfs/include"
+
+      "cddl/compat/opensolaris/include"
+      "sys/contrib/openzfs/module/icp/include"
+      "sys/modules/zfs"
+    ];
+    # nativeBuildInputs = with buildPackages.freebsd; [
+    #   bsdSetupHook freebsdSetupHook
+    #   makeMinimal install mandoc groff
+
+    #   flex byacc file2c
+    # ];
+    # buildInputs = with self; compatIfNeeded ++ [ libnv libsbuf ];
+    meta.license = lib.licenses.cddl;
+  };
+
+  ctfconvert = mkDerivation {
+    path = "cddl/usr.bin/ctfconvert";
+    extraPaths = [
+      "cddl/compat/opensolaris"
+      "cddl/contrib/opensolaris"
+      "sys/cddl/compat/opensolaris"
+      "sys/cddl/contrib/opensolaris"
+      "sys/contrib/openzfs"
+    ];
+    OPENSOLARIS_USR_DISTDIR = "$(SRCTOP)/cddl/contrib/opensolaris";
+    OPENSOLARIS_SYS_DISTDIR = "$(SRCTOP)/sys/cddl/contrib/opensolaris";
+    nativeBuildInputs = with buildPackages.freebsd; [
+      bsdSetupHook freebsdSetupHook
+      makeMinimal install mandoc groff
+
+      # flex byacc file2c
+    ];
+    buildInputs = with self; compatIfNeeded ++ [
+      libelf libdwarf zlib libspl
+    ];
+    meta.license = lib.licenses.cddl;
+  };
+
+  xargs-j = substituteAll {
+    name = "xargs-j";
+    shell = runtimeShell;
+    src = ../xargs-j.sh;
+    dir = "bin";
+    isExecutable = true;
+  };
+
+  sys = mkDerivation (let
+    cfg = "MINIMAL";
+  in rec {
+    path = "sys";
+
+    nativeBuildInputs = with buildPackages.freebsd; [
+      bsdSetupHook freebsdSetupHook
+      makeMinimal install mandoc groff
+
+      config rpcgen file2c gawk uudecode xargs-j
+      #ctfconvert
+    ];
+
+    patches = [
+      ./sys-gnu-date.patch
+      ./sys-no-explicit-intrinsics-dep.patch
+    ];
+
+    # --dynamic-linker /red/herring is used when building the kernel.
+    NIX_ENFORCE_PURITY = 0;
+
+    AWK = "${buildPackages.gawk}/bin/awk";
+
+    CWARNEXTRA = "-Wno-error=shift-negative-value -Wno-address-of-packed-member";
+
+    MK_CTF = "no";
+
+    KODIR = "${builtins.placeholder "out"}/kernel";
+    KMODDIR = "${builtins.placeholder "out"}/kernel";
+    DTBDIR = "${builtins.placeholder"out"}/dbt";
+
+    KERN_DEBUGDIR = "${builtins.placeholder "out"}/debug";
+    KERN_DEBUGDIR_KODIR = "${KERN_DEBUGDIR}/kernel";
+    KERN_DEBUGDIR_KMODDIR = "${KERN_DEBUGDIR}/kernel";
+
+    skipIncludesPhase = true;
+
+    configurePhase = ''
+      runHook preConfigure
+
+      for f in conf/kmod.mk contrib/dev/acpica/acpica_prep.sh; do
+        substituteInPlace "$f" --replace 'xargs -J' 'xargs-j '
+      done
+
+      for f in conf/*.mk; do
+        substituteInPlace "$f" --replace 'KERN_DEBUGDIR}''${' 'KERN_DEBUGDIR_'
+      done
+
+      cd ${mkBsdArch stdenv}/conf
+      sed -i ${cfg} \
+        -e 's/WITH_CTF=1/WITH_CTF=0/' \
+        -e '/KDTRACE/d'
+      config ${cfg}
+
+      runHook postConfigure
+    '';
+    preBuild = ''
+      cd ../compile/${cfg}
+    '';
+  });
+
+});
+}
diff --git a/nixpkgs/pkgs/os-specific/bsd/freebsd/evdev-proto/default.nix b/nixpkgs/pkgs/os-specific/bsd/freebsd/evdev-proto/default.nix
new file mode 100644
index 000000000000..b6dab0d8bdfc
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/bsd/freebsd/evdev-proto/default.nix
@@ -0,0 +1,64 @@
+{ lib, stdenv, linuxHeaders, freebsd, runCommandCC, buildPackages }:
+
+stdenv.mkDerivation {
+  pname = "evdev-proto";
+  inherit (linuxHeaders) version;
+
+  src = freebsd.ports;
+
+  sourceRoot = "${freebsd.ports.name}/devel/evdev-proto";
+
+  useTempPrefix = true;
+
+  nativeBuildInputs = [ freebsd.makeMinimal ];
+
+  ARCH = freebsd.makeMinimal.MACHINE_ARCH;
+  OPSYS = "FreeBSD";
+  _OSRELEASE = "${lib.versions.majorMinor freebsd.makeMinimal.version}-RELEASE";
+
+  AWK = "awk";
+  CHMOD = "chmod";
+  FIND = "find";
+  MKDIR = "mkdir -p";
+  PKG_BIN = "${buildPackages.pkg}/bin/pkg";
+  RM = "rm -f";
+  SED = "${buildPackages.freebsd.sed}/bin/sed";
+  SETENV = "env";
+  SH = "sh";
+  TOUCH = "touch";
+  XARGS = "xargs";
+
+  ABI_FILE = runCommandCC "abifile" {} "$CC -shared -o $out";
+  CLEAN_FETCH_ENV = true;
+  INSTALL_AS_USER = true;
+  NO_CHECKSUM = true;
+  NO_MTREE = true;
+  SRC_BASE = freebsd.freebsdSrc;
+
+  preUnpack = ''
+    export MAKE_JOBS_NUMBER="$NIX_BUILD_CORES"
+
+    export DISTDIR="$PWD/distfiles"
+    export PKG_DBDIR="$PWD/pkg"
+    export PREFIX="$prefix"
+
+    mkdir -p "$DISTDIR/evdev-proto"
+    tar -C "$DISTDIR/evdev-proto" \
+        -xf ${linuxHeaders.src} \
+        --strip-components 4 \
+        linux-${linuxHeaders.version}/include/uapi/linux
+  '';
+
+  makeFlags = [ "DIST_SUBDIR=evdev-proto" ];
+
+  postInstall = ''
+    mv $prefix $out
+  '';
+
+  meta = with lib; {
+    description = "Input event device header files for FreeBSD";
+    maintainers = with maintainers; [ qyliss ];
+    platforms = platforms.freebsd;
+    license = licenses.gpl2Only;
+  };
+}
diff --git a/nixpkgs/pkgs/os-specific/bsd/freebsd/libc-msun-arch-subdir.patch b/nixpkgs/pkgs/os-specific/bsd/freebsd/libc-msun-arch-subdir.patch
new file mode 100644
index 000000000000..4a69e85a986a
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/bsd/freebsd/libc-msun-arch-subdir.patch
@@ -0,0 +1,11 @@
+--- a/lib/libc/Makefile
++++ b/lib/libc/Makefile
+@@ -194,7 +194,7 @@ SUBDIR.${MK_TESTS}+= tests
+ # recording a build dependency
+ CFLAGS+= -I${SRCTOP}/lib/libutil
+ # Same issue with libm
+-MSUN_ARCH_SUBDIR != ${MAKE} -B -C ${SRCTOP}/lib/msun -V ARCH_SUBDIR
++MSUN_ARCH_SUBDIR = ${MACHINE_CPUARCH:S/i386/i387/}
+ # unfortunately msun/src contains both private and public headers
+ CFLAGS+= -I${SRCTOP}/lib/msun/${MSUN_ARCH_SUBDIR}
+ .if ${MACHINE_CPUARCH} == "i386" || ${MACHINE_CPUARCH} == "amd64"
diff --git a/nixpkgs/pkgs/os-specific/bsd/freebsd/libc-no-force--lcompiler-rt.patch b/nixpkgs/pkgs/os-specific/bsd/freebsd/libc-no-force--lcompiler-rt.patch
new file mode 100644
index 000000000000..60176fb73cf7
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/bsd/freebsd/libc-no-force--lcompiler-rt.patch
@@ -0,0 +1,10 @@
+--- a/lib/libc/Makefile
++++ b/lib/libc/Makefile
+@@ -58,7 +58,6 @@ CFLAGS+=${CANCELPOINTS_CFLAGS}
+ # Link with static libcompiler_rt.a.
+ #
+ LDFLAGS+= -nodefaultlibs
+-LIBADD+=	compiler_rt
+ 
+ .if ${MK_SSP} != "no" && \
+     (${LIBC_ARCH} == "i386" || ${MACHINE_ARCH:Mpower*} != "")
diff --git a/nixpkgs/pkgs/os-specific/bsd/freebsd/libnetbsd-do-install.patch b/nixpkgs/pkgs/os-specific/bsd/freebsd/libnetbsd-do-install.patch
new file mode 100644
index 000000000000..a7bd032d2be5
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/bsd/freebsd/libnetbsd-do-install.patch
@@ -0,0 +1,32 @@
+diff --git a/Makefile b/Makefile
+index 22710f3d933..22effc848cf 100644
+--- a/lib/libnetbsd/Makefile
++++ b/lib/libnetbsd/Makefile
+@@ -9,6 +9,26 @@ CFLAGS+=	-I${.CURDIR}
+ 
+ SRCS+=	efun.c sockaddr_snprintf.c strsuftoll.c util.c util.h
+ 
+-INTERNALLIB=
++INCSGROUPS= INCS SYSINCS NETINETINCS
++
++INCS+= \
++	glob.h \
++	pthread.h \
++	rmd160.h \
++	sha1.h \
++	sha2.h \
++	stdlib.h \
++	util.h
++
++SYSINCSDIR= ${INCLUDEDIR}/sys
++SYSINCS+= \
++	sys/cdefs.h \
++	sys/event.h \
++	sys/types.h \
++	sys/wait.h
++
++NETINETINCSDIR= ${INCLUDEDIR}/netinet
++NETINETINCS+= \
++	netinet/in.h
+ 
+ .include <bsd.lib.mk>
diff --git a/nixpkgs/pkgs/os-specific/bsd/freebsd/librpcsvc-include-subdir.patch b/nixpkgs/pkgs/os-specific/bsd/freebsd/librpcsvc-include-subdir.patch
new file mode 100644
index 000000000000..38e06682869f
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/bsd/freebsd/librpcsvc-include-subdir.patch
@@ -0,0 +1,11 @@
+--- a/lib/librpcsvc/Makefile
++++ b/lib/librpcsvc/Makefile
+@@ -20,7 +20,7 @@ OTHERSRCS+= yp_passwd.c yp_update.c
+ 
+ RPCCOM=	RPCGEN_CPP=${CPP:Q} rpcgen -C
+ 
+-INCDIRS= -I${SYSROOT:U${DESTDIR}}/usr/include/rpcsvc
++INCDIRS= -I${INCLUDEDIR}/rpcsvc
+ 
+ CFLAGS+= -DYP ${INCDIRS}
+ 
diff --git a/nixpkgs/pkgs/os-specific/bsd/freebsd/no-perms-BSD.include.dist.patch b/nixpkgs/pkgs/os-specific/bsd/freebsd/no-perms-BSD.include.dist.patch
new file mode 100644
index 000000000000..985617ee0f45
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/bsd/freebsd/no-perms-BSD.include.dist.patch
@@ -0,0 +1,11 @@
+--- a/etc/mtree/BSD.include.dist
++++ b/etc/mtree/BSD.include.dist
+@@ -3,7 +3,7 @@
+ # Please see the file src/etc/mtree/README before making changes to this file.
+ #
+ 
+-/set type=dir uname=root gname=wheel mode=0755
++/set type=dir
+ .
+     arpa
+     ..
diff --git a/nixpkgs/pkgs/os-specific/bsd/freebsd/rpcgen-glibc-hack.patch b/nixpkgs/pkgs/os-specific/bsd/freebsd/rpcgen-glibc-hack.patch
new file mode 100644
index 000000000000..3dde1a010651
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/bsd/freebsd/rpcgen-glibc-hack.patch
@@ -0,0 +1,15 @@
+--- a/usr.bin/rpcgen/rpc_scan.c
++++ b/usr.bin/rpcgen/rpc_scan.c
+@@ -43,8 +43,12 @@ __FBSDID("$FreeBSD$");
+  */
+ 
+ #include <sys/types.h>
+ 
++// glibc + compat is broken from silly indirect header guard
++#define _SYS_WAIT_H
++# include <bits/waitflags.h>
++#undef _SYS_WAIT_H
+ #include <sys/wait.h>
+ #include <stdio.h>
+ #include <ctype.h>
+ #include <string.h>
diff --git a/nixpkgs/pkgs/os-specific/bsd/freebsd/setup-hook.sh b/nixpkgs/pkgs/os-specific/bsd/freebsd/setup-hook.sh
new file mode 100644
index 000000000000..929782954ba7
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/bsd/freebsd/setup-hook.sh
@@ -0,0 +1,12 @@
+setFreeBSDSrcTop() {
+  makeFlags="SRCTOP=$BSDSRCDIR $makeFlags"
+}
+
+addFreeBSDMakeFlags() {
+  makeFlags="SBINDIR=${!outputBin}/bin $makeFlags"
+  makeFlags="LIBEXECDIR=${!outputLib}/libexec $makeFlags"
+  makeFlags="INCLUDEDIR=${!outputDev}/include $makeFlags"
+}
+
+postUnpackHooks+=(setFreeBSDSrcTop)
+preConfigureHooks+=(addFreeBSDMakeFlags)
diff --git a/nixpkgs/pkgs/os-specific/bsd/freebsd/sys-gnu-date.patch b/nixpkgs/pkgs/os-specific/bsd/freebsd/sys-gnu-date.patch
new file mode 100644
index 000000000000..2356446baf85
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/bsd/freebsd/sys-gnu-date.patch
@@ -0,0 +1,13 @@
+diff --git a/sys/conf/newvers.sh b/sys/conf/newvers.sh
+index c594724d814..d5287c7b992 100644
+--- a/sys/conf/newvers.sh
++++ b/sys/conf/newvers.sh
+@@ -177,7 +177,7 @@ u=${USER:-root}
+ d=$(pwd)
+ h=${HOSTNAME:-$(hostname)}
+ if [ -n "$SOURCE_DATE_EPOCH" ]; then
+-	if ! t=$(date -r $SOURCE_DATE_EPOCH 2>/dev/null); then
++	if ! t=$(date -d @$SOURCE_DATE_EPOCH 2>/dev/null); then
+ 		echo "Invalid SOURCE_DATE_EPOCH" >&2
+ 		exit 1
+ 	fi
diff --git a/nixpkgs/pkgs/os-specific/bsd/freebsd/sys-no-explicit-intrinsics-dep.patch b/nixpkgs/pkgs/os-specific/bsd/freebsd/sys-no-explicit-intrinsics-dep.patch
new file mode 100644
index 000000000000..edf44de5bb0d
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/bsd/freebsd/sys-no-explicit-intrinsics-dep.patch
@@ -0,0 +1,45 @@
+diff --git a/sys/modules/aesni/Makefile b/sys/modules/aesni/Makefile
+index cb8c744adde..1c327331890 100644
+--- a/sys/modules/aesni/Makefile
++++ b/sys/modules/aesni/Makefile
+@@ -1,7 +1,6 @@
+ # $FreeBSD$
+ 
+ .PATH: ${SRCTOP}/sys/crypto/aesni
+-.PATH: ${SRCTOP}/contrib/llvm-project/clang/lib/Headers
+ 
+ KMOD=	aesni
+ SRCS=	aesni.c
+@@ -40,8 +39,8 @@ intel_sha256.o: intel_sha256.c
+ aesni_ghash.o: aesni.h
+ aesni_wrap.o: aesni.h
+ aesni_ccm.o: aesni.h
+-intel_sha1.o: sha_sse.h immintrin.h shaintrin.h tmmintrin.h xmmintrin.h
+-intel_sha256.o: sha_sse.h immintrin.h shaintrin.h tmmintrin.h xmmintrin.h
++intel_sha1.o: sha_sse.h
++intel_sha256.o: sha_sse.h
+ 
+ .include <bsd.kmod.mk>
+ 
+diff --git a/sys/modules/blake2/Makefile b/sys/modules/blake2/Makefile
+index e4b3fb9f126..5bfd9c2ae02 100644
+--- a/sys/modules/blake2/Makefile
++++ b/sys/modules/blake2/Makefile
+@@ -3,7 +3,6 @@
+ .PATH:	${SRCTOP}/sys/contrib/libb2
+ .PATH:	${SRCTOP}/sys/crypto/blake2
+ .PATH:	${SRCTOP}/sys/opencrypto
+-.PATH:	${SRCTOP}/contrib/llvm-project/clang/lib/Headers
+ 
+ KMOD	= blake2
+ 
+@@ -64,8 +63,7 @@ ${src:S/.c/.o/}: ${src}
+ 	    -D_MM_MALLOC_H_INCLUDED -Wno-unused-function ${.IMPSRC}
+ 	${CTFCONVERT_CMD}
+ 
+-${src:S/.c/.o/}: intrin.h emmintrin.h tmmintrin.h smmintrin.h immintrin.h \
+-    x86intrin.h ${SRCS:M*.h}
++${src:S/.c/.o/}: ${SRCS:M*.h}
+ .endfor
+ 
+ # FreeBSD-specific sources:
diff --git a/nixpkgs/pkgs/os-specific/bsd/netbsd/compat-cxx-safe-header.patch b/nixpkgs/pkgs/os-specific/bsd/netbsd/compat-cxx-safe-header.patch
new file mode 100644
index 000000000000..2aaa90b76146
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/bsd/netbsd/compat-cxx-safe-header.patch
@@ -0,0 +1,18 @@
+diff -u -r1.35.2.1 nbtool_config.h.in
+--- a/tools/compat/nbtool_config.h.in	22 Apr 2015 07:18:58 -0000	1.35.2.1
++++ b/tools/compat/nbtool_config.h.in	31 May 2018 01:46:53 -0000
+@@ -680,5 +680,14 @@
+ /* Define if you have u_int8_t, but not uint8_t. */
+ #undef uint8_t
+ 
++#ifdef __cplusplus
++extern "C" {
++#endif
++
+ #include "compat_defs.h"
++
++#ifdef __cplusplus
++}
++#endif
++
+ #endif /* !__NETBSD_NBTOOL_CONFIG_H__ */
diff --git a/nixpkgs/pkgs/os-specific/bsd/netbsd/compat-dont-configure-twice.patch b/nixpkgs/pkgs/os-specific/bsd/netbsd/compat-dont-configure-twice.patch
new file mode 100644
index 000000000000..2758e256a616
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/bsd/netbsd/compat-dont-configure-twice.patch
@@ -0,0 +1,22 @@
+commit f2d0ff85e05b49e9d11735ce4810b242c1dbf5af
+Author: John Ericson <John.Ericson@Obsidian.Systems>
+Date:   Wed Sep 1 15:38:56 2021 +0000
+
+    Make should not hit configure
+
+diff --git a/Makefile b/Makefile
+index b5adb8a5f2e9..1a914ef16739 100644
+--- a/tools/compat/Makefile
++++ b/tools/compat/Makefile
+@@ -76,11 +76,6 @@ _CURDIR:=	${.CURDIR}
+ 
+ SRCS:=		${SRCS:M*.c}
+ 
+-config.cache: include/.stamp configure nbtool_config.h.in defs.mk.in
+-	rm -f ${.TARGET}
+-	CC=${HOST_CC:Q} CFLAGS=${HOST_CFLAGS:Q} LDFLAGS=${HOST_LDFLAGS:Q} \
+-		${HOST_SH} ${.CURDIR}/configure --cache-file=config.cache
+-
+ defs.mk: config.cache
+ 	@touch ${.TARGET}
+ 
diff --git a/nixpkgs/pkgs/os-specific/bsd/netbsd/compat-no-force-native.patch b/nixpkgs/pkgs/os-specific/bsd/netbsd/compat-no-force-native.patch
new file mode 100644
index 000000000000..117fb7e04298
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/bsd/netbsd/compat-no-force-native.patch
@@ -0,0 +1,101 @@
+commit 5acf3bdea5140e90135d15d6479f29fbf624f75e
+Author: John Ericson <John.Ericson@Obsidian.Systems>
+Date:   Wed Sep 1 15:38:56 2021 +0000
+
+    Don't force building and installing for the build platform
+    
+    Also remove `compat/` subdir from install directories.
+
+diff --git a/Makefile b/Makefile
+index 4bcf227f0e75..9ed1d6eea6ff 100644
+--- a/tools/compat/Makefile
++++ b/tools/compat/Makefile
+@@ -1,6 +1,6 @@
+ #	$NetBSD: Makefile,v 1.87 2019/05/08 02:25:50 thorpej Exp $
+ 
+-HOSTLIB=	nbcompat
++LIB=	nbcompat
+ 
+-.include <bsd.hostinit.mk>
++.include <bsd.own.mk>
+ 
+@@ -94,63 +94,37 @@ include/.stamp:
+ 
+ # Install rules
+ 
+-HOST_LIBDIR=	${TOOLDIR}/lib
+-HOST_INCSDIR=	${TOOLDIR}/include
+-HOST_SHAREDIR= ${TOOLDIR}/share
+-
+-install:	.PHONY install.lib includes install.defs.mk
+-
+-# Install lib${HOSTLIB}.a in ${TOOLDIR}/lib
+-install.lib: .PHONY ${HOST_LIBDIR}/lib${HOSTLIB}.a
+-${HOST_LIBDIR}/lib${HOSTLIB}.a: lib${HOSTLIB}.a
+-	${_MKTARGET_INSTALL}
+-	${HOST_INSTALL_DIR} ${HOST_LIBDIR}
+-	${HOST_INSTALL_FILE} -m ${LIBMODE} ${.ALLSRC} ${.TARGET}
++install:	.PHONY includes install.defs.mk
+ 
+ .for _f in ${INCFILES}
+-HOST_INCINSTFILES+= ${HOST_INCSDIR}/compat/${_f}
+-${HOST_INCSDIR}/compat/${_f}: ${_f}
++INCINSTFILES+= ${INCSDIR}/${_f}
++${INCSDIR}/${_f}: ${_f}
+ 	${_MKTARGET_INSTALL}
+-	${HOST_INSTALL_FILE} ${.ALLSRC} ${.TARGET}
++	${INSTALL_FILE} ${.ALLSRC} ${.TARGET}
+ .endfor
+ 
+ .for _d in ${INCSUBDIRS}
+-HOST_INCINSTDIRS+= ${HOST_INCSDIR}/compat/${_d}
+-${HOST_INCSDIR}/compat/${_d}:
++INCINSTDIRS+= ${INCSDIR}/${_d}
++${INCSDIR}/${_d}:
+ 	${_MKTARGET_INSTALL}
+-	${HOST_INSTALL_DIR} ${.TARGET}
++	${INSTALL_DIR} ${.TARGET}
+ .endfor
+ 
+-# Install include files in ${TOOLDIR}/include/compat
+-includes: .PHONY ${HOST_INCINSTDIRS} .WAIT ${HOST_INCINSTFILES}
++# Install include files in ${INCSDIR}
++includes: .PHONY ${INCINSTDIRS} .WAIT ${INCINSTFILES}
+ 	@(cd include && find . -name '*.h' -print | while read f ; do \
+-	    ${HOST_INSTALL_FILE} $$f ${HOST_INCSDIR}/compat/$$f ; \
++	    ${INSTALL_FILE} $$f ${INCSDIR}/$$f ; \
+ 	done)
+ 
+ 
+-# Install defs.mk in ${TOOLDIR}/share/compat
+-install.defs.mk: .PHONY ${HOST_SHAREDIR}/compat/defs.mk
+-${HOST_SHAREDIR}/compat/defs.mk: defs.mk
++# Install defs.mk in ${DATADIR}
++install.defs.mk: .PHONY ${DATADIR}/defs.mk
++${DATADIR}/defs.mk: defs.mk
+ 	${_MKTARGET_INSTALL}
+-	${HOST_INSTALL_DIR} ${HOST_SHAREDIR}
+-	${HOST_INSTALL_DIR} ${HOST_SHAREDIR}/compat
+-	${HOST_INSTALL_FILE} ${.ALLSRC} ${.TARGET}
+-
+-# bsd.hostlib.mk wants HOST_CPPFLAGS, not CPPFLAGS
+-
+-HOST_CPPFLAGS:=	${CPPFLAGS}
+-CPPFLAGS:=	# empty
+-
+-.include <bsd.hostlib.mk>
+-
+-# Use uninstalled copy of host-mkdep
+-HOST_MKDEP_OBJ!= cd ${.CURDIR}/../host-mkdep && ${PRINTOBJDIR}
+-HOST_MKDEP=	${HOST_MKDEP_OBJ}/host-mkdep
+-MKDEP=		${HOST_MKDEP}
++	${INSTALL_DIR} ${DATADIR}
++	${INSTALL_FILE} ${.ALLSRC} ${.TARGET}
+ 
+-# Use uninstalled copy of the install program
+-INSTALL_OBJ!=	cd ${NETBSDSRCDIR}/tools/binstall && ${PRINTOBJDIR}
+-INSTALL=	${INSTALL_OBJ}/xinstall
++.include <bsd.lib.mk>
+ 
+ # Run "${TOOLDIR}/bin/nbmake-${MACHINE} regen" by hand after editing
+ # configure.ac.  See more detailed instructions in configure.ac.
diff --git a/nixpkgs/pkgs/os-specific/bsd/netbsd/compat-setup-hook.sh b/nixpkgs/pkgs/os-specific/bsd/netbsd/compat-setup-hook.sh
new file mode 100644
index 000000000000..acd90b7aa2f0
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/bsd/netbsd/compat-setup-hook.sh
@@ -0,0 +1,5 @@
+# See pkgs/build-support/setup-hooks/role.bash
+getHostRole
+
+export NIX_LDFLAGS${role_post}+=" -lnbcompat"
+export NIX_CFLAGS_COMPILE${role_post}+=" -DHAVE_NBTOOL_CONFIG_H"
diff --git a/nixpkgs/pkgs/os-specific/bsd/netbsd/default.nix b/nixpkgs/pkgs/os-specific/bsd/netbsd/default.nix
new file mode 100644
index 000000000000..5012a0c7d3c7
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/bsd/netbsd/default.nix
@@ -0,0 +1,1013 @@
+{ stdenv, lib, stdenvNoCC
+, makeScopeWithSplicing', generateSplicesForMkScope
+, buildPackages
+, bsdSetupHook, makeSetupHook, fetchcvs, groff, mandoc, byacc, flex
+, zlib
+, writeShellScript, writeText, runtimeShell, symlinkJoin
+}:
+
+let
+  inherit (buildPackages.buildPackages) rsync;
+
+  fetchNetBSD = path: version: sha256: fetchcvs {
+    cvsRoot = ":pserver:anoncvs@anoncvs.NetBSD.org:/cvsroot";
+    module = "src/${path}";
+    inherit sha256;
+    tag = "netbsd-${lib.replaceStrings ["."] ["-"] version}-RELEASE";
+  };
+
+  netbsdSetupHook = makeSetupHook {
+    name = "netbsd-setup-hook";
+  } ./setup-hook.sh;
+
+  defaultMakeFlags = [
+    "MKSOFTFLOAT=${if stdenv.hostPlatform.gcc.float or (stdenv.hostPlatform.parsed.abi.float or "hard") == "soft"
+      then "yes"
+      else "no"}"
+  ];
+
+in makeScopeWithSplicing' {
+  otherSplices = generateSplicesForMkScope "netbsd";
+  f = (self: let
+    inherit (self) mkDerivation;
+  in {
+
+  # Why do we have splicing and yet do `nativeBuildInputs = with self; ...`?
+  #
+  # We use `makeScopeWithSplicing'` because this should be used for all
+  # nested package sets which support cross, so the inner `callPackage` works
+  # correctly. But for the inline packages we don't bother to use
+  # `callPackage`.
+  #
+  # We still could have tried to `with` a big spliced packages set, but
+  # splicing is jank and causes a number of bootstrapping infinite recursions
+  # if one is not careful. Pulling deps out of the right package set directly
+  # side-steps splicing entirely and avoids those footguns.
+  #
+  # For non-bootstrap-critical packages, we might as well use `callPackage` for
+  # consistency with everything else, and maybe put in separate files too.
+
+  compatIfNeeded = lib.optional (!stdenvNoCC.hostPlatform.isNetBSD) self.compat;
+
+  mkDerivation = lib.makeOverridable (attrs: let
+    stdenv' = if attrs.noCC or false then stdenvNoCC else stdenv;
+  in stdenv'.mkDerivation ({
+    pname = "${attrs.pname or (baseNameOf attrs.path)}-netbsd";
+    inherit (attrs) version;
+    src = fetchNetBSD attrs.path attrs.version attrs.sha256;
+
+    extraPaths = [ ];
+
+    nativeBuildInputs = with buildPackages.netbsd; [
+      bsdSetupHook netbsdSetupHook
+      makeMinimal
+      install tsort lorder buildPackages.mandoc groff statHook rsync
+    ];
+    buildInputs = with self; compatIfNeeded;
+
+    HOST_SH = stdenv'.shell;
+
+    MACHINE_ARCH = {
+      i486 = "i386";
+      i586 = "i386";
+      i686 = "i386";
+    }.${stdenv'.hostPlatform.parsed.cpu.name}
+      or stdenv'.hostPlatform.parsed.cpu.name;
+
+    MACHINE = {
+      x86_64 = "amd64";
+      aarch64 = "evbarm64";
+      i486 = "i386";
+      i586 = "i386";
+      i686 = "i386";
+    }.${stdenv'.hostPlatform.parsed.cpu.name}
+      or stdenv'.hostPlatform.parsed.cpu.name;
+
+    COMPONENT_PATH = attrs.path;
+
+    makeFlags = defaultMakeFlags;
+
+    strictDeps = true;
+
+    meta = with lib; {
+      maintainers = with maintainers; [ matthewbauer qyliss ];
+      platforms = platforms.unix;
+      license = licenses.bsd2;
+    };
+
+  } // lib.optionalAttrs stdenv'.hasCC {
+    # TODO should CC wrapper set this?
+    CPP = "${stdenv'.cc.targetPrefix}cpp";
+  } // lib.optionalAttrs stdenv'.isDarwin {
+    MKRELRO = "no";
+  } // lib.optionalAttrs (stdenv'.cc.isClang or false) {
+    HAVE_LLVM = lib.versions.major (lib.getVersion stdenv'.cc.cc);
+  } // lib.optionalAttrs (stdenv'.cc.isGNU or false) {
+    HAVE_GCC = lib.versions.major (lib.getVersion stdenv'.cc.cc);
+  } // lib.optionalAttrs (stdenv'.isx86_32) {
+    USE_SSP = "no";
+  } // lib.optionalAttrs (attrs.headersOnly or false) {
+    installPhase = "includesPhase";
+    dontBuild = true;
+  } // attrs // {
+    # Files that use NetBSD-specific macros need to have nbtool_config.h
+    # included ahead of them on non-NetBSD platforms.
+    postPatch = lib.optionalString (!stdenv'.hostPlatform.isNetBSD) ''
+      set +e
+      grep -Zlr "^__RCSID
+      ^__BEGIN_DECLS" $COMPONENT_PATH | xargs -0r grep -FLZ nbtool_config.h |
+          xargs -0tr sed -i '0,/^#/s//#include <nbtool_config.h>\n\0/'
+      set -e
+    '' + attrs.postPatch or "";
+  }));
+
+  ##
+  ## START BOOTSTRAPPING
+  ##
+  makeMinimal = mkDerivation {
+    path = "tools/make";
+    sha256 = "0fh0nrnk18m613m5blrliq2aydciv51qhc0ihsj4k63incwbk90n";
+    version = "9.2";
+
+    buildInputs = with self; [];
+    nativeBuildInputs = with buildPackages.netbsd; [ bsdSetupHook netbsdSetupHook rsync ];
+
+    skipIncludesPhase = true;
+
+    postPatch = ''
+      patchShebangs $COMPONENT_PATH/configure
+      ${self.make.postPatch}
+    '';
+
+    buildPhase = ''
+      runHook preBuild
+
+      sh ./buildmake.sh
+
+      runHook postBuild
+    '';
+
+    installPhase = ''
+      runHook preInstall
+
+      install -D nbmake $out/bin/nbmake
+      ln -s $out/bin/nbmake $out/bin/make
+      mkdir -p $out/share
+      cp -r $BSDSRCDIR/share/mk $out/share/mk
+
+      runHook postInstall
+    '';
+
+    extraPaths = with self; [ make.src ] ++ make.extraPaths;
+  };
+
+  compat = mkDerivation (let
+    version = "9.2";
+    commonDeps = [ zlib ];
+  in {
+    path = "tools/compat";
+    sha256 = "1vsxg7136nlhc72vpa664vs22874xh7ila95nkmsd8crn3z3cyn0";
+    inherit version;
+
+    setupHooks = [
+      ../../../build-support/setup-hooks/role.bash
+      ./compat-setup-hook.sh
+    ];
+
+    preConfigure = ''
+      make include/.stamp configure nbtool_config.h.in defs.mk.in
+    '';
+
+    configurePlatforms = [ "build" "host" ];
+    configureFlags = [
+      "--cache-file=config.cache"
+    ] ++ lib.optionals stdenv.hostPlatform.isMusl [
+      # We include this header in our musl package only for legacy
+      # compatibility, and compat works fine without it (and having it
+      # know about sys/cdefs.h breaks packages like glib when built
+      # statically).
+      "ac_cv_header_sys_cdefs_h=no"
+    ];
+
+    nativeBuildInputs = with buildPackages.netbsd; commonDeps ++ [
+      bsdSetupHook netbsdSetupHook
+      makeMinimal
+      rsync
+    ];
+
+    buildInputs = with self; commonDeps;
+
+    # temporarily use gnuinstall for bootstrapping
+    # bsdinstall will be built later
+    makeFlags = defaultMakeFlags ++ [
+      "INSTALL=${buildPackages.coreutils}/bin/install"
+      "DATADIR=$(out)/share"
+      # Can't sort object files yet
+      "LORDER=echo"
+      "TSORT=cat"
+      # Can't process man pages yet
+      "MKSHARE=no"
+    ] ++ lib.optionals stdenv.hostPlatform.isDarwin [
+      # GNU objcopy produces broken .a libs which won't link into dependers.
+      # Makefiles only invoke `$OBJCOPY -x/-X`, so cctools strip works here.
+      "OBJCOPY=${buildPackages.darwin.cctools-port}/bin/strip"
+    ];
+    RENAME = "-D";
+
+    passthru.tests = { netbsd-install = self.install; };
+
+    patches = [
+      ./compat-cxx-safe-header.patch
+      ./compat-dont-configure-twice.patch
+      ./compat-no-force-native.patch
+    ];
+
+    preInstall = ''
+      makeFlagsArray+=('INSTALL_FILE=''${INSTALL} ''${COPY} ''${PRESERVE} ''${RENAME}')
+      makeFlagsArray+=('INSTALL_DIR=''${INSTALL} -d')
+      makeFlagsArray+=('INSTALL_SYMLINK=''${INSTALL} ''${SYMLINK} ''${RENAME}')
+    '';
+
+    postInstall = ''
+      # why aren't these installed by netbsd?
+      install -D compat_defs.h $out/include/compat_defs.h
+      install -D $BSDSRCDIR/include/cdbw.h $out/include/cdbw.h
+      install -D $BSDSRCDIR/sys/sys/cdbr.h $out/include/cdbr.h
+      install -D $BSDSRCDIR/sys/sys/featuretest.h \
+                 $out/include/sys/featuretest.h
+      install -D $BSDSRCDIR/sys/sys/md5.h $out/include/md5.h
+      install -D $BSDSRCDIR/sys/sys/rmd160.h $out/include/rmd160.h
+      install -D $BSDSRCDIR/sys/sys/sha1.h $out/include/sha1.h
+      install -D $BSDSRCDIR/sys/sys/sha2.h $out/include/sha2.h
+      install -D $BSDSRCDIR/sys/sys/queue.h $out/include/sys/queue.h
+      install -D $BSDSRCDIR/include/vis.h $out/include/vis.h
+      install -D $BSDSRCDIR/include/db.h $out/include/db.h
+      install -D $BSDSRCDIR/include/netconfig.h $out/include/netconfig.h
+      install -D $BSDSRCDIR/include/utmpx.h $out/include/utmpx.h
+      install -D $BSDSRCDIR/include/tzfile.h $out/include/tzfile.h
+      install -D $BSDSRCDIR/sys/sys/tree.h $out/include/sys/tree.h
+      install -D $BSDSRCDIR/include/nl_types.h $out/include/nl_types.h
+      install -D $BSDSRCDIR/include/stringlist.h $out/include/stringlist.h
+
+      # Collapse includes slightly to fix dangling reference
+      install -D $BSDSRCDIR/common/include/rpc/types.h $out/include/rpc/types.h
+      sed -i '1s;^;#include "nbtool_config.h"\n;' $out/include/rpc/types.h
+   '' + lib.optionalString stdenv.isDarwin ''
+      mkdir -p $out/include/ssp
+      touch $out/include/ssp/ssp.h
+   '' + ''
+      mkdir -p $out/lib/pkgconfig
+      substitute ${./libbsd-overlay.pc} $out/lib/pkgconfig/libbsd-overlay.pc \
+        --subst-var-by out $out \
+        --subst-var-by version ${version}
+    '';
+    extraPaths = with self; [ include.src libc.src libutil.src
+      (fetchNetBSD "external/bsd/flex" "9.2" "0h98jpfj7vx5zh7vd7bk6b1hmzgkcb757a8j6d9zgygxxv13v43m")
+      (fetchNetBSD "sys/sys" "9.2" "0zawhw51klaigqqwkx0lzrx3mim2jywrc24cm7c66qsf1im9awgd")
+      (fetchNetBSD "common/include/rpc/types.h" "9.2" "0n2df12mlc3cbc48jxq35yzl1y7ghgpykvy7jnfh898rdhac7m9a")
+    ] ++ libutil.extraPaths ++ _mainLibcExtraPaths;
+  });
+
+  # HACK: to ensure parent directories exist. This emulates GNU
+  # install’s -D option. No alternative seems to exist in BSD install.
+  install = let binstall = writeShellScript "binstall" ''
+    set -eu
+    for last in "$@"; do true; done
+    mkdir -p $(dirname $last)
+    @out@/bin/xinstall "$@"
+  ''; in mkDerivation {
+    path = "usr.bin/xinstall";
+    version = "9.2";
+    sha256 = "1f6pbz3qv1qcrchdxif8p5lbmnwl8b9nq615hsd3cyl4avd5bfqj";
+    extraPaths = with self; [ mtree.src make.src ];
+    nativeBuildInputs = with buildPackages.netbsd; [
+      bsdSetupHook netbsdSetupHook
+      makeMinimal
+      mandoc groff rsync
+    ];
+    skipIncludesPhase = true;
+    buildInputs = with self; compatIfNeeded
+      # fts header is needed. glibc already has this header, but musl doesn't,
+      # so make sure pkgsMusl.netbsd.install still builds in case you want to
+      # remove it!
+      ++ [ fts ];
+    installPhase = ''
+      runHook preInstall
+
+      install -D install.1 $out/share/man/man1/install.1
+      install -D xinstall $out/bin/xinstall
+      install -D -m 0550 ${binstall} $out/bin/binstall
+      substituteInPlace $out/bin/binstall --subst-var out
+      ln -s $out/bin/binstall $out/bin/install
+
+      runHook postInstall
+    '';
+    setupHook = ./install-setup-hook.sh;
+  };
+
+  fts = mkDerivation {
+    pname = "fts";
+    path = "include/fts.h";
+    sha256 = "01d4fpxvz1pgzfk5xznz5dcm0x0gdzwcsfm1h3d0xc9kc6hj2q77";
+    version = "9.2";
+    nativeBuildInputs = with buildPackages.netbsd; [
+      bsdSetupHook netbsdSetupHook rsync
+    ];
+    propagatedBuildInputs = with self; compatIfNeeded;
+    extraPaths = with self; [
+      (fetchNetBSD "lib/libc/gen/fts.c" "9.2" "1a8hmf26242nmv05ipn3ircxb0jqmmi66rh78kkyi9vjwkfl3qn7")
+      (fetchNetBSD "lib/libc/include/namespace.h" "9.2" "0kksr3pdwdc1cplqf5z12ih4cml6l11lqrz91f7hjjm64y7785kc")
+      (fetchNetBSD "lib/libc/gen/fts.3" "9.2" "1asxw0n3fhjdadwkkq3xplfgqgl3q32w1lyrvbakfa3gs0wz5zc1")
+    ];
+    skipIncludesPhase = true;
+    buildPhase = ''
+      "$CC" -c -Iinclude -Ilib/libc/include lib/libc/gen/fts.c \
+          -o lib/libc/gen/fts.o
+      "$AR" -rsc libfts.a lib/libc/gen/fts.o
+    '';
+    installPhase = ''
+      runHook preInstall
+
+      install -D lib/libc/gen/fts.3 $out/share/man/man3/fts.3
+      install -D include/fts.h $out/include/fts.h
+      install -D lib/libc/include/namespace.h $out/include/namespace.h
+      install -D libfts.a $out/lib/libfts.a
+
+      runHook postInstall
+    '';
+    setupHooks = [
+      ../../../build-support/setup-hooks/role.bash
+      ./fts-setup-hook.sh
+    ];
+  };
+
+  # Don't add this to nativeBuildInputs directly.  Use statHook instead.
+  stat = mkDerivation {
+    path = "usr.bin/stat";
+    version = "9.2";
+    sha256 = "18nqwlndfc34qbbgqx5nffil37jfq9aw663ippasfxd2hlyc106x";
+    nativeBuildInputs = with buildPackages.netbsd; [
+      bsdSetupHook netbsdSetupHook
+      makeMinimal
+      install mandoc groff rsync
+    ];
+  };
+
+  # stat isn't in POSIX, and NetBSD stat supports a completely
+  # different range of flags than GNU stat, so including it in PATH
+  # breaks stdenv.  Work around that with a hook that will point
+  # NetBSD's build system and NetBSD stat without including it in
+  # PATH.
+  statHook = makeSetupHook {
+    name = "netbsd-stat-hook";
+  } (writeText "netbsd-stat-hook-impl" ''
+    makeFlagsArray+=(TOOL_STAT=${self.stat}/bin/stat)
+  '');
+
+  tsort = mkDerivation {
+    path = "usr.bin/tsort";
+    version = "9.2";
+    sha256 = "1dqvf9gin29nnq3c4byxc7lfd062pg7m84843zdy6n0z63hnnwiq";
+    nativeBuildInputs = with buildPackages.netbsd; [
+      bsdSetupHook netbsdSetupHook
+      makeMinimal
+      install mandoc groff rsync
+    ];
+  };
+
+  lorder = mkDerivation {
+    path = "usr.bin/lorder";
+    version = "9.2";
+    sha256 = "0rjf9blihhm0n699vr2bg88m4yjhkbxh6fxliaay3wxkgnydjwn2";
+    nativeBuildInputs = with buildPackages.netbsd; [
+      bsdSetupHook netbsdSetupHook
+      makeMinimal
+      install mandoc groff rsync
+    ];
+  };
+
+  ##
+  ## END BOOTSTRAPPING
+  ##
+
+  ##
+  ## START COMMAND LINE TOOLS
+  ##
+  make = mkDerivation {
+    path = "usr.bin/make";
+    sha256 = "0vi73yicbmbp522qzqvd979cx6zm5jakhy77xh73c1kygf8klccs";
+    version = "9.2";
+
+   postPatch = ''
+     substituteInPlace $BSDSRCDIR/share/mk/bsd.doc.mk \
+       --replace '-o ''${DOCOWN}' "" \
+       --replace '-g ''${DOCGRP}' ""
+     for mk in $BSDSRCDIR/share/mk/bsd.inc.mk $BSDSRCDIR/share/mk/bsd.kinc.mk; do
+       substituteInPlace $mk \
+         --replace '-o ''${BINOWN}' "" \
+         --replace '-g ''${BINGRP}' ""
+     done
+     substituteInPlace $BSDSRCDIR/share/mk/bsd.kmodule.mk \
+       --replace '-o ''${KMODULEOWN}' "" \
+       --replace '-g ''${KMODULEGRP}' ""
+     substituteInPlace $BSDSRCDIR/share/mk/bsd.lib.mk \
+       --replace '-o ''${LIBOWN}' "" \
+       --replace '-g ''${LIBGRP}' "" \
+       --replace '-o ''${DEBUGOWN}' "" \
+       --replace '-g ''${DEBUGGRP}' ""
+     substituteInPlace $BSDSRCDIR/share/mk/bsd.lua.mk \
+       --replace '-o ''${LIBOWN}' "" \
+       --replace '-g ''${LIBGRP}' ""
+     substituteInPlace $BSDSRCDIR/share/mk/bsd.man.mk \
+       --replace '-o ''${MANOWN}' "" \
+       --replace '-g ''${MANGRP}' ""
+     substituteInPlace $BSDSRCDIR/share/mk/bsd.nls.mk \
+       --replace '-o ''${NLSOWN}' "" \
+       --replace '-g ''${NLSGRP}' ""
+     substituteInPlace $BSDSRCDIR/share/mk/bsd.prog.mk \
+       --replace '-o ''${BINOWN}' "" \
+       --replace '-g ''${BINGRP}' "" \
+       --replace '-o ''${RUMPBINOWN}' "" \
+       --replace '-g ''${RUMPBINGRP}' "" \
+       --replace '-o ''${DEBUGOWN}' "" \
+       --replace '-g ''${DEBUGGRP}' ""
+
+      # make needs this to pick up our sys make files
+      export NIX_CFLAGS_COMPILE+=" -D_PATH_DEFSYSPATH=\"$out/share/mk\""
+
+      substituteInPlace $BSDSRCDIR/share/mk/bsd.lib.mk \
+        --replace '_INSTRANLIB=''${empty(PRESERVE):?-a "''${RANLIB} -t":}' '_INSTRANLIB='
+      substituteInPlace $BSDSRCDIR/share/mk/bsd.kinc.mk \
+        --replace /bin/rm rm
+    '' + lib.optionalString stdenv.isDarwin ''
+      substituteInPlace $BSDSRCDIR/share/mk/bsd.sys.mk \
+        --replace '-Wl,--fatal-warnings' "" \
+        --replace '-Wl,--warn-shared-textrel' ""
+    '';
+    postInstall = ''
+      make -C $BSDSRCDIR/share/mk FILESDIR=$out/share/mk install
+    '';
+    extraPaths = [
+      (fetchNetBSD "share/mk" "9.2" "0w9x77cfnm6zwy40slradzi0ip9gz80x6lk7pvnlxzsr2m5ra5sy")
+    ];
+  };
+
+  mtree = mkDerivation {
+    path = "usr.sbin/mtree";
+    version = "9.2";
+    sha256 = "04p7w540vz9npvyb8g8hcf2xa05phn1y88hsyrcz3vwanvpc0yv9";
+    extraPaths = with self; [ mknod.src ];
+  };
+
+  mknod = mkDerivation {
+    path = "sbin/mknod";
+    version = "9.2";
+    sha256 = "1d9369shzwgixz3nph991i8q5vk7hr04py3n9avbfbhzy4gndqs2";
+  };
+
+  getent = mkDerivation {
+    path = "usr.bin/getent";
+    sha256 = "1qngywcmm0y7nl8h3n8brvkxq4jw63szbci3kc1q6a6ndhycbbvr";
+    version = "9.2";
+    patches = [ ./getent.patch ];
+  };
+
+  getconf = mkDerivation {
+    path = "usr.bin/getconf";
+    sha256 = "122vslz4j3h2mfs921nr2s6m078zcj697yrb75rwp2hnw3qz4s8q";
+    version = "9.2";
+  };
+
+  locale = mkDerivation {
+    path = "usr.bin/locale";
+    version = "9.2";
+    sha256 = "0kk6v9k2bygq0wf9gbinliqzqpzs9bgxn0ndyl2wcv3hh2bmsr9p";
+    patches = [ ./locale.patch ];
+    env.NIX_CFLAGS_COMPILE = "-DYESSTR=__YESSTR -DNOSTR=__NOSTR";
+  };
+
+  rpcgen = mkDerivation {
+    path = "usr.bin/rpcgen";
+    version = "9.2";
+    sha256 = "1kfgfx54jg98wbg0d95p0rvf4w0302v8fz724b0bdackdsrd4988";
+  };
+
+  genassym = mkDerivation {
+    path = "usr.bin/genassym";
+    version = "9.2";
+    sha256 = "1acl1dz5kvh9h5806vkz2ap95rdsz7phmynh5i3x5y7agbki030c";
+  };
+
+  gencat = mkDerivation {
+    path = "usr.bin/gencat";
+    version = "9.2";
+    sha256 = "0gd463x1hg36bhr7y0xryb5jyxk0z0g7xvy8rgk82nlbnlnsbbwb";
+  };
+
+  nbperf = mkDerivation {
+    path = "usr.bin/nbperf";
+    version = "9.2";
+    sha256 = "1nxc302vgmjhm3yqdivqyfzslrg0vjpbss44s74rcryrl19mma9r";
+  };
+
+  tic = mkDerivation {
+    path = "tools/tic";
+    version = "9.2";
+    sha256 = "092y7db7k4kh2jq8qc55126r5qqvlb8lq8mhmy5ipbi36hwb4zrz";
+    HOSTPROG = "tic";
+    buildInputs = with self; compatIfNeeded;
+    nativeBuildInputs = with buildPackages.netbsd; [
+      bsdSetupHook netbsdSetupHook
+      makeMinimal
+      install mandoc groff nbperf rsync
+    ];
+    makeFlags = defaultMakeFlags ++ [ "TOOLDIR=$(out)" ];
+    extraPaths = with self; [
+      libterminfo.src
+      (fetchNetBSD "usr.bin/tic" "9.2" "1mwdfg7yx1g43ss378qsgl5rqhsxskqvsd2mqvrn38qw54i8v5i1")
+      (fetchNetBSD "tools/Makefile.host" "9.2" "15b4ab0n36lqj00j5lz2xs83g7l8isk3wx1wcapbrn66qmzz2sxy")
+    ];
+  };
+
+  uudecode = mkDerivation {
+    path = "usr.bin/uudecode";
+    version = "9.2";
+    sha256 = "00a3zmh15pg4vx6hz0kaa5mi8d2b1sj4h512d7p6wbvxq6mznwcn";
+    env.NIX_CFLAGS_COMPILE = lib.optionalString stdenv.isLinux "-DNO_BASE64";
+    NIX_LDFLAGS = lib.optional stdenv.isDarwin "-lresolv";
+  };
+
+  cksum = mkDerivation {
+    path = "usr.bin/cksum";
+    version = "9.2";
+    sha256 = "0msfhgyvh5c2jmc6qjnf12c378dhw32ffsl864qz4rdb2b98rfcq";
+    meta.platforms = lib.platforms.netbsd;
+  };
+
+  config = mkDerivation {
+    path = "usr.bin/config";
+    version = "9.2";
+    sha256 = "1yz3n4hncdkk6kp595fh2q5lg150vpqg8iw2dccydkyw4y3hgsjj";
+    env.NIX_CFLAGS_COMPILE = toString [ "-DMAKE_BOOTSTRAP" ];
+    nativeBuildInputs = with buildPackages.netbsd; [
+      bsdSetupHook netbsdSetupHook
+      makeMinimal install mandoc byacc flex rsync
+    ];
+    buildInputs = with self; compatIfNeeded;
+    extraPaths = with self; [ cksum.src ];
+  };
+  ##
+  ## END COMMAND LINE TOOLS
+  ##
+
+  ##
+  ## START HEADERS
+  ##
+  include = mkDerivation {
+    path = "include";
+    version = "9.2";
+    sha256 = "0nxnmj4c8s3hb9n3fpcmd0zl3l1nmhivqgi9a35sis943qvpgl9h";
+    nativeBuildInputs = with buildPackages.netbsd; [
+      bsdSetupHook netbsdSetupHook
+      makeMinimal
+      install mandoc groff rsync nbperf rpcgen
+    ];
+
+    # The makefiles define INCSDIR per subdirectory, so we have to set
+    # something else on the command line so those definitions aren't
+    # overridden.
+    postPatch = ''
+      find "$BSDSRCDIR" -name Makefile -exec \
+        sed -i -E \
+          -e 's_/usr/include_''${INCSDIR0}_' \
+          {} \;
+    '';
+
+    # multiple header dirs, see above
+    postConfigure = ''
+      makeFlags=''${makeFlags/INCSDIR/INCSDIR0}
+    '';
+
+    extraPaths = with self; [ common ];
+    headersOnly = true;
+    noCC = true;
+    meta.platforms = lib.platforms.netbsd;
+    makeFlags = defaultMakeFlags ++ [ "RPCGEN_CPP=${buildPackages.stdenv.cc.cc}/bin/cpp" ];
+  };
+
+  common = fetchNetBSD "common" "9.2" "1pfylz9r3ap5wnwwbwczbfjb1m5qdyspzbnmxmcdkpzz2zgj64b9";
+
+  sys-headers = mkDerivation {
+    pname = "sys-headers";
+    path = "sys";
+    version = "9.2";
+    sha256 = "03s18q8d9giipf05bx199fajc2qwikji0djz7hw63d2lya6bfnpj";
+
+    patches = [
+      # Fix this error when building bootia32.efi and bootx64.efi:
+      # error: PHDR segment not covered by LOAD segment
+      ./no-dynamic-linker.patch
+
+      # multiple header dirs, see above
+      ./sys-headers-incsdir.patch
+    ];
+
+    # multiple header dirs, see above
+    inherit (self.include) postPatch;
+
+    CONFIG = "GENERIC";
+
+    propagatedBuildInputs = with self; [ include ];
+    nativeBuildInputs = with buildPackages.netbsd; [
+      bsdSetupHook netbsdSetupHook
+      makeMinimal install tsort lorder statHook rsync uudecode config genassym
+    ];
+
+    postConfigure = ''
+      pushd arch/$MACHINE/conf
+      config $CONFIG
+      popd
+    ''
+      # multiple header dirs, see above
+      + self.include.postConfigure;
+
+    makeFlags = defaultMakeFlags ++ [ "FIRMWAREDIR=$(out)/libdata/firmware" ];
+    hardeningDisable = [ "pic" ];
+    MKKMOD = "no";
+    env.NIX_CFLAGS_COMPILE = toString [ "-Wa,--no-warn" ];
+
+    postBuild = ''
+      make -C arch/$MACHINE/compile/$CONFIG $makeFlags
+    '';
+
+    postInstall = ''
+      cp arch/$MACHINE/compile/$CONFIG/netbsd $out
+    '';
+
+    meta.platforms = lib.platforms.netbsd;
+    extraPaths = with self; [ common ];
+
+    installPhase = "includesPhase";
+    dontBuild = true;
+    noCC = true;
+  };
+
+  # The full kernel. We do the funny thing of overridding the headers to the
+  # full kernal and not vice versa to avoid infinite recursion -- the headers
+  # come earlier in the bootstrap.
+  sys = self.sys-headers.override {
+    pname = "sys";
+    installPhase = null;
+    noCC = false;
+    dontBuild = false;
+  };
+
+  headers = symlinkJoin {
+    name = "netbsd-headers-9.2";
+    paths = with self; [
+      include
+      sys-headers
+      libpthread-headers
+    ];
+    meta.platforms = lib.platforms.netbsd;
+  };
+  ##
+  ## END HEADERS
+  ##
+
+  ##
+  ## START LIBRARIES
+  ##
+  libarch = mkDerivation {
+    path = "lib/libarch";
+    version = "9.2";
+    sha256 = "6ssenRhuSwp0Jn71ErT0PrEoCJ+cIYRztwdL4QTDZsQ=";
+    meta.platforms = lib.platforms.netbsd;
+  };
+
+  libutil = mkDerivation {
+    path = "lib/libutil";
+    version = "9.2";
+    sha256 = "02gm5a5zhh8qp5r5q5r7x8x6x50ir1i0ncgsnfwh1vnrz6mxbq7z";
+    extraPaths = with self; [ common libc.src sys.src ];
+    nativeBuildInputs = with buildPackages.netbsd; [
+      bsdSetupHook netbsdSetupHook
+      makeMinimal
+      byacc install tsort lorder mandoc statHook rsync
+    ];
+    buildInputs = with self; [ headers ];
+    SHLIBINSTALLDIR = "$(out)/lib";
+  };
+
+  libedit = mkDerivation {
+    path = "lib/libedit";
+    version = "9.2";
+    sha256 = "1wqhngraxwqk4jgrf5f18jy195yrp7c06n1gf31pbplq79mg1bcj";
+    buildInputs = with self; [ libterminfo libcurses ];
+    propagatedBuildInputs = with self; compatIfNeeded;
+    SHLIBINSTALLDIR = "$(out)/lib";
+    makeFlags = defaultMakeFlags ++ [ "LIBDO.terminfo=${self.libterminfo}/lib" ];
+    postPatch = ''
+      sed -i '1i #undef bool_t' $COMPONENT_PATH/el.h
+      substituteInPlace $COMPONENT_PATH/config.h \
+        --replace "#define HAVE_STRUCT_DIRENT_D_NAMLEN 1" ""
+      substituteInPlace $COMPONENT_PATH/readline/Makefile --replace /usr/include "$out/include"
+    '';
+    env.NIX_CFLAGS_COMPILE = toString [
+      "-D__noinline="
+      "-D__scanflike(a,b)="
+      "-D__va_list=va_list"
+    ];
+  };
+
+  libterminfo = mkDerivation {
+    path = "lib/libterminfo";
+    version = "9.2";
+    sha256 = "0pq05k3dj0dfsczv07frnnji92mazmy2qqngqbx2zgqc1x251414";
+    nativeBuildInputs = with buildPackages.netbsd; [
+      bsdSetupHook netbsdSetupHook
+      makeMinimal install tsort lorder mandoc statHook nbperf tic rsync
+    ];
+    buildInputs = with self; compatIfNeeded;
+    SHLIBINSTALLDIR = "$(out)/lib";
+    postPatch = ''
+      substituteInPlace $COMPONENT_PATH/term.c --replace /usr/share $out/share
+      substituteInPlace $COMPONENT_PATH/setupterm.c \
+        --replace '#include <curses.h>' 'void use_env(bool);'
+    '';
+    postBuild = ''
+      make -C $BSDSRCDIR/share/terminfo $makeFlags BINDIR=$out/share
+    '';
+    postInstall = ''
+      make -C $BSDSRCDIR/share/terminfo $makeFlags BINDIR=$out/share install
+    '';
+    extraPaths = with self; [
+      (fetchNetBSD "share/terminfo" "9.2" "1vh9rl4w8118a9qdpblfxmv1wkpm83rm9gb4rzz5bpm56i6d7kk7")
+    ];
+  };
+
+  libcurses = mkDerivation {
+    path = "lib/libcurses";
+    version = "9.2";
+    sha256 = "0pd0dggl3w4bv5i5h0s1wrc8hr66n4hkv3zlklarwfdhc692fqal";
+    buildInputs = with self; [ libterminfo ];
+    env.NIX_CFLAGS_COMPILE = toString [
+      "-D__scanflike(a,b)="
+      "-D__va_list=va_list"
+      "-D__warn_references(a,b)="
+    ] ++ lib.optional stdenv.isDarwin "-D__strong_alias(a,b)=";
+    propagatedBuildInputs = with self; compatIfNeeded;
+    MKDOC = "no"; # missing vfontedpr
+    makeFlags = defaultMakeFlags ++ [ "LIBDO.terminfo=${self.libterminfo}/lib" ];
+    postPatch = lib.optionalString (!stdenv.isDarwin) ''
+      substituteInPlace $COMPONENT_PATH/printw.c \
+        --replace "funopen(win, NULL, __winwrite, NULL, NULL)" NULL \
+        --replace "__strong_alias(vwprintw, vw_printw)" 'extern int vwprintw(WINDOW*, const char*, va_list) __attribute__ ((alias ("vw_printw")));'
+      substituteInPlace $COMPONENT_PATH/scanw.c \
+        --replace "__strong_alias(vwscanw, vw_scanw)" 'extern int vwscanw(WINDOW*, const char*, va_list) __attribute__ ((alias ("vw_scanw")));'
+    '';
+  };
+
+  column = mkDerivation {
+    path = "usr.bin/column";
+    version = "9.2";
+    sha256 = "0r6b0hjn5ls3j3sv6chibs44fs32yyk2cg8kh70kb4cwajs4ifyl";
+  };
+
+  libossaudio = mkDerivation {
+    path = "lib/libossaudio";
+    version = "9.2";
+    sha256 = "16l3bfy6dcwqnklvh3x0ps8ld1y504vf57v9rx8f9adzhb797jh0";
+    meta.platforms = lib.platforms.netbsd;
+  };
+
+  librpcsvc = mkDerivation {
+    path = "lib/librpcsvc";
+    version = "9.2";
+    sha256 = "1q34pfiyjbrgrdqm46jwrsqms49ly6z3b0xh1wg331zga900vq5n";
+    makeFlags = defaultMakeFlags ++ [ "INCSDIR=$(out)/include/rpcsvc" ];
+    meta.platforms = lib.platforms.netbsd;
+    nativeBuildInputs = with buildPackages.netbsd; [
+      bsdSetupHook netbsdSetupHook
+      makeMinimal
+      install tsort lorder rpcgen statHook
+    ];
+  };
+
+  librt = mkDerivation {
+    path = "lib/librt";
+    version = "9.2";
+    sha256 = "07f8mpjcqh5kig5z5sp97fg55mc4dz6aa1x5g01nv2pvbmqczxc6";
+    meta.platforms = lib.platforms.netbsd;
+    extraPaths = with self; [ libc.src ] ++ libc.extraPaths;
+    postPatch = ''
+      sed -i 's,/usr\(/include/sys/syscall.h\),${self.headers}\1,g' \
+        $BSDSRCDIR/lib/{libc,librt}/sys/Makefile.inc
+    '';
+  };
+
+  libcrypt = mkDerivation {
+    path = "lib/libcrypt";
+    version = "9.2";
+    sha256 = "0siqan1wdqmmhchh2n8w6a8x1abbff8n4yb6jrqxap3hqn8ay54g";
+    SHLIBINSTALLDIR = "$(out)/lib";
+    meta.platforms = lib.platforms.netbsd;
+  };
+
+  libpci = mkDerivation {
+    pname = "libpci";
+    path = "lib/libpci";
+    version = "9.2";
+    sha256 = "+IOEO1Bw3/H3iCp3uk3bwsFZbvCqN5Ciz70irnPl8E8=";
+    env.NIX_CFLAGS_COMPILE = toString [ "-I." ];
+    meta.platforms = lib.platforms.netbsd;
+    extraPaths = with self; [ sys.src ];
+  };
+
+  libpthread-headers = mkDerivation {
+    pname = "libpthread-headers";
+    path = "lib/libpthread";
+    version = "9.2";
+    sha256 = "0mlmc31k509dwfmx5s2x010wxjc44mr6y0cbmk30cfipqh8c962h";
+    installPhase = "includesPhase";
+    dontBuild = true;
+    noCC = true;
+    meta.platforms = lib.platforms.netbsd;
+  };
+
+  libpthread = self.libpthread-headers.override {
+    pname = "libpthread";
+    installPhase = null;
+    noCC = false;
+    dontBuild = false;
+    buildInputs = with self; [ headers ];
+    SHLIBINSTALLDIR = "$(out)/lib";
+    extraPaths = with self; [ common libc.src librt.src sys.src ];
+  };
+
+  libresolv = mkDerivation {
+    path = "lib/libresolv";
+    version = "9.2";
+    sha256 = "1am74s74mf1ynwz3p4ncjkg63f78a1zjm983q166x4sgzps15626";
+    meta.platforms = lib.platforms.netbsd;
+    extraPaths = with self; [ libc.src ];
+  };
+
+  libm = mkDerivation {
+    path = "lib/libm";
+    version = "9.2";
+    sha256 = "1apwfr26shdmbqqnmg7hxf7bkfxw44ynqnnnghrww9bnhqdnsy92";
+    SHLIBINSTALLDIR = "$(out)/lib";
+    meta.platforms = lib.platforms.netbsd;
+    extraPaths = with self; [ sys.src ];
+  };
+
+  i18n_module = mkDerivation {
+    path = "lib/i18n_module";
+    version = "9.2";
+    sha256 = "0w6y5v3binm7gf2kn7y9jja8k18rhnyl55cvvfnfipjqdxvxd9jd";
+    meta.platforms = lib.platforms.netbsd;
+    extraPaths = with self; [ libc.src ];
+  };
+
+  csu = mkDerivation {
+    path = "lib/csu";
+    version = "9.2";
+    sha256 = "0al5jfazvhlzn9hvmnrbchx4d0gm282hq5gp4xs2zmj9ycmf6d03";
+    meta.platforms = lib.platforms.netbsd;
+    nativeBuildInputs = with buildPackages.netbsd; [
+      bsdSetupHook netbsdSetupHook
+      makeMinimal
+      install mandoc groff flex
+      byacc genassym gencat lorder tsort statHook rsync
+    ];
+    buildInputs = with self; [ headers ];
+    extraPaths = with self; [ sys.src ld_elf_so.src ];
+  };
+
+  ld_elf_so = mkDerivation {
+    path  = "libexec/ld.elf_so";
+    version = "9.2";
+    sha256 = "0ia9mqzdljly0vqfwflm5mzz55k7qsr4rw2bzhivky6k30vgirqa";
+    meta.platforms = lib.platforms.netbsd;
+    LIBC_PIC = "${self.libc}/lib/libc_pic.a";
+    # Hack to prevent a symlink being installed here for compatibility.
+    SHLINKINSTALLDIR = "/usr/libexec";
+    USE_FORT = "yes";
+    makeFlags = defaultMakeFlags ++ [ "BINDIR=$(out)/libexec" "CLIBOBJ=${self.libc}/lib" ];
+    extraPaths = with self; [ libc.src ] ++ libc.extraPaths;
+  };
+
+  _mainLibcExtraPaths = with self; [
+      common i18n_module.src sys.src
+      ld_elf_so.src libpthread.src libm.src libresolv.src
+      librpcsvc.src libutil.src librt.src libcrypt.src
+  ];
+
+  libc = mkDerivation {
+    path = "lib/libc";
+    version = "9.2";
+    sha256 = "1y9c13igg0kai07sqvf9cm6yqmd8lhfd8hq3q7biilbgs1l99as3";
+    USE_FORT = "yes";
+    MKPROFILE = "no";
+    extraPaths = with self; _mainLibcExtraPaths ++ [
+      (fetchNetBSD "external/bsd/jemalloc" "9.2" "0cq704swa0h2yxv4gc79z2lwxibk9k7pxh3q5qfs7axx3jx3n8kb")
+    ];
+    nativeBuildInputs = with buildPackages.netbsd; [
+      bsdSetupHook netbsdSetupHook
+      makeMinimal
+      install mandoc groff flex
+      byacc genassym gencat lorder tsort statHook rsync rpcgen
+    ];
+    buildInputs = with self; [ headers csu ];
+    env.NIX_CFLAGS_COMPILE = "-B${self.csu}/lib -fcommon";
+    meta.platforms = lib.platforms.netbsd;
+    SHLIBINSTALLDIR = "$(out)/lib";
+    MKPICINSTALL = "yes";
+    NLSDIR = "$(out)/share/nls";
+    makeFlags = defaultMakeFlags ++ [ "FILESDIR=$(out)/var/db"];
+    postInstall = ''
+      pushd ${self.headers}
+      find . -type d -exec mkdir -p $out/\{} \;
+      find . \( -type f -o -type l \) -exec cp -pr \{} $out/\{} \;
+      popd
+
+      pushd ${self.csu}
+      find . -type d -exec mkdir -p $out/\{} \;
+      find . \( -type f -o -type l \) -exec cp -pr \{} $out/\{} \;
+      popd
+
+      NIX_CFLAGS_COMPILE+=" -B$out/lib"
+      NIX_CFLAGS_COMPILE+=" -I$out/include"
+      NIX_LDFLAGS+=" -L$out/lib"
+
+      make -C $BSDSRCDIR/lib/libpthread $makeFlags
+      make -C $BSDSRCDIR/lib/libpthread $makeFlags install
+
+      make -C $BSDSRCDIR/lib/libm $makeFlags
+      make -C $BSDSRCDIR/lib/libm $makeFlags install
+
+      make -C $BSDSRCDIR/lib/libresolv $makeFlags
+      make -C $BSDSRCDIR/lib/libresolv $makeFlags install
+
+      make -C $BSDSRCDIR/lib/librpcsvc $makeFlags
+      make -C $BSDSRCDIR/lib/librpcsvc $makeFlags install
+
+      make -C $BSDSRCDIR/lib/i18n_module $makeFlags
+      make -C $BSDSRCDIR/lib/i18n_module $makeFlags install
+
+      make -C $BSDSRCDIR/lib/libutil $makeFlags
+      make -C $BSDSRCDIR/lib/libutil $makeFlags install
+
+      make -C $BSDSRCDIR/lib/librt $makeFlags
+      make -C $BSDSRCDIR/lib/librt $makeFlags install
+
+      make -C $BSDSRCDIR/lib/libcrypt $makeFlags
+      make -C $BSDSRCDIR/lib/libcrypt $makeFlags install
+    '';
+    inherit (self.librt) postPatch;
+  };
+  #
+  # END LIBRARIES
+  #
+
+  #
+  # START MISCELLANEOUS
+  #
+  dict = mkDerivation {
+    path = "share/dict";
+    noCC = true;
+    version = "9.2";
+    sha256 = "0svfc0byk59ri37pyjslv4c4rc7zw396r73mr593i78d39q5g3ad";
+    makeFlags = defaultMakeFlags ++ [ "BINDIR=$(out)/share" ];
+  };
+
+  misc = mkDerivation {
+    path = "share/misc";
+    noCC = true;
+    version = "9.2";
+    sha256 = "1j2cdssdx6nncv8ffj7f7ybl7m9hadjj8vm8611skqdvxnjg6nbc";
+    makeFlags = defaultMakeFlags ++ [ "BINDIR=$(out)/share" ];
+  };
+
+  man = mkDerivation {
+    path = "share/man";
+    noCC = true;
+    version = "9.2";
+    sha256 = "1l4lmj4kmg8dl86x94sr45w0xdnkz8dn4zjx0ipgr9bnq98663zl";
+    # man0 generates a man.pdf using ps2pdf, but doesn't install it later,
+    # so we can avoid the dependency on ghostscript
+    postPatch = ''
+      substituteInPlace $COMPONENT_PATH/man0/Makefile --replace "ps2pdf" "echo noop "
+    '';
+    makeFlags = defaultMakeFlags ++ [
+      "FILESDIR=$(out)/share"
+      "MKRUMP=no" # would require to have additional path sys/rump/share/man
+    ];
+  };
+  #
+  # END MISCELLANEOUS
+  #
+
+});
+}
diff --git a/nixpkgs/pkgs/os-specific/bsd/netbsd/fts-setup-hook.sh b/nixpkgs/pkgs/os-specific/bsd/netbsd/fts-setup-hook.sh
new file mode 100644
index 000000000000..b6cb5aaca05b
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/bsd/netbsd/fts-setup-hook.sh
@@ -0,0 +1,4 @@
+# See pkgs/build-support/setup-hooks/role.bash
+getHostRole
+
+export NIX_LDFLAGS${role_post}+=" -lfts"
diff --git a/nixpkgs/pkgs/os-specific/bsd/netbsd/getent.patch b/nixpkgs/pkgs/os-specific/bsd/netbsd/getent.patch
new file mode 100644
index 000000000000..18258b648618
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/bsd/netbsd/getent.patch
@@ -0,0 +1,455 @@
+Author: Matthew Bauer
+Description: Remove unavailable getent databases
+Version: 7.1.2
+--- a/usr.bin/getent/getent.c	2018-04-16 13:33:49.000000000 -0500
++++ b/usr.bin/getent/getent.c	2018-04-16 13:29:30.000000000 -0500
+@@ -42,7 +42,6 @@
+ #include <grp.h>
+ #include <limits.h>
+ #include <netdb.h>
+-#include <netgroup.h>
+ #include <pwd.h>
+ #include <stdio.h>
+ #include <stdarg.h>
+@@ -57,27 +56,16 @@
+ #include <arpa/nameser.h>
+ 
+ #include <net/if.h>
+-#include <net/if_ether.h>
+ 
+ #include <netinet/in.h>		/* for INET6_ADDRSTRLEN */
+ 
+-#include <rpc/rpcent.h>
+-
+-#include <disktab.h>
+-
+ static int	usage(void) __attribute__((__noreturn__));
+ static int	parsenum(const char *, unsigned long *);
+-static int	disktab(int, char *[]);
+-static int	gettytab(int, char *[]);
+-static int	ethers(int, char *[]);
+ static int	group(int, char *[]);
+ static int	hosts(int, char *[]);
+-static int	netgroup(int, char *[]);
+ static int	networks(int, char *[]);
+ static int	passwd(int, char *[]);
+-static int	printcap(int, char *[]);
+ static int	protocols(int, char *[]);
+-static int	rpc(int, char *[]);
+ static int	services(int, char *[]);
+ static int	shells(int, char *[]);
+ 
+@@ -92,17 +80,11 @@
+ 	const char	*name;
+ 	int		(*callback)(int, char *[]);
+ } databases[] = {
+-	{	"disktab",	disktab,	},
+-	{	"ethers",	ethers,		},
+-	{	"gettytab",	gettytab,	},
+ 	{	"group",	group,		},
+ 	{	"hosts",	hosts,		},
+-	{	"netgroup",	netgroup,	},
+ 	{	"networks",	networks,	},
+ 	{	"passwd",	passwd,		},
+-	{	"printcap",	printcap,	},
+ 	{	"protocols",	protocols,	},
+-	{	"rpc",		rpc,		},
+ 	{	"services",	services,	},
+ 	{	"shells",	shells,		},
+ 
+@@ -195,49 +177,6 @@
+ 	(void)printf("\n");
+ }
+ 
+-
+-		/*
+-		 * ethers
+-		 */
+-
+-static int
+-ethers(int argc, char *argv[])
+-{
+-	char		hostname[MAXHOSTNAMELEN + 1], *hp;
+-	struct ether_addr ea, *eap;
+-	int		i, rv;
+-
+-	assert(argc > 1);
+-	assert(argv != NULL);
+-
+-#define ETHERSPRINT	(void)printf("%-17s  %s\n", ether_ntoa(eap), hp)
+-
+-	rv = RV_OK;
+-	if (argc == 2) {
+-		warnx("Enumeration not supported on ethers");
+-		rv = RV_NOENUM;
+-	} else {
+-		for (i = 2; i < argc; i++) {
+-			if ((eap = ether_aton(argv[i])) == NULL) {
+-				eap = &ea;
+-				hp = argv[i];
+-				if (ether_hostton(hp, eap) != 0) {
+-					rv = RV_NOTFOUND;
+-					break;
+-				}
+-			} else {
+-				hp = hostname;
+-				if (ether_ntohost(hp, eap) != 0) {
+-					rv = RV_NOTFOUND;
+-					break;
+-				}
+-			}
+-			ETHERSPRINT;
+-		}
+-	}
+-	return rv;
+-}
+-
+ 		/*
+ 		 * group
+ 		 */
+@@ -298,7 +237,7 @@
+ hosts(int argc, char *argv[])
+ {
+ 	struct hostent	*he;
+-	char		addr[IN6ADDRSZ];
++	char		addr[NS_IN6ADDRSZ];
+ 	int		i, rv;
+ 
+ 	assert(argc > 1);
+@@ -312,9 +251,9 @@
+ 	} else {
+ 		for (i = 2; i < argc; i++) {
+ 			if (inet_pton(AF_INET6, argv[i], (void *)addr) > 0)
+-				he = gethostbyaddr(addr, IN6ADDRSZ, AF_INET6);
++				he = gethostbyaddr(addr, NS_IN6ADDRSZ, AF_INET6);
+ 			else if (inet_pton(AF_INET, argv[i], (void *)addr) > 0)
+-				he = gethostbyaddr(addr, INADDRSZ, AF_INET);
++				he = gethostbyaddr(addr, NS_INADDRSZ, AF_INET);
+ 			else
+ 				he = gethostbyname(argv[i]);
+ 			if (he != NULL)
+@@ -330,48 +269,6 @@
+ }
+ 
+ 		/*
+-		 * netgroup
+-		 */
+-static int
+-netgroup(int argc, char *argv[])
+-{
+-	int		rv, i;
+-	bool		first;
+-	const char	*host, *user, *domain;
+-
+-	assert(argc > 1);
+-	assert(argv != NULL);
+-
+-#define NETGROUPPRINT(s)	(((s) != NULL) ? (s) : "")
+-
+-	rv = RV_OK;
+-	if (argc == 2) {
+-		warnx("Enumeration not supported on netgroup");
+-		rv = RV_NOENUM;
+-	} else {
+-		for (i = 2; i < argc; i++) {
+-			setnetgrent(argv[i]);
+-			first = true;
+-			while (getnetgrent(&host, &user, &domain) != 0) {
+-				if (first) {
+-					first = false;
+-					(void)fputs(argv[i], stdout);
+-				}
+-				(void)printf(" (%s,%s,%s)",
+-				    NETGROUPPRINT(host),
+-				    NETGROUPPRINT(user),
+-				    NETGROUPPRINT(domain));
+-			}
+-			if (!first)
+-				(void)putchar('\n');
+-			endnetgrent();
+-		}
+-	}
+-
+-	return rv;
+-}
+-
+-		/*
+ 		 * networks
+ 		 */
+ 
+@@ -464,227 +361,6 @@
+ 	return rv;
+ }
+ 
+-static char *
+-mygetent(const char * const * db_array, const char *name)
+-{
+-	char *buf = NULL;
+-	int error;
+-
+-	switch (error = cgetent(&buf, db_array, name)) {
+-	case -3:
+-		warnx("tc= loop in record `%s' in `%s'", name, db_array[0]);
+-		break;
+-	case -2:
+-		warn("system error fetching record `%s' in `%s'", name,
+-		    db_array[0]);
+-		break;
+-	case -1:
+-	case 0:
+-		break;
+-	case 1:
+-		warnx("tc= reference not found in record for `%s' in `%s'",
+-		    name, db_array[0]);
+-		break;
+-	default:
+-		warnx("unknown error %d in record `%s' in `%s'", error, name,
+-		    db_array[0]);
+-		break;
+-	}
+-	return buf;
+-}
+-
+-static char *
+-mygetone(const char * const * db_array, int first)
+-{
+-	char *buf = NULL;
+-	int error;
+-
+-	switch (error = (first ? cgetfirst : cgetnext)(&buf, db_array)) {
+-	case -2:
+-		warnx("tc= loop in `%s'", db_array[0]);
+-		break;
+-	case -1:
+-		warn("system error fetching record in `%s'", db_array[0]);
+-		break;
+-	case 0:
+-	case 1:
+-		break;
+-	case 2:
+-		warnx("tc= reference not found in `%s'", db_array[0]);
+-		break;
+-	default:
+-		warnx("unknown error %d in `%s'", error, db_array[0]);
+-		break;
+-	}
+-	return buf;
+-}
+-
+-static void
+-capprint(const char *cap)
+-{
+-	char *c = strchr(cap, ':');
+-	if (c)
+-		if (c == cap)
+-			(void)printf("true\n");
+-		else {
+-			int l = (int)(c - cap);
+-			(void)printf("%*.*s\n", l, l, cap);
+-		}
+-	else
+-		(void)printf("%s\n", cap);
+-}
+-
+-static void
+-prettyprint(char *b)
+-{
+-#define TERMWIDTH 65
+-	int did = 0;
+-	size_t len;
+-	char *s, c;
+-
+-	for (;;) {
+-		len = strlen(b);
+-		if (len <= TERMWIDTH) {
+-done:
+-			if (did)
+-				printf("\t:");
+-			printf("%s\n", b);
+-			return;
+-		}
+-		for (s = b + TERMWIDTH; s > b && *s != ':'; s--)
+-			continue;
+-		if (*s++ != ':')
+-			goto done;
+-		c = *s;
+-		*s = '\0';
+-		if (did)
+-			printf("\t:");
+-		did++;
+-		printf("%s\\\n", b);
+-		*s = c;
+-		b = s;
+-	}
+-}
+-
+-static void
+-handleone(const char * const *db_array, char *b, int recurse, int pretty,
+-    int level)
+-{
+-	char *tc;
+-
+-	if (level && pretty)
+-		printf("\n");
+-	if (pretty)
+-		prettyprint(b);
+-	else
+-		printf("%s\n", b);
+-	if (!recurse || cgetstr(b, "tc", &tc) <= 0)
+-		return;
+-
+-	b = mygetent(db_array, tc);
+-	free(tc);
+-
+-	if (b == NULL)
+-		return;
+-
+-	handleone(db_array, b, recurse, pretty, ++level);
+-	free(b);
+-}
+-
+-static int
+-handlecap(const char *db, int argc, char *argv[])
+-{
+-	static const char sfx[] = "=#:";
+-	const char *db_array[] = { db, NULL };
+-	char	*b, *cap;
+-	int	i, rv, c;
+-	size_t	j;
+-	int	expand = 1, recurse = 0, pretty = 0;
+-
+-	assert(argc > 1);
+-	assert(argv != NULL);
+-
+-	argc--;
+-	argv++;
+-	while ((c = getopt(argc, argv, "pnr")) != -1)
+-		switch (c) {
+-		case 'n':
+-			expand = 0;
+-			break;
+-		case 'r':
+-			expand = 0;
+-			recurse = 1;
+-			break;
+-		case 'p':
+-			pretty = 1;
+-			break;
+-		default:
+-			usage();
+-			break;
+-		}
+-
+-	argc -= optind;
+-	argv += optind;
+-	csetexpandtc(expand);
+-	rv = RV_OK;
+-	if (argc == 0) {
+-		for (b = mygetone(db_array, 1); b; b = mygetone(db_array, 0)) {
+-			handleone(db_array, b, recurse, pretty, 0);
+-			free(b);
+-		}
+-	} else {
+-		if ((b = mygetent(db_array, argv[0])) == NULL)
+-			return RV_NOTFOUND;
+-		if (argc == 1)
+-			handleone(db_array, b, recurse, pretty, 0);
+-		else {
+-			for (i = 2; i < argc; i++) {
+-				for (j = 0; j < sizeof(sfx) - 1; j++) {
+-					cap = cgetcap(b, argv[i], sfx[j]);
+-					if (cap) {
+-						capprint(cap);
+-						break;
+-					} 
+-				}
+-				if (j == sizeof(sfx) - 1)
+-					printf("false\n");
+-			}
+-		}
+-		free(b);
+-	}
+-	return rv;
+-}
+-
+-		/*
+-		 * gettytab
+-		 */
+-
+-static int
+-gettytab(int argc, char *argv[])
+-{
+-	return handlecap(_PATH_GETTYTAB, argc, argv);
+-}
+-
+-		/*
+-		 * printcap
+-		 */
+-
+-static int
+-printcap(int argc, char *argv[])
+-{
+-	return handlecap(_PATH_PRINTCAP, argc, argv);
+-}
+-
+-		/*
+-		 * disktab
+-		 */
+-
+-static int
+-disktab(int argc, char *argv[])
+-{
+-	return handlecap(_PATH_DISKTAB, argc, argv);
+-}
+-
+ 		/*
+ 		 * protocols
+ 		 */
+@@ -726,47 +402,6 @@
+ }
+ 
+ 		/*
+-		 * rpc
+-		 */
+-
+-static int
+-rpc(int argc, char *argv[])
+-{
+-	struct rpcent	*re;
+-	unsigned long	id;
+-	int		i, rv;
+-	
+-	assert(argc > 1);
+-	assert(argv != NULL);
+-
+-#define RPCPRINT	printfmtstrings(re->r_aliases, "  ", " ", \
+-				"%-16s  %6d", \
+-				re->r_name, re->r_number)
+-
+-	setrpcent(1);
+-	rv = RV_OK;
+-	if (argc == 2) {
+-		while ((re = getrpcent()) != NULL)
+-			RPCPRINT;
+-	} else {
+-		for (i = 2; i < argc; i++) {
+-			if (parsenum(argv[i], &id))
+-				re = getrpcbynumber((int)id);
+-			else
+-				re = getrpcbyname(argv[i]);
+-			if (re != NULL)
+-				RPCPRINT;
+-			else {
+-				rv = RV_NOTFOUND;
+-				break;
+-			}
+-		}
+-	}
+-	endrpcent();
+-	return rv;
+-}
+-
+-		/*
+ 		 * services
+ 		 */
+ 
diff --git a/nixpkgs/pkgs/os-specific/bsd/netbsd/install-setup-hook.sh b/nixpkgs/pkgs/os-specific/bsd/netbsd/install-setup-hook.sh
new file mode 100644
index 000000000000..4bfd4d785fac
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/bsd/netbsd/install-setup-hook.sh
@@ -0,0 +1,8 @@
+addNetBSDInstallMakeFlags() {
+  export INSTALL_FILE="install -U -c"
+  export INSTALL_DIR="install -U -d"
+  export INSTALL_LINK="install -U -l h"
+  export INSTALL_SYMLINK="install -U -l s"
+}
+
+preConfigureHooks+=(addNetBSDInstallMakeFlags)
diff --git a/nixpkgs/pkgs/os-specific/bsd/netbsd/libbsd-overlay.pc b/nixpkgs/pkgs/os-specific/bsd/netbsd/libbsd-overlay.pc
new file mode 100644
index 000000000000..3aadabe50882
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/bsd/netbsd/libbsd-overlay.pc
@@ -0,0 +1,11 @@
+prefix=@out@
+exec_prefix=${prefix}
+libdir=${exec_prefix}/lib
+includedir=${prefix}/include
+
+Name: nbcompat
+Description: NetBSD compatibility framework
+Version: @version@
+URL: https://www.netbsd.org/
+Libs: -L${libdir} -lnbcompat
+Cflags: -I${includedir} -DHAVE_NBTOOL_CONFIG_H -include nbtool_config.h
diff --git a/nixpkgs/pkgs/os-specific/bsd/netbsd/locale.patch b/nixpkgs/pkgs/os-specific/bsd/netbsd/locale.patch
new file mode 100644
index 000000000000..4b7f47855287
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/bsd/netbsd/locale.patch
@@ -0,0 +1,85 @@
+--- a/usr.bin/locale/locale.c	2018-06-11 14:39:06.449762000 -0400
++++ b/usr.bin/locale/locale.c	2018-06-11 14:42:28.461122899 -0400
+@@ -56,14 +56,8 @@
+ #include <stringlist.h>
+ #include <unistd.h>
+ 
+-#include "citrus_namespace.h"
+-#include "citrus_region.h"
+-#include "citrus_lookup.h"
+-#include "setlocale_local.h"
+-
+ /* Local prototypes */
+ void	init_locales_list(void);
+-void	init_locales_list_alias(void);
+ void	list_charmaps(void);
+ void	list_locales(void);
+ const char *lookup_localecat(int);
+@@ -221,6 +215,8 @@
+ };
+ #define NKWINFO (sizeof(kwinfo)/sizeof(kwinfo[0]))
+ 
++const char *_PathLocale = NULL;
++
+ int
+ main(int argc, char *argv[])
+ {
+@@ -411,8 +407,7 @@
+ 	while ((dp = readdir(dirp)) != NULL) {
+ 		/* exclude "." and "..", _LOCALE_ALIAS_NAME */
+ 		if ((dp->d_name[0] != '.' || (dp->d_name[1] != '\0' &&
+-		    (dp->d_name[1] != '.' ||  dp->d_name[2] != '\0'))) &&
+-		    strcmp(_LOCALE_ALIAS_NAME, dp->d_name) != 0) {
++		    (dp->d_name[1] != '.' ||  dp->d_name[2] != '\0')))) {
+ 			s = strdup(dp->d_name);
+ 			if (s == NULL)
+ 				err(1, "could not allocate memory");
+@@ -431,48 +426,10 @@
+ 	if (sl_find(locales, "C") == NULL)
+ 		sl_add(locales, "C");
+ 
+-	init_locales_list_alias();
+-
+ 	/* make output nicer, sort the list */
+ 	qsort(locales->sl_str, locales->sl_cur, sizeof(char *), scmp);
+ }
+ 
+-void
+-init_locales_list_alias(void)
+-{
+-	char aliaspath[PATH_MAX];
+-	struct _lookup *hlookup;
+-	struct _region key, dat;
+-	size_t n;
+-	char *s, *t;
+-
+-	_DIAGASSERT(locales != NULL);
+-	_DIAGASSERT(_PathLocale != NULL);
+-
+-	(void)snprintf(aliaspath, sizeof(aliaspath),
+-		"%s/" _LOCALE_ALIAS_NAME, _PathLocale);
+-
+-	if (_lookup_seq_open(&hlookup, aliaspath,
+-	    _LOOKUP_CASE_SENSITIVE) == 0) {
+-		while (_lookup_seq_next(hlookup, &key, &dat) == 0) {
+-			n = _region_size((const struct _region *)&key);
+-			s = _region_head((const struct _region *)&key);
+-			for (t = s; n > 0 && *s!= '/'; --n, ++s);
+-			n = (size_t)(s - t);
+-			s = malloc(n + 1);
+-			if (s == NULL)
+-				err(1, "could not allocate memory");
+-			memcpy(s, t, n);
+-			s[n] = '\0';
+-			if (sl_find(locales, s) == NULL)
+-				sl_add(locales, s);
+-			else
+-				free(s);
+-		}
+-		_lookup_seq_close(hlookup);
+-	}
+-}
+-
+ /*
+  * Show current locale status, depending on environment variables
+  */
diff --git a/nixpkgs/pkgs/os-specific/bsd/netbsd/no-dynamic-linker.patch b/nixpkgs/pkgs/os-specific/bsd/netbsd/no-dynamic-linker.patch
new file mode 100644
index 000000000000..b3e9f3c88a13
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/bsd/netbsd/no-dynamic-linker.patch
@@ -0,0 +1,16 @@
+===================================================================
+RCS file: /ftp/cvs/cvsroot/src/sys/arch/i386/stand/efiboot/Makefile.efiboot,v
+rcsdiff: /ftp/cvs/cvsroot/src/sys/arch/i386/stand/efiboot/Makefile.efiboot,v: warning: Unknown phrases like `commitid ...;' are present.
+retrieving revision 1.16
+retrieving revision 1.17
+diff -u -p -r1.16 -r1.17
+--- a/sys/arch/i386/stand/efiboot/Makefile.efiboot	2019/09/13 02:19:45	1.16
++++ b/sys/arch/i386/stand/efiboot/Makefile.efiboot	2020/04/04 15:30:46	1.17
+@@ -41,6 +41,7 @@ BINMODE=444
+ .PATH:	${.CURDIR}/../../libsa
+ 
+ LDSCRIPT?= ${.CURDIR}/ldscript
++LDFLAGS+= --no-dynamic-linker --noinhibit-exec
+ LDFLAGS+= -nostdlib -T${LDSCRIPT} -Bsymbolic -shared -nocombreloc
+ CPPFLAGS+= -I$S -I${.CURDIR} -I${.CURDIR}/.. -I$S/lib/libsa
+ CPPFLAGS+= -I${.OBJDIR}
diff --git a/nixpkgs/pkgs/os-specific/bsd/netbsd/setup-hook.sh b/nixpkgs/pkgs/os-specific/bsd/netbsd/setup-hook.sh
new file mode 100644
index 000000000000..fa8b19e7d8ce
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/bsd/netbsd/setup-hook.sh
@@ -0,0 +1,15 @@
+mergeNetBSDSourceDir() {
+  # merge together all extra paths
+  # there should be a better way to do this
+  chmod -R u+w $BSDSRCDIR
+  for path in $extraPaths; do
+    rsync -Er --chmod u+w $path/ $BSDSRCDIR/
+  done
+}
+
+addNetBSDMakeFlags() {
+  makeFlags="INCSDIR=${!outputDev}/include $makeFlags"
+}
+
+postUnpackHooks+=(mergeNetBSDSourceDir)
+preConfigureHooks+=(addNetBSDMakeFlags)
diff --git a/nixpkgs/pkgs/os-specific/bsd/netbsd/sys-headers-incsdir.patch b/nixpkgs/pkgs/os-specific/bsd/netbsd/sys-headers-incsdir.patch
new file mode 100644
index 000000000000..5cfb2a54c8db
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/bsd/netbsd/sys-headers-incsdir.patch
@@ -0,0 +1,13 @@
+diff --git a/Makefile b/Makefile
+index 3f1e18dc659d..163362b82f94 100644
+--- a/sys/Makefile
++++ b/sys/Makefile
+@@ -2,6 +2,8 @@
+ 
+ .include <bsd.own.mk>
+ 
++INCSDIR= ${INCSDIR0}
++
+ SUBDIR=	altq arch compat dev fs miscfs \
+ 	net net80211 netatalk netbt netcan netipsec netinet netinet6 \
+         netmpls netsmb \
diff --git a/nixpkgs/pkgs/os-specific/bsd/setup-hook.sh b/nixpkgs/pkgs/os-specific/bsd/setup-hook.sh
new file mode 100644
index 000000000000..e0afefcd73f7
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/bsd/setup-hook.sh
@@ -0,0 +1,114 @@
+# BSD makefiles should be able to detect this
+# but without they end up using gcc on Darwin stdenv
+addMakeFlags() {
+  export setOutputFlags=
+
+  export LIBCRT0=
+  export LIBCRTI=
+  export LIBCRTEND=
+  export LIBCRTBEGIN=
+  export LIBC=
+  export LIBUTIL=
+  export LIBSSL=
+  export LIBCRYPTO=
+  export LIBCRYPT=
+  export LIBCURSES=
+  export LIBTERMINFO=
+  export LIBM=
+  export LIBL=
+
+  export _GCC_CRTBEGIN=
+  export _GCC_CRTBEGINS=
+  export _GCC_CRTEND=
+  export _GCC_CRTENDS=
+  export _GCC_LIBGCCDIR=
+  export _GCC_CRTI=
+  export _GCC_CRTN=
+  export _GCC_CRTDIR=
+
+  # Definitions passed to share/mk/*.mk. Should be pretty simple -
+  # eventually maybe move it to a configure script.
+  export DESTDIR=
+  export USETOOLS=never
+  export NOCLANGERROR=yes
+  export NOGCCERROR=yes
+  export LEX=flex
+  export MKUNPRIVED=yes
+  export EXTERNAL_TOOLCHAIN=yes
+
+  makeFlags="MACHINE=$MACHINE $makeFlags"
+  makeFlags="MACHINE_ARCH=$MACHINE_ARCH $makeFlags"
+  makeFlags="AR=$AR $makeFlags"
+  makeFlags="CC=$CC $makeFlags"
+  makeFlags="CPP=$CPP $makeFlags"
+  makeFlags="CXX=$CXX $makeFlags"
+  makeFlags="LD=$LD $makeFlags"
+  makeFlags="STRIP=$STRIP $makeFlags"
+
+  makeFlags="BINDIR=${!outputBin}/bin $makeFlags"
+  makeFlags="LIBDIR=${!outputLib}/lib $makeFlags"
+  makeFlags="SHLIBDIR=${!outputLib}/lib $makeFlags"
+  makeFlags="SHAREDIR=${!outputLib}/share $makeFlags"
+  makeFlags="MANDIR=${!outputMan}/share/man $makeFlags"
+  makeFlags="INFODIR=${!outputInfo}/share/info $makeFlags"
+  makeFlags="DOCDIR=${!outputDoc}/share/doc $makeFlags"
+  makeFlags="LOCALEDIR=${!outputLib}/share/locale $makeFlags"
+
+  # Parallel building. Needs the space.
+  makeFlags="-j $NIX_BUILD_CORES $makeFlags"
+}
+
+setBSDSourceDir() {
+  sourceRoot=$PWD/$sourceRoot
+  export BSDSRCDIR=$sourceRoot
+  export _SRC_TOP_=$BSDSRCDIR
+  cd $sourceRoot
+}
+
+cdBSDPath() {
+  if [ -d "$COMPONENT_PATH" ]
+    then sourceRoot=$sourceRoot/$COMPONENT_PATH
+    cd $COMPONENT_PATH
+  fi
+}
+
+includesPhase() {
+  if [ -z "${skipIncludesPhase:-}" ]; then
+    runHook preIncludes
+
+    local flagsArray=(
+         $makeFlags ${makeFlagsArray+"${makeFlagsArray[@]}"}
+         includes
+    )
+
+    echoCmd 'includes flags' "${flagsArray[@]}"
+    make ${makefile:+-f $makefile} "${flagsArray[@]}"
+
+    moveUsrDir
+
+    runHook postIncludes
+  fi
+}
+
+moveUsrDir() {
+  if [ -d $prefix ]; then
+    # Remove lingering /usr references
+    if [ -d $prefix/usr ]; then
+      # Didn't try using rsync yet because per
+      # https://unix.stackexchange.com/questions/127712/merging-folders-with-mv,
+      # it's not neessarily better.
+      pushd $prefix/usr
+      find . -type d -exec mkdir -p $out/\{} \;
+      find . \( -type f -o -type l \) -exec mv \{} $out/\{} \;
+      popd
+    fi
+
+    find $prefix -type d -empty -delete
+  fi
+}
+
+postUnpackHooks+=(setBSDSourceDir)
+postPatchHooks+=(cdBSDPath)
+preConfigureHooks+=(addMakeFlags)
+preInstallHooks+=(includesPhase)
+fixupOutputHooks+=(moveUsrDir)
diff --git a/nixpkgs/pkgs/os-specific/bsd/xargs-j.sh b/nixpkgs/pkgs/os-specific/bsd/xargs-j.sh
new file mode 100644
index 000000000000..3dd27c2cd2cd
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/bsd/xargs-j.sh
@@ -0,0 +1,17 @@
+#! @shell@
+
+declare -a args=()
+
+token=$1
+shift
+
+while (( $# )); do
+    if [[ "$1" = "$token" ]]; then
+        mapfile -t -O $(("${#args[@]}" + 1)) args
+    else
+        args+=("$1")
+    fi
+    shift
+done
+
+exec "${args[@]}"
diff --git a/nixpkgs/pkgs/os-specific/darwin/CoreSymbolication/default.nix b/nixpkgs/pkgs/os-specific/darwin/CoreSymbolication/default.nix
new file mode 100644
index 000000000000..5cf92a41a6f8
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/darwin/CoreSymbolication/default.nix
@@ -0,0 +1,23 @@
+{ lib, fetchFromGitHub, stdenv }:
+
+stdenv.mkDerivation {
+  pname = "core-symbolication";
+  version = "unstable-2018-06-17";
+
+  src = fetchFromGitHub {
+    repo = "CoreSymbolication";
+    owner = "matthewbauer";
+    rev = "24c87c23664b3ee05dc7a5a87d647ae476a680e4";
+    hash = "sha256-PzvLq94eNhP0+rLwGMKcMzxuD6MlrNI7iT/eV0obtSE=";
+  };
+
+  makeFlags = [ "PREFIX=$(out)" "CC=${stdenv.cc.targetPrefix}cc" ];
+
+  meta = with lib; {
+    description = "Reverse engineered headers for Apple's CoreSymbolication framework";
+    homepage = "https://github.com/matthewbauer/CoreSymbolication";
+    license = licenses.mit;
+    platforms = platforms.darwin;
+    maintainers = with maintainers; [ matthewbauer ];
+  };
+}
diff --git a/nixpkgs/pkgs/os-specific/darwin/DarwinTools/default.nix b/nixpkgs/pkgs/os-specific/darwin/DarwinTools/default.nix
new file mode 100644
index 000000000000..11e4c84395da
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/darwin/DarwinTools/default.nix
@@ -0,0 +1,36 @@
+{ lib, stdenv, fetchurl }:
+
+stdenv.mkDerivation rec {
+  pname = "DarwinTools";
+  version = "1";
+
+  src = fetchurl {
+    url = "https://web.archive.org/web/20180408044816/https://opensource.apple.com/tarballs/DarwinTools/DarwinTools-${version}.tar.gz";
+    hash = "sha256-Fzo5QhLd3kZHVFKhJe7xzV6bmRz5nAsG2mNLkAqVBEI=";
+  };
+
+  patches = [
+    ./sw_vers-CFPriv.patch
+  ];
+
+  configurePhase = ''
+    export SRCROOT=.
+    export SYMROOT=.
+    export DSTROOT=$out
+  '';
+
+  makeFlags = [
+    "CC=${stdenv.cc.targetPrefix}cc"
+    "STRIP=${stdenv.cc.targetPrefix}strip"
+  ];
+
+  postInstall = ''
+    mv $out/usr/* $out
+    rmdir $out/usr
+  '';
+
+  meta = {
+    maintainers = [ lib.maintainers.matthewbauer ];
+    platforms = lib.platforms.darwin;
+  };
+}
diff --git a/nixpkgs/pkgs/os-specific/darwin/DarwinTools/sw_vers-CFPriv.patch b/nixpkgs/pkgs/os-specific/darwin/DarwinTools/sw_vers-CFPriv.patch
new file mode 100644
index 000000000000..6faeaa75025e
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/darwin/DarwinTools/sw_vers-CFPriv.patch
@@ -0,0 +1,19 @@
+--- a/sw_vers.c	2021-04-19 13:06:50.131346864 +0900
++++ b/sw_vers.c	2021-04-19 13:07:32.481967474 +0900
+@@ -28,7 +28,15 @@
+  */
+ 
+ #include <CoreFoundation/CoreFoundation.h>
+-#include <CoreFoundation/CFPriv.h>
++
++// Avoid dependency on CoreFoundation/CFPriv, which no longer appears to be
++// part of the upstream sdk.
++
++CFDictionaryRef _CFCopyServerVersionDictionary(void);
++CFDictionaryRef _CFCopySystemVersionDictionary(void);
++extern CFStringRef _kCFSystemVersionProductNameKey;
++extern CFStringRef _kCFSystemVersionProductVersionKey;
++extern CFStringRef _kCFSystemVersionBuildVersionKey;
+ 
+ void usage(char *progname) {
+ 	fprintf(stderr, "Usage: %s [-productName|-productVersion|-buildVersion]\n", progname);
diff --git a/nixpkgs/pkgs/os-specific/darwin/airbuddy/default.nix b/nixpkgs/pkgs/os-specific/darwin/airbuddy/default.nix
new file mode 100644
index 000000000000..303311ccb105
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/darwin/airbuddy/default.nix
@@ -0,0 +1,60 @@
+{ lib
+, stdenvNoCC
+, fetchurl
+, undmg
+}:
+
+stdenvNoCC.mkDerivation (finalAttrs: {
+  pname = "airbuddy";
+  version = "2.7.1";
+
+  src = fetchurl {
+    name = "AirBuddy.dmg";
+    url = "https://download.airbuddy.app/WebDownload/AirBuddy_v${finalAttrs.version}.dmg";
+    hash = "sha256-z8iy3kIBO+1HDgmWxXmFHArLdw85CLNSMvMFZfEJAp0=";
+  };
+
+  dontPatch = true;
+  dontConfigure = true;
+  dontBuild = true;
+  dontFixup = true;
+
+  nativeBuildInputs = [ undmg ];
+
+  # AirBuddy.dmg is not HFS formatted, default unpackPhase fails
+  # https://discourse.nixos.org/t/help-with-error-only-hfs-file-systems-are-supported-on-ventura
+  unpackCmd = ''
+    mnt=$(mktemp -d)
+
+    /usr/bin/hdiutil attach -nobrowse -readonly $src -mountpoint $mnt
+
+    shopt -s extglob
+    DEST="$PWD"
+    (cd "$mnt"; cp -a !(Applications) "$DEST/")
+  '';
+
+  sourceRoot = "AirBuddy.app";
+
+  installPhase = ''
+    runHook preInstall
+
+    mkdir -p $out/Applications/AirBuddy.app
+    cp -R . $out/Applications/AirBuddy.app
+
+    runHook postInstall
+  '';
+
+  meta = with lib; {
+    description = "Take Control of Your Wireless Devices on macOS";
+    longDescription = ''
+      Open your AirPods case next to your Mac to see the status right away, just like it works on your iPhone or iPad.
+      AirBuddy lives in your Menu Bar and can also show battery information for your iPhone, iPad, Apple Watch, Mouse, Keyboard, and more.
+    '';
+    homepage = "https://v2.airbuddy.app";
+    changelog = "https://support.airbuddy.app/articles/airbuddy-2-changelog";
+    license = with licenses; [ unfree ];
+    sourceProvenance = with sourceTypes; [ binaryNativeCode ];
+    maintainers = with maintainers; [ stepbrobd ];
+    platforms = [ "aarch64-darwin" "x86_64-darwin" ];
+  };
+})
diff --git a/nixpkgs/pkgs/os-specific/darwin/aldente/default.nix b/nixpkgs/pkgs/os-specific/darwin/aldente/default.nix
new file mode 100644
index 000000000000..7ca454609aed
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/darwin/aldente/default.nix
@@ -0,0 +1,59 @@
+{ lib
+, stdenvNoCC
+, fetchurl
+, undmg
+}:
+
+stdenvNoCC.mkDerivation (finalAttrs: {
+  pname = "aldente";
+  version = "1.22.3";
+
+  src = fetchurl {
+    url = "https://github.com/davidwernhart/aldente-charge-limiter/releases/download/${finalAttrs.version}/AlDente.dmg";
+    hash = "sha256-pSqBDDumCbORLQ+B3skSqKmgG2KybR5Zb4ojiNQcAaM=";
+  };
+
+  dontBuild = true;
+  dontFixup = true;
+
+  nativeBuildInputs = [ undmg ];
+
+  # AlDente.dmg is not HFS formatted, default unpackPhase fails
+  # https://discourse.nixos.org/t/help-with-error-only-hfs-file-systems-are-supported-on-ventura
+  unpackCmd = ''
+    if ! [[ "$curSrc" =~ \.dmg$ ]]; then return 1; fi
+    mnt=$(mktemp -d -t ci-XXXXXXXXXX)
+
+    function finish {
+      /usr/bin/hdiutil detach $mnt -force
+    }
+    trap finish EXIT
+
+    /usr/bin/hdiutil attach -nobrowse -readonly $src -mountpoint $mnt
+
+    shopt -s extglob
+    DEST="$PWD"
+    (cd "$mnt"; cp -a !(Applications) "$DEST/")
+  '';
+
+  sourceRoot = "AlDente.app";
+
+  installPhase = ''
+    runHook preInstall
+
+    mkdir -p $out/Applications/AlDente.app
+    cp -R . $out/Applications/AlDente.app
+
+    runHook postInstall
+  '';
+
+  meta = with lib; {
+    description = "macOS tool to limit maximum charging percentage";
+    homepage = "https://apphousekitchen.com";
+    changelog = "https://github.com/davidwernhart/aldente-charge-limiter/releases/tag/${finalAttrs.version}";
+    license = with licenses; [ unfree ];
+    sourceProvenance = with sourceTypes; [ binaryNativeCode ];
+    maintainers = with maintainers; [ stepbrobd ];
+    platforms = [ "aarch64-darwin" "x86_64-darwin" ];
+  };
+})
diff --git a/nixpkgs/pkgs/os-specific/darwin/apparency/default.nix b/nixpkgs/pkgs/os-specific/darwin/apparency/default.nix
new file mode 100644
index 000000000000..0bae99c14b37
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/darwin/apparency/default.nix
@@ -0,0 +1,39 @@
+{ lib
+, fetchurl
+, stdenv
+, undmg
+}:
+
+stdenv.mkDerivation {
+  pname = "apparency";
+  version = "1.5.1";
+
+  src = fetchurl {
+    url = "https://web.archive.org/web/20230815073821/https://www.mothersruin.com/software/downloads/Apparency.dmg";
+    hash = "sha256-JpaBdlt8kTNFzK/yZVZ+ZFJ3DnPQbogJC7QBmtSVkoQ=";
+  };
+
+  nativeBuildInputs = [ undmg ];
+
+  sourceRoot = "Apparency.app";
+
+  installPhase = ''
+    runHook preInstall
+
+    mkdir -p $out/Applications/Apparency.app $out/bin
+    cp -R . $out/Applications/Apparency.app
+    ln -s ../Applications/Apparency.app/Contents/MacOS/appy $out/bin
+
+    runHook postInstall
+  '';
+
+  meta = {
+    description = "The App That Opens Apps";
+    homepage = "https://www.mothersruin.com/software/Apparency/";
+    license = lib.licenses.unfreeRedistributable;
+    maintainers = with lib.maintainers; [ Enzime ];
+    mainProgram = "appy";
+    platforms = lib.platforms.darwin;
+    sourceProvenance = with lib.sourceTypes; [ binaryNativeCode ];
+  };
+}
diff --git a/nixpkgs/pkgs/os-specific/darwin/apple-sdk-11.0/apple_sdk.nix b/nixpkgs/pkgs/os-specific/darwin/apple-sdk-11.0/apple_sdk.nix
new file mode 100644
index 000000000000..ca23af43229c
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/darwin/apple-sdk-11.0/apple_sdk.nix
@@ -0,0 +1,268 @@
+{ lib, stdenvNoCC, buildPackages, fetchurl, xar, cpio, pkgs, python3, pbzx, MacOSX-SDK }:
+
+# TODO: reorganize to make this just frameworks, and move libs to default.nix
+
+let
+  stdenv = stdenvNoCC;
+
+  standardFrameworkPath = name: private:
+    "/System/Library/${lib.optionalString private "Private"}Frameworks/${name}.framework";
+
+  mkDepsRewrites = deps:
+  let
+    mergeRewrites = x: y: {
+      prefix = lib.mergeAttrs (x.prefix or {}) (y.prefix or {});
+      const = lib.mergeAttrs (x.const or {}) (y.const or {});
+    };
+
+    rewriteArgs = { prefix ? {}, const ? {} }: lib.concatLists (
+      (lib.mapAttrsToList (from: to: [ "-p" "${from}:${to}" ]) prefix) ++
+      (lib.mapAttrsToList (from: to: [ "-c" "${from}:${to}" ]) const)
+    );
+
+    rewrites = depList: lib.fold mergeRewrites {}
+      (map (dep: dep.tbdRewrites)
+        (lib.filter (dep: dep ? tbdRewrites) depList));
+  in
+    lib.escapeShellArgs (rewriteArgs (rewrites (builtins.attrValues deps)));
+
+  mkFramework = { name, deps, private ? false }:
+    let self = stdenv.mkDerivation {
+      pname = "apple-${lib.optionalString private "private-"}framework-${name}";
+      version = MacOSX-SDK.version;
+
+      dontUnpack = true;
+
+      # because we copy files from the system
+      preferLocalBuild = true;
+
+      disallowedRequisites = [ MacOSX-SDK ];
+
+      nativeBuildInputs = [ buildPackages.darwin.rewrite-tbd ];
+
+      installPhase = ''
+        mkdir -p $out/Library/Frameworks
+
+        cp -r ${MacOSX-SDK}${standardFrameworkPath name private} $out/Library/Frameworks
+
+        if [[ -d ${MacOSX-SDK}/usr/lib/swift/${name}.swiftmodule ]]; then
+          mkdir -p $out/lib/swift
+          cp -r -t $out/lib/swift \
+            ${MacOSX-SDK}/usr/lib/swift/${name}.swiftmodule \
+            ${MacOSX-SDK}/usr/lib/swift/libswift${name}.tbd
+        fi
+
+        # Fix and check tbd re-export references
+        chmod u+w -R $out
+        find $out -name '*.tbd' -type f | while read tbd; do
+          echo "Fixing re-exports in $tbd"
+          rewrite-tbd \
+            -p ${standardFrameworkPath name private}/:$out/Library/Frameworks/${name}.framework/ \
+            -p /usr/lib/swift/:$out/lib/swift/ \
+            ${mkDepsRewrites deps} \
+            -r ${builtins.storeDir} \
+            "$tbd"
+        done
+      '';
+
+      propagatedBuildInputs = builtins.attrValues deps;
+
+      passthru = {
+        tbdRewrites = {
+          prefix."${standardFrameworkPath name private}/" = "${self}/Library/Frameworks/${name}.framework/";
+        };
+      };
+
+      meta = with lib; {
+        description = "Apple SDK framework ${name}";
+        maintainers = with maintainers; [ copumpkin ];
+        platforms   = platforms.darwin;
+      };
+    };
+  in self;
+
+  framework = name: deps: mkFramework { inherit name deps; private = false; };
+  privateFramework = name: deps: mkFramework { inherit name deps; private = true; };
+in rec {
+  libs = {
+    xpc = stdenv.mkDerivation {
+      name   = "apple-lib-xpc";
+      dontUnpack = true;
+
+      installPhase = ''
+        mkdir -p $out/include
+        pushd $out/include >/dev/null
+        cp -r "${MacOSX-SDK}/usr/include/xpc" $out/include/xpc
+        cp "${MacOSX-SDK}/usr/include/launch.h" $out/include/launch.h
+        popd >/dev/null
+      '';
+    };
+
+    Xplugin = stdenv.mkDerivation {
+      name   = "apple-lib-Xplugin";
+      dontUnpack = true;
+
+      propagatedBuildInputs = with frameworks; [
+        OpenGL ApplicationServices Carbon IOKit CoreGraphics CoreServices CoreText
+      ];
+
+      installPhase = ''
+        mkdir -p $out/include $out/lib
+        ln -s "${MacOSX-SDK}/include/Xplugin.h" $out/include/Xplugin.h
+        cp ${MacOSX-SDK}/usr/lib/libXplugin.1.tbd $out/lib
+        ln -s libXplugin.1.tbd $out/lib/libXplugin.tbd
+      '';
+    };
+
+    utmp = stdenv.mkDerivation {
+      name   = "apple-lib-utmp";
+      dontUnpack = true;
+
+      installPhase = ''
+        mkdir -p $out/include
+        pushd $out/include >/dev/null
+        ln -s "${MacOSX-SDK}/include/utmp.h"
+        ln -s "${MacOSX-SDK}/include/utmpx.h"
+        popd >/dev/null
+      '';
+    };
+
+    sandbox = stdenv.mkDerivation {
+      name = "apple-lib-sandbox";
+
+      dontUnpack = true;
+      dontBuild = true;
+
+      installPhase = ''
+        mkdir -p $out/include $out/lib
+        ln -s "${MacOSX-SDK}/usr/include/sandbox.h" $out/include/sandbox.h
+        cp "${MacOSX-SDK}/usr/lib/libsandbox.1.tbd" $out/lib
+        ln -s libsandbox.1.tbd $out/lib/libsandbox.tbd
+      '';
+    };
+
+    libDER = stdenv.mkDerivation {
+      name = "apple-lib-libDER";
+      dontUnpack = true;
+      installPhase = ''
+        mkdir -p $out/include
+        cp -r ${MacOSX-SDK}/usr/include/libDER $out/include
+      '';
+    };
+
+    simd = stdenv.mkDerivation {
+      name = "apple-lib-simd";
+      dontUnpack = true;
+      installPhase = ''
+        mkdir -p $out/include
+        cp -r ${MacOSX-SDK}/usr/include/simd $out/include
+      '';
+    };
+  };
+
+  frameworks = let
+    # Dependency map created by gen-frameworks.py.
+    generatedDeps = import ./frameworks.nix {
+      inherit frameworks libs;
+    };
+
+    # Additional dependencies that are not picked up by gen-frameworks.py.
+    # Some of these are simply private frameworks the generator does not see.
+    extraDeps = with libs; with frameworks; let
+      inherit (pkgs.darwin.apple_sdk_11_0) libnetwork;
+      libobjc = pkgs.darwin.apple_sdk_11_0.objc4;
+    in {
+      # Below this comment are entries migrated from before the generator was
+      # added. If, for a given framework, you are able to reverify the extra
+      # deps are really necessary on top of the generator deps, move it above
+      # this comment (and maybe document your findings).
+      AVFoundation            = { inherit ApplicationServices AVFCapture AVFCore; };
+      Accelerate              = { inherit CoreWLAN IOBluetooth; };
+      AddressBook             = { inherit AddressBookCore ContactsPersistence libobjc; };
+      AppKit                  = { inherit AudioToolbox AudioUnit UIFoundation; };
+      AudioToolbox            = { inherit AudioToolboxCore; };
+      AudioUnit               = { inherit Carbon CoreAudio; };
+      Carbon                  = { inherit IOKit QuartzCore libobjc; };
+      CoreAudio               = { inherit IOKit; };
+      CoreFoundation          = { inherit libobjc; };
+      CoreGraphics            = { inherit SystemConfiguration; };
+      CoreMIDIServer          = { inherit CoreMIDI; };
+      CoreMedia               = { inherit ApplicationServices AudioToolbox AudioUnit; };
+      CoreServices            = { inherit CoreAudio NetFS ServiceManagement; };
+      CoreWLAN                = { inherit SecurityFoundation; };
+      DiscRecording           = { inherit IOKit libobjc; };
+      Foundation              = { inherit SystemConfiguration libobjc; };
+      GameKit                 = { inherit GameCenterFoundation GameCenterUI GameCenterUICore ReplayKit; };
+      ICADevices              = { inherit Carbon libobjc; };
+      IOBluetooth             = { inherit CoreBluetooth; };
+      JavaScriptCore          = { inherit libobjc; };
+      Kernel                  = { inherit IOKit; };
+      LinkPresentation        = { inherit URLFormatting; };
+      MediaToolbox            = { inherit AudioUnit; };
+      MetricKit               = { inherit SignpostMetrics; };
+      Network                 = { inherit libnetwork; };
+      PCSC                    = { inherit CoreData; };
+      PassKit                 = { inherit PassKitCore; };
+      QTKit                   = { inherit CoreMedia CoreMediaIO MediaToolbox VideoToolbox; };
+      Quartz                  = { inherit QTKit; };
+      QuartzCore              = { inherit ApplicationServices CoreImage CoreVideo Metal OpenCL libobjc; };
+      Security                = { inherit IOKit libDER; };
+      TWAIN                   = { inherit Carbon; };
+      VideoDecodeAcceleration = { inherit CoreVideo; };
+      WebKit                  = { inherit ApplicationServices Carbon libobjc; };
+    };
+
+    # Overrides for framework derivations.
+    overrides = super: {
+      CoreFoundation = lib.overrideDerivation super.CoreFoundation (drv: {
+        setupHook = ./cf-setup-hook.sh;
+      });
+
+      # This framework doesn't exist in newer SDKs (somewhere around 10.13), but
+      # there are references to it in nixpkgs.
+      QuickTime = throw "QuickTime framework not available";
+
+      # Seems to be appropriate given https://developer.apple.com/forums/thread/666686
+      JavaVM = super.JavaNativeFoundation;
+
+      CoreVideo = lib.overrideDerivation super.CoreVideo (drv: {
+        installPhase = drv.installPhase + ''
+          # When used as a module, complains about a missing import for
+          # Darwin.C.stdint. Apparently fixed in later SDKs.
+          awk -i inplace '/CFBase.h/ { print "#include <stdint.h>" } { print }' \
+            $out/Library/Frameworks/CoreVideo.framework/Headers/CVBase.h
+        '';
+      });
+
+      System = lib.overrideDerivation super.System (drv: {
+        installPhase = drv.installPhase + ''
+          # Contrarily to the other frameworks, System framework's TBD file
+          # is a symlink pointing to ${MacOSX-SDK}/usr/lib/libSystem.B.tbd.
+          # This produces an error when installing the framework as:
+          #   1. The original file is not copied into the output directory
+          #   2. Even if it was copied, the relative path wouldn't match
+          # Thus, it is easier to replace the file than to fix the symlink.
+          cp --remove-destination ${MacOSX-SDK}/usr/lib/libSystem.B.tbd \
+            $out/Library/Frameworks/System.framework/Versions/B/System.tbd
+        '';
+      });
+    };
+
+    # Merge extraDeps into generatedDeps.
+    deps = generatedDeps // (
+      lib.mapAttrs
+        (name: deps: generatedDeps.${name} // deps)
+        extraDeps
+    );
+
+    # Create derivations, and add private frameworks.
+    bareFrameworks = (lib.mapAttrs framework deps) // (
+      lib.mapAttrs privateFramework (import ./private-frameworks.nix {
+        inherit frameworks;
+        libobjc = pkgs.darwin.apple_sdk_11_0.objc4;
+      })
+    );
+  in
+    # Apply derivation overrides.
+    bareFrameworks // overrides bareFrameworks;
+}
diff --git a/nixpkgs/pkgs/os-specific/darwin/apple-sdk-11.0/cf-setup-hook.sh b/nixpkgs/pkgs/os-specific/darwin/apple-sdk-11.0/cf-setup-hook.sh
new file mode 100644
index 000000000000..b64eb95f2ded
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/darwin/apple-sdk-11.0/cf-setup-hook.sh
@@ -0,0 +1,6 @@
+forceLinkCoreFoundationFramework() {
+  NIX_CFLAGS_COMPILE="-F@out@/Library/Frameworks${NIX_CFLAGS_COMPILE:+ }${NIX_CFLAGS_COMPILE-}"
+  NIX_LDFLAGS+=" @out@/Library/Frameworks/CoreFoundation.framework/CoreFoundation.tbd"
+}
+
+preConfigureHooks+=(forceLinkCoreFoundationFramework)
diff --git a/nixpkgs/pkgs/os-specific/darwin/apple-sdk-11.0/default.nix b/nixpkgs/pkgs/os-specific/darwin/apple-sdk-11.0/default.nix
new file mode 100644
index 000000000000..fe0d0ca63ea9
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/darwin/apple-sdk-11.0/default.nix
@@ -0,0 +1,143 @@
+{ stdenvNoCC, fetchurl, newScope, lib, pkgs
+, stdenv, overrideCC
+, xar, cpio, python3, pbzx }:
+
+let
+  mkSusDerivation = args: stdenvNoCC.mkDerivation (args // {
+    dontBuild = true;
+    darwinDontCodeSign = true;
+
+    nativeBuildInputs = [ cpio pbzx ];
+
+    outputs = [ "out" ];
+
+    unpackPhase = ''
+      pbzx $src | cpio -idm
+    '';
+
+    passthru = {
+      inherit (args) version;
+    };
+  });
+
+  MacOSX-SDK = mkSusDerivation {
+    pname = "MacOSX-SDK";
+    version = "11.0.0";
+
+    # https://swscan.apple.com/content/catalogs/others/index-11-10.15-10.14-10.13-10.12-10.11-10.10-10.9-mountainlion-lion-snowleopard-leopard.merged-1.sucatalog
+    src = fetchurl {
+      url = "http://swcdn.apple.com/content/downloads/46/21/001-89745-A_56FM390IW5/v1um2qppgfdnam2e9cdqcqu2r6k8aa3lis/CLTools_macOSNMOS_SDK.pkg";
+      sha256 = "0n425smj4q1vxbza8fzwnk323fyzbbq866q32w288c44hl5yhwsf";
+    };
+
+    installPhase = ''
+      mv Library/Developer/CommandLineTools/SDKs/MacOSX11.1.sdk $out
+    '';
+  };
+
+  CLTools_Executables = mkSusDerivation {
+    pname = "CLTools_Executables";
+    version = "11.0.0";
+
+    # https://swscan.apple.com/content/catalogs/others/index-11-10.15-10.14-10.13-10.12-10.11-10.10-10.9-mountainlion-lion-snowleopard-leopard.merged-1.sucatalog
+    src = fetchurl {
+      url = "http://swcdn.apple.com/content/downloads/46/21/001-89745-A_56FM390IW5/v1um2qppgfdnam2e9cdqcqu2r6k8aa3lis/CLTools_Executables.pkg";
+      sha256 = "0nvb1qx7l81l2wcl8wvgbpsg5rcn51ylhivqmlfr2hrrv3zrrpl0";
+    };
+
+    installPhase = ''
+      mv Library/Developer/CommandLineTools $out
+    '';
+  };
+
+  mkCc = cc:
+    if stdenv.isAarch64 then cc
+    else
+      cc.override {
+        bintools = stdenv.cc.bintools.override { libc = packages.Libsystem; };
+        libc = packages.Libsystem;
+      };
+
+  mkStdenv = stdenv:
+    if stdenv.isAarch64 then stdenv
+    else
+      (overrideCC stdenv (mkCc stdenv.cc)).override {
+        extraBuildInputs = [ pkgs.darwin.apple_sdk_11_0.frameworks.CoreFoundation ];
+        targetPlatform = stdenv.targetPlatform // {
+          darwinMinVersion = "10.12";
+          darwinSdkVersion = "11.0";
+        };
+      };
+
+  stdenvs = {
+    stdenv = mkStdenv stdenv;
+  } // builtins.listToAttrs (map
+    (v: {
+      name = "llvmPackages_${v}";
+      value = pkgs."llvmPackages_${v}" // {
+        stdenv = mkStdenv pkgs."llvmPackages_${v}".stdenv;
+        clang = mkCc pkgs."llvmPackages_${v}".clang;
+      };
+    })
+    [ "12" "13" "14" "15" "16" ]
+  );
+
+  callPackage = newScope (packages // pkgs.darwin // { inherit MacOSX-SDK; });
+
+  packages = stdenvs // {
+    inherit (callPackage ./apple_sdk.nix { }) frameworks libs;
+
+    # TODO: this is nice to be private. is it worth the callPackage above?
+    # Probably, I don't think that callPackage costs much at all.
+    inherit MacOSX-SDK CLTools_Executables;
+
+    Libsystem = callPackage ./libSystem.nix { };
+    LibsystemCross = pkgs.darwin.Libsystem;
+    libcharset = callPackage ./libcharset.nix { };
+    libunwind = callPackage ./libunwind.nix { };
+    libnetwork = callPackage ./libnetwork.nix { };
+    libpm = callPackage ./libpm.nix { };
+    # Avoid introducing a new objc4 if stdenv already has one, to prevent
+    # conflicting LLVM modules.
+    objc4 = stdenv.objc4 or (callPackage ./libobjc.nix { });
+
+    # questionable aliases
+    configd = pkgs.darwin.apple_sdk.frameworks.SystemConfiguration;
+    inherit (pkgs.darwin.apple_sdk.frameworks) IOKit;
+
+    xcodebuild = pkgs.xcbuild.override {
+      inherit (pkgs.darwin.apple_sdk_11_0) stdenv;
+      inherit (pkgs.darwin.apple_sdk_11_0.frameworks) CoreServices CoreGraphics ImageIO;
+    };
+
+    rustPlatform = pkgs.makeRustPlatform {
+      inherit (pkgs.darwin.apple_sdk_11_0) stdenv;
+      inherit (pkgs) rustc cargo;
+    } // {
+      inherit (pkgs.callPackage ../../../build-support/rust/hooks {
+        inherit (pkgs.darwin.apple_sdk_11_0) stdenv;
+        inherit (pkgs) cargo rustc;
+        clang = mkCc pkgs.clang;
+      }) bindgenHook;
+    };
+
+    callPackage = newScope (lib.optionalAttrs stdenv.isDarwin (stdenvs // rec {
+      inherit (pkgs.darwin.apple_sdk_11_0) xcodebuild rustPlatform;
+      darwin = pkgs.darwin.overrideScope (_: prev: {
+        inherit (prev.darwin.apple_sdk_11_0)
+          IOKit
+          Libsystem
+          LibsystemCross
+          Security
+          configd
+          libcharset
+          libunwind
+          objc4
+          ;
+        apple_sdk = prev.darwin.apple_sdk_11_0;
+        CF = prev.darwin.apple_sdk_11_0.CoreFoundation;
+      });
+      xcbuild = xcodebuild;
+    }));
+  };
+in packages
diff --git a/nixpkgs/pkgs/os-specific/darwin/apple-sdk-11.0/frameworks.nix b/nixpkgs/pkgs/os-specific/darwin/apple-sdk-11.0/frameworks.nix
new file mode 100644
index 000000000000..fa6945f76718
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/darwin/apple-sdk-11.0/frameworks.nix
@@ -0,0 +1,196 @@
+# This file is generated by gen-frameworks.nix.
+# Do not edit, put overrides in apple_sdk.nix instead.
+{ libs, frameworks }: with libs; with frameworks;
+{
+  AGL                              = { inherit Carbon OpenGL; };
+  AVFoundation                     = { inherit AudioToolbox CoreAudio CoreAudioTypes CoreFoundation CoreGraphics CoreImage CoreMIDI CoreMedia CoreVideo Foundation IOKit ImageIO MediaToolbox Metal QuartzCore UniformTypeIdentifiers simd; };
+  AVKit                            = { inherit AVFoundation AppKit Cocoa Foundation; };
+  Accelerate                       = { inherit CoreFoundation CoreGraphics CoreVideo Foundation IOKit Metal; };
+  Accessibility                    = { inherit CoreGraphics Foundation; };
+  Accounts                         = { inherit Foundation; };
+  AdServices                       = { inherit Foundation; };
+  AdSupport                        = { inherit Foundation; };
+  AddressBook                      = { inherit Carbon Cocoa CoreFoundation Foundation; };
+  AppKit                           = { inherit ApplicationServices CloudKit CoreData CoreFoundation CoreGraphics CoreImage CoreLocation Foundation IOKit Metal OpenGL QuartzCore; };
+  AppTrackingTransparency          = { inherit Foundation; };
+  AppleScriptKit                   = {};
+  AppleScriptObjC                  = { inherit Foundation; };
+  ApplicationServices              = { inherit ColorSync CoreFoundation CoreGraphics CoreServices CoreText ImageIO; };
+  AudioToolbox                     = { inherit Carbon CoreAudio CoreAudioTypes CoreFoundation CoreMIDI Foundation; };
+  AudioUnit                        = { inherit AudioToolbox; };
+  AudioVideoBridging               = { inherit Foundation IOKit; };
+  AuthenticationServices           = { inherit AppKit Foundation; };
+  AutomaticAssessmentConfiguration = { inherit Foundation; };
+  Automator                        = { inherit AppKit Cocoa Foundation OSAKit; };
+  BackgroundTasks                  = { inherit Foundation; };
+  BusinessChat                     = { inherit Cocoa Foundation; };
+  CFNetwork                        = { inherit CoreFoundation; };
+  CalendarStore                    = {};
+  CallKit                          = { inherit CoreFoundation CoreGraphics Foundation IOKit; };
+  Carbon                           = { inherit ApplicationServices CoreServices Foundation Security; };
+  ClassKit                         = { inherit CoreGraphics Foundation; };
+  CloudKit                         = { inherit CoreFoundation CoreGraphics CoreLocation Foundation IOKit; };
+  Cocoa                            = { inherit AppKit CoreData Foundation; };
+  Collaboration                    = { inherit AppKit CoreServices Foundation; };
+  ColorSync                        = { inherit CoreFoundation; };
+  Combine                          = {};
+  Contacts                         = { inherit CoreFoundation CoreGraphics Foundation IOKit; };
+  ContactsUI                       = { inherit AppKit; };
+  CoreAudio                        = { inherit CoreAudioTypes CoreFoundation; };
+  CoreAudioKit                     = { inherit AppKit AudioUnit Cocoa Foundation; };
+  CoreAudioTypes                   = { inherit CoreFoundation; };
+  CoreBluetooth                    = { inherit Foundation; };
+  CoreData                         = { inherit CloudKit Combine CoreFoundation CoreGraphics CoreLocation Foundation IOKit; };
+  CoreDisplay                      = {};
+  CoreFoundation                   = {};
+  CoreGraphics                     = { inherit CoreFoundation IOKit; };
+  CoreHaptics                      = { inherit Foundation; };
+  CoreImage                        = { inherit ApplicationServices CoreFoundation CoreGraphics CoreVideo Foundation IOKit IOSurface ImageIO Metal OpenGL; };
+  CoreLocation                     = { inherit CoreFoundation CoreGraphics Foundation IOKit; };
+  CoreMIDI                         = { inherit CoreFoundation CoreGraphics Foundation IOKit; };
+  CoreMIDIServer                   = {};
+  CoreML                           = { inherit CoreFoundation CoreGraphics CoreVideo Foundation IOKit ImageIO Metal; };
+  CoreMedia                        = { inherit CoreAudio CoreAudioTypes CoreFoundation CoreGraphics CoreVideo Foundation IOKit Metal; };
+  CoreMediaIO                      = { inherit CoreFoundation CoreMedia; };
+  CoreMotion                       = { inherit Foundation; };
+  CoreServices                     = { inherit CFNetwork CoreFoundation DiskArbitration Security; };
+  CoreSpotlight                    = { inherit Foundation UniformTypeIdentifiers; };
+  CoreTelephony                    = {};
+  CoreText                         = { inherit CoreFoundation CoreGraphics; };
+  CoreVideo                        = { inherit ApplicationServices CoreFoundation CoreGraphics IOSurface Metal OpenGL; };
+  CoreWLAN                         = { inherit Foundation IOKit; };
+  CryptoKit                        = { inherit CoreFoundation CoreGraphics Foundation IOKit LocalAuthentication Security; };
+  CryptoTokenKit                   = { inherit CoreFoundation CoreGraphics Foundation IOKit Security; };
+  DVDPlayback                      = { inherit ApplicationServices CoreFoundation Security; };
+  DeveloperToolsSupport            = { inherit Foundation; };
+  DeviceCheck                      = { inherit Foundation; };
+  DirectoryService                 = { inherit CoreFoundation; };
+  DiscRecording                    = { inherit CoreServices Foundation; };
+  DiscRecordingUI                  = { inherit Carbon Cocoa DiscRecording; };
+  DiskArbitration                  = { inherit CoreFoundation IOKit; };
+  DriverKit                        = {};
+  EventKit                         = { inherit CoreGraphics CoreLocation Foundation; };
+  ExceptionHandling                = { inherit Foundation; };
+  ExecutionPolicy                  = { inherit Foundation; };
+  ExternalAccessory                = { inherit Foundation; };
+  FWAUserLib                       = { inherit IOKit; };
+  FileProvider                     = { inherit CoreGraphics Foundation; };
+  FileProviderUI                   = { inherit AppKit FileProvider Foundation; };
+  FinderSync                       = { inherit AppKit Foundation; };
+  ForceFeedback                    = { inherit CoreFoundation IOKit; };
+  Foundation                       = { inherit ApplicationServices Combine CoreFoundation CoreGraphics CoreServices IOKit Security; };
+  GLKit                            = { inherit AppKit CloudKit CoreData CoreFoundation CoreGraphics CoreImage CoreLocation Foundation IOKit Metal ModelIO OpenGL QuartzCore simd; };
+  GLUT                             = { inherit OpenGL; };
+  GSS                              = { inherit CoreFoundation; };
+  GameController                   = { inherit AppKit Foundation IOKit; };
+  GameKit                          = { inherit AppKit Cocoa Contacts CoreGraphics Foundation GameController GameplayKit Metal MetalKit ModelIO SceneKit SpriteKit simd; };
+  GameplayKit                      = { inherit AppKit CloudKit CoreData CoreFoundation CoreGraphics CoreImage CoreLocation Foundation GLKit IOKit Metal ModelIO QuartzCore SceneKit SpriteKit simd; };
+  HIDDriverKit                     = { inherit IOKit USBDriverKit; };
+  Hypervisor                       = {};
+  ICADevices                       = { inherit CoreFoundation CoreGraphics CoreServices IOBluetooth; };
+  IMServicePlugIn                  = { inherit Foundation; };
+  IOBluetooth                      = { inherit CoreAudio CoreFoundation CoreServices Foundation IOKit; };
+  IOBluetoothUI                    = { inherit Cocoa IOBluetooth; };
+  IOKit                            = { inherit CoreFoundation; };
+  IOSurface                        = { inherit CoreFoundation Foundation IOKit; };
+  IOUSBHost                        = { inherit Foundation IOKit; };
+  IdentityLookup                   = { inherit Foundation; };
+  ImageCaptureCore                 = { inherit Cocoa CoreGraphics Foundation; };
+  ImageIO                          = { inherit CoreFoundation CoreGraphics; };
+  InputMethodKit                   = { inherit Carbon Cocoa Foundation; };
+  InstallerPlugins                 = {};
+  InstantMessage                   = {};
+  Intents                          = { inherit CoreFoundation CoreGraphics CoreLocation Foundation IOKit; };
+  JavaNativeFoundation             = { inherit Foundation; };
+  JavaRuntimeSupport               = { inherit ApplicationServices Cocoa Foundation QuartzCore; };
+  JavaScriptCore                   = { inherit CoreFoundation CoreGraphics Foundation; };
+  Kerberos                         = {};
+  Kernel                           = {};
+  KernelManagement                 = { inherit Foundation; };
+  LDAP                             = {};
+  LatentSemanticMapping            = { inherit Carbon CoreFoundation; };
+  LinkPresentation                 = { inherit AppKit Foundation; };
+  LocalAuthentication              = { inherit Foundation; };
+  MLCompute                        = { inherit CoreFoundation CoreGraphics Foundation IOKit Metal; };
+  MapKit                           = { inherit AppKit CloudKit CoreData CoreFoundation CoreGraphics CoreImage CoreLocation Foundation IOKit Metal QuartzCore; };
+  MediaAccessibility               = { inherit CoreFoundation CoreGraphics CoreText QuartzCore; };
+  MediaLibrary                     = { inherit Foundation; };
+  MediaPlayer                      = { inherit AVFoundation CoreGraphics Foundation; };
+  MediaToolbox                     = { inherit AudioToolbox CoreFoundation CoreMedia; };
+  Message                          = {};
+  Metal                            = { inherit CoreFoundation CoreGraphics Foundation IOKit IOSurface; };
+  MetalKit                         = { inherit AppKit CloudKit CoreData CoreFoundation CoreGraphics CoreImage CoreLocation Foundation IOKit Metal ModelIO QuartzCore simd; };
+  MetalPerformanceShaders          = { inherit CoreGraphics Foundation Metal simd; };
+  MetalPerformanceShadersGraph     = { inherit Foundation MetalPerformanceShaders; };
+  MetricKit                        = { inherit CoreFoundation CoreGraphics Foundation IOKit; };
+  ModelIO                          = { inherit CoreFoundation CoreGraphics Foundation IOKit simd; };
+  MultipeerConnectivity            = { inherit Cocoa Foundation; };
+  NaturalLanguage                  = { inherit CoreFoundation CoreGraphics Foundation IOKit; };
+  NearbyInteraction                = { inherit CoreFoundation CoreGraphics Foundation IOKit simd; };
+  NetFS                            = { inherit CoreFoundation; };
+  Network                          = { inherit CoreFoundation Foundation Security; };
+  NetworkExtension                 = { inherit Foundation Network Security; };
+  NetworkingDriverKit              = {};
+  NotificationCenter               = { inherit AppKit Foundation; };
+  OSAKit                           = { inherit Carbon Cocoa; };
+  OSLog                            = { inherit CoreFoundation CoreGraphics Foundation IOKit; };
+  OpenAL                           = {};
+  OpenCL                           = { inherit OpenGL; };
+  OpenDirectory                    = { inherit CoreFoundation Foundation; };
+  OpenGL                           = {};
+  PCIDriverKit                     = { inherit IOKit; };
+  PCSC                             = {};
+  PDFKit                           = { inherit AppKit Cocoa; };
+  ParavirtualizedGraphics          = { inherit AppKit CoreVideo Foundation IOSurface Metal; };
+  PassKit                          = { inherit AppKit Contacts CoreGraphics Foundation; };
+  PencilKit                        = { inherit AppKit CloudKit Cocoa CoreData CoreFoundation CoreGraphics CoreImage CoreLocation Foundation IOKit Metal QuartzCore; };
+  Photos                           = { inherit AVFoundation CoreAudio CoreFoundation CoreGraphics CoreImage CoreLocation CoreMIDI CoreMedia Foundation IOKit ImageIO Metal QuartzCore UniformTypeIdentifiers simd; };
+  PhotosUI                         = { inherit AppKit Foundation MapKit Photos; };
+  PreferencePanes                  = { inherit Cocoa; };
+  PushKit                          = { inherit Foundation; };
+  Python                           = { inherit Carbon; };
+  QTKit                            = {};
+  Quartz                           = { inherit AppKit ApplicationServices Cocoa Foundation ImageCaptureCore OpenGL PDFKit QuartzCore QuickLook; };
+  QuartzCore                       = { inherit CoreFoundation CoreGraphics CoreImage CoreVideo Foundation IOKit Metal OpenGL; };
+  QuickLook                        = { inherit ApplicationServices CoreFoundation; };
+  QuickLookThumbnailing            = { inherit CoreGraphics Foundation UniformTypeIdentifiers; };
+  RealityKit                       = { inherit AVFoundation AppKit AudioToolbox CloudKit Combine CoreAudio CoreData CoreFoundation CoreGraphics CoreImage CoreLocation CoreMIDI CoreText Foundation IOKit Metal MultipeerConnectivity QuartzCore simd; };
+  ReplayKit                        = { inherit AVFoundation AppKit Foundation; };
+  Ruby                             = {};
+  SafariServices                   = { inherit AppKit CloudKit CoreData CoreFoundation CoreGraphics CoreImage CoreLocation Foundation IOKit Metal QuartzCore; };
+  SceneKit                         = { inherit AppKit CloudKit CoreData CoreFoundation CoreGraphics CoreImage CoreLocation Foundation GLKit IOKit Metal ModelIO QuartzCore simd; };
+  ScreenSaver                      = { inherit AppKit Foundation; };
+  ScreenTime                       = { inherit AppKit Foundation; };
+  ScriptingBridge                  = { inherit ApplicationServices CoreServices Foundation; };
+  Security                         = { inherit CoreFoundation; };
+  SecurityFoundation               = { inherit Foundation Security; };
+  SecurityInterface                = { inherit AppKit Cocoa Security SecurityFoundation; };
+  SensorKit                        = { inherit CoreFoundation CoreLocation Foundation; };
+  ServiceManagement                = { inherit CoreFoundation Security; };
+  Social                           = { inherit AppKit Foundation; };
+  SoundAnalysis                    = { inherit AVFoundation CoreML CoreMedia Foundation; };
+  Speech                           = { inherit AVFoundation CoreAudio CoreFoundation CoreGraphics CoreImage CoreMIDI CoreMedia Foundation IOKit Metal QuartzCore UniformTypeIdentifiers simd; };
+  SpriteKit                        = { inherit AppKit CloudKit Cocoa CoreData CoreFoundation CoreGraphics CoreImage CoreLocation Foundation GLKit IOKit Metal ModelIO QuartzCore simd; };
+  StoreKit                         = { inherit AppKit CoreGraphics Foundation; };
+  SwiftUI                          = { inherit AppKit CloudKit Combine CoreData CoreFoundation CoreGraphics CoreImage CoreLocation DeveloperToolsSupport Foundation IOKit Metal QuartzCore UniformTypeIdentifiers; };
+  SyncServices                     = {};
+  System                           = {};
+  SystemConfiguration              = { inherit CoreFoundation Security; };
+  SystemExtensions                 = { inherit Foundation; };
+  TWAIN                            = {};
+  Tcl                              = {};
+  Tk                               = {};
+  USBDriverKit                     = { inherit IOKit; };
+  UniformTypeIdentifiers           = { inherit CoreFoundation CoreGraphics Foundation IOKit; };
+  UserNotifications                = { inherit Foundation; };
+  UserNotificationsUI              = { inherit AppKit; };
+  VideoDecodeAcceleration          = {};
+  VideoSubscriberAccount           = { inherit Foundation; };
+  VideoToolbox                     = { inherit CoreFoundation CoreGraphics CoreMedia CoreVideo; };
+  Virtualization                   = { inherit CoreFoundation CoreGraphics Foundation IOKit; };
+  Vision                           = { inherit CoreAudio CoreFoundation CoreGraphics CoreML CoreMedia CoreVideo Foundation IOKit ImageIO Metal simd; };
+  WebKit                           = { inherit AppKit CloudKit CoreData CoreFoundation CoreGraphics CoreImage CoreLocation Foundation IOKit JavaScriptCore Metal OpenGL QuartzCore; };
+  WidgetKit                        = { inherit Combine CoreFoundation CoreGraphics CoreVideo Foundation IOKit Intents Metal SwiftUI; };
+  iTunesLibrary                    = { inherit Foundation; };
+  vmnet                            = {};
+}
diff --git a/nixpkgs/pkgs/os-specific/darwin/apple-sdk-11.0/libSystem.nix b/nixpkgs/pkgs/os-specific/darwin/apple-sdk-11.0/libSystem.nix
new file mode 100644
index 000000000000..7be670425d7a
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/darwin/apple-sdk-11.0/libSystem.nix
@@ -0,0 +1,87 @@
+{ stdenvNoCC, buildPackages, MacOSX-SDK }:
+
+stdenvNoCC.mkDerivation {
+  pname = "libSystem";
+  version = MacOSX-SDK.version;
+
+  dontBuild = true;
+  dontUnpack = true;
+
+  nativeBuildInputs = [ buildPackages.darwin.rewrite-tbd ];
+
+  includeDirs = [
+    "CommonCrypto" "_types" "architecture" "arpa" "atm" "bank" "bsd" "bsm"
+    "corecrypto" "corpses" "default_pager" "device" "dispatch" "hfs" "i386"
+    "iokit" "kern" "libkern" "mach" "mach-o" "mach_debug" "machine" "malloc"
+    "miscfs" "net" "netinet" "netinet6" "netkey" "nfs" "os" "osfmk" "pexpert"
+    "platform" "protocols" "pthread" "rpc" "rpcsvc" "secure" "security"
+    "servers" "sys" "uuid" "vfs" "voucher" "xlocale"
+  ] ++ [
+    "arm" "xpc" "arm64"
+  ];
+
+  csu = [
+    "bundle1.o" "crt0.o" "crt1.10.5.o" "crt1.10.6.o" "crt1.o" "dylib1.10.5.o"
+    "dylib1.o" "gcrt1.o" "lazydylib1.o"
+  ];
+
+  installPhase = ''
+    mkdir -p $out/{include,lib/swift}
+
+    for dir in $includeDirs; do
+      from=${MacOSX-SDK}/usr/include/$dir
+      if [ -e "$from" ]; then
+        cp -dr $from $out/include
+      else
+        echo "Header directory '$from' doesn't exist: skipping"
+      fi
+    done
+
+    cp -d \
+      ${MacOSX-SDK}/usr/include/*.h \
+      ${MacOSX-SDK}/usr/include/*.modulemap \
+      $out/include
+
+    rm $out/include/tk*.h $out/include/tcl*.h
+
+    cp -dr \
+      ${MacOSX-SDK}/usr/lib/libSystem.* \
+      ${MacOSX-SDK}/usr/lib/system \
+      $out/lib
+
+    # Extra libraries
+    for name in c dbm dl info m mx poll proc pthread rpcsvc util gcc_s.1 resolv; do
+      cp -d \
+        ${MacOSX-SDK}/usr/lib/lib$name.tbd \
+        ${MacOSX-SDK}/usr/lib/lib$name.*.tbd \
+        $out/lib
+    done
+
+    for name in os Dispatch; do
+      cp -dr \
+        ${MacOSX-SDK}/usr/lib/swift/$name.swiftmodule \
+        ${MacOSX-SDK}/usr/lib/swift/libswift$name.tbd \
+        $out/lib/swift
+    done
+
+    for f in $csu; do
+      from=${MacOSX-SDK}/usr/lib/$f
+      if [ -e "$from" ]; then
+        cp -d $from $out/lib
+      else
+        echo "Csu file '$from' doesn't exist: skipping"
+      fi
+    done
+
+    chmod u+w -R $out/lib
+    find $out -name '*.tbd' -type f | while read tbd; do
+      rewrite-tbd \
+        -c /usr/lib/libsystem.dylib:$out/lib/libsystem.dylib \
+        -p /usr/lib/system/:$out/lib/system/ \
+        -p /usr/lib/swift/:$out/lib/swift/ \
+        -r ${builtins.storeDir} \
+        "$tbd"
+    done
+  '';
+}
+
diff --git a/nixpkgs/pkgs/os-specific/darwin/apple-sdk-11.0/libcharset.nix b/nixpkgs/pkgs/os-specific/darwin/apple-sdk-11.0/libcharset.nix
new file mode 100644
index 000000000000..bf55037ab605
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/darwin/apple-sdk-11.0/libcharset.nix
@@ -0,0 +1,16 @@
+{ stdenvNoCC, buildPackages, MacOSX-SDK }:
+
+stdenvNoCC.mkDerivation {
+  pname = "libcharset";
+  version = MacOSX-SDK.version;
+
+  dontUnpack = true;
+  dontBuild = true;
+
+  nativeBuildInputs = [ buildPackages.darwin.checkReexportsHook ];
+
+  installPhase = ''
+    mkdir -p $out/{include,lib}
+    cp ${MacOSX-SDK}/usr/lib/libcharset* $out/lib
+  '';
+}
diff --git a/nixpkgs/pkgs/os-specific/darwin/apple-sdk-11.0/libnetwork.nix b/nixpkgs/pkgs/os-specific/darwin/apple-sdk-11.0/libnetwork.nix
new file mode 100644
index 000000000000..2e5c0593bf40
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/darwin/apple-sdk-11.0/libnetwork.nix
@@ -0,0 +1,20 @@
+{ stdenvNoCC, buildPackages, MacOSX-SDK }:
+
+let self = stdenvNoCC.mkDerivation {
+  pname = "libnetwork";
+  version = MacOSX-SDK.version;
+
+  dontUnpack = true;
+  dontBuild = true;
+
+  installPhase = ''
+    mkdir -p $out/lib
+    cp ${MacOSX-SDK}/usr/lib/libnetwork* $out/lib
+  '';
+
+  passthru = {
+    tbdRewrites = {
+      const."/usr/lib/libnetwork.dylib" = "${self}/lib/libnetwork.dylib";
+    };
+  };
+}; in self
diff --git a/nixpkgs/pkgs/os-specific/darwin/apple-sdk-11.0/libobjc.nix b/nixpkgs/pkgs/os-specific/darwin/apple-sdk-11.0/libobjc.nix
new file mode 100644
index 000000000000..9288097ef369
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/darwin/apple-sdk-11.0/libobjc.nix
@@ -0,0 +1,24 @@
+{ stdenvNoCC, MacOSX-SDK, libcharset }:
+
+let self = stdenvNoCC.mkDerivation {
+  pname = "libobjc";
+  version = MacOSX-SDK.version;
+
+  dontUnpack = true;
+  dontBuild = true;
+
+  installPhase = ''
+    mkdir -p $out/{include,lib/swift}
+    cp -r ${MacOSX-SDK}/usr/include/objc $out/include
+    cp ${MacOSX-SDK}/usr/lib/libobjc* $out/lib
+    cp -r ${MacOSX-SDK}/usr/lib/swift/ObjectiveC.swiftmodule $out/lib/swift
+    cp ${MacOSX-SDK}/usr/lib/swift/libswiftObjectiveC.tbd $out/lib/swift
+  '';
+
+  passthru = {
+    tbdRewrites = {
+      const."/usr/lib/libobjc.A.dylib" = "${self}/lib/libobjc.A.dylib";
+      const."/usr/lib/swift/libswiftObjectiveC.dylib" = "${self}/lib/swift/libswiftObjectiveC.dylib";
+    };
+  };
+}; in self
diff --git a/nixpkgs/pkgs/os-specific/darwin/apple-sdk-11.0/libpm.nix b/nixpkgs/pkgs/os-specific/darwin/apple-sdk-11.0/libpm.nix
new file mode 100644
index 000000000000..995f2b20ce70
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/darwin/apple-sdk-11.0/libpm.nix
@@ -0,0 +1,23 @@
+{ stdenvNoCC, MacOSX-SDK, checkReexportsHook }:
+
+stdenvNoCC.mkDerivation {
+  pname = "libpm";
+  version = MacOSX-SDK.version;
+
+  dontUnpack = true;
+  dontBuild = true;
+
+  nativeBuildInputs = [ checkReexportsHook ];
+
+  installPhase = ''
+    mkdir -p $out/lib
+    cp ${MacOSX-SDK}/usr/lib/libpm* $out/lib
+  '';
+
+  passthru = {
+    tbdRewrites = {
+      const."/usr/lib/libpmenergy.dylib" = "${placeholder "out"}/lib/libpmenergy.dylib";
+      const."/usr/lib/libpmsample.dylib" = "${placeholder "out"}/lib/libpmsample.dylib";
+    };
+  };
+}
diff --git a/nixpkgs/pkgs/os-specific/darwin/apple-sdk-11.0/libunwind.nix b/nixpkgs/pkgs/os-specific/darwin/apple-sdk-11.0/libunwind.nix
new file mode 100644
index 000000000000..885780eba75c
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/darwin/apple-sdk-11.0/libunwind.nix
@@ -0,0 +1,24 @@
+{ stdenvNoCC, buildPackages, MacOSX-SDK }:
+
+stdenvNoCC.mkDerivation {
+  pname = "libunwind";
+  version = MacOSX-SDK.version;
+
+  dontUnpack = true;
+  dontBuild = true;
+
+  nativeBuildInputs = [ buildPackages.darwin.checkReexportsHook ];
+
+  installPhase = ''
+    mkdir -p $out/include/mach-o
+
+    cp \
+      ${MacOSX-SDK}/usr/include/libunwind.h \
+      ${MacOSX-SDK}/usr/include/unwind.h \
+      $out/include
+
+    cp \
+      ${MacOSX-SDK}/usr/include/mach-o/compact_unwind_encoding.h \
+      $out/include/mach-o
+  '';
+}
diff --git a/nixpkgs/pkgs/os-specific/darwin/apple-sdk-11.0/private-frameworks.nix b/nixpkgs/pkgs/os-specific/darwin/apple-sdk-11.0/private-frameworks.nix
new file mode 100644
index 000000000000..4566c8af84f5
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/darwin/apple-sdk-11.0/private-frameworks.nix
@@ -0,0 +1,32 @@
+{ frameworks, libobjc }: with frameworks;
+# generated by hand to avoid exposing all private frameworks
+# frameworks here are only the necessary ones used by public frameworks.
+{
+  Apple80211 = {};
+  AVFCapture = {};
+  AVFCore = {};
+  AddressBookCore = { inherit ContactsPersistence; };
+  AudioToolboxCore = {};
+  ContactsPersistence = {};
+  GameCenterFoundation = {};
+  GameCenterUI = {};
+  GameCenterUICore = {};
+  MediaRemote = {};
+  PassKitCore = {};
+  SignpostMetrics = {};
+  SkyLight = {};
+  UIFoundation = {};
+  URLFormatting = {};
+
+  # Also expose CoreSymbolication; used by `root` package.
+  CoreSymbolication = {};
+
+  # Also expose DebugSymbols; used by `llvmPackages_8.lldb` package.
+  DebugSymbols = {};
+
+  # Also expose DisplayServices; used by `sketchybar` package.
+  DisplayServices = { inherit libobjc; };
+
+  # Also expose MultitouchSupport; used by `chuck` package.
+  MultitouchSupport = {};
+}
diff --git a/nixpkgs/pkgs/os-specific/darwin/apple-sdk/cf-setup-hook.sh b/nixpkgs/pkgs/os-specific/darwin/apple-sdk/cf-setup-hook.sh
new file mode 100644
index 000000000000..5d0f58f48b48
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/darwin/apple-sdk/cf-setup-hook.sh
@@ -0,0 +1,9 @@
+linkSystemCoreFoundationFramework() {
+  NIX_CFLAGS_COMPILE="-F@out@/Library/Frameworks${NIX_CFLAGS_COMPILE:+ }${NIX_CFLAGS_COMPILE-}"
+  # gross! many symbols (such as _OBJC_CLASS_$_NSArray) are defined in system CF, but not
+  # in the opensource release
+  # if the package needs private headers, we assume they also want to link with system CF
+  NIX_LDFLAGS+=" @out@/Library/Frameworks/CoreFoundation.framework/CoreFoundation.tbd"
+}
+
+preConfigureHooks+=(linkSystemCoreFoundationFramework)
diff --git a/nixpkgs/pkgs/os-specific/darwin/apple-sdk/default.nix b/nixpkgs/pkgs/os-specific/darwin/apple-sdk/default.nix
new file mode 100644
index 000000000000..5484ba5acb18
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/darwin/apple-sdk/default.nix
@@ -0,0 +1,354 @@
+{ stdenv, fetchurl, cpio, pbzx, pkgs, lib, darwin-stubs, print-reexports }:
+
+let
+  # sadly needs to be exported because security_tool needs it
+  sdk = stdenv.mkDerivation rec {
+    pname = "MacOS_SDK";
+    version = "10.12";
+
+    # This URL comes from https://swscan.apple.com/content/catalogs/others/index-10.12.merged-1.sucatalog, which we found by:
+    #  1. Google: site:swscan.apple.com and look for a name that seems appropriate for your version
+    #  2. In the resulting file, search for a file called DevSDK ending in .pkg
+    #  3. ???
+    #  4. Profit
+    src = fetchurl {
+      url    = "http://swcdn.apple.com/content/downloads/33/36/041-90419-A_7JJ4H9ZHO2/xs88ob5wjz6riz7g6764twblnvksusg4ps/DevSDK_OSX1012.pkg";
+      sha256 = "13xq34sb7383b37hwy076gnhf96prpk1b4087p87xnwswxbrisih";
+    };
+
+    nativeBuildInputs = [ cpio pbzx ];
+
+    outputs = [ "out" "dev" "man" ];
+
+    unpackPhase = ''
+      pbzx $src | cpio -idm
+    '';
+
+    sourceRoot = ".";
+
+    installPhase = ''
+      mkdir -p $out
+
+      cp -R System/Library $out
+      cp -R usr/* $out
+
+      pushd $out/lib
+      cp ${darwin-stubs}/usr/lib/libcups*.tbd .
+      ln -s libcups.2.tbd      libcups.tbd
+      ln -s libcupscgi.1.tbd   libcupscgi.tbd
+      ln -s libcupsimage.2.tbd libcupsimage.tbd
+      ln -s libcupsmime.1.tbd  libcupsmime.tbd
+      ln -s libcupsppdc.1.tbd  libcupsppdc.tbd
+      popd
+    '';
+
+    meta = with lib; {
+      description = "Apple SDK ${version}";
+      maintainers = with maintainers; [ copumpkin ];
+      platforms   = platforms.darwin;
+    };
+  };
+
+  mkFrameworkSubs = name: deps:
+  let
+    deps' = deps // { "${name}" = placeholder "out"; };
+    substArgs = lib.concatMap (x: [ "--subst-var-by" x deps'."${x}" ]) (lib.attrNames deps');
+  in lib.escapeShellArgs substArgs;
+
+  framework = name: deps: stdenv.mkDerivation {
+    name = "apple-framework-${name}";
+
+    dontUnpack = true;
+
+    # because we copy files from the system
+    preferLocalBuild = true;
+
+    disallowedRequisites = [ sdk ];
+
+    nativeBuildInputs = [ print-reexports ];
+
+    extraTBDFiles = [];
+
+    installPhase = ''
+      linkFramework() {
+        local path="$1"
+        local nested_path="$1"
+        if [ "$path" == "JavaNativeFoundation.framework" ]; then
+          local nested_path="JavaVM.framework/Versions/A/Frameworks/JavaNativeFoundation.framework"
+        fi
+        if [ "$path" == "JavaRuntimeSupport.framework" ]; then
+          local nested_path="JavaVM.framework/Versions/A/Frameworks/JavaRuntimeSupport.framework"
+        fi
+        local name="$(basename "$path" .framework)"
+        local current="$(readlink "/System/Library/Frameworks/$nested_path/Versions/Current")"
+        if [ -z "$current" ]; then
+          current=A
+        fi
+
+        local dest="$out/Library/Frameworks/$path"
+
+        mkdir -p "$dest/Versions/$current"
+        pushd "$dest/Versions/$current" >/dev/null
+
+        if [ -d "${sdk.out}/Library/Frameworks/$nested_path/Versions/$current/Headers" ]; then
+          cp -R "${sdk.out}/Library/Frameworks/$nested_path/Versions/$current/Headers" .
+        elif [ -d "${sdk.out}/Library/Frameworks/$name.framework/Versions/$current/Headers" ]; then
+          current="$(readlink "/System/Library/Frameworks/$name.framework/Versions/Current")"
+          cp -R "${sdk.out}/Library/Frameworks/$name.framework/Versions/$current/Headers" .
+        fi
+
+        local tbd_source=${darwin-stubs}/System/Library/Frameworks/$nested_path/Versions/$current
+        if [ "${name}" != "Kernel" ]; then
+          # The Kernel.framework has headers but no actual library component.
+          cp -v $tbd_source/*.tbd .
+        fi
+
+        if [ -d "$tbd_source/Libraries" ]; then
+          mkdir Libraries
+          cp -v $tbd_source/Libraries/*.tbd Libraries/
+        fi
+
+        ln -s -L "/System/Library/Frameworks/$nested_path/Versions/$current/Resources"
+
+        if [ -f "/System/Library/Frameworks/$nested_path/module.map" ]; then
+          ln -s "/System/Library/Frameworks/$nested_path/module.map"
+        fi
+
+        pushd "${sdk.out}/Library/Frameworks/$nested_path/Versions/$current" >/dev/null
+        local children=$(echo Frameworks/*.framework)
+        popd >/dev/null
+
+        for child in $children; do
+          childpath="$path/Versions/$current/$child"
+          linkFramework "$childpath"
+        done
+
+        pushd ../.. >/dev/null
+        ln -s "$current" Versions/Current
+        ln -s Versions/Current/* .
+        popd >/dev/null
+
+        popd >/dev/null
+      }
+
+      linkFramework "${name}.framework"
+
+      # linkFramework is recursive, the rest of the processing is not.
+
+      local tbd_source=${darwin-stubs}/System/Library/Frameworks/${name}.framework
+      for tbd in $extraTBDFiles; do
+        local tbd_dest_dir=$out/Library/Frameworks/${name}.framework/$(dirname "$tbd")
+        mkdir -p "$tbd_dest_dir"
+        cp -v "$tbd_source/$tbd" "$tbd_dest_dir"
+      done
+
+      # Fix and check tbd re-export references
+      find $out -name '*.tbd' | while read tbd; do
+        echo "Fixing re-exports in $tbd"
+        substituteInPlace "$tbd" ${mkFrameworkSubs name deps}
+
+        echo "Checking re-exports in $tbd"
+        print-reexports "$tbd" | while read target; do
+          local expected="''${target%.dylib}.tbd"
+          if ! [ -e "$expected" ]; then
+            echo -e "Re-export missing:\n\t$target\n\t(expected $expected)"
+            echo -e "While processing\n\t$tbd"
+            exit 1
+          else
+            echo "Re-exported target $target ok"
+          fi
+        done
+      done
+    '';
+
+    propagatedBuildInputs = builtins.attrValues deps;
+
+    # don't use pure CF for dylibs that depend on frameworks
+    setupHook = ./framework-setup-hook.sh;
+
+    # Not going to be more specific than this for now
+    __propagatedImpureHostDeps = lib.optionals (name != "Kernel") [
+      # The setup-hook ensures that everyone uses the impure CoreFoundation who uses these SDK frameworks, so let's expose it
+      "/System/Library/Frameworks/CoreFoundation.framework"
+      "/System/Library/Frameworks/${name}.framework"
+      "/System/Library/Frameworks/${name}.framework/${name}"
+    ];
+
+    meta = with lib; {
+      description = "Apple SDK framework ${name}";
+      maintainers = with maintainers; [ copumpkin ];
+      platforms   = platforms.darwin;
+    };
+  };
+
+  tbdOnlyFramework = name: { private ? true }: stdenv.mkDerivation {
+    name = "apple-framework-${name}";
+    dontUnpack = true;
+    installPhase = ''
+      mkdir -p $out/Library/Frameworks/
+      cp -r ${darwin-stubs}/System/Library/${lib.optionalString private "Private"}Frameworks/${name}.framework \
+        $out/Library/Frameworks
+
+      cd $out/Library/Frameworks/${name}.framework
+
+      versions=(./Versions/*)
+      if [ "''${#versions[@]}" != 1 ]; then
+        echo "Unable to determine current version of framework ${name}"
+        exit 1
+      fi
+      current=$(basename ''${versions[0]})
+
+      chmod u+w -R .
+      ln -s "$current" Versions/Current
+      ln -s Versions/Current/* .
+
+      # NOTE there's no re-export checking here, this is probably wrong
+    '';
+  };
+in rec {
+  libs = {
+    xpc = stdenv.mkDerivation {
+      name   = "apple-lib-xpc";
+      dontUnpack = true;
+
+      installPhase = ''
+        mkdir -p $out/include
+        pushd $out/include >/dev/null
+        cp -r "${lib.getDev sdk}/include/xpc" $out/include/xpc
+        cp "${lib.getDev sdk}/include/launch.h" $out/include/launch.h
+        popd >/dev/null
+      '';
+    };
+
+    Xplugin = stdenv.mkDerivation {
+      name   = "apple-lib-Xplugin";
+      dontUnpack = true;
+
+      # Not enough
+      __propagatedImpureHostDeps = [ "/usr/lib/libXplugin.1.dylib" ];
+
+      propagatedBuildInputs = with frameworks; [
+        OpenGL ApplicationServices Carbon IOKit CoreGraphics CoreServices CoreText
+      ];
+
+      installPhase = ''
+        mkdir -p $out/include $out/lib
+        ln -s "${lib.getDev sdk}/include/Xplugin.h" $out/include/Xplugin.h
+        cp ${darwin-stubs}/usr/lib/libXplugin.1.tbd $out/lib
+        ln -s libXplugin.1.tbd $out/lib/libXplugin.tbd
+      '';
+    };
+
+    utmp = stdenv.mkDerivation {
+      name   = "apple-lib-utmp";
+      dontUnpack = true;
+
+      installPhase = ''
+        mkdir -p $out/include
+        pushd $out/include >/dev/null
+        ln -s "${lib.getDev sdk}/include/utmp.h"
+        ln -s "${lib.getDev sdk}/include/utmpx.h"
+        popd >/dev/null
+      '';
+    };
+
+    sandbox = stdenv.mkDerivation {
+      name = "apple-lib-sandbox";
+      dontUnpack = true;
+
+      installPhase = ''
+        mkdir -p $out/include $out/lib
+        ln -s "${lib.getDev sdk}/include/sandbox.h" $out/include/sandbox.h
+        cp "${darwin-stubs}/usr/lib/libsandbox.1.tbd" $out/lib
+        ln -s libsandbox.1.tbd $out/lib/libsandbox.tbd
+      '';
+    };
+  };
+
+  overrides = super: {
+    AppKit = lib.overrideDerivation super.AppKit (drv: {
+      __propagatedImpureHostDeps = drv.__propagatedImpureHostDeps or [] ++ [
+        "/System/Library/PrivateFrameworks/"
+      ];
+    });
+
+    Carbon = lib.overrideDerivation super.Carbon (drv: {
+      extraTBDFiles = [ "Versions/A/Frameworks/HTMLRendering.framework/Versions/A/HTMLRendering.tbd" ];
+    });
+
+    CoreFoundation = lib.overrideDerivation super.CoreFoundation (drv: {
+      setupHook = ./cf-setup-hook.sh;
+    });
+
+    CoreMedia = lib.overrideDerivation super.CoreMedia (drv: {
+      __propagatedImpureHostDeps = drv.__propagatedImpureHostDeps or [] ++ [
+        "/System/Library/Frameworks/CoreImage.framework"
+      ];
+    });
+
+    CoreMIDI = lib.overrideDerivation super.CoreMIDI (drv: {
+      __propagatedImpureHostDeps = drv.__propagatedImpureHostDeps or [] ++ [
+        "/System/Library/PrivateFrameworks/"
+      ];
+      setupHook = ./private-frameworks-setup-hook.sh;
+    });
+
+    IMServicePlugIn = lib.overrideDerivation super.IMServicePlugIn (drv: {
+      extraTBDFiles = [ "Versions/A/Frameworks/IMServicePlugInSupport.framework/Versions/A/IMServicePlugInSupport.tbd" ];
+    });
+
+    Security = lib.overrideDerivation super.Security (drv: {
+      setupHook = ./security-setup-hook.sh;
+    });
+
+    QuartzCore = lib.overrideDerivation super.QuartzCore (drv: {
+      installPhase = drv.installPhase + ''
+        f="$out/Library/Frameworks/QuartzCore.framework/Headers/CoreImage.h"
+        substituteInPlace "$f" \
+          --replace "QuartzCore/../Frameworks/CoreImage.framework/Headers" "CoreImage"
+      '';
+    });
+
+    MetalKit = lib.overrideDerivation super.MetalKit (drv: {
+      installPhase = drv.installPhase + ''
+        mkdir -p $out/include/simd
+        cp ${lib.getDev sdk}/include/simd/*.h $out/include/simd/
+      '';
+    });
+
+    System = lib.overrideDerivation super.System (drv: {
+      installPhase = ''
+        mkdir -p $out/Library/Frameworks/System.framework/Versions/B
+        ln -s $out/Library/Frameworks/System.framework/Versions/{B,Current}
+        ln -s ${pkgs.darwin.Libsystem}/lib/libSystem.B.tbd $out/Library/Frameworks/System.framework/Versions/B/System.tbd
+        ln -s $out/Library/Frameworks/System.framework/{Versions/Current/,}System.tbd
+      '';
+    });
+
+    WebKit = lib.overrideDerivation super.WebKit (drv: {
+      extraTBDFiles = [
+        "Versions/A/Frameworks/WebCore.framework/Versions/A/WebCore.tbd"
+        "Versions/A/Frameworks/WebKitLegacy.framework/Versions/A/WebKitLegacy.tbd"
+      ];
+    });
+  } // lib.genAttrs [
+    "ContactsPersistence"
+    "CoreSymbolication"
+    "DebugSymbols"
+    "DisplayServices"
+    "GameCenter"
+    "MultitouchSupport"
+    "SkyLight"
+    "UIFoundation"
+  ]
+    (x: tbdOnlyFramework x {});
+
+  bareFrameworks = lib.mapAttrs framework (import ./frameworks.nix {
+    inherit frameworks libs;
+    inherit (pkgs.darwin) libobjc;
+  });
+
+  frameworks = bareFrameworks // overrides bareFrameworks;
+
+  inherit sdk;
+}
diff --git a/nixpkgs/pkgs/os-specific/darwin/apple-sdk/framework-setup-hook.sh b/nixpkgs/pkgs/os-specific/darwin/apple-sdk/framework-setup-hook.sh
new file mode 100644
index 000000000000..b0d5915fc1fc
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/darwin/apple-sdk/framework-setup-hook.sh
@@ -0,0 +1,42 @@
+# On macOS, frameworks are linked to the system CoreFoundation but
+# dynamic libraries built with nix use a pure version of CF this
+# causes segfaults for binaries that depend on it at runtime.  This
+# can be solved in two ways.
+# 1. Rewrite references to the pure CF using this setup hook, this
+# works for the simple case but this can still cause problems if other
+# dependencies (eg. python) use the pure CF.
+# 2. Create a wrapper for the binary that sets DYLD_FRAMEWORK_PATH to
+# /System/Library/Frameworks.  This will make everything load the
+# system's CoreFoundation framework while still keeping the
+# dependencies pure for other packages.
+
+fixupOutputHooks+=('fixDarwinFrameworksIn $prefix')
+
+fixDarwinFrameworks() {
+    local systemPrefix='/System/Library/Frameworks'
+
+    for fn in "$@"; do
+        if [ -L "$fn" ]; then continue; fi
+        echo "$fn: fixing dylib"
+
+        for framework in $(otool -L "$fn" | awk '/CoreFoundation\.framework/ {print $1}'); do
+          install_name_tool -change "$framework" "$systemPrefix/CoreFoundation.framework/Versions/A/CoreFoundation" "$fn" >&2
+        done
+    done
+}
+
+fixDarwinFrameworksIn() {
+    local dir="$1"
+    fixDarwinFrameworks $(find "$dir" -name "*.dylib")
+}
+
+
+# This configures the stdenv to use /System/Library/Frameworks/CoreFoundation.framework
+# instead of the nix version by including the system frameworks path
+# as an rpath entry when creating binaries.
+
+useSystemCoreFoundationFramework () {
+  export NIX_COREFOUNDATION_RPATH=/System/Library/Frameworks
+}
+
+addEnvHooks "$hostOffset" useSystemCoreFoundationFramework
diff --git a/nixpkgs/pkgs/os-specific/darwin/apple-sdk/frameworks.nix b/nixpkgs/pkgs/os-specific/darwin/apple-sdk/frameworks.nix
new file mode 100644
index 000000000000..a9fbcc066a3c
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/darwin/apple-sdk/frameworks.nix
@@ -0,0 +1,130 @@
+# Current as of 10.12
+# Epic weird knot-tying happening here.
+# TODO: clean up the process for generating this and include it
+
+{ frameworks, libs, libobjc, }:
+
+with frameworks; with libs; {
+  AGL                     = { inherit Carbon OpenGL; };
+  AVFoundation            = { inherit ApplicationServices CoreGraphics CoreMedia MediaToolbox; };
+  AVKit                   = {};
+  Accounts                = {};
+  AddressBook             = { inherit libobjc Carbon ContactsPersistence; };
+  AppKit                  = { inherit ApplicationServices AudioToolbox AudioUnit Foundation QuartzCore UIFoundation; };
+  AppKitScripting         = {};
+  AppleScriptKit          = {};
+  AppleScriptObjC         = {};
+  AudioToolbox            = { inherit CoreAudio CoreMIDI; };
+  AudioUnit               = { inherit AudioToolbox Carbon CoreAudio; };
+  AudioVideoBridging      = { inherit Foundation; };
+  Automator               = {};
+  CFNetwork               = {};
+  CalendarStore           = {};
+  Cocoa                   = { inherit AppKit CoreData; };
+  Collaboration           = {};
+  # Impure version of CoreFoundation, this should not be used unless another
+  # framework includes headers that are not available in the pure version.
+  CoreFoundation          = {};
+  CoreAudio               = { inherit IOKit; };
+  CoreAudioKit            = { inherit AudioUnit; };
+  CoreData                = {};
+  CoreGraphics            = { inherit Accelerate IOKit IOSurface SystemConfiguration; };
+  CoreImage               = {};
+  CoreLocation            = {};
+  CoreMIDI                = {};
+  CoreMIDIServer          = { inherit CoreMIDI; };
+  CoreMedia               = { inherit ApplicationServices AudioToolbox AudioUnit CoreAudio CoreGraphics CoreVideo; };
+  CoreMediaIO             = { inherit CoreMedia; };
+  CoreText                = { inherit CoreGraphics; };
+  CoreVideo               = { inherit ApplicationServices CoreGraphics IOSurface OpenGL; };
+  CoreWLAN                = { inherit SecurityFoundation; };
+  DVDPlayback             = {};
+  DirectoryService        = {};
+  DiscRecording           = { inherit libobjc CoreServices IOKit; };
+  DiscRecordingUI         = {};
+  DiskArbitration         = { inherit IOKit; };
+  EventKit                = {};
+  ExceptionHandling       = {};
+  FWAUserLib              = {};
+  ForceFeedback           = { inherit IOKit; };
+  Foundation              = { inherit libobjc CoreFoundation Security ApplicationServices SystemConfiguration; };
+  GLKit                   = {};
+  GLUT                    = { inherit OpenGL; };
+  GSS                     = {};
+  GameCenter              = {};
+  GameController          = {};
+  GameKit                 = { inherit Cocoa Foundation GameCenter GameController GameplayKit Metal MetalKit ModelIO SceneKit SpriteKit; };
+  GameplayKit             = {};
+  Hypervisor              = {};
+  ICADevices              = { inherit libobjc Carbon IOBluetooth; };
+  IMServicePlugIn         = {};
+  IOBluetoothUI           = { inherit IOBluetooth; };
+  IOKit                   = {};
+  IOSurface               = { inherit IOKit xpc; };
+  ImageCaptureCore        = {};
+  ImageIO                 = { inherit CoreGraphics; };
+  InputMethodKit          = { inherit Carbon; };
+  InstallerPlugins        = {};
+  InstantMessage          = {};
+  JavaFrameEmbedding      = {};
+  JavaNativeFoundation    = {};
+  JavaRuntimeSupport      = {};
+  JavaScriptCore          = { inherit libobjc; };
+  Kerberos                = {};
+  Kernel                  = { inherit IOKit; };
+  LDAP                    = {};
+  LatentSemanticMapping   = { inherit Carbon; };
+  LocalAuthentication     = {};
+  MapKit                  = {};
+  MediaAccessibility      = { inherit CoreGraphics CoreText QuartzCore; };
+  MediaPlayer             = {};
+  MediaToolbox            = { inherit AudioToolbox AudioUnit CoreMedia; };
+  Metal                   = {};
+  MetalKit                = { inherit ModelIO Metal; };
+  ModelIO                 = {};
+  NetFS                   = {};
+  OSAKit                  = { inherit Carbon; };
+  OpenAL                  = {};
+  OpenCL                  = { inherit IOSurface OpenGL; };
+  OpenGL                  = {};
+  PCSC                    = { inherit CoreData; };
+  PreferencePanes         = {};
+  PubSub                  = {};
+  QTKit                   = { inherit CoreMediaIO CoreMedia MediaToolbox QuickTime VideoToolbox; };
+  QuickLook               = { inherit ApplicationServices; };
+  SceneKit                = {};
+  ScreenSaver             = {};
+  Scripting               = {};
+  ScriptingBridge         = {};
+  Security                = { inherit IOKit; };
+  SecurityFoundation      = {};
+  SecurityInterface       = { inherit Security SecurityFoundation; };
+  ServiceManagement       = { inherit Security; };
+  Social                  = {};
+  SpriteKit               = {};
+  StoreKit                = {};
+  SyncServices            = {};
+  System                  = {};
+  SystemConfiguration     = { inherit Security; };
+  TWAIN                   = { inherit Carbon; };
+  Tcl                     = {};
+  VideoDecodeAcceleration = { inherit CoreVideo; };
+  VideoToolbox            = { inherit CoreMedia CoreVideo; };
+  WebKit                  = { inherit libobjc ApplicationServices Carbon JavaScriptCore OpenGL; };
+
+  # Umbrellas
+  Accelerate          = { inherit CoreWLAN IOBluetooth; };
+  ApplicationServices = { inherit CoreGraphics CoreServices CoreText ImageIO; };
+  Carbon              = { inherit libobjc ApplicationServices CoreServices Foundation IOKit Security QuartzCore; };
+  CoreBluetooth       = {};
+  # TODO: figure out which part of the umbrella depends on CoreFoundation and move it there.
+  CoreServices        = { inherit CFNetwork CoreFoundation CoreAudio CoreData DiskArbitration Security NetFS OpenDirectory ServiceManagement; };
+  IOBluetooth         = { inherit CoreBluetooth IOKit; };
+  JavaVM              = {};
+  OpenDirectory       = {};
+  Quartz              = { inherit QuartzCore QuickLook QTKit; };
+  QuartzCore          = { inherit libobjc ApplicationServices CoreVideo OpenCL CoreImage Metal; };
+  QuickTime           = { inherit ApplicationServices AudioUnit Carbon CoreAudio CoreServices OpenGL QuartzCore; };
+
+  vmnet = {};
+}
diff --git a/nixpkgs/pkgs/os-specific/darwin/apple-sdk/impure-deps.nix b/nixpkgs/pkgs/os-specific/darwin/apple-sdk/impure-deps.nix
new file mode 100644
index 000000000000..c111492f2b3d
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/darwin/apple-sdk/impure-deps.nix
@@ -0,0 +1,256 @@
+rec {
+  CFNetwork = [
+    "/System/Library/Frameworks/CFNetwork.framework"
+    "/usr/lib/libsqlite3.dylib"
+    "/usr/lib/libxml2.2.dylib"
+  ];
+  ForceFeedback = [
+    "/System/Library/Frameworks/ForceFeedback.framework"
+  ];
+  AGL = [
+    "/System/Library/Frameworks/AGL.framework"
+  ];
+  IOKit = [
+    "/System/Library/Frameworks/IOKit.framework"
+  ];
+  JavaScriptCore = [
+    "/System/Library/Frameworks/JavaScriptCore.framework"
+  ];
+  QuickLook = [
+    "/System/Library/Frameworks/QuickLook.framework"
+  ];
+  Quartz = [
+    "/System/Library/Frameworks/Quartz.framework"
+    "/System/Library/PrivateFrameworks/AppleSystemInfo.framework/Versions/A/AppleSystemInfo"
+    "/System/Library/PrivateFrameworks/CorePDF.framework/Versions/A/CorePDF"
+    "/usr/lib/libspindump.dylib"
+  ];
+  ImageCaptureCore = [
+    "/System/Library/Frameworks/ImageCaptureCore.framework"
+  ];
+  VideoToolbox = [
+    "/System/Library/Frameworks/VideoToolbox.framework"
+    "/System/Library/PrivateFrameworks/AppleVA.framework/Versions/A/AppleVA"
+  ];
+  QuickTime = [
+    "/System/Library/Frameworks/QuickTime.framework"
+  ];
+  CoreMedia = [
+    "/System/Library/Frameworks/CoreMedia.framework"
+  ];
+  CoreMediaIO = [
+    "/System/Library/Frameworks/CoreMediaIO.framework"
+    "/System/Library/PrivateFrameworks/AppSandbox.framework/Versions/A/AppSandbox"
+    "/System/Library/PrivateFrameworks/AppContainer.framework/Versions/A/AppContainer"
+    "/System/Library/PrivateFrameworks/SecCodeWrapper.framework/Versions/A/SecCodeWrapper"
+    "/System/Library/PrivateFrameworks/XPCService.framework/Versions/A/XPCService"
+    "/usr/lib/libsandbox.1.dylib"
+    "/usr/lib/libMatch.1.dylib"
+  ];
+  MediaToolbox = [
+    "/System/Library/Frameworks/MediaToolbox.framework"
+    "/System/Library/PrivateFrameworks/CoreAUC.framework/Versions/A/CoreAUC"
+    "/System/Library/PrivateFrameworks/NetworkStatistics.framework/Versions/A/NetworkStatistics"
+  ];
+  QTKit = [
+    "/System/Library/Frameworks/QTKit.framework"
+    "/System/Library/PrivateFrameworks/CoreMediaAuthoring.framework/Versions/A/CoreMediaAuthoring"
+  ];
+  OSAKit = [
+    "/System/Library/Frameworks/OSAKit.framework"
+    "/usr/lib/libexslt.0.dylib"
+  ];
+  WebKit = [
+    "/System/Library/Frameworks/WebKit.framework"
+  ];
+  DiskArbitration = [
+    "/System/Library/Frameworks/DiskArbitration.framework"
+  ];
+  Security = [
+    "/System/Library/Frameworks/Security.framework"
+    "/usr/lib/libbsm.0.dylib"
+    "/usr/lib/libbz2.1.0.dylib"
+    "/usr/lib/libpam.2.dylib"
+    "/usr/lib/libxar.1.dylib"
+    "/usr/lib/libxml2.2.dylib"
+    "/usr/lib/libsqlite3.dylib"
+  ];
+  GSS = [
+    "/System/Library/Frameworks/GSS.framework"
+  ];
+  Kerberos = [
+    "/System/Library/Frameworks/Kerberos.framework"
+  ];
+  CoreServices = [
+    "/System/Library/Frameworks/CoreServices.framework"
+    "/System/Library/PrivateFrameworks/DataDetectorsCore.framework/Versions/A/DataDetectorsCore"
+    "/System/Library/PrivateFrameworks/TCC.framework/Versions/A/TCC"
+    "/System/Library/PrivateFrameworks/LanguageModeling.framework/Versions/A/LanguageModeling"
+    "/usr/lib/libmecabra.dylib"
+    "/usr/lib/libcmph.dylib"
+    "/usr/lib/libiconv.2.dylib"
+    "/usr/lib/libxslt.1.dylib"
+  ] ++ Foundation;
+  IOSurface = [
+    "/System/Library/Frameworks/IOSurface.framework"
+  ];
+  CoreGraphics = [
+    "/System/Library/Frameworks/CoreGraphics.framework"
+    "/System/Library/PrivateFrameworks/MultitouchSupport.framework/Versions/A/MultitouchSupport"
+    "/usr/lib/libbsm.0.dylib"
+    "/usr/lib/libz.1.dylib"
+  ];
+  CoreText = [
+    "/System/Library/Frameworks/CoreText.framework"
+  ];
+  ImageIO = [
+    "/System/Library/Frameworks/ImageIO.framework"
+  ];
+  ApplicationServices = [
+    "/System/Library/Frameworks/ApplicationServices.framework"
+    "/usr/lib/libcups.2.dylib"
+    "/usr/lib/libresolv.9.dylib"
+  ] ++ AudioToolbox;
+  OpenGL = [
+    "/System/Library/Frameworks/OpenGL.framework"
+  ];
+  CoreVideo = [
+    "/System/Library/Frameworks/CoreVideo.framework"
+  ];
+  QuartzCore = [
+    "/System/Library/Frameworks/QuartzCore.framework"
+    "/System/Library/PrivateFrameworks/CrashReporterSupport.framework/Versions/A/CrashReporterSupport"
+  ];
+  PCSC = [
+    "/System/Library/Frameworks/PCSC.framework"
+  ];
+  AppKit = [
+    "/System/Library/Frameworks/AppKit.framework"
+    "/System/Library/PrivateFrameworks/Apple80211.framework/Versions/A/Apple80211"
+    "/System/Library/PrivateFrameworks/AppleJPEG.framework/Versions/A/AppleJPEG"
+    "/System/Library/PrivateFrameworks/AppleVPA.framework/Versions/A/AppleVPA"
+    "/System/Library/PrivateFrameworks/Backup.framework/Versions/A/Backup"
+    "/System/Library/PrivateFrameworks/ChunkingLibrary.framework/Versions/A/ChunkingLibrary"
+    "/System/Library/PrivateFrameworks/CommonAuth.framework/Versions/A/CommonAuth"
+    "/System/Library/PrivateFrameworks/CoreSymbolication.framework/Versions/A/CoreSymbolication"
+    "/System/Library/PrivateFrameworks/CoreUI.framework/Versions/A/CoreUI"
+    "/System/Library/PrivateFrameworks/CoreWiFi.framework/Versions/A/CoreWiFi"
+    "/System/Library/PrivateFrameworks/CrashReporterSupport.framework/Versions/A/CrashReporterSupport"
+    "/System/Library/PrivateFrameworks/DataDetectorsCore.framework/Versions/A/DataDetectorsCore"
+    "/System/Library/PrivateFrameworks/DebugSymbols.framework/Versions/A/DebugSymbols"
+    "/System/Library/PrivateFrameworks/DesktopServicesPriv.framework/Versions/A/DesktopServicesPriv"
+    "/System/Library/PrivateFrameworks/FaceCore.framework/Versions/A/FaceCore"
+    "/System/Library/PrivateFrameworks/GenerationalStorage.framework/Versions/A/GenerationalStorage"
+    "/System/Library/PrivateFrameworks/Heimdal.framework/Heimdal"
+    "/System/Library/PrivateFrameworks/Heimdal.framework/Versions/Current"
+    "/System/Library/PrivateFrameworks/Heimdal.framework/Versions/A/Heimdal"
+    "/System/Library/PrivateFrameworks/IconServices.framework/Versions/A/IconServices"
+    "/System/Library/PrivateFrameworks/LanguageModeling.framework/Versions/A/LanguageModeling"
+    "/System/Library/PrivateFrameworks/MultitouchSupport.framework/Versions/A/MultitouchSupport"
+    "/System/Library/PrivateFrameworks/NetAuth.framework/Versions/A/NetAuth"
+    "/System/Library/PrivateFrameworks/PerformanceAnalysis.framework/Versions/A/PerformanceAnalysis"
+    "/System/Library/PrivateFrameworks/RemoteViewServices.framework/Versions/A/RemoteViewServices"
+    "/System/Library/PrivateFrameworks/Sharing.framework/Versions/A/Sharing"
+    "/System/Library/PrivateFrameworks/SpeechRecognitionCore.framework/Versions/A/SpeechRecognitionCore"
+    "/System/Library/PrivateFrameworks/Symbolication.framework/Versions/A/Symbolication"
+    "/System/Library/PrivateFrameworks/TCC.framework/Versions/A/TCC"
+    "/System/Library/PrivateFrameworks/UIFoundation.framework/Versions/A/UIFoundation"
+    "/System/Library/PrivateFrameworks/login.framework/Versions/A/Frameworks/loginsupport.framework/Versions/A/loginsupport"
+    "/usr/lib/libCRFSuite.dylib"
+    "/usr/lib/libOpenScriptingUtil.dylib"
+    "/usr/lib/libarchive.2.dylib"
+    "/usr/lib/libbsm.0.dylib"
+    "/usr/lib/libbz2.1.0.dylib"
+    "/usr/lib/libc++.1.dylib"
+    "/usr/lib/libc++abi.dylib"
+    "/usr/lib/libcmph.dylib"
+    "/usr/lib/libcups.2.dylib"
+    "/usr/lib/libextension.dylib"
+    "/usr/lib/libheimdal-asn1.dylib"
+    "/usr/lib/libiconv.2.dylib"
+    "/usr/lib/libicucore.A.dylib"
+    "/usr/lib/liblangid.dylib"
+    "/usr/lib/liblzma.5.dylib"
+    "/usr/lib/libmecabra.dylib"
+    "/usr/lib/libpam.2.dylib"
+    "/usr/lib/libresolv.9.dylib"
+    "/usr/lib/libsqlite3.dylib"
+    "/usr/lib/libxar.1.dylib"
+    "/usr/lib/libxml2.2.dylib"
+    "/usr/lib/libxslt.1.dylib"
+    "/usr/lib/libz.1.dylib"
+  ];
+  Foundation = [
+    "/System/Library/Frameworks/Foundation.framework"
+    "/usr/lib/libextension.dylib"
+    "/usr/lib/libarchive.2.dylib"
+    "/usr/lib/liblzma.5.dylib"
+    "/usr/lib/liblangid.dylib"
+    "/usr/lib/libCRFSuite.dylib"
+  ];
+  CoreData = [
+    "/System/Library/Frameworks/CoreData.framework"
+  ];
+  Cocoa = [
+    "/System/Library/Frameworks/Cocoa.framework"
+    "/System/Library/PrivateFrameworks/UIFoundation.framework/Versions/A/UIFoundation"
+    "/System/Library/PrivateFrameworks/UIFoundation.framework/Versions/A"
+  ];
+  Carbon = [
+    "/System/Library/Frameworks/Carbon.framework"
+    "/System/Library/PrivateFrameworks/CoreUI.framework/Versions/A/CoreUI"
+    "/System/Library/PrivateFrameworks/DesktopServicesPriv.framework/Versions/A/DesktopServicesPriv"
+    "/System/Library/PrivateFrameworks/IconServices.framework/Versions/A/IconServices"
+    "/System/Library/PrivateFrameworks/ChunkingLibrary.framework/Versions/A/ChunkingLibrary"
+    "/System/Library/PrivateFrameworks/Sharing.framework/Versions/A/Sharing"
+    "/System/Library/PrivateFrameworks/Apple80211.framework/Versions/A/Apple80211"
+    "/System/Library/PrivateFrameworks/GenerationalStorage.framework/Versions/A/GenerationalStorage"
+  ];
+  CoreAudio = [
+    "/System/Library/Frameworks/CoreAudio.framework"
+  ];
+  AudioUnit = [
+    "/System/Library/Frameworks/AudioUnit.framework"
+  ];
+  CoreMIDI = [
+    "/System/Library/Frameworks/CoreMIDI.framework"
+  ];
+  AudioToolbox = [
+    "/System/Library/Frameworks/AudioToolbox.framework"
+  ];
+  SystemConfiguration = [
+    "/System/Library/Frameworks/SystemConfiguration.framework"
+  ];
+  NetFS = [
+    "/System/Library/Frameworks/NetFS.framework"
+    "/System/Library/PrivateFrameworks/NetAuth.framework/Versions/A/NetAuth"
+    "/System/Library/PrivateFrameworks/login.framework/Versions/A/Frameworks/loginsupport.framework/Versions/A/loginsupport"
+  ];
+  Accelerate = [
+    "/System/Library/Frameworks/Accelerate.framework"
+  ];
+  OpenDirectory = [
+    "/System/Library/Frameworks/OpenDirectory.framework"
+  ];
+  ServiceManagement = [
+    "/System/Library/Frameworks/ServiceManagement.framework"
+  ];
+  OpenCL = [
+    "/System/Library/Frameworks/OpenCL.framework"
+  ];
+  CoreWLAN = [
+    "/System/Library/Frameworks/CoreWLAN.framework"
+  ];
+  IOBluetooth = [
+    "/System/Library/Frameworks/IOBluetooth.framework"
+  ] ++ AudioUnit ++ CoreBluetooth;
+  CoreBluetooth = [
+    "/System/Library/Frameworks/CoreBluetooth.framework"
+  ];
+  SecurityFoundation = [
+    "/System/Library/Frameworks/SecurityFoundation.framework"
+  ];
+  Kernel = [
+    "/System/Library/Frameworks/Kernel.framework"
+  ];
+}
diff --git a/nixpkgs/pkgs/os-specific/darwin/apple-sdk/private-frameworks-setup-hook.sh b/nixpkgs/pkgs/os-specific/darwin/apple-sdk/private-frameworks-setup-hook.sh
new file mode 100644
index 000000000000..a351c39de130
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/darwin/apple-sdk/private-frameworks-setup-hook.sh
@@ -0,0 +1,8 @@
+addPrivateFrameworks() {
+    flag="-F/System/Library/PrivateFrameworks"
+    if [[ "${NIX_CFLAGS_COMPILE-}" != *$flag* ]]; then
+        NIX_CFLAGS_COMPILE+=" $flag"
+    fi
+}
+
+addEnvHooks "$hostOffset" addPrivateFrameworks
diff --git a/nixpkgs/pkgs/os-specific/darwin/apple-sdk/security-setup-hook.sh b/nixpkgs/pkgs/os-specific/darwin/apple-sdk/security-setup-hook.sh
new file mode 100644
index 000000000000..35cea773f98b
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/darwin/apple-sdk/security-setup-hook.sh
@@ -0,0 +1,10 @@
+noDeprecatedDeclarations() {
+  # Security.framework has about 2000 deprecated constants, all of which the user will be
+  # warned about at compilation time
+  flag="-Wno-deprecated-declarations"
+  if [[ "${NIX_CFLAGS_COMPILE-}" != *$flag* ]]; then
+    NIX_CFLAGS_COMPILE+=" $flag"
+  fi
+}
+
+addEnvHooks "$hostOffset" noDeprecatedDeclarations
diff --git a/nixpkgs/pkgs/os-specific/darwin/apple-source-releases/CarbonHeaders/default.nix b/nixpkgs/pkgs/os-specific/darwin/apple-source-releases/CarbonHeaders/default.nix
new file mode 100644
index 000000000000..25e1df3773db
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/darwin/apple-source-releases/CarbonHeaders/default.nix
@@ -0,0 +1,20 @@
+{ lib, appleDerivation', stdenvNoCC }:
+
+appleDerivation' stdenvNoCC {
+  dontBuild = true;
+
+  installPhase = ''
+    mkdir -p $out/include
+    cp MacTypes.h          $out/include
+    cp ConditionalMacros.h $out/include
+
+    substituteInPlace $out/include/MacTypes.h \
+      --replace "CarbonCore/" ""
+  '';
+
+  meta = with lib; {
+    maintainers = with maintainers; [ copumpkin ];
+    platforms   = platforms.darwin;
+    license     = licenses.apsl20;
+  };
+}
diff --git a/nixpkgs/pkgs/os-specific/darwin/apple-source-releases/CommonCrypto/default.nix b/nixpkgs/pkgs/os-specific/darwin/apple-source-releases/CommonCrypto/default.nix
new file mode 100644
index 000000000000..36013fe307ce
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/darwin/apple-source-releases/CommonCrypto/default.nix
@@ -0,0 +1,42 @@
+{ lib, appleDerivation', stdenvNoCC }:
+
+appleDerivation' stdenvNoCC {
+  installPhase = ''
+    mkdir -p $out/include/CommonCrypto
+    cp include/* $out/include/CommonCrypto
+  '';
+
+  appleHeaders = ''
+    CommonCrypto/CommonBaseXX.h
+    CommonCrypto/CommonBigNum.h
+    CommonCrypto/CommonCMACSPI.h
+    CommonCrypto/CommonCRC.h
+    CommonCrypto/CommonCrypto.h
+    CommonCrypto/CommonCryptoError.h
+    CommonCrypto/CommonCryptoPriv.h
+    CommonCrypto/CommonCryptor.h
+    CommonCrypto/CommonCryptorSPI.h
+    CommonCrypto/CommonDH.h
+    CommonCrypto/CommonDigest.h
+    CommonCrypto/CommonDigestSPI.h
+    CommonCrypto/CommonECCryptor.h
+    CommonCrypto/CommonHMAC.h
+    CommonCrypto/CommonHMacSPI.h
+    CommonCrypto/CommonKeyDerivation.h
+    CommonCrypto/CommonKeyDerivationSPI.h
+    CommonCrypto/CommonNumerics.h
+    CommonCrypto/CommonRSACryptor.h
+    CommonCrypto/CommonRandom.h
+    CommonCrypto/CommonRandomSPI.h
+    CommonCrypto/CommonSymmetricKeywrap.h
+    CommonCrypto/aes.h
+    CommonCrypto/lionCompat.h
+    CommonCrypto/module.modulemap
+  '';
+
+  meta = with lib; {
+    maintainers = with maintainers; [ copumpkin ];
+    platforms   = platforms.darwin;
+    license     = licenses.apsl20;
+  };
+}
diff --git a/nixpkgs/pkgs/os-specific/darwin/apple-source-releases/Csu/default.nix b/nixpkgs/pkgs/os-specific/darwin/apple-source-releases/Csu/default.nix
new file mode 100644
index 000000000000..cc73c0ac9415
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/darwin/apple-source-releases/Csu/default.nix
@@ -0,0 +1,29 @@
+{ lib, appleDerivation', stdenv }:
+
+appleDerivation' stdenv {
+
+  prePatch = ''
+    substituteInPlace Makefile \
+      --replace /usr/lib /lib \
+      --replace /usr/local/lib /lib \
+      --replace /usr/bin "" \
+      --replace /bin/ "" \
+      --replace "CC = " "#" \
+      --replace "SDK_DIR = " "SDK_DIR = . #" \
+
+    # Mac OS didn't support rpaths back before 10.5, but we don't care about it.
+    substituteInPlace Makefile \
+      --replace -mmacosx-version-min=10.4 -mmacosx-version-min=10.6 \
+      --replace -mmacosx-version-min=10.5 -mmacosx-version-min=10.6
+  '';
+
+  installFlags = [ "DSTROOT=$(out)" ];
+  enableParallelInstalling = false; # cp: cannot create regular file '$out/lib/crt1.10.6.o'
+
+  meta = with lib; {
+    description = "Apple's common startup stubs for darwin";
+    maintainers = with maintainers; [ copumpkin ];
+    platforms   = platforms.darwin;
+    license     = licenses.apsl20;
+  };
+}
diff --git a/nixpkgs/pkgs/os-specific/darwin/apple-source-releases/ICU/default.nix b/nixpkgs/pkgs/os-specific/darwin/apple-source-releases/ICU/default.nix
new file mode 100644
index 000000000000..ed5e998714af
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/darwin/apple-source-releases/ICU/default.nix
@@ -0,0 +1,86 @@
+{ appleDerivation, lib, stdenv, buildPackages, python3 }:
+
+let
+  formatVersionNumeric = version:
+    let
+      versionParts = lib.versions.splitVersion version;
+      major = lib.toInt (lib.elemAt versionParts 0);
+      minor = lib.toInt (lib.elemAt versionParts 1);
+      patch = if lib.length versionParts > 2 then lib.toInt (lib.elemAt versionParts 2) else 0;
+    in toString (major * 10000 + minor * 100 + patch);
+in
+
+appleDerivation {
+  nativeBuildInputs = [ python3 ];
+
+  depsBuildBuild = lib.optionals (stdenv.hostPlatform != stdenv.buildPlatform) [ buildPackages.stdenv.cc ];
+
+  postPatch = ''
+    substituteInPlace makefile \
+      --replace "/usr/bin/" "" \
+      --replace "xcrun --sdk macosx --find" "echo -n" \
+      --replace "xcrun --sdk macosx.internal --show-sdk-path" "echo -n /dev/null" \
+      --replace "-install_name " "-install_name $out"
+
+    substituteInPlace icuSources/config/mh-darwin \
+      --replace "-install_name " "-install_name $out/"
+
+    # drop using impure /var/db/timezone/icutz
+    substituteInPlace makefile \
+      --replace '-DU_TIMEZONE_FILES_DIR=\"\\\"$(TZDATA_LOOKUP_DIR)\\\"\" -DU_TIMEZONE_PACKAGE=\"\\\"$(TZDATA_PACKAGE)\\\"\"' ""
+
+    # FIXME: This will cause `ld: warning: OS version (12.0) too small, changing to 13.0.0`, APPLE should fix it.
+    substituteInPlace makefile \
+      --replace "ZIPPERING_LDFLAGS=-Wl,-iosmac_version_min,12.0" "ZIPPERING_LDFLAGS="
+
+    # skip test for missing encodingSamples data
+    substituteInPlace icuSources/test/cintltst/ucsdetst.c \
+      --replace "&TestMailFilterCSS" "NULL"
+
+    patchShebangs icuSources
+  '' + lib.optionalString (stdenv.buildPlatform != stdenv.hostPlatform) ''
+
+    # This looks like a bug in the makefile. It defines ENV_BUILDHOST to
+    # propagate the correct value of CC, CXX, etc, but has the following double
+    # expansion that results in the empty string.
+    substituteInPlace makefile \
+      --replace '$($(ENV_BUILDHOST))' '$(ENV_BUILDHOST)'
+  '';
+
+  # APPLE is using makefile to save its default configuration and call ./configure, so we hack makeFlags
+  # instead of configuring ourself, trying to stay abreast of APPLE.
+  dontConfigure = true;
+  makeFlags = [
+    "DSTROOT=$(out)"
+
+    # remove /usr prefix on include and lib
+    "PRIVATE_HDR_PREFIX="
+    "libdir=/lib/"
+
+    "DATA_INSTALL_DIR=/share/icu/"
+    "DATA_LOOKUP_DIR=$(DSTROOT)$(DATA_INSTALL_DIR)"
+  ] ++ lib.optionals stdenv.hostPlatform.isDarwin [ # darwin* platform properties are only defined on darwin
+    # hack to use our lower macos version
+    "MAC_OS_X_VERSION_MIN_REQUIRED=${formatVersionNumeric stdenv.hostPlatform.darwinMinVersion}"
+    "ICU_TARGET_VERSION=-m${stdenv.hostPlatform.darwinPlatform}-version-min=${stdenv.hostPlatform.darwinMinVersion}"
+  ]
+  ++ lib.optionals (stdenv.buildPlatform != stdenv.hostPlatform) [
+    "CROSS_BUILD=YES"
+    "BUILD_TYPE="
+    "RC_ARCHS=${stdenv.hostPlatform.darwinArch}"
+    "HOSTCC=cc"
+    "HOSTCXX=c++"
+    "CC=${stdenv.cc.targetPrefix}cc"
+    "CXX=${stdenv.cc.targetPrefix}c++"
+    "HOSTISYSROOT="
+    "OSX_HOST_VERSION_MIN_STRING=${stdenv.buildPlatform.darwinMinVersion}"
+  ];
+
+  doCheck = true;
+  checkTarget = "check";
+
+  postInstall = ''
+    # we don't need all those in usr/local
+    rm -rf $out/usr
+  '';
+}
diff --git a/nixpkgs/pkgs/os-specific/darwin/apple-source-releases/IOKit/default.nix b/nixpkgs/pkgs/os-specific/darwin/apple-source-releases/IOKit/default.nix
new file mode 100644
index 000000000000..aeeb5c06b34c
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/darwin/apple-source-releases/IOKit/default.nix
@@ -0,0 +1,188 @@
+{ lib, appleDerivation', stdenv, IOKitSrcs, xnu, darwin-stubs }:
+
+# Someday it'll make sense to split these out into their own packages, but today is not that day.
+appleDerivation' stdenv {
+  srcs = lib.attrValues IOKitSrcs;
+  sourceRoot = ".";
+
+  __propagatedImpureHostDeps = [
+    "/System/Library/Frameworks/IOKit.framework/IOKit"
+    "/System/Library/Frameworks/IOKit.framework/Resources"
+    "/System/Library/Frameworks/IOKit.framework/Versions"
+  ];
+
+  installPhase = ''
+    mkdir -p $out/Library/Frameworks/IOKit.framework
+
+    ###### IMPURITIES
+    ln -s /System/Library/Frameworks/IOKit.framework/Resources \
+      $out/Library/Frameworks/IOKit.framework
+
+    ###### STUBS
+    cp ${darwin-stubs}/System/Library/Frameworks/IOKit.framework/Versions/A/IOKit.tbd \
+      $out/Library/Frameworks/IOKit.framework
+
+    ###### HEADERS
+
+    export dest=$out/Library/Frameworks/IOKit.framework/Headers
+    mkdir -p $dest
+
+    pushd $dest
+    mkdir audio avc DV firewire graphics hid hidsystem i2c kext ndrvsupport
+    mkdir network ps pwr_mgt sbp2 scsi serial storage stream usb video
+    popd
+
+    # root: complete
+    cp IOKitUser-*/IOCFBundle.h                                       $dest
+    cp IOKitUser-*/IOCFPlugIn.h                                       $dest
+    cp IOKitUser-*/IOCFSerialize.h                                    $dest
+    cp IOKitUser-*/IOCFUnserialize.h                                  $dest
+    cp IOKitUser-*/IOCFURLAccess.h                                    $dest
+    cp IOKitUser-*/IODataQueueClient.h                                $dest
+    cp IOKitUser-*/IOKitLib.h                                         $dest
+    cp IOKitUser-*/iokitmig.h                                         $dest
+    cp ${xnu}/Library/PrivateFrameworks/IOKit.framework/Versions/A/Headers/*.h $dest
+
+    # audio: complete
+    cp IOAudioFamily-*/IOAudioDefines.h          $dest/audio
+    cp IOKitUser-*/audio.subproj/IOAudioLib.h    $dest/audio
+    cp IOAudioFamily-*/IOAudioTypes.h            $dest/audio
+
+    # avc: complete
+    cp IOFireWireAVC-*/IOFireWireAVC/IOFireWireAVCConsts.h $dest/avc
+    cp IOFireWireAVC-*/IOFireWireAVCLib/IOFireWireAVCLib.h $dest/avc
+
+    # DV: complete
+    cp IOFWDVComponents-*/DVFamily.h $dest/DV
+
+    # firewire: complete
+    cp IOFireWireFamily-*/IOFireWireFamily.kmodproj/IOFireWireFamilyCommon.h $dest/firewire
+    cp IOFireWireFamily-*/IOFireWireLib.CFPlugInProj/IOFireWireLib.h         $dest/firewire
+    cp IOFireWireFamily-*/IOFireWireLib.CFPlugInProj/IOFireWireLibIsoch.h    $dest/firewire
+    cp IOFireWireFamily-*/IOFireWireFamily.kmodproj/IOFWIsoch.h              $dest/firewire
+
+    # graphics: missing AppleGraphicsDeviceControlUserCommand.h
+    cp IOGraphics-*/IOGraphicsFamily/IOKit/graphics/IOAccelClientConnect.h     $dest/graphics
+    cp IOGraphics-*/IOGraphicsFamily/IOKit/graphics/IOAccelSurfaceConnect.h    $dest/graphics
+    cp IOGraphics-*/IOGraphicsFamily/IOKit/graphics/IOAccelTypes.h             $dest/graphics
+    cp IOGraphics-*/IOGraphicsFamily/IOKit/graphics/IOFramebufferShared.h      $dest/graphics
+    cp IOGraphics-*/IOGraphicsFamily/IOKit/graphics/IOGraphicsEngine.h         $dest/graphics
+    cp IOGraphics-*/IOGraphicsFamily/IOKit/graphics/IOGraphicsInterface.h      $dest/graphics
+    cp IOGraphics-*/IOGraphicsFamily/IOKit/graphics/IOGraphicsInterfaceTypes.h $dest/graphics
+    cp IOKitUser-*/graphics.subproj/IOGraphicsLib.h                            $dest/graphics
+    cp IOGraphics-*/IOGraphicsFamily/IOKit/graphics/IOGraphicsTypes.h          $dest/graphics
+
+    # hid: complete
+    cp IOKitUser-*/hid.subproj/IOHIDBase.h          $dest/hid
+    cp IOKitUser-*/hid.subproj/IOHIDDevice.h        $dest/hid
+    cp IOKitUser-*/hid.subproj/IOHIDDevicePlugIn.h  $dest/hid
+    cp IOKitUser-*/hid.subproj/IOHIDElement.h       $dest/hid
+    cp IOKitUser-*/hid.subproj/IOHIDLib.h           $dest/hid
+    cp IOKitUser-*/hid.subproj/IOHIDManager.h       $dest/hid
+    cp IOKitUser-*/hid.subproj/IOHIDQueue.h         $dest/hid
+    cp IOKitUser-*/hid.subproj/IOHIDTransaction.h   $dest/hid
+    cp IOKitUser-*/hid.subproj/IOHIDValue.h         $dest/hid
+    cp IOHIDFamily-*/IOHIDFamily/IOHIDKeys.h        $dest/hid
+    cp IOHIDFamily-*/IOHIDFamily/IOHIDUsageTables.h $dest/hid
+    cp IOHIDFamily-*/IOHIDLib/IOHIDLibObsolete.h    $dest/hid
+
+    # hidsystem: complete
+    cp IOHIDFamily-*/IOHIDSystem/IOKit/hidsystem/ev_keymap.h      $dest/hidsystem
+    cp IOKitUser-*/hidsystem.subproj/event_status_driver.h        $dest/hidsystem
+    cp IOKitUser-*/hidsystem.subproj/IOHIDLib.h                   $dest/hidsystem
+    cp IOHIDFamily-*/IOHIDSystem/IOKit/hidsystem/IOHIDParameter.h $dest/hidsystem
+    cp IOHIDFamily-*/IOHIDSystem/IOKit/hidsystem/IOHIDShared.h    $dest/hidsystem
+    cp IOHIDFamily-*/IOHIDSystem/IOKit/hidsystem/IOHIDTypes.h     $dest/hidsystem
+    cp IOHIDFamily-*/IOHIDSystem/IOKit/hidsystem/IOLLEvent.h      $dest/hidsystem
+
+
+    # i2c: complete
+    cp IOGraphics-*/IOGraphicsFamily/IOKit/i2c/IOI2CInterface.h $dest/i2c
+
+    # kext: complete
+    cp IOKitUser-*/kext.subproj/KextManager.h $dest/kext
+
+    # ndrvsupport: complete
+    cp IOGraphics-*/IONDRVSupport/IOKit/ndrvsupport/IOMacOSTypes.h $dest/ndrvsupport
+    cp IOGraphics-*/IONDRVSupport/IOKit/ndrvsupport/IOMacOSVideo.h $dest/ndrvsupport
+
+    # network: complete
+    cp IONetworkingFamily-*/IOEthernetController.h       $dest/network
+    cp IONetworkingFamily-*/IOEthernetInterface.h        $dest/network
+    cp IONetworkingFamily-*/IOEthernetStats.h            $dest/network
+    cp IONetworkingFamily-*/IONetworkController.h        $dest/network
+    cp IONetworkingFamily-*/IONetworkData.h              $dest/network
+    cp IONetworkingFamily-*/IONetworkInterface.h         $dest/network
+    cp IOKitUser-*/network.subproj/IONetworkLib.h        $dest/network
+    cp IONetworkingFamily-*/IONetworkMedium.h            $dest/network
+    cp IONetworkingFamily-*/IONetworkStack.h             $dest/network
+    cp IONetworkingFamily-*/IONetworkStats.h             $dest/network
+    cp IONetworkingFamily-*/IONetworkUserClient.h        $dest/network
+
+    # ps: missing IOUPSPlugIn.h
+    cp IOKitUser-*/ps.subproj/IOPowerSources.h $dest/ps
+    cp IOKitUser-*/ps.subproj/IOPSKeys.h       $dest/ps
+
+    # pwr_mgt: complete
+    cp IOKitUser-*/pwr_mgt.subproj/IOPMKeys.h                                          $dest/pwr_mgt
+    cp IOKitUser-*/pwr_mgt.subproj/IOPMLib.h                                           $dest/pwr_mgt
+    cp ${xnu}/Library/PrivateFrameworks/IOKit.framework/Versions/A/Headers/pwr_mgt/*.h $dest/pwr_mgt
+    cp IOKitUser-*/pwr_mgt.subproj/IOPMLibPrivate.h                                    $dest/pwr_mgt # Private
+
+    # sbp2: complete
+    cp IOFireWireSBP2-*/IOFireWireSBP2Lib/IOFireWireSBP2Lib.h $dest/sbp2
+
+    # scsi: omitted for now
+
+    # serial: complete
+    cp IOSerialFamily-*/IOSerialFamily.kmodproj/IOSerialKeys.h $dest/serial
+    cp IOSerialFamily-*/IOSerialFamily.kmodproj/ioss.h         $dest/serial
+
+    # storage: complete
+    # Needs ata subdirectory
+    cp IOStorageFamily-*/IOAppleLabelScheme.h                                    $dest/storage
+    cp IOStorageFamily-*/IOApplePartitionScheme.h                                $dest/storage
+    cp IOBDStorageFamily-*/IOBDBlockStorageDevice.h                              $dest/storage
+    cp IOBDStorageFamily-*/IOBDMedia.h                                           $dest/storage
+    cp IOBDStorageFamily-*/IOBDMediaBSDClient.h                                  $dest/storage
+    cp IOBDStorageFamily-*/IOBDTypes.h                                           $dest/storage
+    cp IOStorageFamily-*/IOBlockStorageDevice.h                                  $dest/storage
+    cp IOStorageFamily-*/IOBlockStorageDriver.h                                  $dest/storage
+    cp IOCDStorageFamily-*/IOCDBlockStorageDevice.h                              $dest/storage
+    cp IOCDStorageFamily-*/IOCDMedia.h                                           $dest/storage
+    cp IOCDStorageFamily-*/IOCDMediaBSDClient.h                                  $dest/storage
+    cp IOCDStorageFamily-*/IOCDPartitionScheme.h                                 $dest/storage
+    cp IOCDStorageFamily-*/IOCDTypes.h                                           $dest/storage
+    cp IODVDStorageFamily-*/IODVDBlockStorageDevice.h                            $dest/storage
+    cp IODVDStorageFamily-*/IODVDMedia.h                                         $dest/storage
+    cp IODVDStorageFamily-*/IODVDMediaBSDClient.h                                $dest/storage
+    cp IODVDStorageFamily-*/IODVDTypes.h                                         $dest/storage
+    cp IOStorageFamily-*/IOFDiskPartitionScheme.h                                $dest/storage
+    cp IOStorageFamily-*/IOFilterScheme.h                                        $dest/storage
+    cp IOFireWireSerialBusProtocolTransport-*/IOFireWireStorageCharacteristics.h $dest/storage
+    cp IOStorageFamily-*/IOGUIDPartitionScheme.h                                 $dest/storage
+    cp IOStorageFamily-*/IOMedia.h                                               $dest/storage
+    cp IOStorageFamily-*/IOMediaBSDClient.h                                      $dest/storage
+    cp IOStorageFamily-*/IOPartitionScheme.h                                     $dest/storage
+    cp IOStorageFamily-*/IOStorage.h                                             $dest/storage
+    cp IOStorageFamily-*/IOStorageCardCharacteristics.h                          $dest/storage
+    cp IOStorageFamily-*/IOStorageDeviceCharacteristics.h                        $dest/storage
+    cp IOStorageFamily-*/IOStorageProtocolCharacteristics.h                      $dest/storage
+
+    # stream: missing altogether
+
+    # usb: complete
+    cp IOUSBFamily*-630.4.5/IOUSBFamily/Headers/IOUSBLib.h            $dest/usb
+    cp IOUSBFamily*-630.4.5/IOUSBUserClient/Headers/IOUSBUserClient.h $dest/usb
+    cp IOUSBFamily*-560.4.2/IOUSBFamily/Headers/USB.h                 $dest/usb # This file is empty in 630.4.5!
+    cp IOUSBFamily*-630.4.5/IOUSBFamily/Headers/USBSpec.h             $dest/usb
+
+    # video: missing altogether
+  '';
+
+  meta = with lib; {
+    maintainers = with maintainers; [ copumpkin ];
+    platforms   = platforms.darwin;
+    license     = licenses.apsl20;
+  };
+}
diff --git a/nixpkgs/pkgs/os-specific/darwin/apple-source-releases/Libc/0001-Define-TARGET_OS_EMBEDDED-in-std-lib-io-if-not-defin.patch b/nixpkgs/pkgs/os-specific/darwin/apple-source-releases/Libc/0001-Define-TARGET_OS_EMBEDDED-in-std-lib-io-if-not-defin.patch
new file mode 100644
index 000000000000..2ba67734c544
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/darwin/apple-source-releases/Libc/0001-Define-TARGET_OS_EMBEDDED-in-std-lib-io-if-not-defin.patch
@@ -0,0 +1,47 @@
+From 187d0e8847d080790b22724352e51de50d214dd8 Mon Sep 17 00:00:00 2001
+From: toonn <toonn@toonn.io>
+Date: Tue, 27 Jul 2021 15:12:14 +0200
+Subject: [PATCH] Define TARGET_OS_EMBEDDED in std{lib,io} if not defined
+
+Originally attempted including `TargetConditionals.h` but this had
+knock-on effects, for example, breaking the zlib build because of
+`TARGET_OS_MAC` getting defined.
+
+This should be the lowest impact solution and corresponds to the default
+behavior IIUC.
+---
+ include/stdio.h  | 3 +++
+ include/stdlib.h | 3 +++
+ 2 files changed, 6 insertions(+)
+
+diff --git a/include/stdio.h b/include/stdio.h
+index d0cf7a5..487496e 100644
+--- a/include/stdio.h
++++ b/include/stdio.h
+@@ -351,6 +351,9 @@ __END_DECLS
+ /* Additional functionality provided by:
+  * POSIX.2-1992 C Language Binding Option
+  */
++#ifndef TARGET_OS_EMBEDDED
++#  define TARGET_OS_EMBEDDED 0
++#endif
+ #if TARGET_OS_EMBEDDED
+ #define __swift_unavailable_on(osx_msg, ios_msg) __swift_unavailable(ios_msg)
+ #else
+diff --git a/include/stdlib.h b/include/stdlib.h
+index c04d3a7..0b454ba 100644
+--- a/include/stdlib.h
++++ b/include/stdlib.h
+@@ -183,6 +183,9 @@ unsigned long long
+ #ifndef LIBC_ALIAS_SYSTEM
+ //End-Libc
+ 
++#ifndef TARGET_OS_EMBEDDED
++#  define TARGET_OS_EMBEDDED 0
++#endif
+ #if TARGET_OS_EMBEDDED
+ #define __swift_unavailable_on(osx_msg, ios_msg) __swift_unavailable(ios_msg)
+ #else
+-- 
+2.17.2 (Apple Git-113)
+
diff --git a/nixpkgs/pkgs/os-specific/darwin/apple-source-releases/Libc/CrashReporterClient.h b/nixpkgs/pkgs/os-specific/darwin/apple-source-releases/Libc/CrashReporterClient.h
new file mode 100644
index 000000000000..a1cbb72b9176
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/darwin/apple-source-releases/Libc/CrashReporterClient.h
@@ -0,0 +1,51 @@
+/*
+ * Copyright (c) 2010 Apple Inc. All rights reserved.
+ *
+ * @APPLE_LICENSE_HEADER_START@
+ *
+ * This file contains Original Code and/or Modifications of Original Code
+ * as defined in and that are subject to the Apple Public Source License
+ * Version 2.0 (the 'License'). You may not use this file except in
+ * compliance with the License. Please obtain a copy of the License at
+ * http://www.opensource.apple.com/apsl/ and read it before using this
+ * file.
+ *
+ * The Original Code and all software distributed under the License are
+ * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
+ * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
+ * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
+ * Please see the License for the specific language governing rights and
+ * limitations under the License.
+ *
+ * @APPLE_LICENSE_HEADER_END@
+ */
+
+/***********************************************************************
+ * Not to be installed in /usr/local/include
+ ***********************************************************************/
+
+#ifndef _LIBC_CRASHREPORTERCLIENT_H
+#define _LIBC_CRASHREPORTERCLIENT_H
+
+#include "stdint.h"
+
+/* Fake the CrashReporterClient API */
+#define CRGetCrashLogMessage() 0
+#define CRSetCrashLogMessage(m) true
+
+#define CRASH_REPORTER_CLIENT_HIDDEN __attribute__((visibility("hidden")))
+#define CRASHREPORTER_ANNOTATIONS_VERSION 4
+#define CRASHREPORTER_ANNOTATIONS_SECTION "__crash_info"
+
+struct crashreporter_annotations_t {
+	uint64_t version;		// unsigned long
+	uint64_t message;		// char *
+	uint64_t signature_string;	// char *
+	uint64_t backtrace;		// char *
+	uint64_t message2;		// char *
+	uint64_t thread;		// uint64_t
+	uint64_t dialog_mode;		// unsigned int
+};
+
+#endif
diff --git a/nixpkgs/pkgs/os-specific/darwin/apple-source-releases/Libc/default.nix b/nixpkgs/pkgs/os-specific/darwin/apple-source-releases/Libc/default.nix
new file mode 100644
index 000000000000..6ff3cec2f1eb
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/darwin/apple-source-releases/Libc/default.nix
@@ -0,0 +1,23 @@
+{ appleDerivation', stdenvNoCC, ed, unifdef, Libc_10-9 }:
+
+appleDerivation' stdenvNoCC {
+  nativeBuildInputs = [ ed unifdef ];
+
+  patches = [
+    ./0001-Define-TARGET_OS_EMBEDDED-in-std-lib-io-if-not-defin.patch
+  ];
+
+  installPhase = ''
+    export SRCROOT=$PWD
+    export DSTROOT=$out
+    export PUBLIC_HEADERS_FOLDER_PATH=include
+    export PRIVATE_HEADERS_FOLDER_PATH=include
+    bash xcodescripts/headers.sh
+
+    cp ${./CrashReporterClient.h} $out/include/CrashReporterClient.h
+
+    cp ${Libc_10-9}/include/NSSystemDirectories.h $out/include
+  '';
+
+  appleHeaders = builtins.readFile ./headers.txt;
+}
diff --git a/nixpkgs/pkgs/os-specific/darwin/apple-source-releases/Libc/headers.txt b/nixpkgs/pkgs/os-specific/darwin/apple-source-releases/Libc/headers.txt
new file mode 100644
index 000000000000..c7cad6343d8a
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/darwin/apple-source-releases/Libc/headers.txt
@@ -0,0 +1,125 @@
+CrashReporterClient.h
+NSSystemDirectories.h
+_locale.h
+_types.h
+_types/_intmax_t.h
+_types/_nl_item.h
+_types/_uint16_t.h
+_types/_uint32_t.h
+_types/_uint64_t.h
+_types/_uint8_t.h
+_types/_uintmax_t.h
+_types/_wctrans_t.h
+_types/_wctype_t.h
+_wctype.h
+_xlocale.h
+aio.h
+alloca.h
+ar.h
+arpa/ftp.h
+arpa/inet.h
+arpa/nameser_compat.h
+arpa/telnet.h
+arpa/tftp.h
+assert.h
+bitstring.h
+cpio.h
+crt_externs.h
+ctype.h
+db.h
+dirent.h
+disktab.h
+err.h
+errno.h
+execinfo.h
+fcntl.h
+fmtmsg.h
+fnmatch.h
+fsproperties.h
+fstab.h
+fts.h
+ftw.h
+get_compat.h
+getopt.h
+glob.h
+inttypes.h
+iso646.h
+langinfo.h
+libc.h
+libc_private.h
+libgen.h
+limits.h
+locale.h
+memory.h
+monetary.h
+monitor.h
+mpool.h
+msgcat.h
+ndbm.h
+nl_types.h
+nlist.h
+os/assumes.h
+os/debug_private.h
+paths.h
+poll.h
+printf.h
+protocols/routed.h
+protocols/rwhod.h
+protocols/talkd.h
+protocols/timed.h
+ranlib.h
+readpassphrase.h
+regex.h
+runetype.h
+search.h
+secure/_common.h
+secure/_stdio.h
+secure/_string.h
+semaphore.h
+sgtty.h
+signal.h
+stab.h
+standards.h
+stddef.h
+stdint.h
+stdio.h
+stdlib.h
+strhash.h
+string.h
+stringlist.h
+strings.h
+struct.h
+sys/acl.h
+sys/rbtree.h
+sys/statvfs.h
+sysexits.h
+syslog.h
+tar.h
+termios.h
+time.h
+timeconv.h
+ttyent.h
+tzfile.h
+ulimit.h
+unistd.h
+util.h
+utime.h
+utmpx.h
+utmpx_thread.h
+vis.h
+wchar.h
+wctype.h
+wordexp.h
+xlocale.h
+xlocale/__wctype.h
+xlocale/_ctype.h
+xlocale/_inttypes.h
+xlocale/_langinfo.h
+xlocale/_monetary.h
+xlocale/_regex.h
+xlocale/_stdio.h
+xlocale/_stdlib.h
+xlocale/_string.h
+xlocale/_time.h
+xlocale/_wchar.h
+xlocale/_wctype.h
diff --git a/nixpkgs/pkgs/os-specific/darwin/apple-source-releases/Libinfo/default.nix b/nixpkgs/pkgs/os-specific/darwin/apple-source-releases/Libinfo/default.nix
new file mode 100644
index 000000000000..789e536b8a7f
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/darwin/apple-source-releases/Libinfo/default.nix
@@ -0,0 +1,50 @@
+{ appleDerivation', stdenvNoCC }:
+
+appleDerivation' stdenvNoCC {
+  installPhase = ''
+    substituteInPlace xcodescripts/install_files.sh \
+      --replace "/usr/local/" "/" \
+      --replace "/usr/" "/" \
+      --replace '-o "$INSTALL_OWNER" -g "$INSTALL_GROUP"' "" \
+      --replace "ln -h" "ln -n"
+
+    export DSTROOT=$out
+    sh xcodescripts/install_files.sh
+  '';
+
+  appleHeaders = ''
+    aliasdb.h
+    bootparams.h
+    configuration_profile.h
+    grp.h
+    ifaddrs.h
+    ils.h
+    kvbuf.h
+    libinfo.h
+    libinfo_muser.h
+    membership.h
+    membershipPriv.h
+    netdb.h
+    netdb_async.h
+    ntsid.h
+    printerdb.h
+    pwd.h
+    rpc/auth.h
+    rpc/auth_unix.h
+    rpc/clnt.h
+    rpc/pmap_clnt.h
+    rpc/pmap_prot.h
+    rpc/pmap_rmt.h
+    rpc/rpc.h
+    rpc/rpc_msg.h
+    rpc/svc.h
+    rpc/svc_auth.h
+    rpc/types.h
+    rpc/xdr.h
+    rpcsvc/yp_prot.h
+    rpcsvc/ypclnt.h
+    si_data.h
+    si_module.h
+    thread_data.h
+  '';
+}
diff --git a/nixpkgs/pkgs/os-specific/darwin/apple-source-releases/Libm/default.nix b/nixpkgs/pkgs/os-specific/darwin/apple-source-releases/Libm/default.nix
new file mode 100644
index 000000000000..931bebeae5dd
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/darwin/apple-source-releases/Libm/default.nix
@@ -0,0 +1,18 @@
+{ appleDerivation', stdenvNoCC }:
+
+appleDerivation' stdenvNoCC {
+  patches = [
+    # The source release version of math.h is missing some symbols that are actually present
+    # in newer SDKs. Patch them into the header to avoid implicit function declaration errors
+    # when compiling with newer versions of clang.
+    ./missing-declarations.patch
+  ];
+
+  installPhase = ''
+    mkdir -p $out/include
+
+    cp Source/Intel/math.h $out/include
+    cp Source/Intel/fenv.h $out/include
+    cp Source/complex.h    $out/include
+  '';
+}
diff --git a/nixpkgs/pkgs/os-specific/darwin/apple-source-releases/Libm/missing-declarations.patch b/nixpkgs/pkgs/os-specific/darwin/apple-source-releases/Libm/missing-declarations.patch
new file mode 100644
index 000000000000..e56934e59d4c
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/darwin/apple-source-releases/Libm/missing-declarations.patch
@@ -0,0 +1,292 @@
+--- a/Source/Intel/math.h	2023-10-20 09:43:42.640416006 -0400
++++ b/Source/Intel/math.h	2023-10-20 09:47:59.743127003 -0400
+@@ -1,5 +1,5 @@
+ /*
+- * Copyright (c) 2002 Apple Computer, Inc. All rights reserved.
++ * Copyright (c) 2002-2015 Apple Inc. All rights reserved.
+  *
+  * @APPLE_LICENSE_HEADER_START@
+  * 
+@@ -27,14 +27,17 @@
+ *     Contains: typedefs, prototypes, and macros germane to C99 floating point.*
+ *                                                                              *
+ *******************************************************************************/
++#ifndef __MATH_H__
++#define __MATH_H__
++
+ #ifndef __MATH__
+ #define __MATH__
++#endif
+ 
+-#include <sys/cdefs.h> /* For definition of __DARWIN_UNIX03 et al */
++#include <sys/cdefs.h>
++#include <Availability.h>
+ 
+-#ifdef __cplusplus
+-extern "C" {
+-#endif
++__BEGIN_DECLS
+ 
+ /******************************************************************************
+ *       Floating point data types                                             *
+@@ -87,14 +90,26 @@
+ #define FP_SUBNORMAL    5
+ #define FP_SUPERNORMAL  6 /* meaningful only on PowerPC */
+ 
+-/* fma() *function call* is more costly than equivalent (in-line) multiply and add operations    */
+-/* For single and double precision, the cost isn't too bad, because we can fall back on higher   */
+-/* precision hardware, with the necessary range to handle infinite precision products. However,  */
+-/* expect the long double fma to be at least an order of magnitude slower than a simple multiply */
+-/* and an add.                                                                                   */
+-#undef FP_FAST_FMA
+-#undef FP_FAST_FMAF
+-#undef FP_FAST_FMAL
++#if defined __arm64__ || defined __ARM_VFPV4__
++/*  On these architectures, fma(), fmaf( ), and fmal( ) are generally about as
++    fast as (or faster than) separate multiply and add of the same operands.  */
++#   define FP_FAST_FMA     1
++#   define FP_FAST_FMAF    1
++#   define FP_FAST_FMAL    1
++#elif (defined __i386__ || defined __x86_64__) && (defined __FMA__)
++/*  When targeting the FMA ISA extension, fma() and fmaf( ) are generally
++    about as fast as (or faster than) separate multiply and add of the same
++    operands, but fmal( ) may be more costly.                                 */
++#   define FP_FAST_FMA     1
++#   define FP_FAST_FMAF    1
++#   undef  FP_FAST_FMAL
++#else
++/*  On these architectures, fma( ), fmaf( ), and fmal( ) function calls are
++    significantly more costly than separate multiply and add operations.      */
++#   undef  FP_FAST_FMA
++#   undef  FP_FAST_FMAF
++#   undef  FP_FAST_FMAL
++#endif
+ 
+ /* The values returned by `ilogb' for 0 and NaN respectively. */
+ #define FP_ILOGB0	(-2147483647 - 1)
+@@ -191,6 +206,23 @@
+ 	static __inline__  int __inline_isnormalf( float __x ) { float fabsf = __builtin_fabsf(__x); if( __x != __x ) return 0; return fabsf < __builtin_inff() && fabsf >= __FLT_MIN__; }  
+ 	static __inline__  int __inline_isnormald( double __x ) { double fabsf = __builtin_fabs(__x); if( __x != __x ) return 0; return fabsf < __builtin_inf() && fabsf >= __DBL_MIN__; }  
+ 	static __inline__  int __inline_isnormal( long double __x ) { long double fabsf = __builtin_fabsl(__x); if( __x != __x ) return 0; return fabsf < __builtin_infl() && fabsf >= __LDBL_MIN__; }  
++
++#if defined __i386__ || defined __x86_64__
++__header_always_inline int __inline_signbitl(long double __x) {
++    union {
++        long double __ld;
++        struct{ unsigned long long __m; unsigned short __sexp; } __p;
++    } __u;
++    __u.__ld = __x;
++    return (int)(__u.__p.__sexp >> 15);
++}
++#else
++__header_always_inline int __inline_signbitl(long double __x) {
++    union { long double __f; unsigned long long __u;} __u;
++    __u.__f = __x;
++    return (int)(__u.__u >> 63);
++}
++#endif
+ 	
+ #else
+ 
+@@ -509,7 +541,112 @@
+ extern long double  __infl( void );
+ extern float  		__nan( void ); /* 10.3 (and later) must retain in ABI for backward compatability */
+ 
+-#if !defined(_ANSI_SOURCE)
++
++/******************************************************************************
++ *  Apple extensions to the C standard                                        *
++ ******************************************************************************/
++
++/*  Because these functions are not specified by any relevant standard, they
++    are prefixed with __, which places them in the implementor's namespace, so
++    they should not conflict with any developer or third-party code.  If they
++    are added to a relevant standard in the future, un-prefixed names may be
++    added to the library and they may be moved out of this section of the
++    header.                                                                   
++ 
++    Because these functions are non-standard, they may not be available on non-
++    Apple platforms.                                                          */
++
++/*  __exp10(x) returns 10**x.  Edge cases match those of exp( ) and exp2( ).  */
++extern float __exp10f(float) __OSX_AVAILABLE_STARTING(__MAC_10_9, __IPHONE_7_0);
++extern double __exp10(double) __OSX_AVAILABLE_STARTING(__MAC_10_9, __IPHONE_7_0);
++
++/*  __sincos(x,sinp,cosp) computes the sine and cosine of x with a single
++    function call, storing the sine in the memory pointed to by sinp, and
++    the cosine in the memory pointed to by cosp. Edge cases match those of
++    separate calls to sin( ) and cos( ).                                      */
++__header_always_inline void __sincosf(float __x, float *__sinp, float *__cosp);
++__header_always_inline void __sincos(double __x, double *__sinp, double *__cosp);
++
++/*  __sinpi(x) returns the sine of pi times x; __cospi(x) and __tanpi(x) return
++    the cosine and tangent, respectively.  These functions can produce a more
++    accurate answer than expressions of the form sin(M_PI * x) because they
++    avoid any loss of precision that results from rounding the result of the
++    multiplication M_PI * x.  They may also be significantly more efficient in
++    some cases because the argument reduction for these functions is easier
++    to compute.  Consult the man pages for edge case details.                 */
++extern float __cospif(float) __OSX_AVAILABLE_STARTING(__MAC_10_9, __IPHONE_7_0);
++extern double __cospi(double) __OSX_AVAILABLE_STARTING(__MAC_10_9, __IPHONE_7_0);
++extern float __sinpif(float) __OSX_AVAILABLE_STARTING(__MAC_10_9, __IPHONE_7_0);
++extern double __sinpi(double) __OSX_AVAILABLE_STARTING(__MAC_10_9, __IPHONE_7_0);
++extern float __tanpif(float) __OSX_AVAILABLE_STARTING(__MAC_10_9, __IPHONE_7_0);
++extern double __tanpi(double) __OSX_AVAILABLE_STARTING(__MAC_10_9, __IPHONE_7_0);
++
++#if (defined __MAC_OS_X_VERSION_MIN_REQUIRED && __MAC_OS_X_VERSION_MIN_REQUIRED < 1090) || \
++    (defined __IPHONE_OS_VERSION_MIN_REQUIRED && __IPHONE_OS_VERSION_MIN_REQUIRED < 70000)
++/*  __sincos and __sincosf were introduced in OSX 10.9 and iOS 7.0.  When
++    targeting an older system, we simply split them up into discrete calls
++    to sin( ) and cos( ).                                                     */
++__header_always_inline void __sincosf(float __x, float *__sinp, float *__cosp) {
++  *__sinp = sinf(__x);
++  *__cosp = cosf(__x);
++}
++
++__header_always_inline void __sincos(double __x, double *__sinp, double *__cosp) {
++  *__sinp = sin(__x);
++  *__cosp = cos(__x);
++}
++#else
++/*  __sincospi(x,sinp,cosp) computes the sine and cosine of pi times x with a
++    single function call, storing the sine in the memory pointed to by sinp,
++    and the cosine in the memory pointed to by cosp.  Edge cases match those
++    of separate calls to __sinpi( ) and __cospi( ), and are documented in the
++    man pages.
++ 
++    These functions were introduced in OSX 10.9 and iOS 7.0.  Because they are
++    implemented as header inlines, weak-linking does not function as normal,
++    and they are simply hidden when targeting earlier OS versions.            */
++__header_always_inline void __sincospif(float __x, float *__sinp, float *__cosp);
++__header_always_inline void __sincospi(double __x, double *__sinp, double *__cosp);
++
++/*  Implementation details of __sincos and __sincospi allowing them to return
++    two results while allowing the compiler to optimize away unnecessary load-
++    store traffic.  Although these interfaces are exposed in the math.h header
++    to allow compilers to generate better code, users should call __sincos[f]
++    and __sincospi[f] instead and allow the compiler to emit these calls.     */
++struct __float2 { float __sinval; float __cosval; };
++struct __double2 { double __sinval; double __cosval; };
++
++extern struct __float2 __sincosf_stret(float);
++extern struct __double2 __sincos_stret(double);
++extern struct __float2 __sincospif_stret(float);
++extern struct __double2 __sincospi_stret(double);
++
++__header_always_inline void __sincosf(float __x, float *__sinp, float *__cosp) {
++    const struct __float2 __stret = __sincosf_stret(__x);
++    *__sinp = __stret.__sinval; *__cosp = __stret.__cosval;
++}
++
++__header_always_inline void __sincos(double __x, double *__sinp, double *__cosp) {
++    const struct __double2 __stret = __sincos_stret(__x);
++    *__sinp = __stret.__sinval; *__cosp = __stret.__cosval;
++}
++
++__header_always_inline void __sincospif(float __x, float *__sinp, float *__cosp) {
++    const struct __float2 __stret = __sincospif_stret(__x);
++    *__sinp = __stret.__sinval; *__cosp = __stret.__cosval;
++}
++
++__header_always_inline void __sincospi(double __x, double *__sinp, double *__cosp) {
++    const struct __double2 __stret = __sincospi_stret(__x);
++    *__sinp = __stret.__sinval; *__cosp = __stret.__cosval;
++}
++#endif
++
++/******************************************************************************
++ *  POSIX/UNIX extensions to the C standard                                   *
++ ******************************************************************************/
++
++#if __DARWIN_C_LEVEL >= 199506L
+ extern double j0 ( double );
+ 
+ extern double j1 ( double );
+@@ -543,14 +680,32 @@
+ extern int signgam;     /* required for unix 2003 */
+ 
+ 
+-#endif /* !defined(_ANSI_SOURCE) */
++#endif /* __DARWIN_C_LEVEL >= 199506L */
+ 
+-#if !defined(__NOEXTENSIONS__) && (!defined(_POSIX_C_SOURCE) || defined(_DARWIN_C_SOURCE))
+-#define __WANT_EXTENSIONS__
+-#endif
++/*  Long-double versions of M_E, etc for convenience on Intel where long-
++    double is not the same as double.  Define __MATH_LONG_DOUBLE_CONSTANTS
++    to make these constants available.                                        */
++#if defined __MATH_LONG_DOUBLE_CONSTANTS
++#define M_El        0xa.df85458a2bb4a9bp-2L
++#define M_LOG2El    0xb.8aa3b295c17f0bcp-3L
++#define M_LOG10El   0xd.e5bd8a937287195p-5L
++#define M_LN2l      0xb.17217f7d1cf79acp-4L
++#define M_LN10l     0x9.35d8dddaaa8ac17p-2L
++#define M_PIl       0xc.90fdaa22168c235p-2L
++#define M_PI_2l     0xc.90fdaa22168c235p-3L
++#define M_PI_4l     0xc.90fdaa22168c235p-4L
++#define M_1_PIl     0xa.2f9836e4e44152ap-5L
++#define M_2_PIl     0xa.2f9836e4e44152ap-4L
++#define M_2_SQRTPIl 0x9.06eba8214db688dp-3L
++#define M_SQRT2l    0xb.504f333f9de6484p-3L
++#define M_SQRT1_2l  0xb.504f333f9de6484p-4L
++#endif /* defined __MATH_LONG_DOUBLE_CONSTANTS */
+ 
+-#ifdef __WANT_EXTENSIONS__
++/******************************************************************************
++ *  Legacy BSD extensions to the C standard                                   *
++ ******************************************************************************/
+ 
++#if __DARWIN_C_LEVEL >= __DARWIN_C_FULL
+ #define FP_SNAN		FP_NAN
+ #define FP_QNAN		FP_NAN
+ 
+@@ -560,11 +715,6 @@
+ /* Legacy API: please use C99 lround() instead. */
+ extern long int roundtol ( double );
+ 
+-/*
+- * XOPEN/SVID
+- */
+-#if !defined(_ANSI_SOURCE) && (!defined(_POSIX_C_SOURCE) || defined(_DARWIN_C_SOURCE))
+-#if (!defined(_XOPEN_SOURCE) || defined(_DARWIN_C_SOURCE))
+ #if !defined(__cplusplus)
+ /* used by matherr below */
+ struct exception {
+@@ -592,19 +742,12 @@
+ #define	TLOSS		5
+ #define	PLOSS		6
+ 
+-#endif /* (!_XOPEN_SOURCE || _DARWIN_C_SOURCE) */
+-#endif /* !_ANSI_SOURCE && (!_POSIX_C_SOURCE || _DARWIN_C_SOURCE) */
+-
+-#if !defined( __STRICT_ANSI__) && !defined(_ANSI_SOURCE) && (!defined(_POSIX_C_SOURCE) || defined(_DARWIN_C_SOURCE))
+-    
+ /* Legacy API: please use C99 isfinite() instead. */
+ extern int finite ( double );
+     
+ /* Legacy API: please use C99 tgamma() instead. */
+ extern double gamma ( double );
+ 
+-#if (!defined(_XOPEN_SOURCE) || defined(_DARWIN_C_SOURCE))
+-
+ #if !defined(__cplusplus)
+ extern int matherr ( struct exception * );
+ #endif
+@@ -633,14 +776,8 @@
+ 	extern double lgamma_r ( double, int * ) AVAILABLE_MAC_OS_X_VERSION_10_6_AND_LATER;
+ 	extern long double lgammal_r ( long double, int * ) AVAILABLE_MAC_OS_X_VERSION_10_6_AND_LATER;
+ #endif /* _REENTRANT */
+-	
+-#endif /* (!_XOPEN_SOURCE || _DARWIN_C_SOURCE) */
+-#endif /* !_ANSI_SOURCE && (!_POSIX_C_SOURCE || _DARWIN_C_SOURCE) */
+-
+-#endif /* __WANT_EXTENSIONS__ */
+ 
+-#ifdef __cplusplus
+-}
+-#endif
++#endif /* __DARWIN_C_LEVEL >= __DARWIN_C_FULL */
+ 
+-#endif /* __MATH__ */
++__END_DECLS
++#endif /* __MATH_H__ */
diff --git a/nixpkgs/pkgs/os-specific/darwin/apple-source-releases/Libnotify/default.nix b/nixpkgs/pkgs/os-specific/darwin/apple-source-releases/Libnotify/default.nix
new file mode 100644
index 000000000000..969e64427c9b
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/darwin/apple-source-releases/Libnotify/default.nix
@@ -0,0 +1,9 @@
+{ appleDerivation', stdenvNoCC }:
+
+appleDerivation' stdenvNoCC {
+  installPhase = ''
+    mkdir -p $out/include
+    cp notify.h      $out/include
+    cp notify_keys.h $out/include
+  '';
+}
diff --git a/nixpkgs/pkgs/os-specific/darwin/apple-source-releases/Librpcsvc/default.nix b/nixpkgs/pkgs/os-specific/darwin/apple-source-releases/Librpcsvc/default.nix
new file mode 100644
index 000000000000..1bf6396d47fd
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/darwin/apple-source-releases/Librpcsvc/default.nix
@@ -0,0 +1,22 @@
+{ lib, appleDerivation, developer_cmds }:
+
+appleDerivation {
+  buildInputs = [ developer_cmds ];
+
+  installPhase = ''
+    export DSTROOT=$out
+    export SRCROOT=$PWD
+    export OBJROOT=$PWD
+
+    . ./xcodescripts/install_rpcsvc.sh
+
+    mv $out/usr/* $out
+    rmdir $out/usr/
+  '';
+
+  meta = with lib; {
+    maintainers = with maintainers; [ matthewbauer ];
+    platforms   = platforms.darwin;
+    license     = licenses.apsl20;
+  };
+}
diff --git a/nixpkgs/pkgs/os-specific/darwin/apple-source-releases/Libsystem/default.nix b/nixpkgs/pkgs/os-specific/darwin/apple-source-releases/Libsystem/default.nix
new file mode 100644
index 000000000000..c9cc99a6550e
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/darwin/apple-source-releases/Libsystem/default.nix
@@ -0,0 +1,186 @@
+{ lib, stdenv, buildPackages, fetchzip, fetchFromGitHub
+, appleDerivation', xnu, Libc, Libm, libdispatch, Libinfo
+, dyld, Csu, architecture, libclosure, CarbonHeaders, ncurses, CommonCrypto
+, copyfile, removefile, libresolvHeaders, libresolv, Libnotify, libmalloc, libplatform, libpthread
+, mDNSResponder, launchd, libutilHeaders, hfsHeaders, darwin-stubs
+, headersOnly ? false
+, withLibresolv ? !headersOnly
+}:
+
+let
+  darling.src = fetchzip {
+    url = "https://github.com/darlinghq/darling/archive/d2cc5fa748003aaa70ad4180fff0a9a85dc65e9b.tar.gz";
+    sha256 = "11b51fw47nl505h63bgx5kqiyhf3glhp1q6jkpb6nqfislnzzkrf";
+    postFetch = ''
+      # The archive contains both `src/opendirectory` and `src/OpenDirectory`,
+      # pre-create the directory to choose the canonical case on
+      # case-insensitive filesystems.
+      mkdir -p $out/src/OpenDirectory
+
+      cd $out
+      tar -xzf $downloadedFile --strip-components=1
+      rm -r $out/src/libm
+
+      # If `src/opendirectory` and `src/OpenDirectory` refer to different
+      # things, then combine them into `src/OpenDirectory` to match the result
+      # on case-insensitive filesystems.
+      if [ "$(stat -c %i src/opendirectory)" != "$(stat -c %i src/OpenDirectory)" ]; then
+        mv src/opendirectory/* src/OpenDirectory/
+        rmdir src/opendirectory
+      fi
+    '';
+  };
+
+  # Libsystem needs `asl.h` from syslog. This is the version corresponding to the 10.12 SDK
+  # source release, but it hasn’t changed in newer versions.
+  syslog.src = fetchFromGitHub {
+    owner = "apple-oss-distributions";
+    repo = "syslog";
+    rev = "syslog-349.50.5";
+    hash = "sha256-tXLW/TNsluhO1X9Rv3FANyzyOe5TE/hZz0gVo7JGvHA=";
+  };
+in
+appleDerivation' stdenv {
+  dontBuild = true;
+  dontFixup = true;
+
+  installPhase = ''
+    export NIX_ENFORCE_PURITY=
+
+    mkdir -p $out/lib $out/include
+
+    function copyHierarchy () {
+      mkdir -p $1
+      while read f; do
+        mkdir -p $1/$(dirname $f)
+        cp --parents -pn $f $1
+      done
+    }
+
+    # Set up our include directories
+    (cd ${xnu}/include && find . -name '*.h' -or -name '*.defs' | copyHierarchy $out/include)
+    cp ${xnu}/Library/Frameworks/Kernel.framework/Versions/A/Headers/Availability*.h $out/include
+    cp ${xnu}/Library/Frameworks/Kernel.framework/Versions/A/Headers/stdarg.h        $out/include
+
+    for dep in ${Libc} ${Libm} ${Libinfo} ${dyld} ${architecture} \
+               ${libclosure} ${CarbonHeaders} ${libdispatch} ${ncurses.dev} \
+               ${CommonCrypto} ${copyfile} ${removefile} ${libresolvHeaders} \
+               ${Libnotify} ${libplatform} ${mDNSResponder} ${launchd} \
+               ${libutilHeaders} ${libmalloc} ${libpthread} ${hfsHeaders}; do
+      (cd $dep/include && find . -name '*.h' | copyHierarchy $out/include)
+    done
+
+    (cd ${buildPackages.darwin.cctools.dev}/include/mach-o && find . -name '*.h' | copyHierarchy $out/include/mach-o)
+
+    for header in pthread.h pthread_impl.h pthread_spis.h sched.h; do
+      ln -s "$out/include/pthread/$header" "$out/include/$header"
+    done
+
+    # Copy `asl.h` from the syslog sources since it is no longer provided as part of Libc.
+    cp ${syslog.src}/libsystem_asl.tproj/include/asl.h $out/include
+
+    mkdir -p $out/include/os
+
+    cp ${darling.src}/src/libc/os/activity.h $out/include/os
+    cp ${darling.src}/src/libc/os/log.h $out/include/os
+    cp ${darling.src}/src/duct/include/os/trace.h $out/include/os
+
+    cat <<EOF > $out/include/os/availability.h
+    #ifndef __OS_AVAILABILITY__
+    #define __OS_AVAILABILITY__
+    #include <AvailabilityInternal.h>
+
+    #if defined(__has_feature) && defined(__has_attribute) && __has_attribute(availability)
+      #define API_AVAILABLE(...) __API_AVAILABLE_GET_MACRO(__VA_ARGS__, __API_AVAILABLE4, __API_AVAILABLE3, __API_AVAILABLE2, __API_AVAILABLE1)(__VA_ARGS__)
+      #define API_DEPRECATED(...) __API_DEPRECATED_MSG_GET_MACRO(__VA_ARGS__, __API_DEPRECATED_MSG5, __API_DEPRECATED_MSG4, __API_DEPRECATED_MSG3, __API_DEPRECATED_MSG2, __API_DEPRECATED_MSG1)(__VA_ARGS__)
+      #define API_DEPRECATED_WITH_REPLACEMENT(...) __API_DEPRECATED_REP_GET_MACRO(__VA_ARGS__, __API_DEPRECATED_REP5, __API_DEPRECATED_REP4, __API_DEPRECATED_REP3, __API_DEPRECATED_REP2, __API_DEPRECATED_REP1)(__VA_ARGS__)
+      #define API_UNAVAILABLE(...) __API_UNAVAILABLE_GET_MACRO(__VA_ARGS__, __API_UNAVAILABLE3, __API_UNAVAILABLE2, __API_UNAVAILABLE1)(__VA_ARGS__)
+    #else
+
+      #define API_AVAILABLE(...)
+      #define API_DEPRECATED(...)
+      #define API_DEPRECATED_WITH_REPLACEMENT(...)
+      #define API_UNAVAILABLE(...)
+
+    #endif
+    #endif
+    EOF
+
+    cat <<EOF > $out/include/TargetConditionals.h
+    #ifndef __TARGETCONDITIONALS__
+    #define __TARGETCONDITIONALS__
+    #define TARGET_OS_MAC               1
+    #define TARGET_OS_WIN32             0
+    #define TARGET_OS_UNIX              0
+    #define TARGET_OS_OSX               1
+    #define TARGET_OS_IPHONE            0
+    #define TARGET_OS_IOS               0
+    #define TARGET_OS_WATCH             0
+    #define TARGET_OS_BRIDGE            0
+    #define TARGET_OS_TV                0
+    #define TARGET_OS_SIMULATOR         0
+    #define TARGET_OS_EMBEDDED          0
+    #define TARGET_OS_EMBEDDED_OTHER    0 /* Used in configd */
+    #define TARGET_IPHONE_SIMULATOR     TARGET_OS_SIMULATOR /* deprecated */
+    #define TARGET_OS_NANO              TARGET_OS_WATCH /* deprecated */
+    #define TARGET_OS_LINUX             0
+
+    #define TARGET_CPU_PPC          0
+    #define TARGET_CPU_PPC64        0
+    #define TARGET_CPU_68K          0
+    #define TARGET_CPU_X86          0
+    #define TARGET_CPU_X86_64       1
+    #define TARGET_CPU_ARM          0
+    #define TARGET_CPU_ARM64        0
+    #define TARGET_CPU_MIPS         0
+    #define TARGET_CPU_SPARC        0
+    #define TARGET_CPU_ALPHA        0
+    #define TARGET_RT_MAC_CFM       0
+    #define TARGET_RT_MAC_MACHO     1
+    #define TARGET_RT_LITTLE_ENDIAN 1
+    #define TARGET_RT_BIG_ENDIAN    0
+    #define TARGET_RT_64_BIT        1
+    #endif  /* __TARGETCONDITIONALS__ */
+    EOF
+  '' + lib.optionalString (!headersOnly) ''
+
+    # The startup object files
+    cp ${Csu}/lib/* $out/lib
+
+    cp -vr \
+      ${darwin-stubs}/usr/lib/libSystem.B.tbd \
+      ${darwin-stubs}/usr/lib/system \
+      $out/lib
+
+    substituteInPlace $out/lib/libSystem.B.tbd \
+      --replace "/usr/lib/system/" "$out/lib/system/"
+    ln -s libSystem.B.tbd $out/lib/libSystem.tbd
+
+    # Set up links to pretend we work like a conventional unix (Apple's design, not mine!)
+    for name in c dbm dl info m mx poll proc pthread rpcsvc util gcc_s.10.4 gcc_s.10.5; do
+      ln -s libSystem.tbd $out/lib/lib$name.tbd
+    done
+  '' + lib.optionalString withLibresolv ''
+
+    # This probably doesn't belong here, but we want to stay similar to glibc, which includes resolv internally...
+    cp ${libresolv}/lib/libresolv.9.dylib $out/lib/libresolv.9.dylib
+    resolv_libSystem=$(${stdenv.cc.bintools.targetPrefix}otool -L "$out/lib/libresolv.9.dylib" | tail -n +3 | grep -o "$NIX_STORE.*-\S*") || true
+    echo $libs
+
+    chmod +w $out/lib/libresolv.9.dylib
+    ${stdenv.cc.bintools.targetPrefix}install_name_tool \
+      -id $out/lib/libresolv.9.dylib \
+      -change "$resolv_libSystem" /usr/lib/libSystem.dylib \
+      $out/lib/libresolv.9.dylib
+    ln -s libresolv.9.dylib $out/lib/libresolv.dylib
+  '';
+
+  appleHeaders = builtins.readFile ./headers.txt;
+
+  meta = with lib; {
+    description = "The Mac OS libc/libSystem (tapi library with pure headers)";
+    maintainers = with maintainers; [ copumpkin gridaphobe ];
+    platforms   = platforms.darwin;
+    license     = licenses.apsl20;
+  };
+}
diff --git a/nixpkgs/pkgs/os-specific/darwin/apple-source-releases/Libsystem/headers.txt b/nixpkgs/pkgs/os-specific/darwin/apple-source-releases/Libsystem/headers.txt
new file mode 100644
index 000000000000..b6e608f81ebf
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/darwin/apple-source-releases/Libsystem/headers.txt
@@ -0,0 +1,1724 @@
+AssertMacros.h
+Availability.h
+AvailabilityInternal.h
+AvailabilityMacros.h
+Block.h
+Block_private.h
+CommonCrypto/CommonBaseXX.h
+CommonCrypto/CommonBigNum.h
+CommonCrypto/CommonCMACSPI.h
+CommonCrypto/CommonCRC.h
+CommonCrypto/CommonCrypto.h
+CommonCrypto/CommonCryptoError.h
+CommonCrypto/CommonCryptoPriv.h
+CommonCrypto/CommonCryptor.h
+CommonCrypto/CommonCryptorSPI.h
+CommonCrypto/CommonDH.h
+CommonCrypto/CommonDigest.h
+CommonCrypto/CommonDigestSPI.h
+CommonCrypto/CommonECCryptor.h
+CommonCrypto/CommonHMAC.h
+CommonCrypto/CommonHMacSPI.h
+CommonCrypto/CommonKeyDerivation.h
+CommonCrypto/CommonKeyDerivationSPI.h
+CommonCrypto/CommonNumerics.h
+CommonCrypto/CommonRSACryptor.h
+CommonCrypto/CommonRandom.h
+CommonCrypto/CommonRandomSPI.h
+CommonCrypto/CommonSymmetricKeywrap.h
+CommonCrypto/aes.h
+CommonCrypto/lionCompat.h
+ConditionalMacros.h
+CrashReporterClient.h
+ExtentManager.h
+MacTypes.h
+NSSystemDirectories.h
+TargetConditionals.h
+_errno.h
+_libkernel_init.h
+_locale.h
+_simple.h
+_types.h
+_types/_intmax_t.h
+_types/_nl_item.h
+_types/_uint16_t.h
+_types/_uint32_t.h
+_types/_uint64_t.h
+_types/_uint8_t.h
+_types/_uintmax_t.h
+_types/_wctrans_t.h
+_types/_wctype_t.h
+_wctype.h
+_xlocale.h
+aio.h
+aliasdb.h
+alloca.h
+ar.h
+architecture/alignment.h
+architecture/byte_order.h
+architecture/i386/alignment.h
+architecture/i386/asm_help.h
+architecture/i386/byte_order.h
+architecture/i386/cpu.h
+architecture/i386/desc.h
+architecture/i386/fpu.h
+architecture/i386/frame.h
+architecture/i386/io.h
+architecture/i386/pio.h
+architecture/i386/reg_help.h
+architecture/i386/sel.h
+architecture/i386/table.h
+architecture/i386/tss.h
+arpa/ftp.h
+arpa/inet.h
+arpa/nameser.h
+arpa/nameser_compat.h
+arpa/telnet.h
+arpa/tftp.h
+asl.h
+assert.h
+atm/atm_notification.defs
+atm/atm_types.defs
+atm/atm_types.h
+bank/bank_types.h
+bitstring.h
+bootparams.h
+bootstrap.h
+bootstrap_priv.h
+bsd/bsm/audit.h
+bsd/dev/random/randomdev.h
+bsd/i386/_limits.h
+bsd/i386/_mcontext.h
+bsd/i386/_param.h
+bsd/i386/_types.h
+bsd/i386/endian.h
+bsd/i386/limits.h
+bsd/i386/param.h
+bsd/i386/profile.h
+bsd/i386/signal.h
+bsd/i386/types.h
+bsd/i386/vmparam.h
+bsd/libkern/libkern.h
+bsd/machine/_limits.h
+bsd/machine/_mcontext.h
+bsd/machine/_param.h
+bsd/machine/_types.h
+bsd/machine/byte_order.h
+bsd/machine/disklabel.h
+bsd/machine/endian.h
+bsd/machine/limits.h
+bsd/machine/param.h
+bsd/machine/profile.h
+bsd/machine/signal.h
+bsd/machine/spl.h
+bsd/machine/types.h
+bsd/machine/vmparam.h
+bsd/miscfs/devfs/devfs.h
+bsd/miscfs/devfs/devfs_proto.h
+bsd/miscfs/devfs/devfsdefs.h
+bsd/miscfs/devfs/fdesc.h
+bsd/miscfs/fifofs/fifo.h
+bsd/miscfs/specfs/specdev.h
+bsd/miscfs/union/union.h
+bsd/net/bpf.h
+bsd/net/dlil.h
+bsd/net/ethernet.h
+bsd/net/if.h
+bsd/net/if_arp.h
+bsd/net/if_dl.h
+bsd/net/if_ether.h
+bsd/net/if_llc.h
+bsd/net/if_media.h
+bsd/net/if_mib.h
+bsd/net/if_types.h
+bsd/net/if_utun.h
+bsd/net/if_var.h
+bsd/net/init.h
+bsd/net/kext_net.h
+bsd/net/kpi_interface.h
+bsd/net/kpi_interfacefilter.h
+bsd/net/kpi_protocol.h
+bsd/net/ndrv.h
+bsd/net/net_kev.h
+bsd/net/pfkeyv2.h
+bsd/net/radix.h
+bsd/net/route.h
+bsd/netinet/bootp.h
+bsd/netinet/icmp6.h
+bsd/netinet/icmp_var.h
+bsd/netinet/if_ether.h
+bsd/netinet/igmp.h
+bsd/netinet/igmp_var.h
+bsd/netinet/in.h
+bsd/netinet/in_arp.h
+bsd/netinet/in_pcb.h
+bsd/netinet/in_systm.h
+bsd/netinet/in_var.h
+bsd/netinet/ip.h
+bsd/netinet/ip6.h
+bsd/netinet/ip_icmp.h
+bsd/netinet/ip_var.h
+bsd/netinet/kpi_ipfilter.h
+bsd/netinet/tcp.h
+bsd/netinet/tcp_fsm.h
+bsd/netinet/tcp_seq.h
+bsd/netinet/tcp_timer.h
+bsd/netinet/tcp_var.h
+bsd/netinet/tcpip.h
+bsd/netinet/udp.h
+bsd/netinet/udp_var.h
+bsd/netinet6/ah.h
+bsd/netinet6/esp.h
+bsd/netinet6/in6.h
+bsd/netinet6/in6_var.h
+bsd/netinet6/ipcomp.h
+bsd/netinet6/ipsec.h
+bsd/netinet6/nd6.h
+bsd/netinet6/raw_ip6.h
+bsd/netinet6/scope6_var.h
+bsd/netkey/keysock.h
+bsd/security/audit/audit.h
+bsd/security/audit/audit_bsd.h
+bsd/security/audit/audit_ioctl.h
+bsd/security/audit/audit_private.h
+bsd/sys/_endian.h
+bsd/sys/_select.h
+bsd/sys/_structs.h
+bsd/sys/_types.h
+bsd/sys/_types/_blkcnt_t.h
+bsd/sys/_types/_blksize_t.h
+bsd/sys/_types/_clock_t.h
+bsd/sys/_types/_ct_rune_t.h
+bsd/sys/_types/_dev_t.h
+bsd/sys/_types/_errno_t.h
+bsd/sys/_types/_fd_clr.h
+bsd/sys/_types/_fd_copy.h
+bsd/sys/_types/_fd_def.h
+bsd/sys/_types/_fd_isset.h
+bsd/sys/_types/_fd_set.h
+bsd/sys/_types/_fd_setsize.h
+bsd/sys/_types/_fd_zero.h
+bsd/sys/_types/_filesec_t.h
+bsd/sys/_types/_fsblkcnt_t.h
+bsd/sys/_types/_fsfilcnt_t.h
+bsd/sys/_types/_fsid_t.h
+bsd/sys/_types/_fsobj_id_t.h
+bsd/sys/_types/_gid_t.h
+bsd/sys/_types/_guid_t.h
+bsd/sys/_types/_id_t.h
+bsd/sys/_types/_in_addr_t.h
+bsd/sys/_types/_in_port_t.h
+bsd/sys/_types/_ino64_t.h
+bsd/sys/_types/_ino_t.h
+bsd/sys/_types/_int16_t.h
+bsd/sys/_types/_int32_t.h
+bsd/sys/_types/_int64_t.h
+bsd/sys/_types/_int8_t.h
+bsd/sys/_types/_intptr_t.h
+bsd/sys/_types/_iovec_t.h
+bsd/sys/_types/_key_t.h
+bsd/sys/_types/_mach_port_t.h
+bsd/sys/_types/_mbstate_t.h
+bsd/sys/_types/_mode_t.h
+bsd/sys/_types/_nlink_t.h
+bsd/sys/_types/_null.h
+bsd/sys/_types/_o_dsync.h
+bsd/sys/_types/_o_sync.h
+bsd/sys/_types/_off_t.h
+bsd/sys/_types/_offsetof.h
+bsd/sys/_types/_os_inline.h
+bsd/sys/_types/_pid_t.h
+bsd/sys/_types/_posix_vdisable.h
+bsd/sys/_types/_ptrdiff_t.h
+bsd/sys/_types/_rsize_t.h
+bsd/sys/_types/_rune_t.h
+bsd/sys/_types/_s_ifmt.h
+bsd/sys/_types/_sa_family_t.h
+bsd/sys/_types/_seek_set.h
+bsd/sys/_types/_sigaltstack.h
+bsd/sys/_types/_sigset_t.h
+bsd/sys/_types/_size_t.h
+bsd/sys/_types/_socklen_t.h
+bsd/sys/_types/_ssize_t.h
+bsd/sys/_types/_suseconds_t.h
+bsd/sys/_types/_time_t.h
+bsd/sys/_types/_timespec.h
+bsd/sys/_types/_timeval.h
+bsd/sys/_types/_timeval32.h
+bsd/sys/_types/_timeval64.h
+bsd/sys/_types/_u_int16_t.h
+bsd/sys/_types/_u_int32_t.h
+bsd/sys/_types/_u_int64_t.h
+bsd/sys/_types/_u_int8_t.h
+bsd/sys/_types/_ucontext.h
+bsd/sys/_types/_ucontext64.h
+bsd/sys/_types/_uid_t.h
+bsd/sys/_types/_uintptr_t.h
+bsd/sys/_types/_useconds_t.h
+bsd/sys/_types/_user32_itimerval.h
+bsd/sys/_types/_user32_timespec.h
+bsd/sys/_types/_user32_timeval.h
+bsd/sys/_types/_user64_itimerval.h
+bsd/sys/_types/_user64_timespec.h
+bsd/sys/_types/_user64_timeval.h
+bsd/sys/_types/_user_timespec.h
+bsd/sys/_types/_user_timeval.h
+bsd/sys/_types/_uuid_t.h
+bsd/sys/_types/_va_list.h
+bsd/sys/_types/_wchar_t.h
+bsd/sys/_types/_wint_t.h
+bsd/sys/appleapiopts.h
+bsd/sys/attr.h
+bsd/sys/bsdtask_info.h
+bsd/sys/buf.h
+bsd/sys/cdefs.h
+bsd/sys/codesign.h
+bsd/sys/conf.h
+bsd/sys/content_protection.h
+bsd/sys/cprotect.h
+bsd/sys/csr.h
+bsd/sys/decmpfs.h
+bsd/sys/dir.h
+bsd/sys/dirent.h
+bsd/sys/disk.h
+bsd/sys/disklabel.h
+bsd/sys/disktab.h
+bsd/sys/dkstat.h
+bsd/sys/doc_tombstone.h
+bsd/sys/domain.h
+bsd/sys/errno.h
+bsd/sys/ev.h
+bsd/sys/event.h
+bsd/sys/eventvar.h
+bsd/sys/fbt.h
+bsd/sys/fcntl.h
+bsd/sys/file.h
+bsd/sys/file_internal.h
+bsd/sys/filedesc.h
+bsd/sys/fileport.h
+bsd/sys/filio.h
+bsd/sys/fsctl.h
+bsd/sys/fsevents.h
+bsd/sys/fslog.h
+bsd/sys/guarded.h
+bsd/sys/imgact.h
+bsd/sys/ioccom.h
+bsd/sys/ioctl.h
+bsd/sys/ioctl_compat.h
+bsd/sys/ipc.h
+bsd/sys/kasl.h
+bsd/sys/kauth.h
+bsd/sys/kdebug.h
+bsd/sys/kdebugevents.h
+bsd/sys/kern_control.h
+bsd/sys/kern_event.h
+bsd/sys/kern_memorystatus.h
+bsd/sys/kernel.h
+bsd/sys/kernel_types.h
+bsd/sys/kpi_mbuf.h
+bsd/sys/kpi_private.h
+bsd/sys/kpi_socket.h
+bsd/sys/kpi_socketfilter.h
+bsd/sys/ktrace.h
+bsd/sys/linker_set.h
+bsd/sys/lock.h
+bsd/sys/lockf.h
+bsd/sys/mach_swapon.h
+bsd/sys/malloc.h
+bsd/sys/mbuf.h
+bsd/sys/md5.h
+bsd/sys/memory_maintenance.h
+bsd/sys/mman.h
+bsd/sys/mount.h
+bsd/sys/mount_internal.h
+bsd/sys/msg.h
+bsd/sys/msgbuf.h
+bsd/sys/munge.h
+bsd/sys/namei.h
+bsd/sys/netport.h
+bsd/sys/param.h
+bsd/sys/paths.h
+bsd/sys/persona.h
+bsd/sys/pgo.h
+bsd/sys/pipe.h
+bsd/sys/posix_sem.h
+bsd/sys/posix_shm.h
+bsd/sys/priv.h
+bsd/sys/proc.h
+bsd/sys/proc_info.h
+bsd/sys/proc_internal.h
+bsd/sys/protosw.h
+bsd/sys/pthread_internal.h
+bsd/sys/pthread_shims.h
+bsd/sys/queue.h
+bsd/sys/quota.h
+bsd/sys/random.h
+bsd/sys/reason.h
+bsd/sys/resource.h
+bsd/sys/resourcevar.h
+bsd/sys/sbuf.h
+bsd/sys/select.h
+bsd/sys/sem.h
+bsd/sys/sem_internal.h
+bsd/sys/semaphore.h
+bsd/sys/shm.h
+bsd/sys/shm_internal.h
+bsd/sys/signal.h
+bsd/sys/signalvar.h
+bsd/sys/socket.h
+bsd/sys/socketvar.h
+bsd/sys/sockio.h
+bsd/sys/spawn.h
+bsd/sys/spawn_internal.h
+bsd/sys/stackshot.h
+bsd/sys/stat.h
+bsd/sys/stdio.h
+bsd/sys/sys_domain.h
+bsd/sys/syscall.h
+bsd/sys/sysctl.h
+bsd/sys/syslimits.h
+bsd/sys/syslog.h
+bsd/sys/sysproto.h
+bsd/sys/systm.h
+bsd/sys/termios.h
+bsd/sys/time.h
+bsd/sys/tree.h
+bsd/sys/tty.h
+bsd/sys/ttychars.h
+bsd/sys/ttycom.h
+bsd/sys/ttydefaults.h
+bsd/sys/ttydev.h
+bsd/sys/types.h
+bsd/sys/ubc.h
+bsd/sys/ucontext.h
+bsd/sys/ucred.h
+bsd/sys/uio.h
+bsd/sys/uio_internal.h
+bsd/sys/ulock.h
+bsd/sys/un.h
+bsd/sys/unistd.h
+bsd/sys/unpcb.h
+bsd/sys/user.h
+bsd/sys/utfconv.h
+bsd/sys/vfs_context.h
+bsd/sys/vm.h
+bsd/sys/vmmeter.h
+bsd/sys/vmparam.h
+bsd/sys/vnode.h
+bsd/sys/vnode_if.h
+bsd/sys/vnode_internal.h
+bsd/sys/wait.h
+bsd/sys/xattr.h
+bsd/uuid/uuid.h
+bsd/vfs/vfs_support.h
+bsd/vm/vnode_pager.h
+bsm/audit.h
+bsm/audit_domain.h
+bsm/audit_errno.h
+bsm/audit_fcntl.h
+bsm/audit_internal.h
+bsm/audit_kevents.h
+bsm/audit_record.h
+bsm/audit_socket_type.h
+checkint.h
+complex.h
+configuration_profile.h
+copyfile.h
+corecrypto/cc.h
+corecrypto/cc_config.h
+corecrypto/cc_debug.h
+corecrypto/cc_macros.h
+corecrypto/cc_priv.h
+corecrypto/ccaes.h
+corecrypto/ccasn1.h
+corecrypto/cccmac.h
+corecrypto/ccder.h
+corecrypto/ccdes.h
+corecrypto/ccdigest.h
+corecrypto/ccdigest_priv.h
+corecrypto/ccdrbg.h
+corecrypto/ccdrbg_impl.h
+corecrypto/cchmac.h
+corecrypto/ccmd5.h
+corecrypto/ccmode.h
+corecrypto/ccmode_factory.h
+corecrypto/ccmode_impl.h
+corecrypto/ccmode_siv.h
+corecrypto/ccn.h
+corecrypto/ccpad.h
+corecrypto/ccpbkdf2.h
+corecrypto/ccrc4.h
+corecrypto/ccrng.h
+corecrypto/ccrng_system.h
+corecrypto/ccrsa.h
+corecrypto/ccsha1.h
+corecrypto/ccsha2.h
+corecrypto/cczp.h
+corpses/task_corpse.h
+cpio.h
+crt_externs.h
+ctype.h
+curses.h
+cursesapp.h
+cursesf.h
+cursesm.h
+cursesp.h
+cursesw.h
+cursslk.h
+db.h
+default_pager/default_pager_types.h
+device/device.defs
+device/device_port.h
+device/device_types.defs
+device/device_types.h
+dirent.h
+disktab.h
+dispatch/base.h
+dispatch/benchmark.h
+dispatch/block.h
+dispatch/data.h
+dispatch/data_private.h
+dispatch/dispatch.h
+dispatch/group.h
+dispatch/introspection.h
+dispatch/introspection_private.h
+dispatch/io.h
+dispatch/io_private.h
+dispatch/layout_private.h
+dispatch/mach_private.h
+dispatch/object.h
+dispatch/once.h
+dispatch/private.h
+dispatch/queue.h
+dispatch/queue_private.h
+dispatch/semaphore.h
+dispatch/source.h
+dispatch/source_private.h
+dispatch/time.h
+dlfcn.h
+dns.h
+dns_sd.h
+dns_util.h
+err.h
+errno.h
+eti.h
+etip.h
+execinfo.h
+fcntl.h
+fenv.h
+fmtmsg.h
+fnmatch.h
+form.h
+fsproperties.h
+fstab.h
+fts.h
+ftw.h
+get_compat.h
+gethostuuid.h
+gethostuuid_private.h
+getopt.h
+glob.h
+grp.h
+hfs/BTreeScanner.h
+hfs/BTreesInternal.h
+hfs/BTreesPrivate.h
+hfs/CatalogPrivate.h
+hfs/FileMgrInternal.h
+hfs/HFSUnicodeWrappers.h
+hfs/UCStringCompareData.h
+hfs/hfs.h
+hfs/hfs_alloc_trace.h
+hfs/hfs_attrlist.h
+hfs/hfs_btreeio.h
+hfs/hfs_catalog.h
+hfs/hfs_cnode.h
+hfs/hfs_cprotect.h
+hfs/hfs_dbg.h
+hfs/hfs_endian.h
+hfs/hfs_extents.h
+hfs/hfs_format.h
+hfs/hfs_fsctl.h
+hfs/hfs_hotfiles.h
+hfs/hfs_iokit.h
+hfs/hfs_journal.h
+hfs/hfs_kdebug.h
+hfs/hfs_key_roll.h
+hfs/hfs_macos_defs.h
+hfs/hfs_mount.h
+hfs/hfs_quota.h
+hfs/hfs_unistr.h
+hfs/kext-config.h
+hfs/rangelist.h
+i386/_limits.h
+i386/_mcontext.h
+i386/_param.h
+i386/_types.h
+i386/eflags.h
+i386/endian.h
+i386/fasttrap_isa.h
+i386/limits.h
+i386/param.h
+i386/profile.h
+i386/signal.h
+i386/types.h
+i386/user_ldt.h
+i386/vmparam.h
+ifaddrs.h
+ils.h
+inttypes.h
+iokit/IOKit/AppleKeyStoreInterface.h
+iokit/IOKit/IOBSD.h
+iokit/IOKit/IOBufferMemoryDescriptor.h
+iokit/IOKit/IOCPU.h
+iokit/IOKit/IOCatalogue.h
+iokit/IOKit/IOCommand.h
+iokit/IOKit/IOCommandGate.h
+iokit/IOKit/IOCommandPool.h
+iokit/IOKit/IOCommandQueue.h
+iokit/IOKit/IOConditionLock.h
+iokit/IOKit/IODMACommand.h
+iokit/IOKit/IODMAController.h
+iokit/IOKit/IODMAEventSource.h
+iokit/IOKit/IODataQueue.h
+iokit/IOKit/IODataQueueShared.h
+iokit/IOKit/IODeviceMemory.h
+iokit/IOKit/IODeviceTreeSupport.h
+iokit/IOKit/IOEventSource.h
+iokit/IOKit/IOFilterInterruptEventSource.h
+iokit/IOKit/IOHibernatePrivate.h
+iokit/IOKit/IOInterleavedMemoryDescriptor.h
+iokit/IOKit/IOInterruptAccounting.h
+iokit/IOKit/IOInterruptController.h
+iokit/IOKit/IOInterruptEventSource.h
+iokit/IOKit/IOInterrupts.h
+iokit/IOKit/IOKernelReportStructs.h
+iokit/IOKit/IOKernelReporters.h
+iokit/IOKit/IOKitDebug.h
+iokit/IOKit/IOKitDiagnosticsUserClient.h
+iokit/IOKit/IOKitKeys.h
+iokit/IOKit/IOKitKeysPrivate.h
+iokit/IOKit/IOKitServer.h
+iokit/IOKit/IOLib.h
+iokit/IOKit/IOLocks.h
+iokit/IOKit/IOLocksPrivate.h
+iokit/IOKit/IOMapper.h
+iokit/IOKit/IOMemoryCursor.h
+iokit/IOKit/IOMemoryDescriptor.h
+iokit/IOKit/IOMessage.h
+iokit/IOKit/IOMultiMemoryDescriptor.h
+iokit/IOKit/IONVRAM.h
+iokit/IOKit/IONotifier.h
+iokit/IOKit/IOPlatformExpert.h
+iokit/IOKit/IOPolledInterface.h
+iokit/IOKit/IORangeAllocator.h
+iokit/IOKit/IORegistryEntry.h
+iokit/IOKit/IOReportMacros.h
+iokit/IOKit/IOReportTypes.h
+iokit/IOKit/IOReturn.h
+iokit/IOKit/IOService.h
+iokit/IOKit/IOServicePM.h
+iokit/IOKit/IOSharedDataQueue.h
+iokit/IOKit/IOSharedLock.h
+iokit/IOKit/IOStatistics.h
+iokit/IOKit/IOStatisticsPrivate.h
+iokit/IOKit/IOSubMemoryDescriptor.h
+iokit/IOKit/IOSyncer.h
+iokit/IOKit/IOTimeStamp.h
+iokit/IOKit/IOTimerEventSource.h
+iokit/IOKit/IOTypes.h
+iokit/IOKit/IOUserClient.h
+iokit/IOKit/IOWorkLoop.h
+iokit/IOKit/OSMessageNotification.h
+iokit/IOKit/assert.h
+iokit/IOKit/nvram/IONVRAMController.h
+iokit/IOKit/platform/AppleMacIO.h
+iokit/IOKit/platform/AppleMacIODevice.h
+iokit/IOKit/platform/AppleNMI.h
+iokit/IOKit/platform/ApplePlatformExpert.h
+iokit/IOKit/power/IOPwrController.h
+iokit/IOKit/pwr_mgt/IOPM.h
+iokit/IOKit/pwr_mgt/IOPMLibDefs.h
+iokit/IOKit/pwr_mgt/IOPMPowerSource.h
+iokit/IOKit/pwr_mgt/IOPMPowerSourceList.h
+iokit/IOKit/pwr_mgt/IOPMpowerState.h
+iokit/IOKit/pwr_mgt/IOPowerConnection.h
+iokit/IOKit/pwr_mgt/RootDomain.h
+iokit/IOKit/rtc/IORTCController.h
+iokit/IOKit/system.h
+iokit/IOKit/system_management/IOWatchDogTimer.h
+iso646.h
+kern/exc_resource.h
+kern/kcdata.h
+kern/kern_cdata.h
+kvbuf.h
+langinfo.h
+launch.h
+launch_internal.h
+launch_priv.h
+libc.h
+libc_private.h
+libgen.h
+libinfo.h
+libinfo_muser.h
+libkern/OSAtomic.h
+libkern/OSAtomicDeprecated.h
+libkern/OSAtomicQueue.h
+libkern/OSByteOrder.h
+libkern/OSCacheControl.h
+libkern/OSDebug.h
+libkern/OSKextLib.h
+libkern/OSReturn.h
+libkern/OSSpinLockDeprecated.h
+libkern/OSTypes.h
+libkern/_OSByteOrder.h
+libkern/firehose/chunk_private.h
+libkern/firehose/firehose_types_private.h
+libkern/firehose/ioctl_private.h
+libkern/firehose/tracepoint_private.h
+libkern/i386/OSByteOrder.h
+libkern/i386/_OSByteOrder.h
+libkern/libkern/OSAtomic.h
+libkern/libkern/OSBase.h
+libkern/libkern/OSByteOrder.h
+libkern/libkern/OSDebug.h
+libkern/libkern/OSKextLib.h
+libkern/libkern/OSKextLibPrivate.h
+libkern/libkern/OSMalloc.h
+libkern/libkern/OSReturn.h
+libkern/libkern/OSSerializeBinary.h
+libkern/libkern/OSTypes.h
+libkern/libkern/_OSByteOrder.h
+libkern/libkern/c++/OSArray.h
+libkern/libkern/c++/OSBoolean.h
+libkern/libkern/c++/OSCPPDebug.h
+libkern/libkern/c++/OSCollection.h
+libkern/libkern/c++/OSCollectionIterator.h
+libkern/libkern/c++/OSContainers.h
+libkern/libkern/c++/OSData.h
+libkern/libkern/c++/OSDictionary.h
+libkern/libkern/c++/OSEndianTypes.h
+libkern/libkern/c++/OSIterator.h
+libkern/libkern/c++/OSKext.h
+libkern/libkern/c++/OSLib.h
+libkern/libkern/c++/OSMetaClass.h
+libkern/libkern/c++/OSNumber.h
+libkern/libkern/c++/OSObject.h
+libkern/libkern/c++/OSOrderedSet.h
+libkern/libkern/c++/OSSerialize.h
+libkern/libkern/c++/OSSet.h
+libkern/libkern/c++/OSString.h
+libkern/libkern/c++/OSSymbol.h
+libkern/libkern/c++/OSUnserialize.h
+libkern/libkern/crypto/aes.h
+libkern/libkern/crypto/aesxts.h
+libkern/libkern/crypto/crypto_internal.h
+libkern/libkern/crypto/des.h
+libkern/libkern/crypto/md5.h
+libkern/libkern/crypto/rand.h
+libkern/libkern/crypto/register_crypto.h
+libkern/libkern/crypto/rsa.h
+libkern/libkern/crypto/sha1.h
+libkern/libkern/crypto/sha2.h
+libkern/libkern/i386/OSByteOrder.h
+libkern/libkern/i386/_OSByteOrder.h
+libkern/libkern/kernel_mach_header.h
+libkern/libkern/kext_request_keys.h
+libkern/libkern/kxld.h
+libkern/libkern/kxld_types.h
+libkern/libkern/locks.h
+libkern/libkern/machine/OSByteOrder.h
+libkern/libkern/mkext.h
+libkern/libkern/prelink.h
+libkern/libkern/section_keywords.h
+libkern/libkern/stack_protector.h
+libkern/libkern/sysctl.h
+libkern/libkern/tree.h
+libkern/libkern/version.h
+libkern/libkern/zconf.h
+libkern/libkern/zlib.h
+libkern/machine/OSByteOrder.h
+libkern/os/base.h
+libkern/os/log.h
+libkern/os/log_private.h
+libkern/os/object.h
+libkern/os/object_private.h
+libkern/os/overflow.h
+libkern/os/trace.h
+libproc.h
+libutil.h
+limits.h
+locale.h
+mach-o/arch.h
+mach-o/arm/reloc.h
+mach-o/arm64/reloc.h
+mach-o/dyld-interposing.h
+mach-o/dyld.h
+mach-o/dyld_gdb.h
+mach-o/dyld_images.h
+mach-o/dyld_priv.h
+mach-o/dyld_process_info.h
+mach-o/fat.h
+mach-o/getsect.h
+mach-o/hppa/reloc.h
+mach-o/hppa/swap.h
+mach-o/i386/swap.h
+mach-o/i860/reloc.h
+mach-o/i860/swap.h
+mach-o/ldsyms.h
+mach-o/loader.h
+mach-o/m68k/swap.h
+mach-o/m88k/reloc.h
+mach-o/m88k/swap.h
+mach-o/nlist.h
+mach-o/ppc/reloc.h
+mach-o/ppc/swap.h
+mach-o/ranlib.h
+mach-o/reloc.h
+mach-o/sparc/reloc.h
+mach-o/sparc/swap.h
+mach-o/stab.h
+mach-o/swap.h
+mach-o/x86_64/reloc.h
+mach/audit_triggers.defs
+mach/boolean.h
+mach/bootstrap.h
+mach/clock.defs
+mach/clock.h
+mach/clock_priv.defs
+mach/clock_priv.h
+mach/clock_reply.defs
+mach/clock_reply.h
+mach/clock_types.defs
+mach/clock_types.h
+mach/dyld_kernel.h
+mach/error.h
+mach/exc.defs
+mach/exc.h
+mach/exception.h
+mach/exception_types.h
+mach/host_info.h
+mach/host_notify.h
+mach/host_notify_reply.defs
+mach/host_priv.defs
+mach/host_priv.h
+mach/host_reboot.h
+mach/host_security.defs
+mach/host_security.h
+mach/host_special_ports.h
+mach/i386/_structs.h
+mach/i386/asm.h
+mach/i386/boolean.h
+mach/i386/exception.h
+mach/i386/fp_reg.h
+mach/i386/kern_return.h
+mach/i386/ndr_def.h
+mach/i386/processor_info.h
+mach/i386/rpc.h
+mach/i386/sdt_isa.h
+mach/i386/thread_state.h
+mach/i386/thread_status.h
+mach/i386/vm_param.h
+mach/i386/vm_types.h
+mach/kern_return.h
+mach/kmod.h
+mach/lock_set.defs
+mach/lock_set.h
+mach/mach.h
+mach/mach_error.h
+mach/mach_exc.defs
+mach/mach_host.defs
+mach/mach_host.h
+mach/mach_init.h
+mach/mach_interface.h
+mach/mach_param.h
+mach/mach_port.defs
+mach/mach_port.h
+mach/mach_port_internal.h
+mach/mach_syscalls.h
+mach/mach_time.h
+mach/mach_traps.h
+mach/mach_types.defs
+mach/mach_types.h
+mach/mach_vm.defs
+mach/mach_vm.h
+mach/mach_vm_internal.h
+mach/mach_voucher.defs
+mach/mach_voucher.h
+mach/mach_voucher_attr_control.defs
+mach/mach_voucher_types.h
+mach/machine.h
+mach/machine/asm.h
+mach/machine/boolean.h
+mach/machine/exception.h
+mach/machine/kern_return.h
+mach/machine/machine_types.defs
+mach/machine/ndr_def.h
+mach/machine/processor_info.h
+mach/machine/rpc.h
+mach/machine/sdt.h
+mach/machine/sdt_isa.h
+mach/machine/thread_state.h
+mach/machine/thread_status.h
+mach/machine/vm_param.h
+mach/machine/vm_types.h
+mach/memory_object_types.h
+mach/message.h
+mach/mig.h
+mach/mig_errors.h
+mach/mig_strncpy_zerofill_support.h
+mach/mig_voucher_support.h
+mach/ndr.h
+mach/notify.defs
+mach/notify.h
+mach/policy.h
+mach/port.h
+mach/port_obj.h
+mach/processor.defs
+mach/processor.h
+mach/processor_info.h
+mach/processor_set.defs
+mach/processor_set.h
+mach/rpc.h
+mach/sdt.h
+mach/semaphore.h
+mach/shared_memory_server.h
+mach/shared_region.h
+mach/std_types.defs
+mach/std_types.h
+mach/sync.h
+mach/sync_policy.h
+mach/task.defs
+mach/task.h
+mach/task_access.defs
+mach/task_info.h
+mach/task_policy.h
+mach/task_special_ports.h
+mach/telemetry_notification.defs
+mach/thread_act.defs
+mach/thread_act.h
+mach/thread_act_internal.h
+mach/thread_info.h
+mach/thread_policy.h
+mach/thread_special_ports.h
+mach/thread_state.h
+mach/thread_status.h
+mach/thread_switch.h
+mach/time_value.h
+mach/vm_attributes.h
+mach/vm_behavior.h
+mach/vm_inherit.h
+mach/vm_map.defs
+mach/vm_map.h
+mach/vm_map_internal.h
+mach/vm_page_size.h
+mach/vm_param.h
+mach/vm_prot.h
+mach/vm_purgable.h
+mach/vm_region.h
+mach/vm_statistics.h
+mach/vm_sync.h
+mach/vm_task.h
+mach/vm_types.h
+mach_debug/hash_info.h
+mach_debug/ipc_info.h
+mach_debug/lockgroup_info.h
+mach_debug/mach_debug.h
+mach_debug/mach_debug_types.defs
+mach_debug/mach_debug_types.h
+mach_debug/page_info.h
+mach_debug/vm_info.h
+mach_debug/zone_info.h
+machine/_limits.h
+machine/_mcontext.h
+machine/_param.h
+machine/_types.h
+machine/byte_order.h
+machine/endian.h
+machine/fasttrap_isa.h
+machine/limits.h
+machine/param.h
+machine/profile.h
+machine/signal.h
+machine/types.h
+machine/vmparam.h
+malloc/malloc.h
+math.h
+membership.h
+membershipPriv.h
+memory.h
+menu.h
+miscfs/devfs/devfs.h
+miscfs/specfs/specdev.h
+miscfs/union/union.h
+mntopts.h
+monetary.h
+monitor.h
+mpool.h
+msgcat.h
+nameser.h
+nc_tparm.h
+ncurses.h
+ncurses_dll.h
+ndbm.h
+net/bpf.h
+net/dlil.h
+net/ethernet.h
+net/if.h
+net/if_arp.h
+net/if_dl.h
+net/if_llc.h
+net/if_media.h
+net/if_mib.h
+net/if_types.h
+net/if_utun.h
+net/if_var.h
+net/kext_net.h
+net/ndrv.h
+net/net_kev.h
+net/pfkeyv2.h
+net/route.h
+netdb.h
+netdb_async.h
+netinet/bootp.h
+netinet/icmp6.h
+netinet/icmp_var.h
+netinet/if_ether.h
+netinet/igmp.h
+netinet/igmp_var.h
+netinet/in.h
+netinet/in_pcb.h
+netinet/in_systm.h
+netinet/in_var.h
+netinet/ip.h
+netinet/ip6.h
+netinet/ip_icmp.h
+netinet/ip_var.h
+netinet/tcp.h
+netinet/tcp_fsm.h
+netinet/tcp_seq.h
+netinet/tcp_timer.h
+netinet/tcp_var.h
+netinet/tcpip.h
+netinet/udp.h
+netinet/udp_var.h
+netinet6/ah.h
+netinet6/esp.h
+netinet6/in6.h
+netinet6/in6_var.h
+netinet6/ipcomp.h
+netinet6/ipsec.h
+netinet6/nd6.h
+netinet6/raw_ip6.h
+netinet6/scope6_var.h
+netkey/keysock.h
+nfs/krpc.h
+nfs/nfs.h
+nfs/nfs_gss.h
+nfs/nfs_ioctl.h
+nfs/nfs_lock.h
+nfs/nfsdiskless.h
+nfs/nfsm_subs.h
+nfs/nfsmount.h
+nfs/nfsnode.h
+nfs/nfsproto.h
+nfs/nfsrvcache.h
+nfs/rpcv2.h
+nfs/xdr_subs.h
+nl_types.h
+nlist.h
+notify.h
+notify_keys.h
+ntsid.h
+objc-shared-cache.h
+os/activity.h
+os/alloc_once_impl.h
+os/assumes.h
+os/availability.h
+os/base.h
+os/base_private.h
+os/debug_private.h
+os/internal/atomic.h
+os/internal/crashlog.h
+os/internal/internal_shared.h
+os/lock.h
+os/lock_private.h
+os/log.h
+os/object.h
+os/object_private.h
+os/once_private.h
+os/overflow.h
+os/semaphore_private.h
+os/trace.h
+os/tsd.h
+os/voucher_activity_private.h
+os/voucher_private.h
+osfmk/UserNotification/KUNCUserNotifications.h
+osfmk/UserNotification/UNDReply.defs
+osfmk/UserNotification/UNDRequest.defs
+osfmk/UserNotification/UNDTypes.defs
+osfmk/UserNotification/UNDTypes.h
+osfmk/atm/atm_internal.h
+osfmk/atm/atm_notification.defs
+osfmk/atm/atm_types.defs
+osfmk/atm/atm_types.h
+osfmk/bank/bank_types.h
+osfmk/console/video_console.h
+osfmk/corpses/task_corpse.h
+osfmk/default_pager/default_pager_types.h
+osfmk/device/device.defs
+osfmk/device/device_port.h
+osfmk/device/device_types.defs
+osfmk/device/device_types.h
+osfmk/gssd/gssd_mach.defs
+osfmk/gssd/gssd_mach.h
+osfmk/gssd/gssd_mach_types.h
+osfmk/i386/apic.h
+osfmk/i386/asm.h
+osfmk/i386/atomic.h
+osfmk/i386/bit_routines.h
+osfmk/i386/cpu_capabilities.h
+osfmk/i386/cpu_data.h
+osfmk/i386/cpu_number.h
+osfmk/i386/cpu_topology.h
+osfmk/i386/cpuid.h
+osfmk/i386/eflags.h
+osfmk/i386/io_map_entries.h
+osfmk/i386/lapic.h
+osfmk/i386/lock.h
+osfmk/i386/locks.h
+osfmk/i386/machine_cpu.h
+osfmk/i386/machine_routines.h
+osfmk/i386/mp.h
+osfmk/i386/mp_desc.h
+osfmk/i386/mp_events.h
+osfmk/i386/mtrr.h
+osfmk/i386/pal_hibernate.h
+osfmk/i386/pal_native.h
+osfmk/i386/pal_routines.h
+osfmk/i386/panic_hooks.h
+osfmk/i386/pmCPU.h
+osfmk/i386/pmap.h
+osfmk/i386/proc_reg.h
+osfmk/i386/rtclock_protos.h
+osfmk/i386/seg.h
+osfmk/i386/simple_lock.h
+osfmk/i386/smp.h
+osfmk/i386/tsc.h
+osfmk/i386/tss.h
+osfmk/i386/ucode.h
+osfmk/i386/vmx.h
+osfmk/ipc/ipc_types.h
+osfmk/kdp/kdp_callout.h
+osfmk/kdp/kdp_dyld.h
+osfmk/kdp/kdp_en_debugger.h
+osfmk/kern/affinity.h
+osfmk/kern/assert.h
+osfmk/kern/audit_sessionport.h
+osfmk/kern/backtrace.h
+osfmk/kern/bits.h
+osfmk/kern/block_hint.h
+osfmk/kern/call_entry.h
+osfmk/kern/clock.h
+osfmk/kern/coalition.h
+osfmk/kern/cpu_data.h
+osfmk/kern/cpu_number.h
+osfmk/kern/debug.h
+osfmk/kern/ecc.h
+osfmk/kern/energy_perf.h
+osfmk/kern/exc_resource.h
+osfmk/kern/extmod_statistics.h
+osfmk/kern/host.h
+osfmk/kern/hv_support.h
+osfmk/kern/ipc_mig.h
+osfmk/kern/ipc_misc.h
+osfmk/kern/kalloc.h
+osfmk/kern/kcdata.h
+osfmk/kern/kern_cdata.h
+osfmk/kern/kern_types.h
+osfmk/kern/kext_alloc.h
+osfmk/kern/kpc.h
+osfmk/kern/ledger.h
+osfmk/kern/lock.h
+osfmk/kern/locks.h
+osfmk/kern/mach_param.h
+osfmk/kern/macro_help.h
+osfmk/kern/page_decrypt.h
+osfmk/kern/pms.h
+osfmk/kern/policy_internal.h
+osfmk/kern/processor.h
+osfmk/kern/queue.h
+osfmk/kern/sched_prim.h
+osfmk/kern/sfi.h
+osfmk/kern/simple_lock.h
+osfmk/kern/startup.h
+osfmk/kern/task.h
+osfmk/kern/telemetry.h
+osfmk/kern/thread.h
+osfmk/kern/thread_call.h
+osfmk/kern/timer_call.h
+osfmk/kern/waitq.h
+osfmk/kern/zalloc.h
+osfmk/kextd/kextd_mach.defs
+osfmk/kextd/kextd_mach.h
+osfmk/kperf/action.h
+osfmk/kperf/context.h
+osfmk/kperf/kdebug_trigger.h
+osfmk/kperf/kperf.h
+osfmk/kperf/kperf_timer.h
+osfmk/kperf/kperfbsd.h
+osfmk/kperf/pet.h
+osfmk/lockd/lockd_mach.defs
+osfmk/lockd/lockd_mach.h
+osfmk/lockd/lockd_mach_types.h
+osfmk/mach/audit_triggers.defs
+osfmk/mach/audit_triggers_server.h
+osfmk/mach/boolean.h
+osfmk/mach/branch_predicates.h
+osfmk/mach/clock.defs
+osfmk/mach/clock.h
+osfmk/mach/clock_priv.defs
+osfmk/mach/clock_priv.h
+osfmk/mach/clock_reply.defs
+osfmk/mach/clock_reply_server.h
+osfmk/mach/clock_types.defs
+osfmk/mach/clock_types.h
+osfmk/mach/coalition.h
+osfmk/mach/coalition_notification_server.h
+osfmk/mach/dyld_kernel.h
+osfmk/mach/error.h
+osfmk/mach/exc.defs
+osfmk/mach/exc_server.h
+osfmk/mach/exception.h
+osfmk/mach/exception_types.h
+osfmk/mach/host_info.h
+osfmk/mach/host_notify.h
+osfmk/mach/host_notify_reply.defs
+osfmk/mach/host_priv.defs
+osfmk/mach/host_priv.h
+osfmk/mach/host_reboot.h
+osfmk/mach/host_security.defs
+osfmk/mach/host_security.h
+osfmk/mach/host_special_ports.h
+osfmk/mach/i386/_structs.h
+osfmk/mach/i386/asm.h
+osfmk/mach/i386/boolean.h
+osfmk/mach/i386/exception.h
+osfmk/mach/i386/fp_reg.h
+osfmk/mach/i386/kern_return.h
+osfmk/mach/i386/ndr_def.h
+osfmk/mach/i386/processor_info.h
+osfmk/mach/i386/rpc.h
+osfmk/mach/i386/sdt_isa.h
+osfmk/mach/i386/syscall_sw.h
+osfmk/mach/i386/thread_state.h
+osfmk/mach/i386/thread_status.h
+osfmk/mach/i386/vm_param.h
+osfmk/mach/i386/vm_types.h
+osfmk/mach/kern_return.h
+osfmk/mach/kmod.h
+osfmk/mach/ktrace_background.h
+osfmk/mach/lock_set.defs
+osfmk/mach/lock_set.h
+osfmk/mach/mach_exc.defs
+osfmk/mach/mach_exc_server.h
+osfmk/mach/mach_host.defs
+osfmk/mach/mach_host.h
+osfmk/mach/mach_interface.h
+osfmk/mach/mach_param.h
+osfmk/mach/mach_port.defs
+osfmk/mach/mach_port.h
+osfmk/mach/mach_syscalls.h
+osfmk/mach/mach_time.h
+osfmk/mach/mach_traps.h
+osfmk/mach/mach_types.defs
+osfmk/mach/mach_types.h
+osfmk/mach/mach_vm.defs
+osfmk/mach/mach_vm.h
+osfmk/mach/mach_voucher.defs
+osfmk/mach/mach_voucher.h
+osfmk/mach/mach_voucher_attr_control.defs
+osfmk/mach/mach_voucher_attr_control.h
+osfmk/mach/mach_voucher_types.h
+osfmk/mach/machine.h
+osfmk/mach/machine/asm.h
+osfmk/mach/machine/boolean.h
+osfmk/mach/machine/exception.h
+osfmk/mach/machine/kern_return.h
+osfmk/mach/machine/machine_types.defs
+osfmk/mach/machine/ndr_def.h
+osfmk/mach/machine/processor_info.h
+osfmk/mach/machine/rpc.h
+osfmk/mach/machine/sdt.h
+osfmk/mach/machine/sdt_isa.h
+osfmk/mach/machine/syscall_sw.h
+osfmk/mach/machine/thread_state.h
+osfmk/mach/machine/thread_status.h
+osfmk/mach/machine/vm_param.h
+osfmk/mach/machine/vm_types.h
+osfmk/mach/memory_object_control.h
+osfmk/mach/memory_object_default_server.h
+osfmk/mach/memory_object_types.h
+osfmk/mach/message.h
+osfmk/mach/mig.h
+osfmk/mach/mig_errors.h
+osfmk/mach/mig_strncpy_zerofill_support.h
+osfmk/mach/mig_voucher_support.h
+osfmk/mach/ndr.h
+osfmk/mach/notify.defs
+osfmk/mach/notify.h
+osfmk/mach/notify_server.h
+osfmk/mach/policy.h
+osfmk/mach/port.h
+osfmk/mach/processor.defs
+osfmk/mach/processor.h
+osfmk/mach/processor_info.h
+osfmk/mach/processor_set.defs
+osfmk/mach/processor_set.h
+osfmk/mach/resource_monitors.h
+osfmk/mach/rpc.h
+osfmk/mach/sdt.h
+osfmk/mach/semaphore.h
+osfmk/mach/sfi_class.h
+osfmk/mach/shared_memory_server.h
+osfmk/mach/shared_region.h
+osfmk/mach/std_types.defs
+osfmk/mach/std_types.h
+osfmk/mach/sync_policy.h
+osfmk/mach/syscall_sw.h
+osfmk/mach/sysdiagnose_notification_server.h
+osfmk/mach/task.defs
+osfmk/mach/task.h
+osfmk/mach/task_access.defs
+osfmk/mach/task_access.h
+osfmk/mach/task_access_server.h
+osfmk/mach/task_info.h
+osfmk/mach/task_policy.h
+osfmk/mach/task_special_ports.h
+osfmk/mach/telemetry_notification.defs
+osfmk/mach/telemetry_notification_server.h
+osfmk/mach/thread_act.defs
+osfmk/mach/thread_act.h
+osfmk/mach/thread_info.h
+osfmk/mach/thread_policy.h
+osfmk/mach/thread_special_ports.h
+osfmk/mach/thread_status.h
+osfmk/mach/thread_switch.h
+osfmk/mach/time_value.h
+osfmk/mach/upl.h
+osfmk/mach/vm_attributes.h
+osfmk/mach/vm_behavior.h
+osfmk/mach/vm_inherit.h
+osfmk/mach/vm_map.defs
+osfmk/mach/vm_map.h
+osfmk/mach/vm_param.h
+osfmk/mach/vm_prot.h
+osfmk/mach/vm_purgable.h
+osfmk/mach/vm_region.h
+osfmk/mach/vm_statistics.h
+osfmk/mach/vm_sync.h
+osfmk/mach/vm_types.h
+osfmk/mach_debug/hash_info.h
+osfmk/mach_debug/ipc_info.h
+osfmk/mach_debug/lockgroup_info.h
+osfmk/mach_debug/mach_debug.h
+osfmk/mach_debug/mach_debug_types.defs
+osfmk/mach_debug/mach_debug_types.h
+osfmk/mach_debug/page_info.h
+osfmk/mach_debug/vm_info.h
+osfmk/mach_debug/zone_info.h
+osfmk/machine/atomic.h
+osfmk/machine/cpu_capabilities.h
+osfmk/machine/cpu_number.h
+osfmk/machine/io_map_entries.h
+osfmk/machine/lock.h
+osfmk/machine/locks.h
+osfmk/machine/machine_cpuid.h
+osfmk/machine/machine_kpc.h
+osfmk/machine/machine_routines.h
+osfmk/machine/pal_hibernate.h
+osfmk/machine/pal_routines.h
+osfmk/machine/simple_lock.h
+osfmk/prng/random.h
+osfmk/string.h
+osfmk/vm/WKdm_new.h
+osfmk/vm/pmap.h
+osfmk/vm/vm_compressor_algorithms.h
+osfmk/vm/vm_fault.h
+osfmk/vm/vm_kern.h
+osfmk/vm/vm_map.h
+osfmk/vm/vm_options.h
+osfmk/vm/vm_pageout.h
+osfmk/vm/vm_protos.h
+osfmk/vm/vm_shared_region.h
+osfmk/voucher/ipc_pthread_priority_types.h
+osfmk/x86_64/machine_kpc.h
+panel.h
+paths.h
+pexpert/boot.h
+pexpert/i386/boot.h
+pexpert/i386/efi.h
+pexpert/i386/protos.h
+pexpert/machine/boot.h
+pexpert/machine/protos.h
+pexpert/pexpert.h
+pexpert/pexpert/boot.h
+pexpert/pexpert/device_tree.h
+pexpert/pexpert/i386/boot.h
+pexpert/pexpert/i386/efi.h
+pexpert/pexpert/i386/protos.h
+pexpert/pexpert/machine/boot.h
+pexpert/pexpert/machine/protos.h
+pexpert/pexpert/pexpert.h
+pexpert/pexpert/protos.h
+pexpert/protos.h
+platform/compat.h
+platform/introspection_private.h
+platform/string.h
+poll.h
+printerdb.h
+printf.h
+protocols/routed.h
+protocols/rwhod.h
+protocols/talkd.h
+protocols/timed.h
+pthread/introspection.h
+pthread/pthread.h
+pthread/pthread_impl.h
+pthread/pthread_spis.h
+pthread/qos.h
+pthread/sched.h
+pthread/spawn.h
+pwd.h
+ranlib.h
+readpassphrase.h
+reboot2.h
+regex.h
+removefile.h
+resolv.h
+rpc/auth.h
+rpc/auth_unix.h
+rpc/clnt.h
+rpc/pmap_clnt.h
+rpc/pmap_prot.h
+rpc/pmap_rmt.h
+rpc/rpc.h
+rpc/rpc_msg.h
+rpc/svc.h
+rpc/svc_auth.h
+rpc/types.h
+rpc/xdr.h
+rpcsvc/yp_prot.h
+rpcsvc/ypclnt.h
+runetype.h
+search.h
+secure/_common.h
+secure/_stdio.h
+secure/_string.h
+security/audit/audit_ioctl.h
+security/mac.h
+security/mac_policy.h
+security/security/_label.h
+security/security/mac.h
+security/security/mac_alloc.h
+security/security/mac_data.h
+security/security/mac_framework.h
+security/security/mac_internal.h
+security/security/mac_mach_internal.h
+security/security/mac_policy.h
+semaphore.h
+servers/bootstrap.h
+servers/bootstrap_defs.h
+servers/key_defs.h
+servers/ls_defs.h
+servers/netname.h
+servers/netname_defs.h
+servers/nm_defs.h
+setjmp.h
+sgtty.h
+si_data.h
+si_module.h
+signal.h
+spawn.h
+stab.h
+standards.h
+stdarg.h
+stddef.h
+stdint.h
+stdio.h
+stdlib.h
+strhash.h
+string.h
+stringlist.h
+strings.h
+struct.h
+sys/_endian.h
+sys/_posix_availability.h
+sys/_pthread/_pthread_attr_t.h
+sys/_pthread/_pthread_cond_t.h
+sys/_pthread/_pthread_condattr_t.h
+sys/_pthread/_pthread_key_t.h
+sys/_pthread/_pthread_mutex_t.h
+sys/_pthread/_pthread_mutexattr_t.h
+sys/_pthread/_pthread_once_t.h
+sys/_pthread/_pthread_rwlock_t.h
+sys/_pthread/_pthread_rwlockattr_t.h
+sys/_pthread/_pthread_t.h
+sys/_pthread/_pthread_types.h
+sys/_select.h
+sys/_structs.h
+sys/_symbol_aliasing.h
+sys/_types.h
+sys/_types/_blkcnt_t.h
+sys/_types/_blksize_t.h
+sys/_types/_clock_t.h
+sys/_types/_ct_rune_t.h
+sys/_types/_dev_t.h
+sys/_types/_errno_t.h
+sys/_types/_fd_clr.h
+sys/_types/_fd_copy.h
+sys/_types/_fd_def.h
+sys/_types/_fd_isset.h
+sys/_types/_fd_set.h
+sys/_types/_fd_setsize.h
+sys/_types/_fd_zero.h
+sys/_types/_filesec_t.h
+sys/_types/_fsblkcnt_t.h
+sys/_types/_fsfilcnt_t.h
+sys/_types/_fsid_t.h
+sys/_types/_fsobj_id_t.h
+sys/_types/_gid_t.h
+sys/_types/_guid_t.h
+sys/_types/_id_t.h
+sys/_types/_in_addr_t.h
+sys/_types/_in_port_t.h
+sys/_types/_ino64_t.h
+sys/_types/_ino_t.h
+sys/_types/_int16_t.h
+sys/_types/_int32_t.h
+sys/_types/_int64_t.h
+sys/_types/_int8_t.h
+sys/_types/_intptr_t.h
+sys/_types/_iovec_t.h
+sys/_types/_key_t.h
+sys/_types/_mach_port_t.h
+sys/_types/_mbstate_t.h
+sys/_types/_mode_t.h
+sys/_types/_nlink_t.h
+sys/_types/_null.h
+sys/_types/_o_dsync.h
+sys/_types/_o_sync.h
+sys/_types/_off_t.h
+sys/_types/_offsetof.h
+sys/_types/_os_inline.h
+sys/_types/_pid_t.h
+sys/_types/_posix_vdisable.h
+sys/_types/_pthread_attr_t.h
+sys/_types/_pthread_cond_t.h
+sys/_types/_pthread_condattr_t.h
+sys/_types/_pthread_key_t.h
+sys/_types/_pthread_mutex_t.h
+sys/_types/_pthread_mutexattr_t.h
+sys/_types/_pthread_once_t.h
+sys/_types/_pthread_rwlock_t.h
+sys/_types/_pthread_rwlockattr_t.h
+sys/_types/_pthread_t.h
+sys/_types/_pthread_types.h
+sys/_types/_ptrdiff_t.h
+sys/_types/_rsize_t.h
+sys/_types/_rune_t.h
+sys/_types/_s_ifmt.h
+sys/_types/_sa_family_t.h
+sys/_types/_seek_set.h
+sys/_types/_sigaltstack.h
+sys/_types/_sigset_t.h
+sys/_types/_size_t.h
+sys/_types/_socklen_t.h
+sys/_types/_ssize_t.h
+sys/_types/_suseconds_t.h
+sys/_types/_time_t.h
+sys/_types/_timespec.h
+sys/_types/_timeval.h
+sys/_types/_timeval32.h
+sys/_types/_timeval64.h
+sys/_types/_u_int16_t.h
+sys/_types/_u_int32_t.h
+sys/_types/_u_int64_t.h
+sys/_types/_u_int8_t.h
+sys/_types/_ucontext.h
+sys/_types/_ucontext64.h
+sys/_types/_uid_t.h
+sys/_types/_uintptr_t.h
+sys/_types/_useconds_t.h
+sys/_types/_uuid_t.h
+sys/_types/_va_list.h
+sys/_types/_wchar_t.h
+sys/_types/_wint_t.h
+sys/acct.h
+sys/acl.h
+sys/aio.h
+sys/appleapiopts.h
+sys/attr.h
+sys/buf.h
+sys/cdefs.h
+sys/clonefile.h
+sys/conf.h
+sys/dir.h
+sys/dirent.h
+sys/disk.h
+sys/dkstat.h
+sys/domain.h
+sys/dtrace.h
+sys/dtrace_glue.h
+sys/dtrace_impl.h
+sys/errno.h
+sys/ev.h
+sys/event.h
+sys/fasttrap.h
+sys/fasttrap_isa.h
+sys/fcntl.h
+sys/file.h
+sys/filedesc.h
+sys/filio.h
+sys/gmon.h
+sys/ioccom.h
+sys/ioctl.h
+sys/ioctl_compat.h
+sys/ipc.h
+sys/kauth.h
+sys/kdebug.h
+sys/kdebug_signpost.h
+sys/kern_control.h
+sys/kern_event.h
+sys/kernel.h
+sys/kernel_types.h
+sys/lctx.h
+sys/loadable_fs.h
+sys/lock.h
+sys/lockf.h
+sys/lockstat.h
+sys/malloc.h
+sys/mbuf.h
+sys/mman.h
+sys/mount.h
+sys/msg.h
+sys/msgbuf.h
+sys/netport.h
+sys/param.h
+sys/paths.h
+sys/pipe.h
+sys/poll.h
+sys/posix_sem.h
+sys/posix_shm.h
+sys/proc.h
+sys/proc_info.h
+sys/protosw.h
+sys/ptrace.h
+sys/qos.h
+sys/qos_private.h
+sys/queue.h
+sys/quota.h
+sys/random.h
+sys/rbtree.h
+sys/reboot.h
+sys/resource.h
+sys/resourcevar.h
+sys/sbuf.h
+sys/sdt.h
+sys/select.h
+sys/sem.h
+sys/semaphore.h
+sys/shm.h
+sys/signal.h
+sys/signalvar.h
+sys/socket.h
+sys/socketvar.h
+sys/sockio.h
+sys/spawn.h
+sys/stat.h
+sys/statvfs.h
+sys/stdio.h
+sys/sys_domain.h
+sys/syscall.h
+sys/sysctl.h
+sys/syslimits.h
+sys/syslog.h
+sys/termios.h
+sys/time.h
+sys/timeb.h
+sys/times.h
+sys/tprintf.h
+sys/trace.h
+sys/tty.h
+sys/ttychars.h
+sys/ttycom.h
+sys/ttydefaults.h
+sys/ttydev.h
+sys/types.h
+sys/ubc.h
+sys/ucontext.h
+sys/ucred.h
+sys/uio.h
+sys/un.h
+sys/unistd.h
+sys/unpcb.h
+sys/user.h
+sys/utfconv.h
+sys/utsname.h
+sys/vadvise.h
+sys/vcmd.h
+sys/vm.h
+sys/vmmeter.h
+sys/vmparam.h
+sys/vnioctl.h
+sys/vnode.h
+sys/vnode_if.h
+sys/vstat.h
+sys/wait.h
+sys/xattr.h
+sysexits.h
+syslog.h
+tar.h
+term.h
+term_entry.h
+termcap.h
+termios.h
+thread_data.h
+tic.h
+time.h
+timeconv.h
+ttyent.h
+tzfile.h
+tzlink.h
+tzlink_internal.h
+ucontext.h
+ulimit.h
+unctrl.h
+unistd.h
+util.h
+utime.h
+utmpx.h
+utmpx_thread.h
+uuid/uuid.h
+vfs/vfs_support.h
+vis.h
+voucher/ipc_pthread_priority_types.h
+vproc.h
+vproc_internal.h
+vproc_priv.h
+wchar.h
+wctype.h
+wipefs.h
+wordexp.h
+xlocale.h
+xlocale/__wctype.h
+xlocale/_ctype.h
+xlocale/_inttypes.h
+xlocale/_langinfo.h
+xlocale/_monetary.h
+xlocale/_regex.h
+xlocale/_stdio.h
+xlocale/_stdlib.h
+xlocale/_string.h
+xlocale/_time.h
+xlocale/_wchar.h
+xlocale/_wctype.h
diff --git a/nixpkgs/pkgs/os-specific/darwin/apple-source-releases/Libsystem/system_c_symbols b/nixpkgs/pkgs/os-specific/darwin/apple-source-releases/Libsystem/system_c_symbols
new file mode 100644
index 000000000000..1ec6c6332cf4
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/darwin/apple-source-releases/Libsystem/system_c_symbols
@@ -0,0 +1,1320 @@
+__CurrentRuneLocale
+__DefaultRuneLocale
+__Exit
+__NSGetArgc
+__NSGetArgv
+__NSGetEnviron
+__NSGetMachExecuteHeader
+__NSGetProgname
+__PathLocale
+__Read_RuneMagi
+___Balloc_D2A
+___Bfree_D2A
+___ULtod_D2A
+____mb_cur_max
+____mb_cur_max_l
+____runetype
+____runetype_l
+____tolower
+____tolower_l
+____toupper
+____toupper_l
+___add_ovflpage
+___addel
+___any_on_D2A
+___assert_rtn
+___b2d_D2A
+___big_delete
+___big_insert
+___big_keydata
+___big_return
+___big_split
+___bigtens_D2A
+___bt_close
+___bt_cmp
+___bt_defcmp
+___bt_defpfx
+___bt_delete
+___bt_dleaf
+___bt_fd
+___bt_free
+___bt_get
+___bt_new
+___bt_open
+___bt_pgin
+___bt_pgout
+___bt_put
+___bt_ret
+___bt_search
+___bt_seq
+___bt_setcur
+___bt_split
+___bt_sync
+___buf_free
+___call_hash
+___cleanup
+___cmp_D2A
+___collate_equiv_match
+___collate_load_error
+___collate_lookup
+___copybits_D2A
+___cxa_atexit
+___cxa_finalize
+___cxa_finalize_ranges
+___cxa_thread_atexit
+___d2b_D2A
+___dbpanic
+___decrement_D2A
+___default_hash
+___default_utx
+___delpair
+___diff_D2A
+___dtoa
+___expand_table
+___fflush
+___fgetwc
+___find_bigpair
+___find_last_page
+___fix_locale_grouping_str
+___fread
+___free_ovflpage
+___freedtoa
+___gdtoa
+___gdtoa_locks
+___get_buf
+___get_page
+___gethex_D2A
+___getonlyClocaleconv
+___hash_open
+___hdtoa
+___hexdig_D2A
+___hexdig_init_D2A
+___hexnan_D2A
+___hi0bits_D2A
+___hldtoa
+___i2b_D2A
+___ibitmap
+___increment_D2A
+___isctype
+___istype
+___istype_l
+___ldtoa
+___libc_init
+___lo0bits_D2A
+___log2
+___lshift_D2A
+___maskrune
+___maskrune_l
+___match_D2A
+___mb_cur_max
+___mb_sb_limit
+___memccpy_chk
+___memcpy_chk
+___memmove_chk
+___memset_chk
+___mult_D2A
+___multadd_D2A
+___nrv_alloc_D2A
+___opendir2
+___opendir2$INODE64
+___ovfl_delete
+___ovfl_get
+___ovfl_put
+___pow5mult_D2A
+___put_page
+___quorem_D2A
+___ratio_D2A
+___rec_close
+___rec_delete
+___rec_dleaf
+___rec_fd
+___rec_fmap
+___rec_fpipe
+___rec_get
+___rec_iput
+___rec_open
+___rec_put
+___rec_ret
+___rec_search
+___rec_seq
+___rec_sync
+___rec_vmap
+___rec_vpipe
+___reclaim_buf
+___rshift_D2A
+___rv_alloc_D2A
+___s2b_D2A
+___sF
+___sclose
+___sdidinit
+___set_ones_D2A
+___setonlyClocaleconv
+___sflags
+___sflush
+___sfp
+___sfvwrite
+___sglue
+___sinit
+___slbexpand
+___smakebuf
+___snprintf_chk
+___split_page
+___sprintf_chk
+___sread
+___srefill
+___srget
+___sseek
+___stack_chk_fail
+___stack_chk_guard
+___stderrp
+___stdinp
+___stdoutp
+___stpcpy_chk
+___stpncpy_chk
+___strcat_chk
+___strcp_D2A
+___strcpy_chk
+___strlcat_chk
+___strlcpy_chk
+___strncat_chk
+___strncpy_chk
+___strtodg
+___strtopdd
+___strtopx
+___sum_D2A
+___svfscanf
+___swbuf
+___swhatbuf
+___swrite
+___swsetup
+___tens_D2A
+___tinytens_D2A
+___tolower
+___tolower_l
+___toupper
+___toupper_l
+___trailz_D2A
+___ulp_D2A
+___ungetc
+___ungetwc
+___vsnprintf_chk
+___vsprintf_chk
+___wcwidth
+___wcwidth_l
+__allocenvstate
+__atexit_receipt
+__c_locale
+__cleanup
+__closeutx
+__copyenv
+__cthread_init_routine
+__deallocenvstate
+__endutxent
+__flockfile_debug_stub
+__fseeko
+__ftello
+__fwalk
+__getenvp
+__getutxent
+__getutxid
+__getutxline
+__inet_aton_check
+__init_clock_port
+__int_to_time
+__libc_fork_child
+__libc_initializer
+__long_to_time
+__mkpath_np
+__mktemp
+__openutx
+__os_assert_log
+__os_assert_log_ctx
+__os_assumes_log
+__os_assumes_log_ctx
+__os_avoid_tail_call
+__os_crash
+__os_crash_callback
+__os_debug_log
+__os_debug_log_error_str
+__putenvp
+__pututxline
+__rand48_add
+__rand48_mult
+__rand48_seed
+__readdir_unlocked
+__readdir_unlocked$INODE64
+__reclaim_telldir
+__seekdir
+__seekdir$INODE64
+__setenvp
+__setutxent
+__sigaction_nobind
+__sigintr
+__signal_nobind
+__sigvec_nobind
+__sread
+__sseek
+__swrite
+__time32_to_time
+__time64_to_time
+__time_to_int
+__time_to_long
+__time_to_time32
+__time_to_time64
+__unsetenvp
+__utmpxname
+_a64l
+_abort
+_abort_report_np
+_abs
+_acl_add_flag_np
+_acl_add_perm
+_acl_calc_mask
+_acl_clear_flags_np
+_acl_clear_perms
+_acl_copy_entry
+_acl_copy_ext
+_acl_copy_ext_native
+_acl_copy_int
+_acl_copy_int_native
+_acl_create_entry
+_acl_create_entry_np
+_acl_delete_def_file
+_acl_delete_entry
+_acl_delete_fd_np
+_acl_delete_file_np
+_acl_delete_flag_np
+_acl_delete_link_np
+_acl_delete_perm
+_acl_dup
+_acl_free
+_acl_from_text
+_acl_get_entry
+_acl_get_fd
+_acl_get_fd_np
+_acl_get_file
+_acl_get_flag_np
+_acl_get_flagset_np
+_acl_get_link_np
+_acl_get_perm_np
+_acl_get_permset
+_acl_get_permset_mask_np
+_acl_get_qualifier
+_acl_get_tag_type
+_acl_init
+_acl_maximal_permset_mask_np
+_acl_set_fd
+_acl_set_fd_np
+_acl_set_file
+_acl_set_flagset_np
+_acl_set_link_np
+_acl_set_permset
+_acl_set_permset_mask_np
+_acl_set_qualifier
+_acl_set_tag_type
+_acl_size
+_acl_to_text
+_acl_valid
+_acl_valid_fd_np
+_acl_valid_file_np
+_acl_valid_link
+_addr2ascii
+_alarm
+_alphasort
+_alphasort$INODE64
+_arc4random
+_arc4random_addrandom
+_arc4random_buf
+_arc4random_stir
+_arc4random_uniform
+_ascii2addr
+_asctime
+_asctime_r
+_asprintf
+_asprintf_l
+_asxprintf
+_asxprintf_exec
+_atexit
+_atexit_b
+_atof
+_atof_l
+_atoi
+_atoi_l
+_atol
+_atol_l
+_atoll
+_atoll_l
+_backtrace
+_backtrace_symbols
+_backtrace_symbols_fd
+_basename
+_basename_r
+_bcmp
+_bcopy
+_brk
+_bsd_signal
+_bsearch
+_bsearch_b
+_btowc
+_btowc_l
+_bzero
+_catclose
+_catgets
+_catopen
+_cfgetispeed
+_cfgetospeed
+_cfmakeraw
+_cfsetispeed
+_cfsetospeed
+_cfsetspeed
+_cgetcap
+_cgetclose
+_cgetent
+_cgetfirst
+_cgetmatch
+_cgetnext
+_cgetnum
+_cgetset
+_cgetstr
+_cgetustr
+_chmodx_np
+_clearerr
+_clearerr_unlocked
+_clock
+_clock_getres
+_clock_gettime
+_clock_gettime_nsec_np
+_clock_port
+_clock_sem
+_clock_settime
+_closedir
+_compat_mode
+_confstr
+_copy_printf_domain
+_creat
+_creat$NOCANCEL
+_crypt
+_ctermid
+_ctermid_r
+_ctime
+_ctime_r
+_daemon
+_daemon$1050
+_daylight
+_dbm_clearerr
+_dbm_close
+_dbm_delete
+_dbm_dirfno
+_dbm_error
+_dbm_fetch
+_dbm_firstkey
+_dbm_nextkey
+_dbm_open
+_dbm_store
+_dbopen
+_devname
+_devname_r
+_difftime
+_digittoint
+_digittoint_l
+_dirfd
+_dirname
+_dirname_r
+_div
+_dprintf
+_dprintf_l
+_drand48
+_duplocale
+_dxprintf
+_dxprintf_exec
+_ecvt
+_encrypt
+_endttyent
+_endusershell
+_endutxent
+_endutxent_wtmp
+_erand48
+_err
+_err_set_exit
+_err_set_exit_b
+_err_set_file
+_errc
+_errx
+_execl
+_execle
+_execlp
+_execv
+_execvP
+_execvp
+_exit
+_f_prealloc
+_fchmodx_np
+_fclose
+_fcvt
+_fdopen
+_fdopen$DARWIN_EXTSN
+_fdopendir
+_fdopendir$INODE64
+_feof
+_feof_unlocked
+_ferror
+_ferror_unlocked
+_fflagstostr
+_fflush
+_fgetc
+_fgetln
+_fgetpos
+_fgetrune
+_fgets
+_fgetwc
+_fgetwc_l
+_fgetwln
+_fgetwln_l
+_fgetws
+_fgetws_l
+_fileno
+_fileno_unlocked
+_filesec_dup
+_filesec_free
+_filesec_get_property
+_filesec_init
+_filesec_query_property
+_filesec_set_property
+_filesec_unset_property
+_flockfile
+_fmtcheck
+_fmtmsg
+_fnmatch
+_fopen
+_fopen$DARWIN_EXTSN
+_fork
+_forkpty
+_fparseln
+_fprintf
+_fprintf_l
+_fpurge
+_fputc
+_fputrune
+_fputs
+_fputwc
+_fputwc_l
+_fputws
+_fputws_l
+_fread
+_free_printf_comp
+_free_printf_domain
+_freelocale
+_freopen
+_fscanf
+_fscanf_l
+_fseek
+_fseeko
+_fsetpos
+_fstatvfs
+_fstatx64_np
+_fstatx_np
+_fstatx_np$INODE64
+_fsync_volume_np
+_ftell
+_ftello
+_ftime
+_ftok
+_ftrylockfile
+_fts_children
+_fts_children$INODE64
+_fts_close
+_fts_close$INODE64
+_fts_open
+_fts_open$INODE64
+_fts_open_b
+_fts_open_b$INODE64
+_fts_read
+_fts_read$INODE64
+_fts_set
+_fts_set$INODE64
+_ftw
+_ftw$INODE64
+_fungetrune
+_funlockfile
+_funopen
+_fwide
+_fwprintf
+_fwprintf_l
+_fwrite
+_fwscanf
+_fwscanf_l
+_fxprintf
+_fxprintf_exec
+_gcvt
+_getbsize
+_getc
+_getc_unlocked
+_getchar
+_getchar_unlocked
+_getcwd
+_getdate
+_getdate_err
+_getdelim
+_getdiskbyname
+_getenv
+_getgroups$DARWIN_EXTSN
+_gethostid
+_gethostname
+_getipv4sourcefilter
+_getlastlogx
+_getlastlogxbyname
+_getline
+_getloadavg
+_getlogin
+_getlogin_r
+_getmntinfo
+_getmntinfo$INODE64
+_getmntinfo64
+_getmode
+_getopt
+_getopt_long
+_getopt_long_only
+_getpagesize
+_getpass
+_getpeereid
+_getprogname
+_gets
+_getsourcefilter
+_getsubopt
+_gettimeofday
+_getttyent
+_getttynam
+_getusershell
+_getutmp
+_getutmpx
+_getutxent
+_getutxent_wtmp
+_getutxid
+_getutxline
+_getvfsbyname
+_getw
+_getwc
+_getwc_l
+_getwchar
+_getwchar_l
+_getwd
+_glob
+_glob$INODE64
+_glob_b
+_glob_b$INODE64
+_globfree
+_gmtime
+_gmtime_r
+_grantpt
+_hash_create
+_hash_destroy
+_hash_purge
+_hash_search
+_hash_stats
+_hash_traverse
+_hcreate
+_hdestroy
+_heapsort
+_heapsort_b
+_hsearch
+_imaxabs
+_imaxdiv
+_index
+_inet_addr
+_inet_aton
+_inet_lnaof
+_inet_makeaddr
+_inet_net_ntop
+_inet_net_pton
+_inet_neta
+_inet_netof
+_inet_network
+_inet_nsap_addr
+_inet_nsap_ntoa
+_inet_ntoa
+_inet_ntop
+_inet_ntop4
+_inet_ntop6
+_inet_pton
+_initstate
+_insque
+_isalnum
+_isalnum_l
+_isalpha
+_isalpha_l
+_isascii
+_isatty
+_isblank
+_isblank_l
+_iscntrl
+_iscntrl_l
+_isdigit
+_isdigit_l
+_isgraph
+_isgraph_l
+_ishexnumber
+_ishexnumber_l
+_isideogram
+_isideogram_l
+_islower
+_islower_l
+_isnumber
+_isnumber_l
+_isphonogram
+_isphonogram_l
+_isprint
+_isprint_l
+_ispunct
+_ispunct_l
+_isrune
+_isrune_l
+_isspace
+_isspace_l
+_isspecial
+_isspecial_l
+_isupper
+_isupper_l
+_iswalnum
+_iswalnum_l
+_iswalpha
+_iswalpha_l
+_iswascii
+_iswblank
+_iswblank_l
+_iswcntrl
+_iswcntrl_l
+_iswctype
+_iswctype_l
+_iswdigit
+_iswdigit_l
+_iswgraph
+_iswgraph_l
+_iswhexnumber
+_iswhexnumber_l
+_iswideogram
+_iswideogram_l
+_iswlower
+_iswlower_l
+_iswnumber
+_iswnumber_l
+_iswphonogram
+_iswphonogram_l
+_iswprint
+_iswprint_l
+_iswpunct
+_iswpunct_l
+_iswrune
+_iswrune_l
+_iswspace
+_iswspace_l
+_iswspecial
+_iswspecial_l
+_iswupper
+_iswupper_l
+_iswxdigit
+_iswxdigit_l
+_isxdigit
+_isxdigit_l
+_jrand48
+_kOSThermalNotificationPressureLevelName
+_killpg
+_l64a
+_labs
+_lchflags
+_lchmod
+_lcong48
+_ldiv
+_lfind
+_link_addr
+_link_ntoa
+_llabs
+_lldiv
+_localeconv
+_localeconv_l
+_localtime
+_localtime_r
+_lockf
+_lockf$NOCANCEL
+_login
+_login_tty
+_logout
+_logwtmp
+_lrand48
+_lsearch
+_lstatx64_np
+_lstatx_np
+_lstatx_np$INODE64
+_lutimes
+_mblen
+_mblen_l
+_mbmb
+_mbrlen
+_mbrlen_l
+_mbrrune
+_mbrtowc
+_mbrtowc_l
+_mbrune
+_mbsinit
+_mbsinit_l
+_mbsnrtowcs
+_mbsnrtowcs_l
+_mbsrtowcs
+_mbsrtowcs_l
+_mbstowcs
+_mbstowcs_l
+_mbtowc
+_mbtowc_l
+_memccpy
+_memchr
+_memcmp
+_memcpy
+_memmem
+_memmove
+_memset
+_memset_pattern16
+_memset_pattern4
+_memset_pattern8
+_memset_s
+_mergesort
+_mergesort_b
+_mkdirx_np
+_mkdtemp
+_mkfifox_np
+_mkostemp
+_mkostemps
+_mkpath_np
+_mkpathat_np
+_mkstemp
+_mkstemp_dprotected_np
+_mkstemps
+_mktemp
+_mktime
+_monaddition
+_moncontrol
+_moncount
+_moninit
+_monitor
+_monoutput
+_monreset
+_monstartup
+_mpool_close
+_mpool_filter
+_mpool_get
+_mpool_new
+_mpool_open
+_mpool_put
+_mpool_sync
+_mrand48
+_nanosleep
+_nanosleep$NOCANCEL
+_new_printf_comp
+_new_printf_domain
+_newlocale
+_nextwctype
+_nextwctype_l
+_nftw
+_nftw$INODE64
+_nice
+_nl_langinfo
+_nl_langinfo_l
+_nrand48
+_nvis
+_off32
+_off64
+_offtime
+_opendev
+_opendir
+_opendir$INODE64
+_openpty
+_openx_np
+_optarg
+_opterr
+_optind
+_optopt
+_optreset
+_pause
+_pause$NOCANCEL
+_pclose
+_perror
+_popen
+_popen$DARWIN_EXTSN
+_posix2time
+_posix_openpt
+_posix_spawnp
+_printf
+_printf_l
+_psignal
+_psort
+_psort_b
+_psort_r
+_ptsname
+_putc
+_putc_unlocked
+_putchar
+_putchar_unlocked
+_putenv
+_puts
+_pututxline
+_putw
+_putwc
+_putwc_l
+_putwchar
+_putwchar_l
+_qsort
+_qsort_b
+_qsort_r
+_querylocale
+_radixsort
+_raise
+_rand
+_rand_r
+_random
+_rb_tree_count
+_rb_tree_find_node
+_rb_tree_find_node_geq
+_rb_tree_find_node_leq
+_rb_tree_init
+_rb_tree_insert_node
+_rb_tree_iterate
+_rb_tree_remove_node
+_readdir
+_readdir$INODE64
+_readdir_r
+_readdir_r$INODE64
+_readpassphrase
+_reallocf
+_realpath
+_realpath$DARWIN_EXTSN
+_recv
+_recv$NOCANCEL
+_regcomp
+_regcomp_l
+_regerror
+_regexec
+_regfree
+_register_printf_domain_function
+_register_printf_domain_render_std
+_regncomp
+_regncomp_l
+_regnexec
+_regwcomp
+_regwcomp_l
+_regwexec
+_regwncomp
+_regwncomp_l
+_regwnexec
+_remove
+_remque
+_rewind
+_rewinddir
+_rewinddir$INODE64
+_rindex
+_sbrk
+_scandir
+_scandir$INODE64
+_scandir_b
+_scandir_b$INODE64
+_scanf
+_scanf_l
+_seed48
+_seekdir
+_seekdir$INODE64
+_send
+_send$NOCANCEL
+_setbuf
+_setbuffer
+_setenv
+_sethostid
+_sethostname
+_setinvalidrune
+_setipv4sourcefilter
+_setkey
+_setlinebuf
+_setlocale
+_setlogin
+_setmode
+_setpgrp
+_setprogname
+_setrgid
+_setruid
+_setrunelocale
+_setsourcefilter
+_setstate
+_settimeofday
+_setttyent
+_setusershell
+_setutxent
+_setutxent_wtmp
+_setvbuf
+_sigaction
+_sigaddset
+_sigaltstack
+_sigblock
+_sigdelset
+_sigemptyset
+_sigfillset
+_sighold
+_sigignore
+_siginterrupt
+_sigismember
+_signal
+_sigpause
+_sigpause$NOCANCEL
+_sigrelse
+_sigset
+_sigsetmask
+_sigvec
+_skip
+_sl_add
+_sl_find
+_sl_free
+_sl_init
+_sleep
+_sleep$NOCANCEL
+_snprintf
+_snprintf_l
+_snvis
+_sockatmark
+_sprintf
+_sprintf_l
+_sradixsort
+_srand
+_srand48
+_sranddev
+_srandom
+_srandomdev
+_sscanf
+_sscanf_l
+_statvfs
+_statx64_np
+_statx_np
+_statx_np$INODE64
+_stpcpy
+_stpncpy
+_strcasecmp
+_strcasecmp_l
+_strcasestr
+_strcasestr_l
+_strcat
+_strchr
+_strcmp
+_strcoll
+_strcoll_l
+_strcpy
+_strcspn
+_strdup
+_strenvisx
+_strerror
+_strerror_r
+_strfmon
+_strfmon_l
+_strftime
+_strftime_l
+_strlcat
+_strlcpy
+_strlen
+_strmode
+_strncasecmp
+_strncasecmp_l
+_strncat
+_strncmp
+_strncpy
+_strndup
+_strnlen
+_strnstr
+_strnunvis
+_strnunvisx
+_strnvis
+_strnvisx
+_strpbrk
+_strptime
+_strptime_l
+_strrchr
+_strsenvisx
+_strsep
+_strsignal
+_strsnvis
+_strsnvisx
+_strspn
+_strstr
+_strsvis
+_strsvisx
+_strtod
+_strtod_l
+_strtof
+_strtof_l
+_strtofflags
+_strtoimax
+_strtoimax_l
+_strtok
+_strtok_r
+_strtol
+_strtol_l
+_strtold
+_strtold_l
+_strtoll
+_strtoll_l
+_strtoq
+_strtoq_l
+_strtoul
+_strtoul_l
+_strtoull
+_strtoull_l
+_strtoumax
+_strtoumax_l
+_strtouq
+_strtouq_l
+_strunvis
+_strunvisx
+_strvis
+_strvisx
+_strxfrm
+_strxfrm_l
+_suboptarg
+_svis
+_swab
+_swprintf
+_swprintf_l
+_swscanf
+_swscanf_l
+_sxprintf
+_sxprintf_exec
+_sync_volume_np
+_sys_errlist
+_sys_nerr
+_sys_siglist
+_sys_signame
+_sysconf
+_sysctl
+_sysctlbyname
+_sysctlnametomib
+_system
+_system$NOCANCEL
+_tcdrain
+_tcdrain$NOCANCEL
+_tcflow
+_tcflush
+_tcgetattr
+_tcgetpgrp
+_tcgetsid
+_tcsendbreak
+_tcsetattr
+_tcsetpgrp
+_tdelete
+_telldir
+_telldir$INODE64
+_tempnam
+_tfind
+_thread_stack_pcs
+_time
+_time2posix
+_timegm
+_timelocal
+_timeoff
+_times
+_timezone
+_timingsafe_bcmp
+_tmpfile
+_tmpnam
+_toascii
+_tolower
+_tolower_l
+_toupper
+_toupper_l
+_towctrans
+_towctrans_l
+_towlower
+_towlower_l
+_towupper
+_towupper_l
+_tre_ast_new_catenation
+_tre_ast_new_iter
+_tre_ast_new_literal
+_tre_ast_new_node
+_tre_ast_new_union
+_tre_compile
+_tre_fill_pmatch
+_tre_free
+_tre_mem_alloc_impl
+_tre_mem_destroy
+_tre_mem_new_impl
+_tre_parse
+_tre_stack_destroy
+_tre_stack_new
+_tre_stack_num_objects
+_tre_tnfa_run_backtrack
+_tre_tnfa_run_parallel
+_tsearch
+_ttyname
+_ttyname_r
+_ttyslot
+_twalk
+_tzname
+_tzset
+_tzsetwall
+_ualarm
+_ulimit
+_umaskx_np
+_uname
+_ungetc
+_ungetwc
+_ungetwc_l
+_unlockpt
+_unsetenv
+_unvis
+_uselocale
+_usleep
+_usleep$NOCANCEL
+_utime
+_utmpxname
+_uuid_clear
+_uuid_compare
+_uuid_copy
+_uuid_generate
+_uuid_generate_random
+_uuid_generate_time
+_uuid_is_null
+_uuid_pack
+_uuid_parse
+_uuid_unpack
+_uuid_unparse
+_uuid_unparse_lower
+_uuid_unparse_upper
+_vasprintf
+_vasprintf_l
+_vasxprintf
+_vasxprintf_exec
+_vdprintf
+_vdprintf_l
+_vdxprintf
+_vdxprintf_exec
+_verr
+_verrc
+_verrx
+_vfprintf
+_vfprintf_l
+_vfscanf
+_vfscanf_l
+_vfwprintf
+_vfwprintf_l
+_vfwscanf
+_vfwscanf_l
+_vfxprintf
+_vfxprintf_exec
+_vis
+_vprintf
+_vprintf_l
+_vscanf
+_vscanf_l
+_vsnprintf
+_vsnprintf_l
+_vsprintf
+_vsprintf_l
+_vsscanf
+_vsscanf_l
+_vswprintf
+_vswprintf_l
+_vswscanf
+_vswscanf_l
+_vsxprintf
+_vsxprintf_exec
+_vwarn
+_vwarnc
+_vwarnx
+_vwprintf
+_vwprintf_l
+_vwscanf
+_vwscanf_l
+_vxprintf
+_vxprintf_exec
+_wait
+_wait$NOCANCEL
+_wait3
+_waitpid
+_waitpid$NOCANCEL
+_warn
+_warnc
+_warnx
+_wcpcpy
+_wcpncpy
+_wcrtomb
+_wcrtomb_l
+_wcscasecmp
+_wcscasecmp_l
+_wcscat
+_wcschr
+_wcscmp
+_wcscoll
+_wcscoll_l
+_wcscpy
+_wcscspn
+_wcsdup
+_wcsftime
+_wcsftime_l
+_wcslcat
+_wcslcpy
+_wcslen
+_wcsncasecmp
+_wcsncasecmp_l
+_wcsncat
+_wcsncmp
+_wcsncpy
+_wcsnlen
+_wcsnrtombs
+_wcsnrtombs_l
+_wcspbrk
+_wcsrchr
+_wcsrtombs
+_wcsrtombs_l
+_wcsspn
+_wcsstr
+_wcstod
+_wcstod_l
+_wcstof
+_wcstof_l
+_wcstoimax
+_wcstoimax_l
+_wcstok
+_wcstol
+_wcstol_l
+_wcstold
+_wcstold_l
+_wcstoll
+_wcstoll_l
+_wcstombs
+_wcstombs_l
+_wcstoul
+_wcstoul_l
+_wcstoull
+_wcstoull_l
+_wcstoumax
+_wcstoumax_l
+_wcswidth
+_wcswidth_l
+_wcsxfrm
+_wcsxfrm_l
+_wctob
+_wctob_l
+_wctomb
+_wctomb_l
+_wctrans
+_wctrans_l
+_wctype
+_wctype_l
+_wcwidth
+_wcwidth_l
+_wmemchr
+_wmemcmp
+_wmemcpy
+_wmemmove
+_wmemset
+_wordexp
+_wordfree
+_wprintf
+_wprintf_l
+_wscanf
+_wscanf_l
+_wtmpxname
+_xprintf
+_xprintf_exec
+mcount
diff --git a/nixpkgs/pkgs/os-specific/darwin/apple-source-releases/Libsystem/system_kernel_symbols b/nixpkgs/pkgs/os-specific/darwin/apple-source-releases/Libsystem/system_kernel_symbols
new file mode 100644
index 000000000000..7c5b90f95ed7
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/darwin/apple-source-releases/Libsystem/system_kernel_symbols
@@ -0,0 +1,1172 @@
+_NDR_record
+_____old_semwait_signal_nocancel
+_____sigwait_nocancel
+____kernelVersionNumber
+____kernelVersionString
+___abort_with_payload
+___accept
+___accept_nocancel
+___access_extended
+___aio_suspend_nocancel
+___bind
+___bsdthread_create
+___bsdthread_ctl
+___bsdthread_register
+___bsdthread_terminate
+___carbon_delete
+___channel_get_info
+___channel_get_opt
+___channel_open
+___channel_set_opt
+___channel_sync
+___chmod
+___chmod_extended
+___close_nocancel
+___coalition
+___coalition_info
+___commpage_gettimeofday
+___connect
+___connect_nocancel
+___copyfile
+___csrctl
+___delete
+___disable_threadsignal
+___error
+___exit
+___fchmod
+___fchmod_extended
+___fcntl
+___fcntl_nocancel
+___fork
+___fs_snapshot
+___fstat64_extended
+___fstat_extended
+___fsync_nocancel
+___get_remove_counter
+___getattrlist
+___getdirentries64
+___gethostuuid
+___getlogin
+___getpeername
+___getpid
+___getrlimit
+___getsgroups
+___getsockname
+___gettid
+___gettimeofday
+___getwgroups
+___guarded_open_dprotected_np
+___guarded_open_np
+___identitysvc
+___inc_remove_counter
+___initgroups
+___ioctl
+___iopolicysys
+___kdebug_trace
+___kdebug_trace64
+___kdebug_trace_string
+___kdebug_typefilter
+___kill
+___lchown
+___libkernel_init
+___libkernel_voucher_init
+___listen
+___lseek
+___lstat64_extended
+___lstat_extended
+___mac_execve
+___mac_get_fd
+___mac_get_file
+___mac_get_link
+___mac_get_mount
+___mac_get_pid
+___mac_get_proc
+___mac_getfsstat
+___mac_mount
+___mac_set_fd
+___mac_set_file
+___mac_set_link
+___mac_set_proc
+___mac_syscall
+___microstackshot
+___mkdir_extended
+___mkfifo_extended
+___mmap
+___mprotect
+___msgctl
+___msgrcv_nocancel
+___msgsnd_nocancel
+___msgsys
+___msync
+___msync_nocancel
+___munmap
+___nexus_create
+___nexus_deregister
+___nexus_destroy
+___nexus_get_opt
+___nexus_open
+___nexus_register
+___nexus_set_opt
+___old_semwait_signal
+___open
+___open_dprotected_np
+___open_extended
+___open_nocancel
+___openat
+___openat_nocancel
+___os_nexus_ifattach
+___os_nexus_ifdetach
+___persona
+___pipe
+___poll_nocancel
+___posix_spawn
+___pread_nocancel
+___proc_info
+___process_policy
+___pselect
+___pselect_nocancel
+___psynch_cvbroad
+___psynch_cvclrprepost
+___psynch_cvsignal
+___psynch_cvwait
+___psynch_mutexdrop
+___psynch_mutexwait
+___psynch_rw_downgrade
+___psynch_rw_longrdlock
+___psynch_rw_rdlock
+___psynch_rw_unlock
+___psynch_rw_unlock2
+___psynch_rw_upgrade
+___psynch_rw_wrlock
+___psynch_rw_yieldwrlock
+___pthread_canceled
+___pthread_chdir
+___pthread_fchdir
+___pthread_kill
+___pthread_markcancel
+___pthread_sigmask
+___ptrace
+___pwrite_nocancel
+___read_nocancel
+___readv_nocancel
+___recvfrom
+___recvfrom_nocancel
+___recvmsg
+___recvmsg_nocancel
+___rename
+___renameat
+___renameatx_np
+___rmdir
+___sandbox_me
+___sandbox_mm
+___sandbox_ms
+___sandbox_msp
+___select
+___select_nocancel
+___sem_open
+___sem_wait_nocancel
+___semctl
+___semsys
+___semwait_signal
+___semwait_signal_nocancel
+___sendmsg
+___sendmsg_nocancel
+___sendto
+___sendto_nocancel
+___setattrlist
+___setlogin
+___setpriority
+___setregid
+___setreuid
+___setrlimit
+___setsgroups
+___settid
+___settid_with_pid
+___settimeofday
+___setwgroups
+___sfi_ctl
+___sfi_pidctl
+___shared_region_check_np
+___shared_region_map_and_slide_np
+___shm_open
+___shmctl
+___shmsys
+___sigaction
+___sigaltstack
+___sigreturn
+___sigsuspend
+___sigsuspend_nocancel
+___sigwait
+___socketpair
+___stack_snapshot_with_config
+___stat64_extended
+___stat_extended
+___syscall
+___syscall_logger
+___sysctl
+___sysctlbyname
+___telemetry
+___terminate_with_payload
+___thread_selfid
+___thread_selfusage
+___ulock_wait
+___ulock_wake
+___umask_extended
+___unlink
+___unlinkat
+___vfork
+___wait4
+___wait4_nocancel
+___waitid_nocancel
+___work_interval_ctl
+___workq_kernreturn
+___workq_open
+___write_nocancel
+___writev_nocancel
+__cpu_capabilities
+__cpu_has_altivec
+__exit
+__get_cpu_capabilities
+__getprivatesystemidentifier
+__host_page_size
+__init_cpu_capabilities
+__kernelrpc_host_create_mach_voucher
+__kernelrpc_mach_port_allocate
+__kernelrpc_mach_port_allocate_full
+__kernelrpc_mach_port_allocate_name
+__kernelrpc_mach_port_allocate_qos
+__kernelrpc_mach_port_allocate_trap
+__kernelrpc_mach_port_construct
+__kernelrpc_mach_port_construct_trap
+__kernelrpc_mach_port_deallocate
+__kernelrpc_mach_port_deallocate_trap
+__kernelrpc_mach_port_destroy
+__kernelrpc_mach_port_destroy_trap
+__kernelrpc_mach_port_destruct
+__kernelrpc_mach_port_destruct_trap
+__kernelrpc_mach_port_dnrequest_info
+__kernelrpc_mach_port_extract_member
+__kernelrpc_mach_port_extract_member_trap
+__kernelrpc_mach_port_extract_right
+__kernelrpc_mach_port_get_attributes
+__kernelrpc_mach_port_get_context
+__kernelrpc_mach_port_get_refs
+__kernelrpc_mach_port_get_set_status
+__kernelrpc_mach_port_get_srights
+__kernelrpc_mach_port_guard
+__kernelrpc_mach_port_guard_trap
+__kernelrpc_mach_port_insert_member
+__kernelrpc_mach_port_insert_member_trap
+__kernelrpc_mach_port_insert_right
+__kernelrpc_mach_port_insert_right_trap
+__kernelrpc_mach_port_kernel_object
+__kernelrpc_mach_port_kobject
+__kernelrpc_mach_port_mod_refs
+__kernelrpc_mach_port_mod_refs_trap
+__kernelrpc_mach_port_move_member
+__kernelrpc_mach_port_move_member_trap
+__kernelrpc_mach_port_names
+__kernelrpc_mach_port_peek
+__kernelrpc_mach_port_rename
+__kernelrpc_mach_port_request_notification
+__kernelrpc_mach_port_set_attributes
+__kernelrpc_mach_port_set_context
+__kernelrpc_mach_port_set_mscount
+__kernelrpc_mach_port_set_seqno
+__kernelrpc_mach_port_space_basic_info
+__kernelrpc_mach_port_space_info
+__kernelrpc_mach_port_type
+__kernelrpc_mach_port_unguard
+__kernelrpc_mach_port_unguard_trap
+__kernelrpc_mach_vm_allocate
+__kernelrpc_mach_vm_allocate_trap
+__kernelrpc_mach_vm_deallocate
+__kernelrpc_mach_vm_deallocate_trap
+__kernelrpc_mach_vm_map
+__kernelrpc_mach_vm_map_trap
+__kernelrpc_mach_vm_protect
+__kernelrpc_mach_vm_protect_trap
+__kernelrpc_mach_vm_purgable_control
+__kernelrpc_mach_vm_purgable_control_trap
+__kernelrpc_mach_vm_read
+__kernelrpc_mach_vm_remap
+__kernelrpc_mach_voucher_extract_attr_recipe
+__kernelrpc_task_set_port_space
+__kernelrpc_thread_policy
+__kernelrpc_thread_policy_set
+__kernelrpc_thread_set_policy
+__kernelrpc_vm_map
+__kernelrpc_vm_purgable_control
+__kernelrpc_vm_read
+__kernelrpc_vm_remap
+__mach_errors
+__mach_fork_child
+__mach_snprintf
+__mach_vsnprintf
+__os_alloc_once_table
+__register_gethostuuid_callback
+__thread_set_tsd_base
+_abort_with_payload
+_abort_with_reason
+_accept
+_accept$NOCANCEL
+_access
+_accessx_np
+_acct
+_act_get_state
+_act_set_state
+_adjtime
+_aio_cancel
+_aio_error
+_aio_fsync
+_aio_read
+_aio_return
+_aio_suspend
+_aio_suspend$NOCANCEL
+_aio_write
+_audit
+_audit_session_join
+_audit_session_port
+_audit_session_self
+_auditctl
+_auditon
+_bind
+_bootstrap_port
+_cerror
+_cerror_nocancel
+_change_fdguard_np
+_chdir
+_chflags
+_chmod
+_chown
+_chroot
+_clock_alarm
+_clock_alarm_reply
+_clock_get_attributes
+_clock_get_time
+_clock_set_attributes
+_clock_set_time
+_clock_sleep
+_clock_sleep_trap
+_clonefile
+_clonefileat
+_close
+_close$NOCANCEL
+_coalition_create
+_coalition_info_resource_usage
+_coalition_reap
+_coalition_terminate
+_connect
+_connect$NOCANCEL
+_connectx
+_csops
+_csops_audittoken
+_csr_check
+_csr_get_active_config
+_denap_boost_assertion_token
+_disconnectx
+_dup
+_dup2
+_errno
+_etap_trace_thread
+_exc_server
+_exc_server_routine
+_exception_raise
+_exception_raise_state
+_exception_raise_state_identity
+_exchangedata
+_execve
+_faccessat
+_fchdir
+_fchflags
+_fchmod
+_fchmodat
+_fchown
+_fchownat
+_fclonefileat
+_fcntl
+_fcntl$NOCANCEL
+_fdatasync
+_ffsctl
+_fgetattrlist
+_fgetxattr
+_fhopen
+_fileport_makefd
+_fileport_makeport
+_flistxattr
+_flock
+_fpathconf
+_fremovexattr
+_fs_snapshot_create
+_fs_snapshot_delete
+_fs_snapshot_list
+_fs_snapshot_mount
+_fs_snapshot_rename
+_fs_snapshot_revert
+_fsctl
+_fsetattrlist
+_fsetxattr
+_fsgetpath
+_fstat
+_fstat$INODE64
+_fstat64
+_fstatat
+_fstatat$INODE64
+_fstatat64
+_fstatfs
+_fstatfs$INODE64
+_fstatfs64
+_fsync
+_fsync$NOCANCEL
+_ftruncate
+_futimes
+_getattrlist
+_getattrlistat
+_getattrlistbulk
+_getaudit
+_getaudit_addr
+_getauid
+_getdirentries
+_getdirentriesattr
+_getdtablesize
+_getegid
+_getentropy
+_geteuid
+_getfh
+_getfsstat
+_getfsstat$INODE64
+_getfsstat64
+_getgid
+_getgroups
+_gethostuuid
+_getiopolicy_np
+_getitimer
+_getpeername
+_getpgid
+_getpgrp
+_getpid
+_getppid
+_getpriority
+_getrlimit
+_getrusage
+_getsgroups_np
+_getsid
+_getsockname
+_getsockopt
+_getuid
+_getwgroups_np
+_getxattr
+_grab_pgo_data
+_guarded_close_np
+_guarded_kqueue_np
+_guarded_open_dprotected_np
+_guarded_open_np
+_guarded_pwrite_np
+_guarded_write_np
+_guarded_writev_np
+_host_check_multiuser_mode
+_host_create_mach_voucher
+_host_create_mach_voucher_trap
+_host_default_memory_manager
+_host_get_UNDServer
+_host_get_atm_diagnostic_flag
+_host_get_boot_info
+_host_get_clock_control
+_host_get_clock_service
+_host_get_exception_ports
+_host_get_io_master
+_host_get_multiuser_config_flags
+_host_get_special_port
+_host_info
+_host_kernel_version
+_host_lockgroup_info
+_host_page_size
+_host_priv_statistics
+_host_processor_info
+_host_processor_set_priv
+_host_processor_sets
+_host_processors
+_host_reboot
+_host_register_mach_voucher_attr_manager
+_host_register_well_known_mach_voucher_attr_manager
+_host_request_notification
+_host_security_create_task_token
+_host_security_set_task_token
+_host_self
+_host_self_trap
+_host_set_UNDServer
+_host_set_atm_diagnostic_flag
+_host_set_exception_ports
+_host_set_multiuser_config_flags
+_host_set_special_port
+_host_statistics
+_host_statistics64
+_host_swap_exception_ports
+_host_virtual_physical_table_info
+_i386_get_ldt
+_i386_set_ldt
+_important_boost_assertion_token
+_internal_catch_exc_subsystem
+_ioctl
+_issetugid
+_kas_info
+_kdebug_is_enabled
+_kdebug_signpost
+_kdebug_signpost_end
+_kdebug_signpost_start
+_kdebug_trace
+_kdebug_trace_string
+_kdebug_typefilter
+_kevent
+_kevent64
+_kevent_qos
+_kext_request
+_kill
+_kmod_control
+_kmod_create
+_kmod_destroy
+_kmod_get_info
+_kpersona_alloc
+_kpersona_dealloc
+_kpersona_find
+_kpersona_get
+_kpersona_info
+_kpersona_pidinfo
+_kqueue
+_lchown
+_ledger
+_link
+_linkat
+_lio_listio
+_listen
+_listxattr
+_lock_acquire
+_lock_handoff
+_lock_handoff_accept
+_lock_make_stable
+_lock_release
+_lock_set_create
+_lock_set_destroy
+_lock_try
+_lseek
+_lstat
+_lstat$INODE64
+_lstat64
+_mach_absolute_time
+_mach_approximate_time
+_mach_boottime_usec
+_mach_continuous_approximate_time
+_mach_continuous_time
+_mach_error
+_mach_error_full_diag
+_mach_error_string
+_mach_error_type
+_mach_generate_activity_id
+_mach_get_times
+_mach_host_self
+_mach_init
+_mach_make_memory_entry
+_mach_make_memory_entry_64
+_mach_memory_info
+_mach_memory_object_memory_entry
+_mach_memory_object_memory_entry_64
+_mach_msg
+_mach_msg_destroy
+_mach_msg_overwrite
+_mach_msg_overwrite_trap
+_mach_msg_receive
+_mach_msg_send
+_mach_msg_server
+_mach_msg_server_importance
+_mach_msg_server_once
+_mach_msg_trap
+_mach_notify_dead_name
+_mach_notify_no_senders
+_mach_notify_port_deleted
+_mach_notify_port_destroyed
+_mach_notify_send_once
+_mach_port_allocate
+_mach_port_allocate_full
+_mach_port_allocate_name
+_mach_port_allocate_qos
+_mach_port_construct
+_mach_port_deallocate
+_mach_port_destroy
+_mach_port_destruct
+_mach_port_dnrequest_info
+_mach_port_extract_member
+_mach_port_extract_right
+_mach_port_get_attributes
+_mach_port_get_context
+_mach_port_get_refs
+_mach_port_get_set_status
+_mach_port_get_srights
+_mach_port_guard
+_mach_port_insert_member
+_mach_port_insert_right
+_mach_port_kernel_object
+_mach_port_kobject
+_mach_port_mod_refs
+_mach_port_move_member
+_mach_port_names
+_mach_port_peek
+_mach_port_rename
+_mach_port_request_notification
+_mach_port_set_attributes
+_mach_port_set_context
+_mach_port_set_mscount
+_mach_port_set_seqno
+_mach_port_space_basic_info
+_mach_port_space_info
+_mach_port_type
+_mach_port_unguard
+_mach_ports_lookup
+_mach_ports_register
+_mach_reply_port
+_mach_task_self
+_mach_task_self_
+_mach_thread_self
+_mach_timebase_info
+_mach_timebase_info_trap
+_mach_vm_allocate
+_mach_vm_behavior_set
+_mach_vm_copy
+_mach_vm_deallocate
+_mach_vm_inherit
+_mach_vm_machine_attribute
+_mach_vm_map
+_mach_vm_msync
+_mach_vm_page_info
+_mach_vm_page_query
+_mach_vm_protect
+_mach_vm_purgable_control
+_mach_vm_read
+_mach_vm_read_list
+_mach_vm_read_overwrite
+_mach_vm_region
+_mach_vm_region_recurse
+_mach_vm_remap
+_mach_vm_wire
+_mach_vm_write
+_mach_voucher_attr_command
+_mach_voucher_deallocate
+_mach_voucher_debug_info
+_mach_voucher_extract_all_attr_recipes
+_mach_voucher_extract_attr_content
+_mach_voucher_extract_attr_recipe
+_mach_voucher_extract_attr_recipe_trap
+_mach_wait_until
+_mach_zone_force_gc
+_mach_zone_info
+_macx_backing_store_recovery
+_macx_backing_store_suspend
+_macx_swapoff
+_macx_swapon
+_macx_triggers
+_madvise
+_memorystatus_control
+_memorystatus_get_level
+_mig_allocate
+_mig_dealloc_reply_port
+_mig_deallocate
+_mig_get_reply_port
+_mig_put_reply_port
+_mig_reply_setup
+_mig_strncpy
+_mig_strncpy_zerofill
+_mincore
+_minherit
+_mk_timer_arm
+_mk_timer_cancel
+_mk_timer_create
+_mk_timer_destroy
+_mkdir
+_mkdirat
+_mkfifo
+_mknod
+_mlock
+_mlockall
+_mmap
+_modwatch
+_mount
+_mprotect
+_mremap_encrypted
+_msg_receive
+_msg_rpc
+_msg_send
+_msgctl
+_msgget
+_msgrcv
+_msgrcv$NOCANCEL
+_msgsnd
+_msgsnd$NOCANCEL
+_msgsys
+_msync
+_msync$NOCANCEL
+_munlock
+_munlockall
+_munmap
+_necp_client_action
+_necp_match_policy
+_necp_open
+_netagent_trigger
+_netname_check_in
+_netname_check_out
+_netname_look_up
+_netname_version
+_nfsclnt
+_nfssvc
+_non_boost_assertion_token
+_normal_boost_assertion_token
+_open
+_open$NOCANCEL
+_open_dprotected_np
+_openat
+_openat$NOCANCEL
+_openbyid_np
+_os_channel_advance_slot
+_os_channel_attr_clone
+_os_channel_attr_create
+_os_channel_attr_destroy
+_os_channel_attr_get
+_os_channel_attr_get_key
+_os_channel_attr_set
+_os_channel_attr_set_key
+_os_channel_available_slot_count
+_os_channel_create
+_os_channel_create_extended
+_os_channel_destroy
+_os_channel_get_fd
+_os_channel_get_next_slot
+_os_channel_pending
+_os_channel_read_attr
+_os_channel_read_nexus_extension_info
+_os_channel_ring_id
+_os_channel_rx_ring
+_os_channel_set_slot_properties
+_os_channel_sync
+_os_channel_tx_ring
+_os_channel_write_attr
+_os_nexus_attr_clone
+_os_nexus_attr_create
+_os_nexus_attr_destroy
+_os_nexus_attr_get
+_os_nexus_attr_set
+_os_nexus_controller_alloc_provider_instance
+_os_nexus_controller_bind_provider_instance
+_os_nexus_controller_create
+_os_nexus_controller_deregister_provider
+_os_nexus_controller_destroy
+_os_nexus_controller_free_provider_instance
+_os_nexus_controller_get_fd
+_os_nexus_controller_read_provider_attr
+_os_nexus_controller_register_provider
+_os_nexus_controller_unbind_provider_instance
+_panic
+_panic_init
+_pathconf
+_peeloff
+_pid_for_task
+_pid_hibernate
+_pid_resume
+_pid_shutdown_sockets
+_pid_suspend
+_pipe
+_poll
+_poll$NOCANCEL
+_port_obj_init
+_port_obj_table
+_port_obj_table_size
+_posix_madvise
+_posix_spawn
+_posix_spawn_file_actions_addclose
+_posix_spawn_file_actions_adddup2
+_posix_spawn_file_actions_addinherit_np
+_posix_spawn_file_actions_addopen
+_posix_spawn_file_actions_destroy
+_posix_spawn_file_actions_init
+_posix_spawnattr_destroy
+_posix_spawnattr_get_darwin_role_np
+_posix_spawnattr_get_qos_clamp_np
+_posix_spawnattr_getbinpref_np
+_posix_spawnattr_getcpumonitor
+_posix_spawnattr_getflags
+_posix_spawnattr_getmacpolicyinfo_np
+_posix_spawnattr_getpcontrol_np
+_posix_spawnattr_getpgroup
+_posix_spawnattr_getprocesstype_np
+_posix_spawnattr_getsigdefault
+_posix_spawnattr_getsigmask
+_posix_spawnattr_init
+_posix_spawnattr_set_darwin_role_np
+_posix_spawnattr_set_importancewatch_port_np
+_posix_spawnattr_set_persona_gid_np
+_posix_spawnattr_set_persona_groups_np
+_posix_spawnattr_set_persona_np
+_posix_spawnattr_set_persona_uid_np
+_posix_spawnattr_set_qos_clamp_np
+_posix_spawnattr_setauditsessionport_np
+_posix_spawnattr_setbinpref_np
+_posix_spawnattr_setcoalition_np
+_posix_spawnattr_setcpumonitor
+_posix_spawnattr_setcpumonitor_default
+_posix_spawnattr_setexceptionports_np
+_posix_spawnattr_setflags
+_posix_spawnattr_setjetsam_ext
+_posix_spawnattr_setmacpolicyinfo_np
+_posix_spawnattr_setpcontrol_np
+_posix_spawnattr_setpgroup
+_posix_spawnattr_setprocesstype_np
+_posix_spawnattr_setsigdefault
+_posix_spawnattr_setsigmask
+_posix_spawnattr_setspecialport_np
+_pread
+_pread$NOCANCEL
+_proc_clear_cpulimits
+_proc_clear_delayidlesleep
+_proc_clear_dirty
+_proc_clear_vmpressure
+_proc_denap_assertion_begin_with_msg
+_proc_denap_assertion_complete
+_proc_disable_apptype
+_proc_disable_cpumon
+_proc_disable_wakemon
+_proc_donate_importance_boost
+_proc_enable_apptype
+_proc_get_cpumon_params
+_proc_get_dirty
+_proc_get_wakemon_params
+_proc_importance_assertion_begin_with_msg
+_proc_importance_assertion_complete
+_proc_kmsgbuf
+_proc_libversion
+_proc_list_uptrs
+_proc_listallpids
+_proc_listchildpids
+_proc_listcoalitions
+_proc_listpgrppids
+_proc_listpids
+_proc_listpidspath
+_proc_name
+_proc_pid_rusage
+_proc_pidfdinfo
+_proc_pidfileportinfo
+_proc_pidinfo
+_proc_pidoriginatorinfo
+_proc_pidpath
+_proc_regionfilename
+_proc_resume_cpumon
+_proc_rlimit_control
+_proc_set_cpumon_defaults
+_proc_set_cpumon_params
+_proc_set_cpumon_params_fatal
+_proc_set_delayidlesleep
+_proc_set_dirty
+_proc_set_owner_vmpressure
+_proc_set_wakemon_defaults
+_proc_set_wakemon_params
+_proc_setcpu_percentage
+_proc_setpcontrol
+_proc_setthread_cpupercent
+_proc_suppress
+_proc_terminate
+_proc_trace_log
+_proc_track_dirty
+_proc_uuid_policy
+_processor_assign
+_processor_control
+_processor_exit
+_processor_get_assignment
+_processor_info
+_processor_set_create
+_processor_set_default
+_processor_set_destroy
+_processor_set_info
+_processor_set_max_priority
+_processor_set_policy_control
+_processor_set_policy_disable
+_processor_set_policy_enable
+_processor_set_stack_usage
+_processor_set_statistics
+_processor_set_tasks
+_processor_set_threads
+_processor_start
+_pselect
+_pselect$1050
+_pselect$DARWIN_EXTSN
+_pselect$DARWIN_EXTSN$NOCANCEL
+_pselect$NOCANCEL
+_pthread_getugid_np
+_pthread_setugid_np
+_ptrace
+_pwrite
+_pwrite$NOCANCEL
+_quota
+_quotactl
+_read
+_read$NOCANCEL
+_readlink
+_readlinkat
+_readv
+_readv$NOCANCEL
+_reboot
+_recvfrom
+_recvfrom$NOCANCEL
+_recvmsg
+_recvmsg$NOCANCEL
+_recvmsg_x
+_removexattr
+_rename
+_rename_ext
+_renameat
+_renameatx_np
+_renamex_np
+_revoke
+_rmdir
+_searchfs
+_select
+_select$1050
+_select$DARWIN_EXTSN
+_select$DARWIN_EXTSN$NOCANCEL
+_select$NOCANCEL
+_sem_close
+_sem_destroy
+_sem_getvalue
+_sem_init
+_sem_open
+_sem_post
+_sem_trywait
+_sem_unlink
+_sem_wait
+_sem_wait$NOCANCEL
+_semaphore_create
+_semaphore_destroy
+_semaphore_signal
+_semaphore_signal_all
+_semaphore_signal_all_trap
+_semaphore_signal_thread
+_semaphore_signal_thread_trap
+_semaphore_signal_trap
+_semaphore_timedwait
+_semaphore_timedwait_signal
+_semaphore_timedwait_signal_trap
+_semaphore_timedwait_trap
+_semaphore_wait
+_semaphore_wait_signal
+_semaphore_wait_signal_trap
+_semaphore_wait_trap
+_semctl
+_semget
+_semop
+_semsys
+_sendfile
+_sendmsg
+_sendmsg$NOCANCEL
+_sendmsg_x
+_sendto
+_sendto$NOCANCEL
+_setattrlist
+_setaudit
+_setaudit_addr
+_setauid
+_setegid
+_seteuid
+_setgid
+_setgroups
+_setiopolicy_np
+_setitimer
+_setpgid
+_setpriority
+_setprivexec
+_setquota
+_setregid
+_setreuid
+_setrlimit
+_setsgroups_np
+_setsid
+_setsockopt
+_setuid
+_setwgroups_np
+_setxattr
+_sfi_get_class_offtime
+_sfi_process_get_flags
+_sfi_process_set_flags
+_sfi_set_class_offtime
+_shm_open
+_shm_unlink
+_shmat
+_shmctl
+_shmdt
+_shmget
+_shmsys
+_shutdown
+_sigpending
+_sigprocmask
+_sigsuspend
+_sigsuspend$NOCANCEL
+_socket
+_socket_delegate
+_socketpair
+_stackshot_capture_with_config
+_stackshot_config_create
+_stackshot_config_dealloc
+_stackshot_config_dealloc_buffer
+_stackshot_config_get_stackshot_buffer
+_stackshot_config_get_stackshot_size
+_stackshot_config_set_delta_timestamp
+_stackshot_config_set_flags
+_stackshot_config_set_pid
+_stackshot_config_set_size_hint
+_stat
+_stat$INODE64
+_stat64
+_statfs
+_statfs$INODE64
+_statfs64
+_swapon
+_swtch
+_swtch_pri
+_symlink
+_symlinkat
+_sync
+_syscall
+_syscall_thread_switch
+_system_get_sfi_window
+_system_override
+_system_set_sfi_window
+_task_assign
+_task_assign_default
+_task_create
+_task_for_pid
+_task_generate_corpse
+_task_get_assignment
+_task_get_dyld_image_infos
+_task_get_emulation_vector
+_task_get_exception_ports
+_task_get_mach_voucher
+_task_get_special_port
+_task_get_state
+_task_info
+_task_map_corpse_info
+_task_map_corpse_info_64
+_task_name_for_pid
+_task_policy
+_task_policy_get
+_task_policy_set
+_task_purgable_info
+_task_register_dyld_get_process_state
+_task_register_dyld_image_infos
+_task_register_dyld_set_dyld_state
+_task_register_dyld_shared_cache_image_info
+_task_resume
+_task_resume2
+_task_sample
+_task_self_
+_task_self_trap
+_task_set_emulation
+_task_set_emulation_vector
+_task_set_exception_ports
+_task_set_info
+_task_set_mach_voucher
+_task_set_phys_footprint_limit
+_task_set_policy
+_task_set_port_space
+_task_set_ras_pc
+_task_set_special_port
+_task_set_state
+_task_suspend
+_task_suspend2
+_task_swap_exception_ports
+_task_swap_mach_voucher
+_task_terminate
+_task_threads
+_task_unregister_dyld_image_infos
+_task_zone_info
+_terminate_with_payload
+_terminate_with_reason
+_thread_abort
+_thread_abort_safely
+_thread_assign
+_thread_assign_default
+_thread_create
+_thread_create_running
+_thread_depress_abort
+_thread_get_assignment
+_thread_get_exception_ports
+_thread_get_mach_voucher
+_thread_get_register_pointer_values
+_thread_get_special_port
+_thread_get_state
+_thread_info
+_thread_policy
+_thread_policy_get
+_thread_policy_set
+_thread_resume
+_thread_sample
+_thread_self_trap
+_thread_set_exception_ports
+_thread_set_mach_voucher
+_thread_set_policy
+_thread_set_special_port
+_thread_set_state
+_thread_suspend
+_thread_swap_exception_ports
+_thread_swap_mach_voucher
+_thread_switch
+_thread_terminate
+_thread_wire
+_truncate
+_umask
+_undelete
+_unlink
+_unlinkat
+_unmount
+_usrctl
+_utimes
+_vfork
+_vfs_purge
+_vm_allocate
+_vm_allocate_cpm
+_vm_behavior_set
+_vm_copy
+_vm_deallocate
+_vm_inherit
+_vm_kernel_page_mask
+_vm_kernel_page_shift
+_vm_kernel_page_size
+_vm_machine_attribute
+_vm_map
+_vm_map_page_query
+_vm_msync
+_vm_page_mask
+_vm_page_shift
+_vm_page_size
+_vm_pressure_monitor
+_vm_protect
+_vm_purgable_control
+_vm_read
+_vm_read_list
+_vm_read_overwrite
+_vm_region_64
+_vm_region_recurse_64
+_vm_remap
+_vm_wire
+_vm_write
+_voucher_mach_msg_adopt
+_voucher_mach_msg_clear
+_voucher_mach_msg_revert
+_voucher_mach_msg_set
+_vprintf_stderr_func
+_wait4
+_waitevent
+_waitid
+_waitid$NOCANCEL
+_watchevent
+_work_interval_create
+_work_interval_destroy
+_work_interval_notify
+_work_interval_notify_simple
+_write
+_write$NOCANCEL
+_writev
+_writev$NOCANCEL
diff --git a/nixpkgs/pkgs/os-specific/darwin/apple-source-releases/Libsystem/system_symbols b/nixpkgs/pkgs/os-specific/darwin/apple-source-releases/Libsystem/system_symbols
new file mode 100644
index 000000000000..75a00acac493
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/darwin/apple-source-releases/Libsystem/system_symbols
@@ -0,0 +1 @@
+_mach_init_routine
diff --git a/nixpkgs/pkgs/os-specific/darwin/apple-source-releases/PowerManagement/default.nix b/nixpkgs/pkgs/os-specific/darwin/apple-source-releases/PowerManagement/default.nix
new file mode 100644
index 000000000000..5685d09e54fe
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/darwin/apple-source-releases/PowerManagement/default.nix
@@ -0,0 +1,10 @@
+{ appleDerivation, xcbuildHook, IOKit }:
+
+appleDerivation {
+  nativeBuildInputs = [ xcbuildHook ];
+  buildInputs = [ IOKit ];
+  xcbuildFlags = [ "-target" "caffeinate" ];
+  installPhase = ''
+    install -D Products/Deployment/caffeinate $out/bin/caffeinate
+  '';
+}
diff --git a/nixpkgs/pkgs/os-specific/darwin/apple-source-releases/Security/boot.nix b/nixpkgs/pkgs/os-specific/darwin/apple-source-releases/Security/boot.nix
new file mode 100644
index 000000000000..f4fe65b8066c
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/darwin/apple-source-releases/Security/boot.nix
@@ -0,0 +1,115 @@
+{ appleDerivation', stdenv, darwin-stubs }:
+
+appleDerivation' stdenv {
+  __propagatedImpureHostDeps = [
+    "/System/Library/Frameworks/Security.framework/Security"
+    "/System/Library/Frameworks/Security.framework/Resources"
+    "/System/Library/Frameworks/Security.framework/PlugIns"
+    "/System/Library/Frameworks/Security.framework/XPCServices"
+    "/System/Library/Frameworks/Security.framework/Versions"
+  ];
+
+  installPhase = ''
+    mkdir -p $out/Library/Frameworks/Security.framework
+
+    ###### IMPURITIES
+    ln -s /System/Library/Frameworks/Security.framework/{Resources,Plugins,XPCServices} \
+      $out/Library/Frameworks/Security.framework
+
+    ###### STUBS
+    cp ${darwin-stubs}/System/Library/Frameworks/Security.framework/Versions/A/Security.tbd \
+      $out/Library/Frameworks/Security.framework
+
+    ###### HEADERS
+
+    export dest=$out/Library/Frameworks/Security.framework/Headers
+    mkdir -p $dest
+
+    cp libsecurity_asn1/lib/SecAsn1Coder.h     $dest
+    cp libsecurity_asn1/lib/SecAsn1Templates.h $dest
+    cp libsecurity_asn1/lib/SecAsn1Types.h     $dest
+    cp libsecurity_asn1/lib/oidsalg.h          $dest
+    cp libsecurity_asn1/lib/oidsattr.h         $dest
+
+    cp libsecurity_authorization/lib/AuthSession.h         $dest
+    cp libsecurity_authorization/lib/Authorization.h       $dest
+    cp libsecurity_authorization/lib/AuthorizationDB.h     $dest
+    cp libsecurity_authorization/lib/AuthorizationPlugin.h $dest
+    cp libsecurity_authorization/lib/AuthorizationTags.h   $dest
+
+    cp libsecurity_cms/lib/CMSDecoder.h $dest
+    cp libsecurity_cms/lib/CMSEncoder.h $dest
+
+    cp libsecurity_codesigning/lib/CSCommon.h       $dest
+    cp libsecurity_codesigning/lib/CodeSigning.h    $dest
+    cp libsecurity_codesigning/lib/SecCode.h        $dest
+    cp libsecurity_codesigning/lib/SecCodeHost.h    $dest
+    cp libsecurity_codesigning/lib/SecRequirement.h $dest
+    cp libsecurity_codesigning/lib/SecStaticCode.h  $dest
+    cp libsecurity_codesigning/lib/SecTask.h        $dest
+
+    cp libsecurity_cssm/lib/certextensions.h $dest
+    cp libsecurity_cssm/lib/cssm.h           $dest
+    cp libsecurity_cssm/lib/cssmaci.h        $dest
+    cp libsecurity_cssm/lib/cssmapi.h        $dest
+    cp libsecurity_cssm/lib/cssmapple.h      $dest
+    cp libsecurity_cssm/lib/cssmcli.h        $dest
+    cp libsecurity_cssm/lib/cssmconfig.h     $dest
+    cp libsecurity_cssm/lib/cssmcspi.h       $dest
+    cp libsecurity_cssm/lib/cssmdli.h        $dest
+    cp libsecurity_cssm/lib/cssmerr.h        $dest
+    cp libsecurity_cssm/lib/cssmkrapi.h      $dest
+    cp libsecurity_cssm/lib/cssmkrspi.h      $dest
+    cp libsecurity_cssm/lib/cssmspi.h        $dest
+    cp libsecurity_cssm/lib/cssmtpi.h        $dest
+    cp libsecurity_cssm/lib/cssmtype.h       $dest
+    cp libsecurity_cssm/lib/eisl.h           $dest
+    cp libsecurity_cssm/lib/emmspi.h         $dest
+    cp libsecurity_cssm/lib/emmtype.h        $dest
+    cp libsecurity_cssm/lib/oidsbase.h       $dest
+    cp libsecurity_cssm/lib/oidscert.h       $dest
+    cp libsecurity_cssm/lib/oidscrl.h        $dest
+    cp libsecurity_cssm/lib/x509defs.h       $dest
+
+    cp libsecurity_keychain/lib/SecACL.h                $dest
+    cp libsecurity_keychain/lib/SecAccess.h             $dest
+    cp libsecurity_keychain/lib/SecBase.h               $dest
+    cp libsecurity_keychain/lib/SecCertificate.h        $dest
+    cp libsecurity_keychain/lib/SecCertificatePriv.h    $dest # Private
+    cp libsecurity_keychain/lib/SecCertificateOIDs.h    $dest
+    cp libsecurity_keychain/lib/SecIdentity.h           $dest
+    cp libsecurity_keychain/lib/SecIdentitySearch.h     $dest
+    cp libsecurity_keychain/lib/SecImportExport.h       $dest
+    cp libsecurity_keychain/lib/SecItem.h               $dest
+    cp libsecurity_keychain/lib/SecKey.h                $dest
+    cp libsecurity_keychain/lib/SecKeychain.h           $dest
+    cp libsecurity_keychain/lib/SecKeychainItem.h       $dest
+    cp libsecurity_keychain/lib/SecKeychainSearch.h     $dest
+    cp libsecurity_keychain/lib/SecPolicy.h             $dest
+    cp libsecurity_keychain/lib/SecPolicySearch.h       $dest
+    cp libsecurity_keychain/lib/SecRandom.h             $dest
+    cp libsecurity_keychain/lib/SecTrust.h              $dest
+    cp libsecurity_keychain/lib/SecTrustSettings.h      $dest
+    cp libsecurity_keychain/lib/SecTrustedApplication.h $dest
+    cp libsecurity_keychain/lib/Security.h              $dest
+
+    cp libsecurity_manifest/lib/SecureDownload.h $dest
+
+    cp libsecurity_mds/lib/mds.h        $dest
+    cp libsecurity_mds/lib/mds_schema.h $dest
+
+    cp libsecurity_ssl/lib/CipherSuite.h     $dest
+    cp libsecurity_ssl/lib/SecureTransport.h $dest
+
+    cp libsecurity_transform/lib/SecCustomTransform.h        $dest
+    cp libsecurity_transform/lib/SecDecodeTransform.h        $dest
+    cp libsecurity_transform/lib/SecDigestTransform.h        $dest
+    cp libsecurity_transform/lib/SecEncodeTransform.h        $dest
+    cp libsecurity_transform/lib/SecEncryptTransform.h       $dest
+    cp libsecurity_transform/lib/SecReadTransform.h          $dest
+    cp libsecurity_transform/lib/SecSignVerifyTransform.h    $dest
+    cp libsecurity_transform/lib/SecTransform.h              $dest
+    cp libsecurity_transform/lib/SecTransformReadTransform.h $dest
+
+  '';
+}
diff --git a/nixpkgs/pkgs/os-specific/darwin/apple-source-releases/Security/default.nix b/nixpkgs/pkgs/os-specific/darwin/apple-source-releases/Security/default.nix
new file mode 100644
index 000000000000..984910b34c93
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/darwin/apple-source-releases/Security/default.nix
@@ -0,0 +1,19 @@
+{ appleDerivation, xcbuildHook, xpc, dtrace, xnu }:
+
+appleDerivation {
+  nativeBuildInputs = [ xcbuildHook dtrace ];
+  # buildInputs = [ Foundation xpc darling ];
+  buildInputs = [ xpc xnu ];
+
+  xcbuildFlags = [ "-target" "Security_frameworks_osx" ];
+
+  # env.NIX_CFLAGS_COMPILE = "-Wno-error -I${xnu}/include/libkern -DPRIVATE -I${xnu}/Library/Frameworks/System.framework/Headers";
+
+  preBuild = ''
+    dtrace -h -C -s OSX/libsecurity_utilities/lib/security_utilities.d -o OSX/libsecurity_utilities/lib/utilities_dtrace.h
+
+    xcodebuild SYMROOT=$PWD/Products OBJROOT=$PWD/Intermediates -target copyHeadersToSystem
+    NIX_CFLAGS_COMPILE+=" -F./Products/Release"
+    ln -s $PWD/Products/Release/Security.bundle/Contents $PWD/Products/Release/Security.framework
+  '';
+}
diff --git a/nixpkgs/pkgs/os-specific/darwin/apple-source-releases/adv_cmds/boot.nix b/nixpkgs/pkgs/os-specific/darwin/apple-source-releases/adv_cmds/boot.nix
new file mode 100644
index 000000000000..7d1066a25915
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/darwin/apple-source-releases/adv_cmds/boot.nix
@@ -0,0 +1,101 @@
+{ lib, stdenv, buildPackages, appleDerivation, fetchFromGitHub, bsdmake, perl, flex, bison
+}:
+
+# this derivation sucks
+# locale data was removed after adv_cmds-118, so our base is that because it's easier than
+# replicating the bizarre bsdmake file structure
+#
+# sadly adv_cmds-118 builds a mklocale and colldef that generate files that our libc can no
+# longer understand
+#
+# the more recent adv_cmds release is used for everything else in this package
+
+let recentAdvCmds = fetchFromGitHub {
+  owner = "apple-oss-distributions";
+  repo = "adv_cmds";
+  rev = "adv_cmds-158";
+  hash = "sha256-1qL69pGHIaefooJJ8eT83XGz9+bW7Yg3k+X9fNkMCHw=";
+};
+
+in appleDerivation {
+  depsBuildBuild = [ buildPackages.stdenv.cc ];
+  nativeBuildInputs = [ bsdmake perl bison flex ];
+  buildInputs = [ flex ];
+
+  patchPhase = ''
+    substituteInPlace BSDmakefile \
+      --replace chgrp true \
+      --replace /Developer/Makefiles/bin/compress-man-pages.pl true \
+      --replace "ps.tproj" "" --replace "gencat.tproj" "" --replace "md.tproj" "" \
+      --replace "tabs.tproj" "" --replace "cap_mkdb.tproj" "" \
+      --replace "!= tconf --test TARGET_OS_EMBEDDED" "= NO"
+
+    substituteInPlace Makefile --replace perl true
+
+    substituteInPlace colldef.tproj/scan.l \
+      --replace 'static orderpass = 0;' 'static int orderpass = 0;'
+
+    for subproject in colldef mklocale monetdef msgdef numericdef timedef; do
+      substituteInPlace usr-share-locale.tproj/$subproject/BSDmakefile \
+        --replace /usr/share/locale "" \
+        --replace '-o ''${BINOWN} -g ''${BINGRP}' "" \
+        --replace "rsync -a" "cp -r"
+    done
+  '';
+
+  preBuild = ''
+    cp -r --no-preserve=all ${recentAdvCmds}/colldef .
+
+    substituteInPlace colldef/scan.l \
+      --replace 'static orderpass = 0;' 'static int orderpass = 0;'
+
+    pushd colldef
+    mv locale/collate.h .
+    flex -t -8 -i scan.l > scan.c
+    yacc -d parse.y
+    clang *.c -o colldef -lfl
+    popd
+    mv colldef/colldef colldef.tproj/colldef
+
+    cp -r --no-preserve=all ${recentAdvCmds}/mklocale .
+    pushd mklocale
+    flex -t -8 -i lex.l > lex.c
+    yacc -d yacc.y
+    clang *.c -o mklocale -lfl
+    popd
+    mv mklocale/mklocale mklocale.tproj/mklocale
+  '';
+
+  buildPhase = ''
+    runHook preBuild
+
+    bsdmake -C usr-share-locale.tproj
+
+    ${stdenv.cc.targetPrefix}clang ${recentAdvCmds}/ps/*.c -o ps
+  '';
+
+  installPhase = ''
+    bsdmake -C usr-share-locale.tproj install DESTDIR="$locale/share/locale"
+
+    # need to get rid of runtime dependency on flex
+    # install -d 0755 $locale/bin
+    # install -m 0755 colldef.tproj/colldef $locale/bin
+    # install -m 0755 mklocale.tproj/mklocale $locale/bin
+
+    install -d 0755 $ps/bin
+    install ps $ps/bin/ps
+    touch "$out"
+  '';
+
+  outputs = [
+    "out"
+    "ps"
+    "locale"
+  ];
+  setOutputFlags = false;
+
+  meta = {
+    platforms = lib.platforms.darwin;
+    maintainers = with lib.maintainers; [ gridaphobe ];
+  };
+}
diff --git a/nixpkgs/pkgs/os-specific/darwin/apple-source-releases/adv_cmds/default.nix b/nixpkgs/pkgs/os-specific/darwin/apple-source-releases/adv_cmds/default.nix
new file mode 100644
index 000000000000..3ac338d5c619
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/darwin/apple-source-releases/adv_cmds/default.nix
@@ -0,0 +1,65 @@
+{ stdenv, lib, appleDerivation, xcbuild, ncurses, libutil, Libc }:
+
+let
+  # Libc conflicts with libc++ 16, so provide only the header from it that’s needed to build.
+  msgcat = stdenv.mkDerivation {
+    pname = "Libc-msgcat";
+    version = lib.getVersion Libc;
+
+    buildCommand = ''
+      mkdir -p "$out/include"
+      ln -s ${lib.getDev Libc}/include/msgcat.h "$out/include/"
+    '';
+  };
+in
+appleDerivation {
+  # We can't just run the root build, because https://github.com/facebook/xcbuild/issues/264
+
+  patchPhase = ''
+    substituteInPlace adv_cmds.xcodeproj/project.pbxproj \
+      --replace '/usr/lib/libtermcap.dylib' 'libncurses.dylib'
+    substituteInPlace colldef/scan.l \
+      --replace 'static orderpass = 0;' 'static int orderpass = 0;'
+  '';
+
+  # pkill requires special private headers that are unavailable in
+  # NixPkgs. These ones are needed:
+  #  - xpc/xpxc.h
+  #  - os/base_private.h
+  #  - _simple.h
+  # We disable it here for now. TODO: build pkill inside adv_cmds
+  buildPhase = ''
+    targets=$(xcodebuild -list \
+                | awk '/Targets:/{p=1;print;next} p&&/^\s*$/{p=0};p' \
+                | tail -n +2 | sed 's/^[ \t]*//' \
+                | grep -v -e Desktop -e Embedded -e mklocale -e pkill -e pgrep -e colldef)
+
+    for i in $targets; do
+      xcodebuild SYMROOT=$PWD/Products OBJROOT=$PWD/Intermediates -target $i
+    done
+  '';
+
+  # temporary install phase until xcodebuild has "install" support
+  installPhase = ''
+    for f in Products/Release/*; do
+      if [ -f $f ]; then
+        install -D $f $out/bin/$(basename $f)
+      fi
+    done
+
+    mkdir -p $out/System/Library/LaunchDaemons
+    install fingerd/finger.plist $out/System/Library/LaunchDaemons
+
+    # from variant_links.sh
+    # ln -s $out/bin/pkill $out/bin/pgrep
+    # ln -s $out/share/man/man1/pkill.1 $out/share/man/man1/pgrep.1
+  '';
+
+  nativeBuildInputs = [ xcbuild ];
+  buildInputs = [ ncurses libutil msgcat ];
+
+  meta = {
+    platforms = lib.platforms.darwin;
+    maintainers = with lib.maintainers; [ matthewbauer ];
+  };
+}
diff --git a/nixpkgs/pkgs/os-specific/darwin/apple-source-releases/architecture/default.nix b/nixpkgs/pkgs/os-specific/darwin/apple-source-releases/architecture/default.nix
new file mode 100644
index 000000000000..e0e27255b72f
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/darwin/apple-source-releases/architecture/default.nix
@@ -0,0 +1,39 @@
+{ lib, appleDerivation', stdenvNoCC }:
+
+appleDerivation' stdenvNoCC {
+  dontBuild = true;
+
+  postPatch = ''
+    substituteInPlace Makefile \
+        --replace '/bin/mkdir' 'mkdir' \
+        --replace '/usr/bin/install' 'install'
+  '';
+
+  installFlags = [ "EXPORT_DSTDIR=/include/architecture" ];
+
+  DSTROOT = "$(out)";
+
+  appleHeaders = ''
+    architecture/alignment.h
+    architecture/byte_order.h
+    architecture/i386/alignment.h
+    architecture/i386/asm_help.h
+    architecture/i386/byte_order.h
+    architecture/i386/cpu.h
+    architecture/i386/desc.h
+    architecture/i386/fpu.h
+    architecture/i386/frame.h
+    architecture/i386/io.h
+    architecture/i386/pio.h
+    architecture/i386/reg_help.h
+    architecture/i386/sel.h
+    architecture/i386/table.h
+    architecture/i386/tss.h
+  '';
+
+  meta = with lib; {
+    maintainers = with maintainers; [ copumpkin ];
+    platforms   = platforms.darwin;
+    license     = licenses.apsl20;
+  };
+}
diff --git a/nixpkgs/pkgs/os-specific/darwin/apple-source-releases/basic_cmds/default.nix b/nixpkgs/pkgs/os-specific/darwin/apple-source-releases/basic_cmds/default.nix
new file mode 100644
index 000000000000..7d011d2d8cc8
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/darwin/apple-source-releases/basic_cmds/default.nix
@@ -0,0 +1,32 @@
+{ lib, appleDerivation, xcbuildHook }:
+
+appleDerivation {
+  nativeBuildInputs = [ xcbuildHook ];
+
+  # These PBXcp calls should be patched in xcbuild to allow them to
+  # automatically be prefixed.
+  patchPhase = ''
+    substituteInPlace basic_cmds.xcodeproj/project.pbxproj \
+      --replace "dstPath = /usr/share/man/man1;" "dstPath = $out/share/man/man1;" \
+      --replace "dstPath = /usr/share/man/man5;" "dstPath = $out/share/man/man5;"
+  '';
+
+  # temporary install phase until xcodebuild has "install" support
+  installPhase = ''
+    for f in Products/Release/*; do
+      if [ -f $f ]; then
+        install -D $f $out/bin/$(basename $f)
+      fi
+    done
+
+    for n in 1; do
+      mkdir -p $out/share/man/man$n
+      install */*.$n $out/share/man/man$n
+    done
+  '';
+
+  meta = {
+    platforms = lib.platforms.darwin;
+    maintainers = with lib.maintainers; [ matthewbauer ];
+  };
+}
diff --git a/nixpkgs/pkgs/os-specific/darwin/apple-source-releases/bootstrap_cmds/default.nix b/nixpkgs/pkgs/os-specific/darwin/apple-source-releases/bootstrap_cmds/default.nix
new file mode 100644
index 000000000000..ff98ed88804c
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/darwin/apple-source-releases/bootstrap_cmds/default.nix
@@ -0,0 +1,43 @@
+{ lib, appleDerivation, stdenv, bison, flex }:
+
+let
+
+  # Hard to get CC to pull this off without infinite recursion
+  targetTargetPrefix = lib.optionalString
+    (with stdenv; hostPlatform != targetPlatform)
+    (stdenv.targetPlatform.config + "-");
+
+in
+
+appleDerivation {
+  nativeBuildInputs = [ bison flex ];
+
+  buildPhase = ''
+    cd migcom.tproj
+
+    # redundant file, don't know why apple not removing it.
+    rm handler.c
+
+    yacc -d parser.y
+    flex --header-file=lexxer.yy.h -o lexxer.yy.c lexxer.l
+
+    $CC -std=gnu99 -Os -dead_strip -DMIG_VERSION=\"$pname-$version\" -I. -o migcom *.c
+  '';
+
+  installPhase = ''
+    mkdir -p $out/bin $out/libexec $out/share/man/man1
+
+    chmod +x mig.sh
+    cp mig.sh   $out/bin/mig
+    cp migcom   $out/libexec
+    ln -s $out/libexec/migcom $out/bin/migcom
+    cp mig.1    $out/share/man/man1
+    cp migcom.1 $out/share/man/man1
+
+    substituteInPlace $out/bin/mig \
+      --replace 'arch=`/usr/bin/arch`' 'arch=${stdenv.targetPlatform.darwinArch}' \
+      --replace '/usr/bin/' "" \
+      --replace '/bin/rmdir' "rmdir" \
+      --replace 'C=''${MIGCC}' "C=${targetTargetPrefix}cc"
+  '';
+}
diff --git a/nixpkgs/pkgs/os-specific/darwin/apple-source-releases/bsdmake/default.nix b/nixpkgs/pkgs/os-specific/darwin/apple-source-releases/bsdmake/default.nix
new file mode 100644
index 000000000000..214aa5dfad9e
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/darwin/apple-source-releases/bsdmake/default.nix
@@ -0,0 +1,55 @@
+{ lib, appleDerivation, makeWrapper }:
+
+appleDerivation {
+  nativeBuildInputs = [ makeWrapper ];
+
+  patchPhase = ''
+    substituteInPlace mk/bsd.prog.mk \
+      --replace '-o ''${BINOWN} -g ''${BINGRP}' "" \
+      --replace '-o ''${SCRIPTSOWN_''${.ALLSRC:T}}' "" \
+      --replace '-g ''${SCRIPTSGRP_''${.ALLSRC:T}}' ""
+    substituteInPlace mk/bsd.lib.mk --replace '-o ''${LIBOWN} -g ''${LIBGRP}' ""
+    substituteInPlace mk/bsd.info.mk --replace '-o ''${INFOOWN} -g ''${INFOGRP}' ""
+    substituteInPlace mk/bsd.doc.mk --replace '-o ''${BINOWN} -g ''${BINGRP}' ""
+    substituteInPlace mk/bsd.man.mk --replace '-o ''${MANOWN} -g ''${MANGRP}' ""
+    substituteInPlace mk/bsd.files.mk \
+      --replace '-o ''${''${group}OWN_''${.ALLSRC:T}}' "" \
+      --replace '-g ''${''${group}GRP_''${.ALLSRC:T}}' "" \
+      --replace '-o ''${''${group}OWN} -g ''${''${group}GRP}' ""
+    substituteInPlace mk/bsd.incs.mk \
+      --replace '-o ''${''${group}OWN_''${.ALLSRC:T}}' "" \
+      --replace '-g ''${''${group}GRP_''${.ALLSRC:T}}' "" \
+      --replace '-o ''${''${group}OWN} -g ''${''${group}GRP}' ""
+
+    # Workaround for https://github.com/NixOS/nixpkgs/issues/103172
+    # Prevents bsdmake from failing on systems that already had default limits
+    # increased.
+    substituteInPlace main.c \
+      --replace 'err(2, "setrlimit");' 'warn("setrlimit");'
+  '';
+
+  buildPhase = ''
+    objs=()
+    for file in $(find . -name '*.c'); do
+      obj="$(basename "$file" .c).o"
+      objs+=("$obj")
+      $CC -c "$file" -o "$obj" -DDEFSHELLNAME='"sh"' -D__FBSDID=__RCSID -mdynamic-no-pic -g
+    done
+    $CC "''${objs[@]}" -o bsdmake
+  '';
+
+  installPhase = ''
+    install -d 0644 $out/bin
+    install -m 0755 bsdmake $out/bin
+    install -d 0644 $out/share/mk
+    install -m 0755 mk/* $out/share/mk
+  '';
+
+  preFixup = ''
+    wrapProgram "$out/bin/bsdmake" --add-flags "-m $out/share/mk"
+  '';
+
+  meta = {
+    platforms = lib.platforms.darwin;
+  };
+}
diff --git a/nixpkgs/pkgs/os-specific/darwin/apple-source-releases/configd/default.nix b/nixpkgs/pkgs/os-specific/darwin/apple-source-releases/configd/default.nix
new file mode 100644
index 000000000000..998bc867e757
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/darwin/apple-source-releases/configd/default.nix
@@ -0,0 +1,184 @@
+{ lib, stdenv, runCommand, appleDerivation', launchd, bootstrap_cmds, swift-corelibs-foundation, xnu, xpc, ppp, IOKit, eap8021x, Security
+, headersOnly ? false }:
+
+let
+  privateHeaders = runCommand "swift-corelibs-foundation-private" { } ''
+    mkdir -p $out/include/CoreFoundation
+
+    cp ${swift-corelibs-foundation}/Library/Frameworks/CoreFoundation.framework/PrivateHeaders/* \
+      $out/include/CoreFoundation
+  '';
+in
+appleDerivation' stdenv {
+  meta.broken = stdenv.cc.nativeLibc;
+
+  nativeBuildInputs = lib.optionals (!headersOnly) [ bootstrap_cmds ];
+  buildInputs = lib.optionals (!headersOnly) [ privateHeaders launchd ppp xpc IOKit eap8021x ];
+
+  propagatedBuildInputs = lib.optionals (!headersOnly) [ Security ];
+
+  env = lib.optionalAttrs (!headersOnly) {
+    NIX_CFLAGS_COMPILE = toString [
+      "-ISystemConfiguration.framework/Headers"
+      "-I${xnu}/Library/Frameworks/System.framework/Versions/B/PrivateHeaders"
+    ];
+  };
+
+  patchPhase = lib.optionalString (!headersOnly) ''
+    substituteInPlace SystemConfiguration.fproj/reachability/SCNetworkReachabilityServer_client.c \
+      --replace '#include <xpc/private.h>' ""
+
+    substituteInPlace SystemConfiguration.fproj/SCNetworkReachability.c \
+      --replace ''$'#define\tHAVE_VPN_STATUS' ""
+  '';
+
+  dontBuild = headersOnly;
+
+  buildPhase = ''
+    pushd SystemConfiguration.fproj >/dev/null
+
+    mkdir -p SystemConfiguration.framework/Resources
+    cp ../get-mobility-info       SystemConfiguration.framework/Resources
+    cp Info.plist                 SystemConfiguration.framework/Resources
+    cp -r English.lproj           SystemConfiguration.framework/Resources
+    cp NetworkConfiguration.plist SystemConfiguration.framework/Resources
+
+    mkdir -p SystemConfiguration.framework/Headers
+    mkdir -p SystemConfiguration.framework/PrivateHeaders
+
+    # The standard public headers
+    cp SCSchemaDefinitions.h        SystemConfiguration.framework/Headers
+    cp SystemConfiguration.h        SystemConfiguration.framework/Headers
+    cp SCDynamicStore.h             SystemConfiguration.framework/Headers
+    cp SCDynamicStoreCopySpecific.h SystemConfiguration.framework/Headers
+    cp SCPreferences.h              SystemConfiguration.framework/Headers
+    cp CaptiveNetwork.h             SystemConfiguration.framework/Headers
+    cp SCPreferencesPath.h          SystemConfiguration.framework/Headers
+    cp SCDynamicStoreKey.h          SystemConfiguration.framework/Headers
+    cp SCPreferencesSetSpecific.h   SystemConfiguration.framework/Headers
+    cp SCNetworkConfiguration.h     SystemConfiguration.framework/Headers
+    cp SCNetworkConnection.h        SystemConfiguration.framework/Headers
+    cp SCNetworkReachability.h      SystemConfiguration.framework/Headers
+    cp DHCPClientPreferences.h      SystemConfiguration.framework/Headers
+    cp SCNetwork.h                  SystemConfiguration.framework/Headers
+    cp SCDynamicStoreCopyDHCPInfo.h SystemConfiguration.framework/Headers
+
+    # TODO: Do we want to preserve private headers or just make them public?
+    cp SCDPlugin.h                         SystemConfiguration.framework/PrivateHeaders
+    cp SCPrivate.h                         SystemConfiguration.framework/PrivateHeaders
+    cp SCDynamicStorePrivate.h             SystemConfiguration.framework/PrivateHeaders
+    cp SCDynamicStoreCopySpecificPrivate.h SystemConfiguration.framework/PrivateHeaders
+    cp SCDynamicStoreSetSpecificPrivate.h  SystemConfiguration.framework/PrivateHeaders
+    cp SCValidation.h                      SystemConfiguration.framework/PrivateHeaders
+    cp SCPreferencesPrivate.h              SystemConfiguration.framework/PrivateHeaders
+    cp DeviceOnHold.h                      SystemConfiguration.framework/PrivateHeaders
+    cp LinkConfiguration.h                 SystemConfiguration.framework/PrivateHeaders
+    cp SCPreferencesPathKey.h              SystemConfiguration.framework/PrivateHeaders
+    cp SCPreferencesSetSpecificPrivate.h   SystemConfiguration.framework/PrivateHeaders
+    cp SCNetworkConnectionPrivate.h        SystemConfiguration.framework/PrivateHeaders
+    cp SCPreferencesGetSpecificPrivate.h   SystemConfiguration.framework/PrivateHeaders
+    cp SCSchemaDefinitionsPrivate.h        SystemConfiguration.framework/PrivateHeaders
+    cp SCNetworkConfigurationPrivate.h     SystemConfiguration.framework/PrivateHeaders
+    cp SCPreferencesKeychainPrivate.h      SystemConfiguration.framework/PrivateHeaders
+    cp SCNetworkSignature.h                SystemConfiguration.framework/PrivateHeaders
+    cp SCNetworkSignaturePrivate.h         SystemConfiguration.framework/PrivateHeaders
+    cp VPNPrivate.h                        SystemConfiguration.framework/PrivateHeaders
+    cp VPNConfiguration.h                  SystemConfiguration.framework/PrivateHeaders
+    cp VPNTunnelPrivate.h                  SystemConfiguration.framework/PrivateHeaders
+    cp VPNTunnel.h                         SystemConfiguration.framework/PrivateHeaders
+
+    mkdir derived
+
+    cat >derived/SystemConfiguration_vers.c <<EOF
+    const unsigned char SystemConfigurationVersionString[] __attribute__ ((used)) = "@(#)PROGRAM:SystemConfiguration  PROJECT:configd-" "\n"; const double SystemConfigurationVersionNumber __attribute__ ((used)) = (double)0.;
+    EOF
+
+    mig -arch x86_64 -header derived/shared_dns_info.h -user derived/shared_dns_infoUser.c -sheader /dev/null -server /dev/null ../dnsinfo/shared_dns_info.defs
+    mig -arch x86_64 -header derived/config.h          -user derived/configUser.c          -sheader /dev/null -server /dev/null config.defs
+    mig -arch x86_64 -header derived/helper.h          -user derived/helperUser.c          -sheader /dev/null -server /dev/null helper/helper.defs
+    mig -arch x86_64 -header derived/pppcontroller.h   -user derived/pppcontrollerUser.c   -sheader /dev/null -server /dev/null pppcontroller.defs
+
+    $CC -I. -Ihelper -Iderived -F. -c SCSchemaDefinitions.c -o SCSchemaDefinitions.o
+    $CC -I. -Ihelper -Iderived -F. -c SCD.c -o SCD.o
+    $CC -I. -Ihelper -Iderived -F. -c SCDKeys.c -o SCDKeys.o
+    $CC -I. -Ihelper -Iderived -F. -c SCDPrivate.c -o SCDPrivate.o
+    $CC -I. -Ihelper -Iderived -F. -c SCDPlugin.c -o SCDPlugin.o
+    $CC -I. -Ihelper -Iderived -F. -c CaptiveNetwork.c -o CaptiveNetwork.o
+    $CC -I. -Ihelper -Iderived -F. -c SCDOpen.c -o SCDOpen.o
+    $CC -I. -Ihelper -Iderived -F. -c SCDList.c -o SCDList.o
+    $CC -I. -Ihelper -Iderived -F. -c SCDAdd.c -o SCDAdd.o
+    $CC -I. -Ihelper -Iderived -F. -c SCDGet.c -o SCDGet.o
+    $CC -I. -Ihelper -Iderived -F. -c SCDSet.c -o SCDSet.o
+    $CC -I. -Ihelper -Iderived -F. -c SCDRemove.c -o SCDRemove.o
+    $CC -I. -Ihelper -Iderived -F. -c SCDNotify.c -o SCDNotify.o
+    $CC -I. -Ihelper -Iderived -F. -c SCDNotifierSetKeys.c -o SCDNotifierSetKeys.o
+    $CC -I. -Ihelper -Iderived -F. -c SCDNotifierAdd.c -o SCDNotifierAdd.o
+    $CC -I. -Ihelper -Iderived -F. -c SCDNotifierRemove.c -o SCDNotifierRemove.o
+    $CC -I. -Ihelper -Iderived -F. -c SCDNotifierGetChanges.c -o SCDNotifierGetChanges.o
+    $CC -I. -Ihelper -Iderived -F. -c SCDNotifierWait.c -o SCDNotifierWait.o
+    $CC -I. -Ihelper -Iderived -F. -c SCDNotifierInformViaCallback.c -o SCDNotifierInformViaCallback.o
+    $CC -I. -Ihelper -Iderived -F. -c SCDNotifierInformViaFD.c -o SCDNotifierInformViaFD.o
+    $CC -I. -Ihelper -Iderived -F. -c SCDNotifierInformViaSignal.c -o SCDNotifierInformViaSignal.o
+    $CC -I. -Ihelper -Iderived -F. -c SCDNotifierCancel.c -o SCDNotifierCancel.o
+    $CC -I. -Ihelper -Iderived -F. -c SCDSnapshot.c -o SCDSnapshot.o
+    $CC -I. -Ihelper -Iderived -F. -c SCP.c -o SCP.o
+    $CC -I. -Ihelper -Iderived -F. -c SCPOpen.c -o SCPOpen.o
+    $CC -I. -Ihelper -Iderived -F. -c SCPLock.c -o SCPLock.o
+    $CC -I. -Ihelper -Iderived -F. -c SCPUnlock.c -o SCPUnlock.o
+    $CC -I. -Ihelper -Iderived -F. -c SCPList.c -o SCPList.o
+    $CC -I. -Ihelper -Iderived -F. -c SCPGet.c -o SCPGet.o
+    $CC -I. -Ihelper -Iderived -F. -c SCPAdd.c -o SCPAdd.o
+    $CC -I. -Ihelper -Iderived -F. -c SCPSet.c -o SCPSet.o
+    $CC -I. -Ihelper -Iderived -F. -c SCPRemove.c -o SCPRemove.o
+    $CC -I. -Ihelper -Iderived -F. -c SCPCommit.c -o SCPCommit.o
+    $CC -I. -Ihelper -Iderived -F. -c SCPApply.c -o SCPApply.o
+    $CC -I. -Ihelper -Iderived -F. -c SCPPath.c -o SCPPath.o
+    $CC -I. -Ihelper -Iderived -F. -c SCDConsoleUser.c -o SCDConsoleUser.o
+    $CC -I. -Ihelper -Iderived -F. -c SCDHostName.c -o SCDHostName.o
+    $CC -I. -Ihelper -Iderived -F. -c SCLocation.c -o SCLocation.o
+    $CC -I. -Ihelper -Iderived -F. -c SCNetwork.c -o SCNetwork.o
+    $CC -I. -Ihelper -Iderived -F. -c derived/pppcontrollerUser.c -o pppcontrollerUser.o
+    $CC -I. -Ihelper -Iderived -F. -c SCNetworkConnection.c -o SCNetworkConnection.o
+    $CC -I. -Ihelper -Iderived -F. -c SCNetworkConnectionPrivate.c -o SCNetworkConnectionPrivate.o
+    $CC -I. -Ihelper -Iderived -I../dnsinfo -F. -c SCNetworkReachability.c -o SCNetworkReachability.o
+    $CC -I. -Ihelper -Iderived -F. -c SCProxies.c -o SCProxies.o
+    $CC -I. -Ihelper -Iderived -F. -c DHCP.c -o DHCP.o
+    $CC -I. -Ihelper -Iderived -F. -c moh.c -o moh.o
+    $CC -I. -Ihelper -Iderived -F. -c DeviceOnHold.c -o DeviceOnHold.o
+    $CC -I. -Ihelper -Iderived -F. -c LinkConfiguration.c -o LinkConfiguration.o
+    $CC -I. -Ihelper -Iderived -F. -c dy_framework.c -o dy_framework.o
+    $CC -I. -Ihelper -Iderived -F. -c VLANConfiguration.c -o VLANConfiguration.o
+    $CC -I. -Ihelper -Iderived -F. -c derived/configUser.c -o configUser.o
+    $CC -I. -Ihelper -Iderived -F. -c SCPreferencesPathKey.c -o SCPreferencesPathKey.o
+    $CC -I. -Ihelper -Iderived -I../dnsinfo -F. -c derived/shared_dns_infoUser.c -o shared_dns_infoUser.o
+    $CC -I. -Ihelper -Iderived -F. -c SCNetworkConfigurationInternal.c -o SCNetworkConfigurationInternal.o
+    $CC -I. -Ihelper -Iderived -F. -c SCNetworkInterface.c -o SCNetworkInterface.o
+    $CC -I. -Ihelper -Iderived -F. -c SCNetworkProtocol.c -o SCNetworkProtocol.o
+    $CC -I. -Ihelper -Iderived -F. -c SCNetworkService.c -o SCNetworkService.o
+    $CC -I. -Ihelper -Iderived -F. -c SCNetworkSet.c -o SCNetworkSet.o
+    $CC -I. -Ihelper -Iderived -F. -c BondConfiguration.c -o BondConfiguration.o
+    $CC -I. -Ihelper -Iderived -F. -c BridgeConfiguration.c -o BridgeConfiguration.o
+    $CC -I. -Ihelper -Iderived -F. -c helper/SCHelper_client.c -o SCHelper_client.o
+    $CC -I. -Ihelper -Iderived -F. -c SCPreferencesKeychainPrivate.c -o SCPreferencesKeychainPrivate.o
+    $CC -I. -Ihelper -Iderived -F. -c SCNetworkSignature.c -o SCNetworkSignature.o
+    $CC -I. -Ihelper -Iderived -F. -c VPNPrivate.c -o VPNPrivate.o
+    $CC -I. -Ihelper -Iderived -F. -c VPNConfiguration.c -o VPNConfiguration.o
+    $CC -I. -Ihelper -Iderived -F. -c VPNTunnel.c -o VPNTunnel.o
+    $CC -I. -Ihelper -Iderived -F. -c derived/helperUser.c -o helperUser.o
+    $CC -I. -Ihelper -Iderived -F. -c reachability/SCNetworkReachabilityServer_client.c -o SCNetworkReachabilityServer_client.o
+    $CC -I. -Ihelper -Iderived -F. -c reachability/rb.c -o rb.o
+    $CC -I. -Ihelper -Iderived -F. -c derived/SystemConfiguration_vers.c -o SystemConfiguration_vers.o
+
+    $CC -dynamiclib *.o -install_name $out/Library/Frameworks/SystemConfiguration.framework/SystemConfiguration -dead_strip -framework CoreFoundation -single_module -o SystemConfiguration.framework/SystemConfiguration
+
+    popd >/dev/null
+  '';
+
+  installPhase = ''
+    mkdir -p $out/include
+    cp dnsinfo/*.h $out/include/
+  '' + lib.optionalString (!headersOnly) ''
+    mkdir -p $out/Library/Frameworks/
+    mv SystemConfiguration.fproj/SystemConfiguration.framework $out/Library/Frameworks
+  '';
+}
diff --git a/nixpkgs/pkgs/os-specific/darwin/apple-source-releases/copyfile/default.nix b/nixpkgs/pkgs/os-specific/darwin/apple-source-releases/copyfile/default.nix
new file mode 100644
index 000000000000..5e7f38e84d7d
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/darwin/apple-source-releases/copyfile/default.nix
@@ -0,0 +1,9 @@
+{ appleDerivation', stdenvNoCC }:
+
+appleDerivation' stdenvNoCC {
+  dontBuild = true;
+  installPhase = ''
+    mkdir -p $out/include/
+    cp copyfile.h $out/include/
+  '';
+}
diff --git a/nixpkgs/pkgs/os-specific/darwin/apple-source-releases/default.nix b/nixpkgs/pkgs/os-specific/darwin/apple-source-releases/default.nix
new file mode 100644
index 000000000000..ab13e91e3735
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/darwin/apple-source-releases/default.nix
@@ -0,0 +1,326 @@
+{ lib, stdenv, fetchurl, fetchFromGitHub, pkgs }:
+
+let
+  # This attrset can in theory be computed automatically, but for that to work nicely we need
+  # import-from-derivation to work properly. Currently it's rather ugly when we try to bootstrap
+  # a stdenv out of something like this. With some care we can probably get rid of this, but for
+  # now it's staying here.
+  versions = {
+    "osx-10.12.6" = {
+      xnu           = "3789.70.16";
+      libiconv      = "50";
+      Libnotify     = "165.20.1";
+      objc4         = "709.1";
+      dyld          = "433.5";
+      CommonCrypto  = "60092.50.5";
+      copyfile      = "138";
+      ppp           = "838.50.1";
+      libclosure    = "67";
+      Libinfo       = "503.50.4";
+      Libsystem     = "1238.60.2";
+      removefile    = "45";
+      libmalloc     = "116.50.8";
+      libresolv     = "64";
+      libplatform   = "126.50.8";
+      mDNSResponder = "765.50.9";
+      libutil       = "47.30.1";
+      libunwind     = "35.3";
+      Libc          = "1158.50.2";
+      dtrace        = "209.50.12";
+      libpthread    = "218.60.3";
+      hfs           = "366.70.1";
+    };
+    "osx-10.11.6" = {
+      PowerManagement = "572.50.1";
+      dtrace        = "168";
+      xnu           = "3248.60.10";
+      libpthread    = "138.10.4";
+      libiconv      = "44";
+      Libnotify     = "150.40.1";
+      objc4         = "680";
+      eap8021x      = "222.40.1";
+      dyld          = "360.22";
+      architecture  = "268";
+      CommonCrypto  = "60075.50.1";
+      copyfile      = "127";
+      Csu           = "85";
+      ppp           = "809.50.2";
+      libclosure    = "65";
+      Libinfo       = "477.50.4";
+      Libsystem     = "1226.10.1";
+      removefile    = "41";
+      libresolv     = "60";
+
+      # Their release page is a bit of a mess here, so I'm going to lie a bit and say this version
+      # is the right one, even though it isn't. The version I have here doesn't appear to be linked
+      # to any OS releases, but Apple also doesn't mention mDNSResponder from 10.11 to 10.11.6, and
+      # neither of those versions are publicly available.
+      libplatform   = "125";
+      mDNSResponder = "625.41.2";
+
+      # IOKit contains a set of packages with different versions, so we don't have a general version
+      IOKit         = "";
+
+      libutil       = "43";
+      libunwind     = "35.3";
+      Librpcsvc     = "26";
+      developer_cmds= "62";
+      network_cmds  = "481.20.1";
+      basic_cmds    = "55";
+      adv_cmds      = "163";
+      file_cmds     = "264.1.1";
+      shell_cmds    = "187";
+      system_cmds   = "550.6";
+      diskdev_cmds   = "593";
+      top           = "108";
+      text_cmds     = "99";
+    };
+    "osx-10.11.5" = {
+      Libc          = "1082.50.1"; # 10.11.6 still unreleased :/
+    };
+    "osx-10.10.5" = {
+      adv_cmds      = "158";
+      CF            = "1153.18";
+      ICU           = "531.48";
+      libdispatch   = "442.1.4";
+      Security      = "57031.40.6";
+
+      IOAudioFamily                        = "203.3";
+      IOFireWireFamily                     = "458";
+      IOFWDVComponents                     = "207.4.1";
+      IOFireWireAVC                        = "423";
+      IOFireWireSBP2                       = "427";
+      IOFireWireSerialBusProtocolTransport = "251.0.1";
+      IOGraphics                           = "485.40.1";
+      IOHIDFamily                          = "606.40.1";
+      IONetworkingFamily                   = "101";
+      IOSerialFamily                       = "74.20.1";
+      IOStorageFamily                      = "182.1.1";
+      IOBDStorageFamily                    = "14";
+      IOCDStorageFamily                    = "51";
+      IODVDStorageFamily                   = "35";
+      IOKitUser                            = "1050.20.2";
+    };
+    "osx-10.9.5" = {
+      launchd            = "842.92.1";
+      libauto            = "185.5";
+      Libc               = "997.90.3"; # We use this, but not from here
+      Libsystem          = "1197.1.1";
+      Security           = "55471.14.18";
+      security_dotmac_tp = "55107.1";
+
+      IOStorageFamily = "172";
+    };
+    "osx-10.8.5" = {
+      configd     = "453.19";
+      Libc        = "825.40.1";
+      IOUSBFamily = "630.4.5";
+    };
+    "osx-10.8.4" = {
+      IOUSBFamily = "560.4.2";
+    };
+    "osx-10.7.4" = {
+      Libm = "2026";
+    };
+    "osx-10.6.2" = {
+      CarbonHeaders = "18.1";
+    };
+    "osx-10.5.8" = {
+      adv_cmds = "119";
+    };
+    "dev-tools-7.0" = {
+      bootstrap_cmds = "93";
+    };
+    "dev-tools-5.1" = {
+      bootstrap_cmds = "86";
+    };
+    "dev-tools-3.2.6" = {
+      bsdmake = "24";
+    };
+  };
+
+  fetchApple' = pname: version: sha256: let
+    # When cross-compiling, fetchurl depends on libiconv, resulting
+    # in an infinite recursion without this. It's not clear why this
+    # worked fine when not cross-compiling
+    fetch = if pname == "libiconv"
+      then stdenv.fetchurlBoot
+      else fetchurl;
+  in fetch {
+    url = "https://github.com/apple-oss-distributions/${pname}/archive/refs/tags/${pname}-${version}.tar.gz";
+    inherit sha256;
+  };
+
+  fetchApple = sdkName: sha256: pname: let
+    version = versions.${sdkName}.${pname};
+  in fetchApple' pname version sha256;
+
+  appleDerivation'' = stdenv: pname: version: sdkName: sha256: attrs: stdenv.mkDerivation ({
+    inherit pname version;
+
+    src = if attrs ? srcs then null else (fetchApple' pname version sha256);
+
+    enableParallelBuilding = true;
+
+    # In rare cases, APPLE may drop some headers quietly on new release.
+    doInstallCheck = attrs ? appleHeaders;
+    passAsFile = [ "appleHeaders" ];
+    installCheckPhase = ''
+      cd $out/include
+
+      result=$(diff -u "$appleHeadersPath" <(find * -type f | sort) --label "Listed in appleHeaders" --label "Found in \$out/include" || true)
+
+      if [ -z "$result" ]; then
+        echo "Apple header list is matched."
+      else
+        echo >&2 "\
+      Apple header list is inconsistent, please ensure no header file is unexpectedly dropped.
+      $result
+      "
+        exit 1
+      fi
+    '';
+
+  } // attrs // {
+    meta = (with lib; {
+      platforms = platforms.darwin;
+      license = licenses.apsl20;
+    }) // (attrs.meta or {});
+  });
+
+  IOKitSpecs = {
+    IOAudioFamily                        = fetchApple "osx-10.10.5" "sha256-frs2pm2OpGUOz68ZXsjktlyHlgn5oXM+ltbmAf//Cio=";
+    IOFireWireFamily                     = fetchApple "osx-10.10.5" "sha256-V9fNeo/Wj9dm1/XM4hkOInnMk01M6c9QSjJs5zJKB60=";
+    IOFWDVComponents                     = fetchApple "osx-10.10.5" "sha256-KenCX9C/Z2ErUK8tpKpm65gEmhn2NsXFxlzK7NKomaI=";
+    IOFireWireAVC                        = fetchApple "osx-10.10.5" "sha256-Gd8+PK/mk+xEXgF8dGAx+3jsXv4NX1GiBFyjyrf6sTo=";
+    IOFireWireSBP2                       = fetchApple "osx-10.10.5" "sha256-Z3nP8pX1YG4Fbt7MrnqO06ihE9aYOex5Eib/rqOpoPk=";
+    IOFireWireSerialBusProtocolTransport = fetchApple "osx-10.10.5" "sha256-zdYE0UCKiVhDRGdWaH8L51ArbYTnsQOmcN/OMmpNdFA=";
+    IOGraphics                           = fetchApple "osx-10.10.5" "sha256-lXoW4sx3pyl5fg5Qde3sQi2i8rTLnpeCdDaTHjbfaMI=";
+    IOHIDFamily                          = fetchApple "osx-10.10.5" "sha256-b+S1p3p5d8olYE18VrBns4euerVINaQSFEp34sko5rM=";
+    IONetworkingFamily                   = fetchApple "osx-10.10.5" "sha256-NOpFOBKS6iwFj9DJxduZYZfZJuhDyBQw2QMKHbu7j40=";
+    IOSerialFamily                       = fetchApple "osx-10.10.5" "sha256-hpYrgXsuTul4CYoYIjQjerfvQRqISM2tCcfVXlnjbZo=";
+    IOStorageFamily                      = fetchApple "osx-10.9.5"  "sha256-CeA4rHUrBKHsDeJU9ssIY9LQwDw09a+vQUyruosaLKA=";
+    IOBDStorageFamily                    = fetchApple "osx-10.10.5" "sha256-gD52RKXGKWGga/QGlutxsgsPNSN6gcRfFQRT8v51N3E=";
+    IOCDStorageFamily                    = fetchApple "osx-10.10.5" "sha256-+nyqH6lMPmIkDLYXNVSeR4vBYS165oyJx+DkCkKOGRg=";
+    IODVDStorageFamily                   = fetchApple "osx-10.10.5" "sha256-Jy3UuRzdd0bBdhJgI/f8vLXh2GdGs1RVN3G2iEs86kQ=";
+    # There should be an IOStreamFamily project here, but they haven't released it :(
+    IOUSBFamily                          = fetchApple "osx-10.8.5"  "sha256-FwgGoP97Sj47VGXMxbY0oUugKf7jtxAL1RzL6+315cU="; # This is from 10.8 :(
+    IOUSBFamily_older                    = fetchApple "osx-10.8.4"  "sha256-5apCsqtHK0EC8x1uPTTll43x69eal/nsokfS80qLlxs=" "IOUSBFamily"; # This is even older :(
+    IOKitUser                            = fetchApple "osx-10.10.5" "sha256-3UHM3g91v4RugmONbM+SAPr1SfoUPY3QPcTwTpt+zuY=";
+    # There should be an IOVideo here, but they haven't released it :(
+  };
+
+  IOKitSrcs = lib.mapAttrs (name: value: if lib.isFunction value then value name else value) IOKitSpecs;
+
+in
+
+# darwin package set
+self:
+
+let
+  macosPackages_11_0_1 = import ./macos-11.0.1.nix { inherit applePackage'; };
+  developerToolsPackages_11_3_1 = import ./developer-tools-11.3.1.nix { inherit applePackage'; };
+
+  applePackage' = namePath: version: sdkName: sha256:
+    let
+      pname = builtins.head (lib.splitString "/" namePath);
+      appleDerivation' = stdenv: appleDerivation'' stdenv pname version sdkName sha256;
+      appleDerivation = appleDerivation' stdenv;
+      callPackage = self.newScope { inherit appleDerivation' appleDerivation; };
+    in callPackage (./. + "/${namePath}");
+
+  applePackage = namePath: sdkName: sha256: let
+    pname = builtins.head (lib.splitString "/" namePath);
+    version = versions.${sdkName}.${pname};
+  in applePackage' namePath version sdkName sha256;
+
+  # Only used for bootstrapping. It’s convenient because it was the last version to come with a real makefile.
+  adv_cmds-boot = applePackage "adv_cmds/boot.nix" "osx-10.5.8" "sha256-/OJLNpATyS31W5nWfJgSVO5itp8j55TRwG57/QLT5Fg=" {};
+
+in
+
+developerToolsPackages_11_3_1 // macosPackages_11_0_1 // {
+    # TODO: shorten this list, we should cut down to a minimum set of bootstrap or necessary packages here.
+
+    inherit (adv_cmds-boot) ps locale;
+    architecture    = applePackage "architecture"      "osx-10.11.6"     "sha256-cUKeMx6mOAxBSRHIdfzsrR65Qv86m7+20XvpKqVfwVI=" {};
+    bsdmake         = applePackage "bsdmake"           "dev-tools-3.2.6" "sha256-CW8zP5QZMhWTGp+rhrm8oHE/vSLsRlv1VRAGe1OUDmI=" {};
+    CarbonHeaders   = applePackage "CarbonHeaders"     "osx-10.6.2"      "sha256-UNaHvxzYzEBnYYuoMLqWUVprZa6Wqn/3XleoSCco050=" {};
+    CommonCrypto    = applePackage "CommonCrypto"      "osx-10.12.6"     "sha256-FLgODBrfv+XsGaAjddncYAm/BIJJYw6LcwX/z7ncKFM=" {};
+    configd         = applePackage "configd"           "osx-10.8.5"      "sha256-6I3FWNjTgds5abEcZrD++s9b+P9a2+qUf8KFAb72DwI=" {
+      Security      = applePackage "Security/boot.nix" "osx-10.9.5"      "sha256-7qr0IamjCXCobIJ6V9KtvbMBkJDfRCy4C5eqpHJlQLI=" {};
+      inherit (pkgs.darwin.apple_sdk.libs) xpc;
+    };
+    copyfile        = applePackage "copyfile"          "osx-10.12.6"     "sha256-uHqLFOIpXK+n0RHyOZzVsP2DDZcFDivKCnqHBaXvHns=" {};
+    Csu             = applePackage "Csu"               "osx-10.11.6"     "sha256-h6a/sQMEVeFxKNWAPgKBXjWhyL2L2nvX9BQUMaTQ6sY=" {};
+    dtrace          = applePackage "dtrace"            "osx-10.12.6"     "sha256-Icr22ozixHquI0kRB2XZ+LlxD6V46sJHsHy4L/tDXZg=" {};
+    dyld            = applePackage "dyld"              "osx-10.12.6"     "sha256-JmKnOZtBPf96zEx7vhYHLBSTOPyKN71IdYE3R0IeJww=" {};
+    eap8021x        = applePackage "eap8021x"          "osx-10.11.6"     "sha256-54P3+YhVhOanoZQoqswDnr/GbR/AdEERse135nyuIQo=" {};
+    IOKit           = applePackage "IOKit"             "osx-10.11.6"     "" { inherit IOKitSrcs; };
+    launchd         = applePackage "launchd"           "osx-10.9.5"      "sha256-dmV0UK7hG9wvTr+F4Z47nCFXcVZCV+cQ46WbE0DBtJs=" {};
+    libauto         = applePackage "libauto"           "osx-10.9.5"      "sha256-GnRcKq8jRbEsI/PSDphwUjWtpEIEcnLlQL9yxYLgSsU=" {};
+    Libc            = applePackage "Libc"              "osx-10.12.6"     "sha256-LSsL7S3KFgGU9qjK4atu/4wBh8ftgfsk6JOvg+ZTZOY=" {
+      Libc_10-9 = fetchFromGitHub {
+        owner  = "apple-oss-distributions";
+        repo   = "Libc";
+        rev    = "Libc-997.90.3";
+        hash   = "sha256-B18RNO+Rai5XE52TKdJV7eknosTZ+bRERkiU12d/kPU=";
+      };
+    };
+    libclosure      = applePackage "libclosure"        "osx-10.11.6"     "sha256-L5rQ+UBpf3B+W1U+gZKk7fXulslHsc8lxnCsplV+nr0=" {};
+    libdispatch     = applePackage "libdispatch"       "osx-10.10.5"     "sha256-jfAEk0OLrJa9AIZVikIoHomd+l+4rCfc320Xh50qK5M=" {};
+    libiconv        = applePackage "libiconv"          "osx-10.12.6"     "sha256-ZzPFkchK3EU95UQUVVrR0t8iilhi/VnIkjjtP6KT2oI=" {};
+    Libinfo         = applePackage "Libinfo"           "osx-10.11.6"     "sha256-6F7wiwerv4nz/xXHtp1qCHSaFzZgzcRN+jbmXA5oWOQ=" {};
+    Libm            = applePackage "Libm"              "osx-10.7.4"      "sha256-KjMETfT4qJm0m0Ux/F6Rq8bI4Q4UVnFx6IKbKxXd+Es=" {};
+    Libnotify       = applePackage "Libnotify"         "osx-10.12.6"     "sha256-6wvMBxAUfiYcQtmlfYCj1d3kFmFM/jdboTd7hRvi3e4=" {};
+    libmalloc       = if stdenv.isx86_64 then
+      applePackage "libmalloc" "osx-10.12.6" "sha256-brfG4GEF2yZipKdhlPq6DhT2z5hKYSb2MAmffaikdO4=" {}
+    else macosPackages_11_0_1.libmalloc;
+    libplatform     = applePackage "libplatform"       "osx-10.12.6"     "sha256-6McMTjw55xtnCsFI3AB1osRagnuB5pSTqeMKD3gpGtM=" {};
+    libpthread      = applePackage "libpthread"        "osx-10.12.6"     "sha256-QvJ9PERmrCWBiDmOWrLvQUKZ4JxHuh8gS5nlZKDLqE8=" {};
+    libresolv       = applePackage "libresolv"         "osx-10.12.6"     "sha256-FtvwjJKSFX6j9APYPC8WLXVOjbHLZa1Gcoc8yxLy8qE=" {};
+    Libsystem       = applePackage "Libsystem"         "osx-10.12.6"     "sha256-zvRdCP//TjKCGAqm/5nJXPppshU1cv2fg/L/yK/olGQ=" {};
+    libutil         = applePackage "libutil"           "osx-10.12.6"     "sha256-4PFuk+CTLwvd/Ll9GLBkiIM0Sh/CVaiKwh5m1noheRs=" {};
+    libunwind       = applePackage "libunwind"         "osx-10.12.6"     "sha256-CC0sndP/mKYe3dZu3v7fjuDASV4V4w7dAcnWMvpoquE=" {};
+    mDNSResponder   = applePackage "mDNSResponder"     "osx-10.12.6"     "sha256-ddZr6tropkpdMJhq/kUlm3OwO8b0yxtkrMpwec8R4FY=" {};
+    objc4           = applePackage "objc4"             "osx-10.12.6"     "sha256-ZsxRpdsfv3Dxs7yBBCkjbKXKR6aXwkEpxc1XYXz7ueM=" {};
+    ppp             = applePackage "ppp"               "osx-10.12.6"     "sha256-M1zoEjjeKIDUEP6ACbpUJk3OXjobw4g/qzUmxGdX1J0=" {};
+    removefile      = applePackage "removefile"        "osx-10.12.6"     "sha256-UpNk27kGXnZss1ZXWVJU9jLz/NW63ZAZEDLhyCYoi9M=" {};
+    xnu             = if stdenv.isx86_64 then
+    applePackage "xnu"               "osx-10.12.6"     "sha256-C8TPQlUT3RbzAy8YnZPNtr70hpaVG9Llv0h42s3NENI=" {
+      python3 = pkgs.buildPackages.buildPackages.python3; # TODO(@Ericson2314) this shouldn't be needed.
+    }
+    else macosPackages_11_0_1.xnu;
+    hfs             = applePackage "hfs"               "osx-10.12.6"     "sha256-eGi18HQFJrU5UHoBOE0LqO5gQ0xOf8+OJuAWQljfKE4=" {};
+    Librpcsvc       = applePackage "Librpcsvc"         "osx-10.11.6"     "sha256-YHbGws901xONzAbo6sB5zSea4Wp0sgYUJ8YgwVfWxnE=" {};
+    adv_cmds        = applePackage "adv_cmds"          "osx-10.11.6"     "sha256-Ztp8ALWcviEpthoiY8ttWzGI8OcsLzsULjlqe8GIzw8=" {};
+    basic_cmds      = applePackage "basic_cmds"        "osx-10.11.6"     "sha256-BYPPTg4/7x6RPs0WwwQlkNiZxxArV+7EVe6bM+a/I6Q=" {};
+    developer_cmds  = applePackage "developer_cmds"    "osx-10.11.6"     "sha256-h0wMVlS6QdRvKOVJ74W9ziHYGApjvnk77AIR6ukYBRo=" {};
+    diskdev_cmds    = applePackage "diskdev_cmds"      "osx-10.11.6"     "sha256-VX+hcZ7JhOA8EhwLloPlM3Yx79RXp9OYHV9Mi10uw3Q=" {
+      macosPackages_11_0_1 = macosPackages_11_0_1;
+    };
+    network_cmds    = if stdenv.isx86_64 then
+      applePackage "network_cmds" "osx-10.11.6" "sha256-I89CLIswGheewOjiNZwQTgWvWbhm0qtB5+KUqzxnQ5M=" {}
+    else macosPackages_11_0_1.network_cmds;
+    file_cmds       = applePackage "file_cmds"         "osx-10.11.6"     "sha256-JYy6HwmultKeZtLfaysbsyLoWg+OaTh7eJu54JkJC0Q=" {};
+    shell_cmds      = applePackage "shell_cmds"        "osx-10.11.6"     "sha256-kmEOprkiJGMVcl7yHkGX8ymk/5KjE99gWuF8j2hK5hY=" {};
+    system_cmds     = applePackage "system_cmds"       "osx-10.11.6"     "sha256-KBdGlHeXo2PwgRQOOeElJ1RBqCY1Tdhn5KD42CMhdzI=" {};
+    text_cmds       = applePackage "text_cmds"         "osx-10.11.6"     "sha256-KSebU7ZyUsPeqn51nzuGNaNxs9pvmlIQQdkWXIVzDxw=" {};
+    top             = applePackage "top"               "osx-10.11.6"     "sha256-jbz64ODogtpNyLpXGSZj1jCBdFPVXcVcBkL1vc7g5qQ=" {};
+    PowerManagement = applePackage "PowerManagement"   "osx-10.11.6"     "sha256-bYGtYnBOcE5W03AZzfVTJXPZ6GgryGAMt/LgLPxFkVk=" {};
+
+    # `configdHeaders` can’t use an override because `pkgs.darwin.configd` on aarch64-darwin will
+    # be replaced by SystemConfiguration.framework from the macOS SDK.
+    configdHeaders  = applePackage "configd"           "osx-10.8.5"      "sha256-6I3FWNjTgds5abEcZrD++s9b+P9a2+qUf8KFAb72DwI=" {
+      headersOnly = true;
+      Security    = null;
+      xpc         = null;
+    };
+    libutilHeaders  = pkgs.darwin.libutil.override { headersOnly = true; };
+    hfsHeaders      = pkgs.darwin.hfs.override { headersOnly = true; };
+    libresolvHeaders= pkgs.darwin.libresolv.override { headersOnly = true; };
+
+    # TODO(matthewbauer):
+    # To be removed, once I figure out how to build a newer Security version.
+    Security        = applePackage "Security/boot.nix" "osx-10.9.5"      "sha256-7qr0IamjCXCobIJ6V9KtvbMBkJDfRCy4C5eqpHJlQLI=" {};
+}
diff --git a/nixpkgs/pkgs/os-specific/darwin/apple-source-releases/developer-tools-11.3.1.nix b/nixpkgs/pkgs/os-specific/darwin/apple-source-releases/developer-tools-11.3.1.nix
new file mode 100644
index 000000000000..7eeafec34655
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/darwin/apple-source-releases/developer-tools-11.3.1.nix
@@ -0,0 +1,8 @@
+# Generated using:  ./generate-sdk-packages.sh developer-tools 11.3.1
+
+{ applePackage' }:
+
+{
+bootstrap_cmds = applePackage' "bootstrap_cmds" "116" "developer-tools-11.3.1" "06nw99ajkd264vdi6n2zv252ppxp3wx3120hqf3jqdh6c1wavy0b" {};
+developer_cmds = applePackage' "developer_cmds" "66" "developer-tools-11.3.1" "0f7vphpscjcypq49gjckbs20xhm7yjalr4nnbphqcqp8v1al56dc" {};
+}
diff --git a/nixpkgs/pkgs/os-specific/darwin/apple-source-releases/developer_cmds/default.nix b/nixpkgs/pkgs/os-specific/darwin/apple-source-releases/developer_cmds/default.nix
new file mode 100644
index 000000000000..23a5ae006712
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/darwin/apple-source-releases/developer_cmds/default.nix
@@ -0,0 +1,41 @@
+{ lib, appleDerivation, xcbuildHook, llvmPackages, makeWrapper }:
+
+appleDerivation {
+  nativeBuildInputs = [ xcbuildHook makeWrapper ];
+
+  patches = [
+    # The following copied from
+    # https://github.com/Homebrew/homebrew-core/commit/712ed3e948868e17f96b7e59972b5f45d4faf688
+    # is needed to build libvirt.
+    ./rpcgen-support-hyper-and-quad-types.patch
+  ];
+
+  postPatch = ''
+    makeWrapper ${llvmPackages.clang}/bin/clang $out/bin/clang-cpp --add-flags "--driver-mode=cpp"
+    substituteInPlace rpcgen/rpc_main.c \
+      --replace "/usr/bin/cpp" "$out/bin/clang-cpp"
+  '';
+
+  # Workaround build failure on -fno-common toolchains:
+  #   duplicate symbol '_btype_2' in:args.o pr_comment.o
+  env.NIX_CFLAGS_COMPILE = "-fcommon";
+
+  # temporary install phase until xcodebuild has "install" support
+  installPhase = ''
+    for f in Products/Release/*; do
+      if [ -f $f ]; then
+        install -D $f $out/bin/$(basename $f)
+      fi
+    done
+
+    for n in 1; do
+      mkdir -p $out/share/man/man$n
+      install */*.$n $out/share/man/man$n
+    done
+  '';
+
+  meta = {
+    platforms = lib.platforms.darwin;
+    maintainers = with lib.maintainers; [ matthewbauer ];
+  };
+}
diff --git a/nixpkgs/pkgs/os-specific/darwin/apple-source-releases/developer_cmds/rpcgen-support-hyper-and-quad-types.patch b/nixpkgs/pkgs/os-specific/darwin/apple-source-releases/developer_cmds/rpcgen-support-hyper-and-quad-types.patch
new file mode 100644
index 000000000000..481cf0f3e055
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/darwin/apple-source-releases/developer_cmds/rpcgen-support-hyper-and-quad-types.patch
@@ -0,0 +1,66 @@
+diff --git a/rpcgen/rpc_parse.c b/rpcgen/rpc_parse.c
+index 52edc9f..db0c1f1 100644
+--- a/rpcgen/rpc_parse.c
++++ b/rpcgen/rpc_parse.c
+@@ -580,6 +580,10 @@ get_type(prefixp, typep, dkind)
+		*typep = "long";
+		(void) peekscan(TOK_INT, &tok);
+		break;
++	case TOK_HYPER:
++		*typep = "int64_t";
++		(void) peekscan(TOK_INT, &tok);
++		break;
+	case TOK_VOID:
+		if (dkind != DEF_UNION && dkind != DEF_PROGRAM) {
+			error("voids allowed only inside union and program definitions with one argument");
+@@ -592,6 +596,7 @@ get_type(prefixp, typep, dkind)
+	case TOK_INT:
+	case TOK_FLOAT:
+	case TOK_DOUBLE:
++	case TOK_QUAD:
+	case TOK_BOOL:
+		*typep = tok.str;
+		break;
+@@ -622,6 +627,11 @@ unsigned_dec(typep)
+		*typep = "u_long";
+		(void) peekscan(TOK_INT, &tok);
+		break;
++	case TOK_HYPER:
++		get_token(&tok);
++		*typep = "u_int64_t";
++		(void) peekscan(TOK_INT, &tok);
++		break;
+	case TOK_INT:
+		get_token(&tok);
+		*typep = "u_int";
+diff --git a/rpcgen/rpc_scan.c b/rpcgen/rpc_scan.c
+index a8df441..4130107 100644
+--- a/rpcgen/rpc_scan.c
++++ b/rpcgen/rpc_scan.c
+@@ -419,8 +419,10 @@ static token symbols[] = {
+	{TOK_UNSIGNED, "unsigned"},
+	{TOK_SHORT, "short"},
+	{TOK_LONG, "long"},
++	{TOK_HYPER, "hyper"},
+	{TOK_FLOAT, "float"},
+	{TOK_DOUBLE, "double"},
++	{TOK_QUAD, "quadruple"},
+	{TOK_STRING, "string"},
+	{TOK_PROGRAM, "program"},
+	{TOK_VERSION, "version"},
+diff --git a/rpcgen/rpc_scan.h b/rpcgen/rpc_scan.h
+index bac2be4..e4c57c8 100644
+--- a/rpcgen/rpc_scan.h
++++ b/rpcgen/rpc_scan.h
+@@ -66,9 +66,11 @@ enum tok_kind {
+	TOK_INT,
+	TOK_SHORT,
+	TOK_LONG,
++	TOK_HYPER,
+	TOK_UNSIGNED,
+	TOK_FLOAT,
+	TOK_DOUBLE,
++	TOK_QUAD,
+	TOK_OPAQUE,
+	TOK_CHAR,
+	TOK_STRING,
\ No newline at end of file
diff --git a/nixpkgs/pkgs/os-specific/darwin/apple-source-releases/diskdev_cmds/default.nix b/nixpkgs/pkgs/os-specific/darwin/apple-source-releases/diskdev_cmds/default.nix
new file mode 100644
index 000000000000..e4431c68c9aa
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/darwin/apple-source-releases/diskdev_cmds/default.nix
@@ -0,0 +1,46 @@
+{ lib, appleDerivation, xcbuildHook, Libc, stdenv, macosPackages_11_0_1, xnu
+, fetchurl, libutil }:
+
+let
+  xnu-src = if stdenv.isAarch64 then macosPackages_11_0_1.xnu.src else xnu.src;
+  arch = if stdenv.isAarch64 then "arm" else "i386";
+in appleDerivation {
+  patches = [
+    # Fixes a build failure with newer versions of clang that make implicit int an error.
+    ./fix-implicit-int.patch
+  ];
+
+  nativeBuildInputs = [ xcbuildHook ];
+  buildInputs = [ libutil ];
+
+  env.NIX_CFLAGS_COMPILE = "-I.";
+  NIX_LDFLAGS = "-lutil";
+  prePatch = ''
+    # ugly hacks for missing headers
+    # most are bsd related - probably should make this a drv
+    unpackFile ${Libc.src}
+    unpackFile ${xnu-src}
+    mkdir System sys machine ${arch}
+    cp xnu-*/bsd/sys/disklabel.h sys
+    cp xnu-*/bsd/machine/disklabel.h machine
+    cp xnu-*/bsd/${arch}/disklabel.h ${arch}
+    cp -r xnu-*/bsd/sys System
+    cp -r Libc-*/uuid System
+    substituteInPlace diskdev_cmds.xcodeproj/project.pbxproj \
+      --replace 'DEBUG_INFORMATION_FORMAT = "dwarf-with-dsym";' ""
+  '';
+  installPhase = ''
+    install -D Products/Release/libdisk.a $out/lib/libdisk.a
+    rm Products/Release/libdisk.a
+    for f in Products/Release/*; do
+      if [ -f $f ]; then
+        install -D $f $out/bin/$(basename $f)
+      fi
+    done
+  '';
+
+  meta = {
+    platforms = lib.platforms.darwin;
+    maintainers = with lib.maintainers; [ matthewbauer ];
+  };
+}
diff --git a/nixpkgs/pkgs/os-specific/darwin/apple-source-releases/diskdev_cmds/fix-implicit-int.patch b/nixpkgs/pkgs/os-specific/darwin/apple-source-releases/diskdev_cmds/fix-implicit-int.patch
new file mode 100644
index 000000000000..df0fff930daf
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/darwin/apple-source-releases/diskdev_cmds/fix-implicit-int.patch
@@ -0,0 +1,11 @@
+diff -ur a/diskdev_cmds.xcodeproj/project.pbxproj b/diskdev_cmds.xcodeproj/project.pbxproj
+--- a/quota.tproj/quota.c	2021-10-06 01:13:40.000000000 -0400
++++ b/quota.tproj/quota.c	2023-10-27 08:24:05.960965958 -0400
+@@ -115,6 +115,7 @@
+ 
+ int
+ main(argc, argv)
++	int argc;
+ 	char *argv[];
+ {
+ 	int ngroups; 
diff --git a/nixpkgs/pkgs/os-specific/darwin/apple-source-releases/dtrace/default.nix b/nixpkgs/pkgs/os-specific/darwin/apple-source-releases/dtrace/default.nix
new file mode 100644
index 000000000000..afff7897488e
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/darwin/apple-source-releases/dtrace/default.nix
@@ -0,0 +1,57 @@
+{ appleDerivation, xcbuildHook, CoreSymbolication, apple_sdk
+, xnu, bison, flex, stdenv, fixDarwinDylibNames }:
+
+appleDerivation {
+  nativeBuildInputs = [ xcbuildHook flex bison fixDarwinDylibNames ];
+  buildInputs = [ CoreSymbolication apple_sdk.frameworks.CoreSymbolication xnu ];
+  # -fcommon: workaround build failure on -fno-common toolchains:
+  #   duplicate symbol '_kCSRegionMachHeaderName' in: libproc.o dt_module_apple.o
+  env.NIX_CFLAGS_COMPILE = "-DCTF_OLD_VERSIONS -DPRIVATE -DYYDEBUG=1 -I${xnu}/Library/Frameworks/System.framework/Headers -Wno-error=implicit-function-declaration -fcommon";
+  NIX_LDFLAGS = "-L./Products/Release";
+  xcbuildFlags = [ "-target" "dtrace_frameworks" "-target" "dtrace" ];
+
+  doCheck = false;
+  checkPhase = "xcodebuild -target dtrace_tests";
+
+  postPatch = ''
+    substituteInPlace dtrace.xcodeproj/project.pbxproj \
+      --replace "/usr/sbin" ""
+    substituteInPlace libdtrace/dt_open.c \
+      --replace /usr/bin/clang ${stdenv.cc.cc}/bin/clang \
+      --replace /usr/bin/ld ${stdenv.cc.bintools.bintools}/bin/ld \
+      --replace /usr/lib/dtrace/dt_cpp.h $out/include/dt_cpp.h \
+      --replace /usr/lib/dtrace $out/lib/dtrace
+    substituteInPlace libproc/libproc.c \
+      --replace "#include <sandbox/rootless.h>" ""
+  '';
+
+  # hack to handle xcbuild's broken lex handling
+  preBuild = ''
+    pushd libdtrace
+    yacc -d dt_grammar.y
+    flex -l -d dt_lex.l
+    popd
+
+    substituteInPlace dtrace.xcodeproj/project.pbxproj \
+      --replace '6EBC9800099BFBBF0001019C /* dt_grammar.y */ = {isa = PBXFileReference; fileEncoding = 30; lastKnownFileType = sourcecode.yacc; name = dt_grammar.y; path = libdtrace/dt_grammar.y; sourceTree = "<group>"; };' '6EBC9800099BFBBF0001019C /* y.tab.c */ = {isa = PBXFileReference; fileEncoding = 30; lastKnownFileType = sourcecode.c.c; name = y.tab.c; path = libdtrace/y.tab.c; sourceTree = "<group>"; };' \
+      --replace '6EBC9808099BFBBF0001019C /* dt_lex.l */ = {isa = PBXFileReference; fileEncoding = 30; lastKnownFileType = sourcecode.lex; name = dt_lex.l; path = libdtrace/dt_lex.l; sourceTree = "<group>"; };' '6EBC9808099BFBBF0001019C /* lex.yy.c */ = {isa = PBXFileReference; fileEncoding = 30; lastKnownFileType = sourcecode.c.c; name = lex.yy.c; path = libdtrace/lex.yy.c; sourceTree = "<group>"; };'
+  '';
+
+  # xcbuild doesn't support install
+  installPhase = ''
+    mkdir -p $out
+
+    cp -r Products/Release/usr/include $out/include
+    cp scripts/dt_cpp.h $out/include/dt_cpp.h
+
+    mkdir $out/lib
+    cp Products/Release/*.dylib $out/lib
+
+    mkdir $out/bin
+    cp Products/Release/dtrace $out/bin
+
+    mkdir -p $out/lib/dtrace
+
+    install_name_tool -change $PWD/Products/Release/libdtrace.dylib $out/lib/libdtrace.dylib $out/bin/dtrace
+  '';
+}
diff --git a/nixpkgs/pkgs/os-specific/darwin/apple-source-releases/dyld/default.nix b/nixpkgs/pkgs/os-specific/darwin/apple-source-releases/dyld/default.nix
new file mode 100644
index 000000000000..ca3b70cd0926
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/darwin/apple-source-releases/dyld/default.nix
@@ -0,0 +1,16 @@
+{ lib, appleDerivation', stdenvNoCC }:
+
+appleDerivation' stdenvNoCC {
+  installPhase = ''
+    mkdir -p $out/lib $out/include
+    ln -s /usr/lib/dyld $out/lib/dyld
+    cp -r include $out/
+  '';
+
+  meta = with lib; {
+    description = "Impure primitive symlinks to the Mac OS native dyld, along with headers";
+    maintainers = with maintainers; [ copumpkin ];
+    platforms   = platforms.darwin;
+    license     = licenses.apsl20;
+  };
+}
diff --git a/nixpkgs/pkgs/os-specific/darwin/apple-source-releases/eap8021x/default.nix b/nixpkgs/pkgs/os-specific/darwin/apple-source-releases/eap8021x/default.nix
new file mode 100644
index 000000000000..f5c47f01d37a
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/darwin/apple-source-releases/eap8021x/default.nix
@@ -0,0 +1,10 @@
+{ appleDerivation', stdenv }:
+
+appleDerivation' stdenv {
+  dontBuild = true;
+  installPhase = ''
+    mkdir -p $out/Library/Frameworks/EAP8021X.framework/Headers
+
+    cp EAP8021X.fproj/EAPClientProperties.h $out/Library/Frameworks/EAP8021X.framework/Headers
+  '';
+}
diff --git a/nixpkgs/pkgs/os-specific/darwin/apple-source-releases/file_cmds/default.nix b/nixpkgs/pkgs/os-specific/darwin/apple-source-releases/file_cmds/default.nix
new file mode 100644
index 000000000000..8d44cc86194f
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/darwin/apple-source-releases/file_cmds/default.nix
@@ -0,0 +1,42 @@
+{ lib, appleDerivation, xcbuildHook, zlib, bzip2, xz, ncurses, libutil, Libinfo }:
+
+appleDerivation {
+  nativeBuildInputs = [ xcbuildHook ];
+  buildInputs = [ zlib bzip2 xz ncurses libutil Libinfo ];
+
+  # some commands not working:
+  # mtree: _simple.h not found
+  # ipcs: sys/ipcs.h not found
+  # so remove their targets from the project
+  patchPhase = ''
+    substituteInPlace file_cmds.xcodeproj/project.pbxproj \
+      --replace "FC8A8CAA14B655FD001B97AD /* PBXTargetDependency */," "" \
+      --replace "FC8A8C9C14B655FD001B97AD /* PBXTargetDependency */," "" \
+      --replace "productName = file_cmds;" "" \
+      --replace '/usr/lib/libcurses.dylib' 'libncurses.dylib'
+    sed -i -re "s/name = ([a-zA-Z]+);/name = \1; productName = \1;/" file_cmds.xcodeproj/project.pbxproj
+  '';
+
+  # Workaround build failure on -fno-common toolchains:
+  #   duplicate symbol '_chdname' in: ar_io.o tty_subs.o
+  env.NIX_CFLAGS_COMPILE = "-fcommon";
+
+  # temporary install phase until xcodebuild has "install" support
+  installPhase = ''
+    for f in Products/Release/*; do
+      if [ -f $f ]; then
+        install -D $f $out/bin/$(basename $f)
+      fi
+    done
+
+    for n in 1; do
+      mkdir -p $out/share/man/man$n
+      install */*.$n $out/share/man/man$n
+    done
+  '';
+
+  meta = {
+    platforms = lib.platforms.darwin;
+    maintainers = with lib.maintainers; [ matthewbauer ];
+  };
+}
diff --git a/nixpkgs/pkgs/os-specific/darwin/apple-source-releases/generate-sdk-packages.sh b/nixpkgs/pkgs/os-specific/darwin/apple-source-releases/generate-sdk-packages.sh
new file mode 100755
index 000000000000..418a1d625d6a
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/darwin/apple-source-releases/generate-sdk-packages.sh
@@ -0,0 +1,37 @@
+#!/usr/bin/env nix-shell
+#!nix-shell -i bash -p curl jq
+
+usage() {
+    cat <<EOF
+usage: $0 macos 11.0.1
+EOF
+}
+
+if [ "$#" != 2 ]; then
+    usage
+    exit 1
+fi
+
+cd $(dirname "$0")
+
+sdkName="$1-$2"
+outfile="$sdkName.nix"
+
+>$outfile echo "# Generated using:  ./$(basename "$0") $1 $2
+
+{ applePackage' }:
+
+{"
+
+parse_line() {
+    readarray -t -d$'-' package < <(printf "%s" $2)
+    local pname=${package[0]} version=${package[1]}
+
+    if [ -d $pname ]; then
+        sha256=$(nix-prefetch-url "https://github.com/apple-oss-distributions/$pname/archive/refs/tags/$pname-$version.tar.gz")
+        >>$outfile echo "$pname = applePackage' \"$pname\" \"$version\" \"$sdkName\" \"$sha256\" {};"
+    fi
+}
+readarray -s1 -c1 -C parse_line < <(curl -sSL "https://github.com/apple-oss-distributions/distribution-${1//-/_}/raw/${sdkName//./}/release.json" | jq -r ".projects[].tag")
+
+>>$outfile echo '}'
diff --git a/nixpkgs/pkgs/os-specific/darwin/apple-source-releases/hfs/default.nix b/nixpkgs/pkgs/os-specific/darwin/apple-source-releases/hfs/default.nix
new file mode 100644
index 000000000000..093e8525e587
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/darwin/apple-source-releases/hfs/default.nix
@@ -0,0 +1,47 @@
+{ appleDerivation', stdenv, stdenvNoCC, lib, headersOnly ? true }:
+
+appleDerivation' (if headersOnly then stdenvNoCC else stdenv) {
+  installPhase = lib.optionalString headersOnly ''
+    mkdir -p $out/include/hfs
+    cp core/*.h $out/include/hfs
+  '';
+
+  appleHeaders = ''
+    hfs/BTreeScanner.h
+    hfs/BTreesInternal.h
+    hfs/BTreesPrivate.h
+    hfs/CatalogPrivate.h
+    hfs/FileMgrInternal.h
+    hfs/HFSUnicodeWrappers.h
+    hfs/UCStringCompareData.h
+    hfs/hfs.h
+    hfs/hfs_alloc_trace.h
+    hfs/hfs_attrlist.h
+    hfs/hfs_btreeio.h
+    hfs/hfs_catalog.h
+    hfs/hfs_cnode.h
+    hfs/hfs_cprotect.h
+    hfs/hfs_dbg.h
+    hfs/hfs_endian.h
+    hfs/hfs_extents.h
+    hfs/hfs_format.h
+    hfs/hfs_fsctl.h
+    hfs/hfs_hotfiles.h
+    hfs/hfs_iokit.h
+    hfs/hfs_journal.h
+    hfs/hfs_kdebug.h
+    hfs/hfs_key_roll.h
+    hfs/hfs_macos_defs.h
+    hfs/hfs_mount.h
+    hfs/hfs_quota.h
+    hfs/hfs_unistr.h
+    hfs/kext-config.h
+    hfs/rangelist.h
+  '';
+
+  meta = {
+    # Seems nobody wants its binary, so we didn't implement building.
+    broken = !headersOnly;
+    platforms = lib.platforms.darwin;
+  };
+}
diff --git a/nixpkgs/pkgs/os-specific/darwin/apple-source-releases/launchd/default.nix b/nixpkgs/pkgs/os-specific/darwin/apple-source-releases/launchd/default.nix
new file mode 100644
index 000000000000..67e051d56853
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/darwin/apple-source-releases/launchd/default.nix
@@ -0,0 +1,26 @@
+{ appleDerivation', stdenvNoCC }:
+
+appleDerivation' stdenvNoCC {
+  # No clue why the same file has two different names. Ask Apple!
+  installPhase = ''
+    mkdir -p $out/include/ $out/include/servers
+    cp liblaunch/*.h $out/include
+
+    cp liblaunch/bootstrap.h $out/include/servers
+    cp liblaunch/bootstrap.h $out/include/servers/bootstrap_defs.h
+  '';
+
+  appleHeaders = ''
+    bootstrap.h
+    bootstrap_priv.h
+    launch.h
+    launch_internal.h
+    launch_priv.h
+    reboot2.h
+    servers/bootstrap.h
+    servers/bootstrap_defs.h
+    vproc.h
+    vproc_internal.h
+    vproc_priv.h
+  '';
+}
diff --git a/nixpkgs/pkgs/os-specific/darwin/apple-source-releases/libauto/auto_dtrace.h b/nixpkgs/pkgs/os-specific/darwin/apple-source-releases/libauto/auto_dtrace.h
new file mode 100644
index 000000000000..bf367a3cabb3
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/darwin/apple-source-releases/libauto/auto_dtrace.h
@@ -0,0 +1,129 @@
+/*
+ * Generated by dtrace(1M).
+ */
+
+#ifndef _AUTO_DTRACE_H
+#define _AUTO_DTRACE_H
+
+#include <unistd.h>
+
+#ifdef  __cplusplus
+extern "C" {
+#endif
+
+#define GARBAGE_COLLECTION_STABILITY "___dtrace_stability$garbage_collection$v1$1_1_0_1_1_0_1_1_0_1_1_0_1_1_0"
+
+#define GARBAGE_COLLECTION_TYPEDEFS "___dtrace_typedefs$garbage_collection$v2$6175746f5f636f6c6c656374696f6e5f70686173655f74$6175746f5f636f6c6c656374696f6e5f747970655f74$6d616c6c6f635f7a6f6e655f74"
+
+#if !defined(DTRACE_PROBES_DISABLED) || !DTRACE_PROBES_DISABLED
+
+#define GARBAGE_COLLECTION_AUTO_BLOCK_LOST_THREAD_LOCALITY(arg0, arg1) \
+do { \
+  __asm__ volatile(".reference " GARBAGE_COLLECTION_TYPEDEFS); \
+  __dtrace_probe$garbage_collection$auto_block_lost_thread_locality$v1$766f6964202a$75696e7436345f74(arg0, arg1); \
+  __asm__ volatile(".reference " GARBAGE_COLLECTION_STABILITY); \
+} while (0)
+#define GARBAGE_COLLECTION_AUTO_BLOCK_LOST_THREAD_LOCALITY_ENABLED() \
+  ({ int _r = __dtrace_isenabled$garbage_collection$auto_block_lost_thread_locality$v1(); \
+    __asm__ volatile(""); \
+    _r; })
+#define GARBAGE_COLLECTION_AUTO_REFCOUNT_ONE_ALLOCATION(arg0) \
+do { \
+  __asm__ volatile(".reference " GARBAGE_COLLECTION_TYPEDEFS); \
+  __dtrace_probe$garbage_collection$auto_refcount_one_allocation$v1$75696e7436345f74(arg0); \
+  __asm__ volatile(".reference " GARBAGE_COLLECTION_STABILITY); \
+} while (0)
+#define GARBAGE_COLLECTION_AUTO_REFCOUNT_ONE_ALLOCATION_ENABLED() \
+  ({ int _r = __dtrace_isenabled$garbage_collection$auto_refcount_one_allocation$v1(); \
+    __asm__ volatile(""); \
+    _r; })
+#define GARBAGE_COLLECTION_COLLECTION_BEGIN(arg0, arg1) \
+do { \
+  __asm__ volatile(".reference " GARBAGE_COLLECTION_TYPEDEFS); \
+  __dtrace_probe$garbage_collection$collection_begin$v1$6d616c6c6f635f7a6f6e655f74202a$6175746f5f636f6c6c656374696f6e5f747970655f74(arg0, arg1); \
+  __asm__ volatile(".reference " GARBAGE_COLLECTION_STABILITY); \
+} while (0)
+#define GARBAGE_COLLECTION_COLLECTION_BEGIN_ENABLED() \
+  ({ int _r = __dtrace_isenabled$garbage_collection$collection_begin$v1(); \
+    __asm__ volatile(""); \
+    _r; })
+#define GARBAGE_COLLECTION_COLLECTION_END(arg0, arg1, arg2, arg3, arg4) \
+do { \
+  __asm__ volatile(".reference " GARBAGE_COLLECTION_TYPEDEFS); \
+  __dtrace_probe$garbage_collection$collection_end$v1$6d616c6c6f635f7a6f6e655f74202a$75696e7436345f74$75696e7436345f74$75696e7436345f74$75696e7436345f74(arg0, arg1, arg2, arg3, arg4); \
+  __asm__ volatile(".reference " GARBAGE_COLLECTION_STABILITY); \
+} while (0)
+#define GARBAGE_COLLECTION_COLLECTION_END_ENABLED() \
+  ({ int _r = __dtrace_isenabled$garbage_collection$collection_end$v1(); \
+    __asm__ volatile(""); \
+    _r; })
+#define GARBAGE_COLLECTION_COLLECTION_PHASE_BEGIN(arg0, arg1) \
+do { \
+  __asm__ volatile(".reference " GARBAGE_COLLECTION_TYPEDEFS); \
+  __dtrace_probe$garbage_collection$collection_phase_begin$v1$6d616c6c6f635f7a6f6e655f74202a$6175746f5f636f6c6c656374696f6e5f70686173655f74(arg0, arg1); \
+  __asm__ volatile(".reference " GARBAGE_COLLECTION_STABILITY); \
+} while (0)
+#define GARBAGE_COLLECTION_COLLECTION_PHASE_BEGIN_ENABLED() \
+  ({ int _r = __dtrace_isenabled$garbage_collection$collection_phase_begin$v1(); \
+    __asm__ volatile(""); \
+    _r; })
+#define GARBAGE_COLLECTION_COLLECTION_PHASE_END(arg0, arg1, arg2, arg3) \
+do { \
+  __asm__ volatile(".reference " GARBAGE_COLLECTION_TYPEDEFS); \
+  __dtrace_probe$garbage_collection$collection_phase_end$v1$6d616c6c6f635f7a6f6e655f74202a$6175746f5f636f6c6c656374696f6e5f70686173655f74$75696e7436345f74$75696e7436345f74(arg0, arg1, arg2, arg3); \
+  __asm__ volatile(".reference " GARBAGE_COLLECTION_STABILITY); \
+} while (0)
+#define GARBAGE_COLLECTION_COLLECTION_PHASE_END_ENABLED() \
+  ({ int _r = __dtrace_isenabled$garbage_collection$collection_phase_end$v1(); \
+    __asm__ volatile(""); \
+    _r; })
+
+
+extern void __dtrace_probe$garbage_collection$auto_block_lost_thread_locality$v1$766f6964202a$75696e7436345f74(const void *, uint64_t);
+extern int __dtrace_isenabled$garbage_collection$auto_block_lost_thread_locality$v1(void);
+extern void __dtrace_probe$garbage_collection$auto_refcount_one_allocation$v1$75696e7436345f74(uint64_t);
+extern int __dtrace_isenabled$garbage_collection$auto_refcount_one_allocation$v1(void);
+extern void __dtrace_probe$garbage_collection$collection_begin$v1$6d616c6c6f635f7a6f6e655f74202a$6175746f5f636f6c6c656374696f6e5f747970655f74(const malloc_zone_t *, auto_collection_type_t);
+extern int __dtrace_isenabled$garbage_collection$collection_begin$v1(void);
+extern void __dtrace_probe$garbage_collection$collection_end$v1$6d616c6c6f635f7a6f6e655f74202a$75696e7436345f74$75696e7436345f74$75696e7436345f74$75696e7436345f74(const malloc_zone_t *, uint64_t, uint64_t, uint64_t, uint64_t);
+extern int __dtrace_isenabled$garbage_collection$collection_end$v1(void);
+extern void __dtrace_probe$garbage_collection$collection_phase_begin$v1$6d616c6c6f635f7a6f6e655f74202a$6175746f5f636f6c6c656374696f6e5f70686173655f74(const malloc_zone_t *, auto_collection_phase_t);
+extern int __dtrace_isenabled$garbage_collection$collection_phase_begin$v1(void);
+extern void __dtrace_probe$garbage_collection$collection_phase_end$v1$6d616c6c6f635f7a6f6e655f74202a$6175746f5f636f6c6c656374696f6e5f70686173655f74$75696e7436345f74$75696e7436345f74(const malloc_zone_t *, auto_collection_phase_t, uint64_t, uint64_t);
+extern int __dtrace_isenabled$garbage_collection$collection_phase_end$v1(void);
+
+#else
+
+#define GARBAGE_COLLECTION_AUTO_BLOCK_LOST_THREAD_LOCALITY(arg0, arg1) \
+do { \
+  } while (0)
+#define GARBAGE_COLLECTION_AUTO_BLOCK_LOST_THREAD_LOCALITY_ENABLED() (0)
+#define GARBAGE_COLLECTION_AUTO_REFCOUNT_ONE_ALLOCATION(arg0) \
+do { \
+  } while (0)
+#define GARBAGE_COLLECTION_AUTO_REFCOUNT_ONE_ALLOCATION_ENABLED() (0)
+#define GARBAGE_COLLECTION_COLLECTION_BEGIN(arg0, arg1) \
+do { \
+  } while (0)
+#define GARBAGE_COLLECTION_COLLECTION_BEGIN_ENABLED() (0)
+#define GARBAGE_COLLECTION_COLLECTION_END(arg0, arg1, arg2, arg3, arg4) \
+do { \
+  } while (0)
+#define GARBAGE_COLLECTION_COLLECTION_END_ENABLED() (0)
+#define GARBAGE_COLLECTION_COLLECTION_PHASE_BEGIN(arg0, arg1) \
+do { \
+  } while (0)
+#define GARBAGE_COLLECTION_COLLECTION_PHASE_BEGIN_ENABLED() (0)
+#define GARBAGE_COLLECTION_COLLECTION_PHASE_END(arg0, arg1, arg2, arg3) \
+do { \
+  } while (0)
+#define GARBAGE_COLLECTION_COLLECTION_PHASE_END_ENABLED() (0)
+
+#endif /* !defined(DTRACE_PROBES_DISABLED) || !DTRACE_PROBES_DISABLED */
+
+
+#ifdef  __cplusplus
+}
+#endif
+
+#endif  /* _AUTO_DTRACE_H */
diff --git a/nixpkgs/pkgs/os-specific/darwin/apple-source-releases/libauto/default.nix b/nixpkgs/pkgs/os-specific/darwin/apple-source-releases/libauto/default.nix
new file mode 100644
index 000000000000..8a551dcc892c
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/darwin/apple-source-releases/libauto/default.nix
@@ -0,0 +1,86 @@
+{ lib, stdenv, appleDerivation, libdispatch, Libsystem }:
+
+appleDerivation {
+  # these are included in the pure libc
+  buildInputs = lib.optionals stdenv.cc.nativeLibc [ libdispatch Libsystem ];
+
+  buildPhase = ''
+    cp ${./auto_dtrace.h} ./auto_dtrace.h
+
+    substituteInPlace ThreadLocalCollector.h --replace SubZone.h Subzone.h
+
+    substituteInPlace auto_zone.cpp \
+      --replace "#include <msgtracer_client.h>" ''$'#include <asl.h>\nstatic void msgtracer_log_with_keys(...) { };'
+
+    substituteInPlace Definitions.h \
+      --replace "#include <System/pthread_machdep.h>" "" \
+      --replace 'void * const, void * const' 'void * const, void *'
+
+    # getspecific_direct is more efficient, but this should be equivalent...
+    substituteInPlace Zone.h \
+      --replace "_pthread_getspecific_direct" "pthread_getspecific" \
+      --replace "_pthread_has_direct_tsd()" "0" \
+      --replace "__PTK_FRAMEWORK_GC_KEY0" "110" \
+      --replace "__PTK_FRAMEWORK_GC_KEY1" "111" \
+      --replace "__PTK_FRAMEWORK_GC_KEY2" "112" \
+      --replace "__PTK_FRAMEWORK_GC_KEY3" "113" \
+      --replace "__PTK_FRAMEWORK_GC_KEY4" "114" \
+      --replace "__PTK_FRAMEWORK_GC_KEY5" "115" \
+      --replace "__PTK_FRAMEWORK_GC_KEY6" "116" \
+      --replace "__PTK_FRAMEWORK_GC_KEY7" "117" \
+      --replace "__PTK_FRAMEWORK_GC_KEY8" "118" \
+      --replace "__PTK_FRAMEWORK_GC_KEY9" "119"
+
+    substituteInPlace auto_zone.cpp \
+      --replace "__PTK_FRAMEWORK_GC_KEY9" "119" \
+      --replace "__PTK_FRAMEWORK_GC_KEY0" "110" \
+
+    substituteInPlace Zone.cpp \
+      --replace "_pthread_getspecific_direct" "pthread_getspecific" \
+      --replace "__PTK_FRAMEWORK_GC_KEY9" "119" \
+      --replace "__PTK_FRAMEWORK_GC_KEY0" "110" \
+      --replace "__PTK_LIBDISPATCH_KEY0"  "20" \
+      --replace "struct auto_zone_cursor {" ''$'extern "C" int pthread_key_init_np(int, void (*)(void *));\nstruct auto_zone_cursor {'
+
+    substituteInPlace auto_impl_utilities.c \
+      --replace "#   include <CrashReporterClient.h>" "void CRSetCrashLogMessage(void *msg) { };"
+
+    c++ -I. -O3 -c -Wno-c++11-extensions auto_zone.cpp
+    cc  -I. -O3 -Iauto_tester -c auto_impl_utilities.c
+    c++ -I. -O3 -c auto_weak.cpp
+    c++ -I. -O3 -c Admin.cpp
+    c++ -I. -O3 -c Bitmap.cpp
+    c++ -I. -O3 -c Definitions.cpp
+    c++ -I. -O3 -c Environment.cpp
+    c++ -I. -O3 -c Large.cpp
+    c++ -I. -O3 -c Region.cpp
+    c++ -I. -O3 -c Subzone.cpp
+    c++ -I. -O3 -c WriteBarrier.cpp
+    c++ -I. -O3 -c Zone.cpp
+    c++ -I. -O3 -c Thread.cpp
+    c++ -I. -O3 -c InUseEnumerator.cpp
+    c++ -I. -O3 -c auto_gdb_interface.cpp
+    c++ -I. -O3 -c PointerHash.cpp
+    c++ -I. -O3 -c ThreadLocalCollector.cpp
+    c++ -I. -O3 -c ZoneDump.cpp
+    c++ -I. -O3 -c ZoneCollectors.cpp
+    c++ -I. -O3 -c SubzonePartition.cpp
+    c++ -I. -O3 -c ZoneCollectionChecking.cpp
+    c++ -I. -O3 -c ZoneCompaction.cpp
+    c++ -I. -O3 -c BlockRef.cpp
+
+    c++ -Wl,-no_dtrace_dof --stdlib=libc++ -dynamiclib -install_name $out/lib/libauto.dylib -o libauto.dylib *.o
+  '';
+
+  installPhase = ''
+    mkdir -p $out/lib $out/include
+    cp auto_zone.h auto_weak.h auto_tester/auto_tester.h auto_gdb_interface.h $out/include
+    cp libauto.dylib $out/lib
+  '';
+
+  meta = {
+    # libauto is only used by objc4/pure.nix , but objc4 is now using the impure approach, so we don't bother to fix this.
+    broken = true;
+    platforms = lib.platforms.darwin;
+  };
+}
diff --git a/nixpkgs/pkgs/os-specific/darwin/apple-source-releases/libclosure/default.nix b/nixpkgs/pkgs/os-specific/darwin/apple-source-releases/libclosure/default.nix
new file mode 100644
index 000000000000..976658b7e5dd
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/darwin/apple-source-releases/libclosure/default.nix
@@ -0,0 +1,13 @@
+{ appleDerivation', stdenvNoCC }:
+
+appleDerivation' stdenvNoCC {
+  installPhase = ''
+    mkdir -p $out/include
+    cp *.h $out/include/
+  '';
+
+  appleHeaders = ''
+    Block.h
+    Block_private.h
+  '';
+}
diff --git a/nixpkgs/pkgs/os-specific/darwin/apple-source-releases/libdispatch/default.nix b/nixpkgs/pkgs/os-specific/darwin/apple-source-releases/libdispatch/default.nix
new file mode 100644
index 000000000000..e91ee86cde08
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/darwin/apple-source-releases/libdispatch/default.nix
@@ -0,0 +1,54 @@
+{ appleDerivation', stdenvNoCC }:
+
+appleDerivation' stdenvNoCC {
+  dontConfigure = true;
+  dontBuild = true;
+  installPhase = ''
+    mkdir -p $out/include/dispatch $out/include/os
+
+    # Move these headers so CF can find <os/voucher_private.h>
+    mv private/voucher*.h  $out/include/os
+    cp -r private/*.h  $out/include/dispatch
+
+    cp -r dispatch/*.h $out/include/dispatch
+    cp -r os/object*.h  $out/include/os
+
+    # gcc compatability. Source: https://stackoverflow.com/a/28014302/3714556
+    substituteInPlace $out/include/dispatch/object.h \
+      --replace 'typedef void (^dispatch_block_t)(void);' \
+                '#ifdef __clang__
+                 typedef void (^dispatch_block_t)(void);
+                 #else
+                 typedef void* dispatch_block_t;
+                 #endif'
+  '';
+
+  appleHeaders = ''
+    dispatch/base.h
+    dispatch/benchmark.h
+    dispatch/block.h
+    dispatch/data.h
+    dispatch/data_private.h
+    dispatch/dispatch.h
+    dispatch/group.h
+    dispatch/introspection.h
+    dispatch/introspection_private.h
+    dispatch/io.h
+    dispatch/io_private.h
+    dispatch/layout_private.h
+    dispatch/mach_private.h
+    dispatch/object.h
+    dispatch/once.h
+    dispatch/private.h
+    dispatch/queue.h
+    dispatch/queue_private.h
+    dispatch/semaphore.h
+    dispatch/source.h
+    dispatch/source_private.h
+    dispatch/time.h
+    os/object.h
+    os/object_private.h
+    os/voucher_activity_private.h
+    os/voucher_private.h
+  '';
+}
diff --git a/nixpkgs/pkgs/os-specific/darwin/apple-source-releases/libiconv/default.nix b/nixpkgs/pkgs/os-specific/darwin/apple-source-releases/libiconv/default.nix
new file mode 100644
index 000000000000..72ef086f5990
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/darwin/apple-source-releases/libiconv/default.nix
@@ -0,0 +1,37 @@
+{ stdenv, appleDerivation, lib
+, enableStatic ? stdenv.hostPlatform.isStatic
+, enableShared ? !stdenv.hostPlatform.isStatic
+}:
+
+appleDerivation {
+  postUnpack = "sourceRoot=$sourceRoot/libiconv";
+
+  preConfigure = lib.optionalString stdenv.hostPlatform.isiOS ''
+    sed -i 's/darwin\*/ios\*/g' configure libcharset/configure
+  '';
+
+  configureFlags = [
+    (lib.enableFeature enableStatic "static")
+    (lib.enableFeature enableShared "shared")
+  ];
+
+  postInstall = lib.optionalString enableShared ''
+    mv $out/lib/libiconv.dylib $out/lib/libiconv-nocharset.dylib
+    ${stdenv.cc.bintools.targetPrefix}install_name_tool -id $out/lib/libiconv-nocharset.dylib $out/lib/libiconv-nocharset.dylib
+
+    # re-export one useless symbol; ld will reject a dylib that only reexports other dylibs
+    echo 'void dont_use_this(){}' | ${stdenv.cc.bintools.targetPrefix}clang -dynamiclib -x c - -current_version 2.4.0 \
+      -compatibility_version 7.0.0 -current_version 7.0.0 -o $out/lib/libiconv.dylib \
+      -Wl,-reexport_library -Wl,$out/lib/libiconv-nocharset.dylib \
+      -Wl,-reexport_library -Wl,$out/lib/libcharset.dylib
+  '';
+
+  setupHooks = [
+    ../../../../build-support/setup-hooks/role.bash
+    ../../../../development/libraries/libiconv/setup-hook.sh
+  ];
+
+  meta = {
+    platforms = lib.platforms.darwin;
+  };
+}
diff --git a/nixpkgs/pkgs/os-specific/darwin/apple-source-releases/libmalloc/default.nix b/nixpkgs/pkgs/os-specific/darwin/apple-source-releases/libmalloc/default.nix
new file mode 100644
index 000000000000..8b362a2edd54
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/darwin/apple-source-releases/libmalloc/default.nix
@@ -0,0 +1,10 @@
+{ appleDerivation', stdenvNoCC }:
+
+# Unfortunately, buiding libmalloc is not feasible due to its use of non-public headers, but its
+# headers are needed by Libsystem.
+appleDerivation' stdenvNoCC {
+  installPhase = ''
+    mkdir -p $out/include
+    cp -R include/malloc $out/include/
+  '';
+}
diff --git a/nixpkgs/pkgs/os-specific/darwin/apple-source-releases/libplatform/default.nix b/nixpkgs/pkgs/os-specific/darwin/apple-source-releases/libplatform/default.nix
new file mode 100644
index 000000000000..39c801962692
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/darwin/apple-source-releases/libplatform/default.nix
@@ -0,0 +1,32 @@
+{ appleDerivation', stdenvNoCC }:
+
+appleDerivation' stdenvNoCC {
+  installPhase = ''
+    mkdir $out
+    cp -r include $out/include
+  '';
+
+  appleHeaders = ''
+    _simple.h
+    libkern/OSAtomic.h
+    libkern/OSAtomicDeprecated.h
+    libkern/OSAtomicQueue.h
+    libkern/OSCacheControl.h
+    libkern/OSSpinLockDeprecated.h
+    os/alloc_once_impl.h
+    os/base.h
+    os/base_private.h
+    os/internal/atomic.h
+    os/internal/crashlog.h
+    os/internal/internal_shared.h
+    os/lock.h
+    os/lock_private.h
+    os/once_private.h
+    os/semaphore_private.h
+    platform/compat.h
+    platform/introspection_private.h
+    platform/string.h
+    setjmp.h
+    ucontext.h
+  '';
+}
diff --git a/nixpkgs/pkgs/os-specific/darwin/apple-source-releases/libpthread/default.nix b/nixpkgs/pkgs/os-specific/darwin/apple-source-releases/libpthread/default.nix
new file mode 100644
index 000000000000..3d62270d76c0
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/darwin/apple-source-releases/libpthread/default.nix
@@ -0,0 +1,55 @@
+{ lib, appleDerivation', stdenvNoCC, libdispatch, xnu }:
+
+appleDerivation' stdenvNoCC {
+  propagatedBuildInputs = [ libdispatch xnu ];
+
+  installPhase = ''
+    mkdir -p $out/include/pthread/
+    mkdir -p $out/include/sys/_types
+    cp pthread/*.h $out/include/pthread/
+
+    # This overwrites qos.h, and is probably not necessary, but I'll leave it here for now
+    # cp private/*.h $out/include/pthread/
+
+    cp -r sys $out/include
+    cp -r sys/_pthread/*.h $out/include/sys/_types/
+  '';
+
+  appleHeaders = ''
+    pthread/introspection.h
+    pthread/pthread.h
+    pthread/pthread_impl.h
+    pthread/pthread_spis.h
+    pthread/qos.h
+    pthread/sched.h
+    pthread/spawn.h
+    sys/_pthread/_pthread_attr_t.h
+    sys/_pthread/_pthread_cond_t.h
+    sys/_pthread/_pthread_condattr_t.h
+    sys/_pthread/_pthread_key_t.h
+    sys/_pthread/_pthread_mutex_t.h
+    sys/_pthread/_pthread_mutexattr_t.h
+    sys/_pthread/_pthread_once_t.h
+    sys/_pthread/_pthread_rwlock_t.h
+    sys/_pthread/_pthread_rwlockattr_t.h
+    sys/_pthread/_pthread_t.h
+    sys/_pthread/_pthread_types.h
+    sys/_types/_pthread_attr_t.h
+    sys/_types/_pthread_cond_t.h
+    sys/_types/_pthread_condattr_t.h
+    sys/_types/_pthread_key_t.h
+    sys/_types/_pthread_mutex_t.h
+    sys/_types/_pthread_mutexattr_t.h
+    sys/_types/_pthread_once_t.h
+    sys/_types/_pthread_rwlock_t.h
+    sys/_types/_pthread_rwlockattr_t.h
+    sys/_types/_pthread_t.h
+    sys/_types/_pthread_types.h
+    sys/qos.h
+    sys/qos_private.h
+  '';
+
+  meta = {
+    platforms = lib.platforms.darwin;
+  };
+}
diff --git a/nixpkgs/pkgs/os-specific/darwin/apple-source-releases/libresolv/default.nix b/nixpkgs/pkgs/os-specific/darwin/apple-source-releases/libresolv/default.nix
new file mode 100644
index 000000000000..2a8a609472a2
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/darwin/apple-source-releases/libresolv/default.nix
@@ -0,0 +1,52 @@
+{ lib, appleDerivation', stdenv, stdenvNoCC, Libinfo, configdHeaders, mDNSResponder
+, headersOnly ? false
+}:
+
+appleDerivation' (if headersOnly then stdenvNoCC else stdenv) {
+  buildInputs = lib.optionals (!headersOnly) [ Libinfo configdHeaders mDNSResponder ];
+
+  buildPhase = lib.optionalString (!headersOnly) ''
+    $CC -I. -c dns_util.c
+    $CC -I. -c dns.c
+    $CC -I. -c dns_async.c
+    $CC -I. -c base64.c
+    $CC -I. -c dst_api.c
+    $CC -I. -c dst_hmac_link.c
+    $CC -I. -c dst_support.c
+    $CC -I. -c ns_date.c
+    $CC -I. -c ns_name.c
+    $CC -I. -c ns_netint.c
+    $CC -I. -c ns_parse.c
+    $CC -I. -c ns_print.c
+    $CC -I. -c ns_samedomain.c
+    $CC -I. -c ns_sign.c
+    $CC -I. -c ns_ttl.c
+    $CC -I. -c ns_verify.c
+    $CC -I. -c res_comp.c
+    $CC -I. -c res_data.c
+    $CC -I. -c res_debug.c
+    $CC -I. -c res_findzonecut.c
+    $CC -I. -c res_init.c
+    $CC -I. -c res_mkquery.c
+    $CC -I. -c res_mkupdate.c
+    $CC -I. -c res_query.c
+    $CC -I. -c res_send.c
+    $CC -I. -c res_sendsigned.c
+    $CC -I. -c res_update.c
+    $CC -dynamiclib -install_name $out/lib/libresolv.9.dylib -current_version 1.0.0 -compatibility_version 1.0.0 -o libresolv.9.dylib *.o
+  '';
+
+  installPhase = ''
+    mkdir -p $out/include $out/include/arpa $out/lib
+
+    cp dns.h           $out/include/
+    cp dns_util.h      $out/include
+    cp nameser.h       $out/include
+    ln -s ../nameser.h $out/include/arpa
+    cp resolv.h        $out/include
+  '' + lib.optionalString (!headersOnly) ''
+
+    cp libresolv.9.dylib $out/lib
+    ln -s libresolv.9.dylib $out/lib/libresolv.dylib
+  '';
+}
diff --git a/nixpkgs/pkgs/os-specific/darwin/apple-source-releases/libunwind/default.nix b/nixpkgs/pkgs/os-specific/darwin/apple-source-releases/libunwind/default.nix
new file mode 100644
index 000000000000..0d378f6089fb
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/darwin/apple-source-releases/libunwind/default.nix
@@ -0,0 +1,17 @@
+{ lib, appleDerivation }:
+
+appleDerivation {
+  dontBuild = true;
+
+  # install headers only
+  installPhase = ''
+    mkdir -p $out/lib
+    cp -R include $out/include
+  '';
+
+  meta = with lib; {
+    maintainers = with maintainers; [ copumpkin lnl7 ];
+    platforms   = platforms.darwin;
+    license     = licenses.apsl20;
+  };
+}
diff --git a/nixpkgs/pkgs/os-specific/darwin/apple-source-releases/libutil/default.nix b/nixpkgs/pkgs/os-specific/darwin/apple-source-releases/libutil/default.nix
new file mode 100644
index 000000000000..e7c8a6b1113b
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/darwin/apple-source-releases/libutil/default.nix
@@ -0,0 +1,43 @@
+{ lib, stdenv, stdenvNoCC, appleDerivation', xcbuildHook
+
+# headersOnly is true when building for libSystem
+, headersOnly ? false }:
+
+appleDerivation' (if headersOnly then stdenvNoCC else stdenv) {
+  nativeBuildInputs = lib.optional (!headersOnly) xcbuildHook;
+
+  prePatch = ''
+    substituteInPlace tzlink.c \
+      --replace '#include <xpc/xpc.h>' ""
+  '';
+
+  xcbuildFlags = [ "-target" "util" ];
+
+  installPhase = ''
+    mkdir -p $out/include
+  '' + lib.optionalString headersOnly ''
+    cp *.h $out/include
+  '' + lib.optionalString (!headersOnly)''
+    mkdir -p $out/lib $out/include
+
+    cp Products/Release/*.dylib $out/lib
+    cp Products/Release/*.h $out/include
+
+    # TODO: figure out how to get this to be right the first time around
+    install_name_tool -id $out/lib/libutil.dylib $out/lib/libutil.dylib
+  '';
+
+  # FIXME: headers are different against headersOnly. And all the headers are NOT in macos, do we really want them?
+  # appleHeaders = ''
+  #   libutil.h
+  #   mntopts.h
+  #   tzlink.h
+  #   wipefs.h
+  # '';
+
+  meta = with lib; {
+    maintainers = with maintainers; [ copumpkin ];
+    platforms   = platforms.darwin;
+    license     = licenses.apsl20;
+  };
+}
diff --git a/nixpkgs/pkgs/os-specific/darwin/apple-source-releases/mDNSResponder/default.nix b/nixpkgs/pkgs/os-specific/darwin/apple-source-releases/mDNSResponder/default.nix
new file mode 100644
index 000000000000..0ba4caee6289
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/darwin/apple-source-releases/mDNSResponder/default.nix
@@ -0,0 +1,12 @@
+{ appleDerivation', stdenvNoCC }:
+
+appleDerivation' stdenvNoCC {
+  dontBuild = true;
+  installPhase = ''
+    mkdir -p $out/include
+    # TODO: Do this only for 765.50.9 once there is a way to apply version-specific
+    # logic in a source-release derivation.
+    substitute mDNSShared/dns_sd.h $out/include/dns_sd.h \
+      --replace '#define _DNS_SD_LIBDISPATCH 0' '#define _DNS_SD_LIBDISPATCH 1'
+  '';
+}
diff --git a/nixpkgs/pkgs/os-specific/darwin/apple-source-releases/macos-11.0.1.nix b/nixpkgs/pkgs/os-specific/darwin/apple-source-releases/macos-11.0.1.nix
new file mode 100644
index 000000000000..0a70e648695d
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/darwin/apple-source-releases/macos-11.0.1.nix
@@ -0,0 +1,47 @@
+# Generated using:  ./generate-sdk-packages.sh macos 11.0.1
+
+{ applePackage' }:
+
+{
+CommonCrypto = applePackage' "CommonCrypto" "60178.40.2" "macos-11.0.1" "129gsxhhcxqycg0zjrdrz2ay4dv2ih1ckafqh33qrc499z8dam2p" {};
+Csu = applePackage' "Csu" "88" "macos-11.0.1" "1lzp9x8iv60c2h12q2s89nf49b5hvpqq4a9li44zr2fxszn8lqxh" {};
+ICU = applePackage' "ICU" "66108" "macos-11.0.1" "0mclizp99daihghqy2sgzjkid8i93dsn5pi8q9p7b3156chrhw57" {};
+Libc = applePackage' "Libc" "1439.40.11" "macos-11.0.1" "12k5sbz2k1pl839w2lk9iw414zzl50zdjzgq2x6bm20yjbfj69qm" {};
+Libinfo = applePackage' "Libinfo" "542.40.3" "macos-11.0.1" "18jvl7cdg64x6clhsfv5pbzxis2aldddpca5r81xqakrmi9mck80" {};
+Libnotify = applePackage' "Libnotify" "279.40.4" "macos-11.0.1" "1vr11s0c42ssjs29shy1m8rj008np7aswdzjpimsfzyav47jb6y7" {};
+Librpcsvc = applePackage' "Librpcsvc" "26" "macos-11.0.1" "0wf6srbw28664wa0dckldbhrl9ydg70fms06rj6i7mvlrz1ccxk0" {};
+Libsystem = applePackage' "Libsystem" "1292.50.1" "macos-11.0.1" "0d3flh1p4kskic8ypi8wia4kinfbprx9fvyfqc3mcq0710i0gy77" {};
+PowerManagement = applePackage' "PowerManagement" "1132.50.3" "macos-11.0.1" "1sb2nz92vdf6v3h17ry0vgw0z9zsva82lhdrhsf3k60jhfw1fi2v" {};
+Security = applePackage' "Security" "59754.41.1" "macos-11.0.1" "0jq70mnwkvrrhws64ipx0i68pi3n0sk95jlhacxxikdj9f4hpbsw" {};
+adv_cmds = applePackage' "adv_cmds" "176" "macos-11.0.1" "0sskwl3jc7llbrlyd1i7qlb03yhm1xkbxd1k9xhh7f9wqhlzq31j" {};
+architecture = applePackage' "architecture" "279" "macos-11.0.1" "19s93rqr9r98qh0rlndf7kv3v4n1ifh9i539mbpsx6kbixcx8vvp" {};
+basic_cmds = applePackage' "basic_cmds" "55" "macos-11.0.1" "1913pzk376zfap2fwmrb233rkn4h4l2c65nd7s8ixvrz1r7cz0q5" {};
+bootstrap_cmds = applePackage' "bootstrap_cmds" "121" "macos-11.0.1" "0qgbgwijv7xqmm9gn74jibyw2dh516xpj7h1grj2j1i80m3b16bl" {};
+configd = applePackage' "configd" "1109.40.9" "macos-11.0.1" "024ny63lpwzgnm8g28hh8dldvmmislmrl298n721rm0blqjhahz5" {};
+copyfile = applePackage' "copyfile" "173.40.2" "macos-11.0.1" "1j20909inn2iw8n51b8vk551wznfi3bhfziy8nbv08qj5lk50m04" {};
+diskdev_cmds = applePackage' "diskdev_cmds" "667.40.1" "macos-11.0.1" "0wr60vyvgkbc4wyldnsqas0xss2k1fgmbdk3vnhj6v6jqa98l1ny" {};
+dtrace = applePackage' "dtrace" "370.40.1" "macos-11.0.1" "1qj74mix1x3drffr1qpafm57aby42bc61kynba5q0ppbcf0lrbp1" {};
+dyld = applePackage' "dyld" "832.7.1" "macos-11.0.1" "01q7fsibr6xp94l3w22sh8qfjgwzzf1v82mhgq39ivkxwwc4jdy0" {};
+eap8021x = applePackage' "eap8021x" "304.40.1" "macos-11.0.1" "1aihyklri64w380d1mvi830n5cnzs9gd38z8i9ccd37n48gmz88p" {};
+file_cmds = applePackage' "file_cmds" "321.40.3" "macos-11.0.1" "0p077lnbcy8266m03a0fssj4214bjxh88y3qkspnzcvi0g84k43q" {};
+hfs = applePackage' "hfs" "556.41.1" "macos-11.0.1" "0a0s6b12b0q07wslfifna0bj51dml9v098i4crr2m1vivnx4xj75" {};
+libclosure = applePackage' "libclosure" "78" "macos-11.0.1" "0vf9n0k3m8dbprv1bf45zqg0g43bidy2i5z1v9a826bsf8lv7am7" {};
+libdispatch = applePackage' "libdispatch" "1271.40.12" "macos-11.0.1" "1ck5srcjapg18vqb8wl08gacs7ndc6xr067qjn3ngx39q1jdcywz" {};
+libiconv = applePackage' "libiconv" "59" "macos-11.0.1" "0lwa4brdwm4lvrdnxylzsn1yph4m7csgri2zkc4xb4xiisz32pwp" {};
+libmalloc = applePackage' "libmalloc" "317.40.8" "macos-11.0.1" "sha256-Tdhb0mq3w4Hwvp3xHB79Vr22hCOQK6h28HCsd7jvITI=" {};
+libplatform = applePackage' "libplatform" "254.40.4" "macos-11.0.1" "1qf3ri0yd8b1xjln1j1gyx7ks6k3a2jhd63blyvfby75y9s7flky" {};
+libpthread = applePackage' "libpthread" "454.40.3" "macos-11.0.1" "0zljbw8mpb80n1if65hhi9lkgwbgjr8vc9wvf7q1nl3mzyl35f8p" {};
+libresolv = applePackage' "libresolv" "68" "macos-11.0.1" "045ahh8nvaam9whryc2f5g5xagwp7d187r80kcff82snp5p66aq1" {};
+libunwind = applePackage' "libunwind" "200.10" "macos-11.0.1" "0wa4ssr7skn5j0ncm1rigd56qmbs982zvwr3qpjn28krwp8wvigd" {};
+libutil = applePackage' "libutil" "58.40.2" "macos-11.0.1" "11s0vizk7bg0k0yjx21j8vaji4j4vk57131qbp07i9lpksb3bcy4" {};
+mDNSResponder = applePackage' "mDNSResponder" "1310.40.42" "macos-11.0.1" "0xxrqqbqsf0pagfs1yzwfbwf7lhr0sns97k18y7kh4ri0p09h44c" {};
+network_cmds = applePackage' "network_cmds" "606.40.2" "macos-11.0.1" "1jsy13nraarafq6wmgh3wyir8wrwfra148xsjns7cw7q5xn40a1w" {};
+objc4 = applePackage' "objc4" "818.2" "macos-11.0.1" "0m8mk1qd18wqjfn2jsq2lx6fxvllhmadmvz11jzg8vjw8pq91nw2" {};
+ppp = applePackage' "ppp" "877.40.2" "macos-11.0.1" "06xznc77j45zzi12m4cmr3jj853qlc8dbmynbg1z6m9qf5phdbgk" {};
+removefile = applePackage' "removefile" "49.40.3" "macos-11.0.1" "0870ihxpmvj8ggaycwlismbgbw9768lz7w6mc9vxf8l6nlc43z4f" {};
+shell_cmds = applePackage' "shell_cmds" "216.40.4" "macos-11.0.1" "0wbysc9lwf1xgl686r3yn95rndcmqlp17zc1ig9gsl5fxyy5bghh" {};
+system_cmds = applePackage' "system_cmds" "880.40.5" "macos-11.0.1" "064yqf84ny0cjpqmzmnhz05faay6axb2r4i6knnyc8n21yiip5dc" {};
+text_cmds = applePackage' "text_cmds" "106" "macos-11.0.1" "17fn35m6i866zjrf8da6cq6crydp6vp4zq0aaab243rv1fx303yy" {};
+top = applePackage' "top" "129" "macos-11.0.1" "0d9pqmv3mwkfcv7c05hfvnvnn4rbsl92plr5hsazp854pshzqw2k" {};
+xnu = applePackage' "xnu" "7195.50.7.100.1" "macos-11.0.1" "11zjmpw11rcc6a0xlbwramra1rsr65s4ypnxwpajgbr2c657lipl" {};
+}
diff --git a/nixpkgs/pkgs/os-specific/darwin/apple-source-releases/network_cmds/default.nix b/nixpkgs/pkgs/os-specific/darwin/apple-source-releases/network_cmds/default.nix
new file mode 100644
index 000000000000..600571f22256
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/darwin/apple-source-releases/network_cmds/default.nix
@@ -0,0 +1,54 @@
+{ lib, appleDerivation, xcbuildHook, stdenv
+, Librpcsvc, xnu, libpcap, developer_cmds }:
+
+appleDerivation {
+  nativeBuildInputs = [ xcbuildHook ];
+  buildInputs = [ xnu Librpcsvc libpcap developer_cmds ];
+
+  # Work around error from <stdio.h> on aarch64-darwin:
+  #     error: 'TARGET_OS_IPHONE' is not defined, evaluates to 0 [-Werror,-Wundef-prefix=TARGET_OS_]
+  env.NIX_CFLAGS_COMPILE = "-Wno-error=undef-prefix -I./unbound -I${xnu}/Library/Frameworks/System.framework/Headers/";
+
+  # "spray" requires some files that aren't compiling correctly in xcbuild.
+  # "rtadvd" seems to fail with some missing constants.
+  # "traceroute6" and "ping6" require ipsec which doesn't build correctly
+  # "unbound" doesn’t build against supported versions of OpenSSL or LibreSSL
+  patchPhase = ''
+    substituteInPlace network_cmds.xcodeproj/project.pbxproj \
+      --replace "7294F0EA0EE8BAC80052EC88 /* PBXTargetDependency */," "" \
+      --replace "7216D34D0EE89FEC00AE70E4 /* PBXTargetDependency */," "" \
+      --replace "72CD1D9C0EE8C47C005F825D /* PBXTargetDependency */," "" \
+      --replace "7216D2C20EE89ADF00AE70E4 /* PBXTargetDependency */," "" \
+      --replace "71D958C51A9455A000C9B286 /* PBXTargetDependency */," ""
+  '';
+
+  # temporary install phase until xcodebuild has "install" support
+  installPhase = ''
+    for f in Products/Release/*; do
+      if [ -f $f ]; then
+        install -D $f $out/bin/$(basename $f)
+      fi
+    done
+
+    for n in 1 5; do
+      mkdir -p $out/share/man/man$n
+      install */*.$n $out/share/man/man$n
+    done
+
+    # TODO: patch files to load from $out/ instead of /usr/
+
+    # mkdir -p $out/etc/
+    # install rtadvd.tproj/rtadvd.conf ip6addrctl.tproj/ip6addrctl.conf $out/etc/
+
+    # mkdir -p $out/local/OpenSourceVersions/
+    # install network_cmds.plist $out/local/OpenSourceVersions/
+
+    # mkdir -p $out/System/Library/LaunchDaemons
+    # install kdumpd.tproj/com.apple.kdumpd.plist $out/System/Library/LaunchDaemons
+ '';
+
+  meta = {
+    platforms = lib.platforms.darwin;
+    maintainers = with lib.maintainers; [ matthewbauer ];
+  };
+}
diff --git a/nixpkgs/pkgs/os-specific/darwin/apple-source-releases/objc4/default.nix b/nixpkgs/pkgs/os-specific/darwin/apple-source-releases/objc4/default.nix
new file mode 100644
index 000000000000..315f0fb06219
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/darwin/apple-source-releases/objc4/default.nix
@@ -0,0 +1,35 @@
+{ appleDerivation, darwin-stubs }:
+
+appleDerivation {
+  # Not strictly necessary, since libSystem depends on it, but it's nice to be explicit so we
+  # can easily find out what's impure.
+  __propagatedImpureHostDeps = [
+    "/usr/lib/libauto.dylib"
+    "/usr/lib/libc++abi.dylib"
+    "/usr/lib/libc++.1.dylib"
+    "/usr/lib/libSystem.B.dylib"
+  ];
+
+  installPhase = ''
+    mkdir -p $out/include/objc $out/lib
+    cp ${darwin-stubs}/usr/lib/libobjc.A.tbd $out/lib/libobjc.A.tbd
+    ln -s libobjc.A.tbd $out/lib/libobjc.tbd
+    cp runtime/OldClasses.subproj/List.h $out/include/objc/List.h
+    cp runtime/NSObjCRuntime.h $out/include/objc/NSObjCRuntime.h
+    cp runtime/NSObject.h $out/include/objc/NSObject.h
+    cp runtime/Object.h $out/include/objc/Object.h
+    cp runtime/Protocol.h $out/include/objc/Protocol.h
+    cp runtime/hashtable.h $out/include/objc/hashtable.h
+    cp runtime/hashtable2.h $out/include/objc/hashtable2.h
+    cp runtime/message.h $out/include/objc/message.h
+    cp runtime/objc-api.h $out/include/objc/objc-api.h
+    cp runtime/objc-auto.h $out/include/objc/objc-auto.h
+    cp runtime/objc-class.h $out/include/objc/objc-class.h
+    cp runtime/objc-exception.h $out/include/objc/objc-exception.h
+    cp runtime/objc-load.h $out/include/objc/objc-load.h
+    cp runtime/objc-runtime.h $out/include/objc/objc-runtime.h
+    cp runtime/objc-sync.h $out/include/objc/objc-sync.h
+    cp runtime/objc.h $out/include/objc/objc.h
+    cp runtime/runtime.h $out/include/objc/runtime.h
+  '';
+}
diff --git a/nixpkgs/pkgs/os-specific/darwin/apple-source-releases/objc4/objc-probes.h b/nixpkgs/pkgs/os-specific/darwin/apple-source-releases/objc4/objc-probes.h
new file mode 100644
index 000000000000..4ad9ba9ad104
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/darwin/apple-source-releases/objc4/objc-probes.h
@@ -0,0 +1,65 @@
+/*
+ * Generated by dtrace(1M).
+ */
+
+#ifndef _OBJC_PROBES_H
+#define _OBJC_PROBES_H
+
+#include <unistd.h>
+
+#ifdef  __cplusplus
+extern "C" {
+#endif
+
+#define OBJC_RUNTIME_STABILITY "___dtrace_stability$objc_runtime$v1$1_1_0_1_1_0_1_1_0_1_1_0_1_1_0"
+
+#define OBJC_RUNTIME_TYPEDEFS "___dtrace_typedefs$objc_runtime$v2"
+
+#if !defined(DTRACE_PROBES_DISABLED) || !DTRACE_PROBES_DISABLED
+
+#define OBJC_RUNTIME_OBJC_EXCEPTION_RETHROW() \
+do { \
+  __asm__ volatile(".reference " OBJC_RUNTIME_TYPEDEFS); \
+  __dtrace_probe$objc_runtime$objc_exception_rethrow$v1(); \
+  __asm__ volatile(".reference " OBJC_RUNTIME_STABILITY); \
+} while (0)
+#define OBJC_RUNTIME_OBJC_EXCEPTION_RETHROW_ENABLED() \
+  ({ int _r = __dtrace_isenabled$objc_runtime$objc_exception_rethrow$v1(); \
+    __asm__ volatile(""); \
+    _r; })
+#define OBJC_RUNTIME_OBJC_EXCEPTION_THROW(arg0) \
+do { \
+  __asm__ volatile(".reference " OBJC_RUNTIME_TYPEDEFS); \
+  __dtrace_probe$objc_runtime$objc_exception_throw$v1$766f6964202a(arg0); \
+  __asm__ volatile(".reference " OBJC_RUNTIME_STABILITY); \
+} while (0)
+#define OBJC_RUNTIME_OBJC_EXCEPTION_THROW_ENABLED() \
+  ({ int _r = __dtrace_isenabled$objc_runtime$objc_exception_throw$v1(); \
+    __asm__ volatile(""); \
+    _r; })
+
+
+extern void __dtrace_probe$objc_runtime$objc_exception_rethrow$v1(void);
+extern int __dtrace_isenabled$objc_runtime$objc_exception_rethrow$v1(void);
+extern void __dtrace_probe$objc_runtime$objc_exception_throw$v1$766f6964202a(const void *);
+extern int __dtrace_isenabled$objc_runtime$objc_exception_throw$v1(void);
+
+#else
+
+#define OBJC_RUNTIME_OBJC_EXCEPTION_RETHROW() \
+do { \
+  } while (0)
+#define OBJC_RUNTIME_OBJC_EXCEPTION_RETHROW_ENABLED() (0)
+#define OBJC_RUNTIME_OBJC_EXCEPTION_THROW(arg0) \
+do { \
+  } while (0)
+#define OBJC_RUNTIME_OBJC_EXCEPTION_THROW_ENABLED() (0)
+
+#endif /* !defined(DTRACE_PROBES_DISABLED) || !DTRACE_PROBES_DISABLED */
+
+
+#ifdef  __cplusplus
+}
+#endif
+
+#endif  /* _OBJC_PROBES_H */
diff --git a/nixpkgs/pkgs/os-specific/darwin/apple-source-releases/objc4/pure.nix b/nixpkgs/pkgs/os-specific/darwin/apple-source-releases/objc4/pure.nix
new file mode 100644
index 000000000000..6a0c819a0a31
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/darwin/apple-source-releases/objc4/pure.nix
@@ -0,0 +1,118 @@
+{ stdenv, fetchapplesource, libauto, launchd, libc_old, libunwind }:
+
+stdenv.mkDerivation rec {
+  version = "551.1";
+  pname = "objc4";
+
+  src = fetchapplesource {
+    inherit version;
+    name   = "objc4";
+    sha256 = "1jrdb6yyb5jwwj27c1r0nr2y2ihqjln8ynj61mpkvp144c1cm5bg";
+  };
+
+  patches = [ ./spinlocks.patch ];
+
+  buildInputs = [ libauto launchd libc_old libunwind ];
+
+  buildPhase = ''
+    cp ${./objc-probes.h} runtime/objc-probes.h
+
+    mkdir -p build/include/objc
+
+    cp runtime/hashtable.h               build/include/objc/hashtable.h
+    cp runtime/OldClasses.subproj/List.h build/include/objc/List.h
+    cp runtime/hashtable2.h              build/include/objc/hashtable2.h
+    cp runtime/message.h                 build/include/objc/message.h
+    cp runtime/objc-api.h                build/include/objc/objc-api.h
+    cp runtime/objc-auto.h               build/include/objc/objc-auto.h
+    cp runtime/objc-class.h              build/include/objc/objc-class.h
+    cp runtime/objc-exception.h          build/include/objc/objc-exception.h
+    cp runtime/objc-load.h               build/include/objc/objc-load.h
+    cp runtime/objc-sync.h               build/include/objc/objc-sync.h
+    cp runtime/objc.h                    build/include/objc/objc.h
+    cp runtime/objc-runtime.h            build/include/objc/objc-runtime.h
+    cp runtime/Object.h                  build/include/objc/Object.h
+    cp runtime/Protocol.h                build/include/objc/Protocol.h
+    cp runtime/runtime.h                 build/include/objc/runtime.h
+    cp runtime/NSObject.h                build/include/objc/NSObject.h
+    cp runtime/NSObjCRuntime.h           build/include/objc/NSObjCRuntime.h
+
+    # These would normally be in local/include but we don't do local, so they're
+    # going in with the others
+    cp runtime/maptable.h                build/include/objc/maptable.h
+    cp runtime/objc-abi.h                build/include/objc/objc-abi.h
+    cp runtime/objc-auto-dump.h          build/include/objc/objc-auto-dump.h
+    cp runtime/objc-gdb.h                build/include/objc/objc-gdb.h
+    cp runtime/objc-internal.h           build/include/objc/objc-internal.h
+
+    cc -o markgc markgc.c
+
+    FLAGS="-Wno-deprecated-register -Wno-unknown-pragmas -Wno-deprecated-objc-isa-usage -Wno-invalid-offsetof -Wno-inline-new-delete  -Wno-cast-of-sel-type -Iruntime -Ibuild/include -Iruntime/Accessors.subproj -D_LIBCPP_VISIBLE= -DOS_OBJECT_USE_OBJC=0 -DNDEBUG=1"
+
+    cc -std=gnu++11 $FLAGS -c runtime/hashtable2.mm
+    cc -std=gnu++11 $FLAGS -c runtime/maptable.mm
+    cc -std=gnu++11 $FLAGS -c runtime/objc-auto.mm
+    cc -std=gnu++11 $FLAGS -c runtime/objc-cache.mm
+    cc -std=gnu++11 $FLAGS -c runtime/objc-class-old.mm
+    cc -std=gnu++11 $FLAGS -c runtime/objc-class.mm
+    cc -std=gnu++11 $FLAGS -c runtime/objc-errors.mm
+    cc -std=gnu++11 $FLAGS -c runtime/objc-exception.mm
+    cc -std=gnu++11 $FLAGS -c runtime/objc-file.mm
+    cc -std=gnu++11 $FLAGS -c runtime/objc-initialize.mm
+    cc -std=gnu++11 $FLAGS -c runtime/objc-layout.mm
+    cc -std=gnu++11 $FLAGS -c runtime/objc-load.mm
+    cc -std=gnu++11 $FLAGS -c runtime/objc-loadmethod.mm
+    cc -std=gnu++11 $FLAGS -c runtime/objc-lockdebug.mm
+    cc -std=gnu++11 $FLAGS -c runtime/objc-runtime-new.mm
+    cc -std=gnu++11 $FLAGS -c runtime/objc-runtime-old.mm
+    cc -std=gnu++11 $FLAGS -c runtime/objc-runtime.mm
+    cc -std=gnu++11 $FLAGS -c runtime/objc-sel-set.mm
+    cc -std=gnu++11 $FLAGS -c runtime/objc-sel.mm
+    cc -std=gnu++11 $FLAGS -c runtime/objc-sync.mm
+    cc -std=gnu++11 $FLAGS -c runtime/objc-typeencoding.mm
+    cc -std=gnu++11 $FLAGS -c runtime/Object.mm
+    cc -std=gnu++11 $FLAGS -c runtime/Protocol.mm
+
+    cc -std=gnu++11 $FLAGS -c runtime/objc-references.mm
+    cc -std=gnu++11 $FLAGS -c runtime/objc-os.mm
+    cc -std=gnu++11 $FLAGS -c runtime/objc-auto-dump.mm
+    cc -std=gnu++11 $FLAGS -c runtime/objc-file-old.mm
+    cc -std=gnu++11 $FLAGS -c runtime/objc-block-trampolines.mm
+    cc -std=gnu++11 $FLAGS -c runtime/objc-externalref.mm
+    cc -std=gnu++11 $FLAGS -c runtime/objc-weak.mm
+    cc -std=gnu++11 $FLAGS -c runtime/NSObject.mm
+    cc -std=gnu++11 $FLAGS -c runtime/objc-opt.mm
+    cc -std=gnu++11 $FLAGS -c runtime/objc-cache-old.mm
+    cc -std=gnu++11 $FLAGS -c runtime/objc-sel-old.mm
+
+    cc -std=gnu++11 $FLAGS -c runtime/Accessors.subproj/objc-accessors.mm
+
+    cc $FLAGS -c runtime/objc-sel-table.s
+
+    cc $FLAGS -c runtime/OldClasses.subproj/List.m
+    cc $FLAGS -c runtime/Messengers.subproj/objc-msg-arm.s
+    cc $FLAGS -c runtime/Messengers.subproj/objc-msg-i386.s
+    cc $FLAGS -c runtime/Messengers.subproj/objc-msg-x86_64.s
+    cc $FLAGS -c runtime/Messengers.subproj/objc-msg-simulator-i386.s
+
+    cc $FLAGS -c runtime/a1a2-blocktramps-i386.s
+    cc $FLAGS -c runtime/a2a3-blocktramps-i386.s
+
+    cc $FLAGS -c runtime/a1a2-blocktramps-x86_64.s
+    cc $FLAGS -c runtime/a2a3-blocktramps-x86_64.s
+
+    cc $FLAGS -c runtime/a1a2-blocktramps-arm.s
+    cc $FLAGS -c runtime/a2a3-blocktramps-arm.s
+
+    c++ -Wl,-no_dtrace_dof --stdlib=libc++ -dynamiclib -lauto -install_name $out/lib/libobjc.dylib -o libobjc.dylib *.o
+
+    ./markgc -p libobjc.dylib
+  '';
+
+  installPhase = ''
+    mkdir -p $out/include $out/lib
+
+    mv build/include/objc $out/include
+    mv libobjc.dylib $out/lib
+  '';
+}
diff --git a/nixpkgs/pkgs/os-specific/darwin/apple-source-releases/objc4/spinlocks.patch b/nixpkgs/pkgs/os-specific/darwin/apple-source-releases/objc4/spinlocks.patch
new file mode 100644
index 000000000000..50c6a983fe4d
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/darwin/apple-source-releases/objc4/spinlocks.patch
@@ -0,0 +1,107 @@
+--- objc4-551.1/runtime/objc-os.h	2013-06-10 21:16:15.000000000 -0400
++++ ../objc4-551.1/runtime/objc-os.h	2015-01-19 01:01:36.000000000 -0500
+@@ -77,27 +77,72 @@
+ #   include <mach-o/getsect.h>
+ #   include <mach-o/dyld_priv.h>
+ #   include <malloc/malloc.h>
+-#   include <os/lock_private.h>
+ #   include <libkern/OSAtomic.h>
+ #   include <libkern/OSCacheControl.h>
+-#   include <System/pthread_machdep.h>
+ #   include "objc-probes.h"  // generated dtrace probe definitions.
+ 
++#define __PTK_FRAMEWORK_OBJC_KEY5 45
++#define __PTK_FRAMEWORK_OBJC_KEY6 46
++#define __PTK_FRAMEWORK_OBJC_KEY7 47
++#define __PTK_FRAMEWORK_OBJC_KEY8 48
++#define __PTK_FRAMEWORK_OBJC_KEY9 49
++
++extern "C" int pthread_key_init_np(int, void (*)(void *));
++
+ // Some libc functions call objc_msgSend() 
+ // so we can't use them without deadlocks.
+ void syslog(int, const char *, ...) UNAVAILABLE_ATTRIBUTE;
+ void vsyslog(int, const char *, va_list) UNAVAILABLE_ATTRIBUTE;
+ 
++#if defined(__i386__) || defined(__x86_64__)
++
++// Inlined spinlock.
++// Not for arm on iOS because it hurts uniprocessor performance.
++
++#define ARR_SPINLOCK_INIT 0
++// XXX -- Careful: OSSpinLock isn't volatile, but should be
++typedef volatile int ARRSpinLock;
++__attribute__((always_inline))
++static inline void ARRSpinLockLock(ARRSpinLock *l)
++{
++    unsigned y;
++again:
++    if (__builtin_expect(__sync_lock_test_and_set(l, 1), 0) == 0) {
++        return;
++    }
++    for (y = 1000; y; y--) {
++#if defined(__i386__) || defined(__x86_64__)
++        asm("pause");
++#endif
++        if (*l == 0) goto again;
++    }
++    thread_switch(THREAD_NULL, SWITCH_OPTION_DEPRESS, 1);
++    goto again;
++}
++__attribute__((always_inline))
++static inline void ARRSpinLockUnlock(ARRSpinLock *l)
++{
++    __sync_lock_release(l);
++}
++__attribute__((always_inline))
++static inline int ARRSpinLockTry(ARRSpinLock *l)
++{
++    return __sync_bool_compare_and_swap(l, 0, 1);
++}
++
++#define spinlock_t ARRSpinLock
++#define spinlock_trylock(l) ARRSpinLockTry(l)
++#define spinlock_lock(l) ARRSpinLockLock(l)
++#define spinlock_unlock(l) ARRSpinLockUnlock(l)
++#define SPINLOCK_INITIALIZER ARR_SPINLOCK_INIT 
+ 
+-#define spinlock_t os_lock_handoff_s
+-#define spinlock_trylock(l) os_lock_trylock(l)
+-#define spinlock_lock(l) os_lock_lock(l)
+-#define spinlock_unlock(l) os_lock_unlock(l)
+-#define SPINLOCK_INITIALIZER OS_LOCK_HANDOFF_INIT
++#endif
+ 
+ 
+ #if !TARGET_OS_IPHONE
+-#   include <CrashReporterClient.h>
++#define CRSetCrashLogMessage(msg)
++#define CRGetCrashLogMessage() 0
++#define CRSetCrashLogMessage2(msg)
+ #else
+     // CrashReporterClient not yet available on iOS
+     __BEGIN_DECLS
+@@ -594,21 +639,13 @@
+ { 
+     assert(is_valid_direct_key(k));
+ 
+-    if (_pthread_has_direct_tsd()) {
+-        return _pthread_getspecific_direct(k);
+-    } else {
+-        return pthread_getspecific(k);
+-    }
++    return pthread_getspecific(k);
+ }
+ static inline void tls_set_direct(tls_key_t k, void *value) 
+ { 
+     assert(is_valid_direct_key(k));
+ 
+-    if (_pthread_has_direct_tsd()) {
+-        _pthread_setspecific_direct(k, value);
+-    } else {
+-        pthread_setspecific(k, value);
+-    }
++    pthread_setspecific(k, value);
+ }
+ 
+ // not arm
diff --git a/nixpkgs/pkgs/os-specific/darwin/apple-source-releases/ppp/default.nix b/nixpkgs/pkgs/os-specific/darwin/apple-source-releases/ppp/default.nix
new file mode 100644
index 000000000000..4ced564ffb72
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/darwin/apple-source-releases/ppp/default.nix
@@ -0,0 +1,15 @@
+{ appleDerivation', stdenv }:
+
+appleDerivation' stdenv {
+  dontBuild = true;
+  installPhase = ''
+    mkdir -p $out/include/ppp
+
+    cp Controller/ppp_msg.h                    $out/include/ppp
+    cp Controller/pppcontroller_types.h        $out/include/ppp
+    cp Controller/pppcontroller_types.h        $out/include
+    cp Controller/pppcontroller.defs           $out/include/ppp
+    cp Controller/pppcontroller_mach_defines.h $out/include
+    cp Controller/PPPControllerPriv.h          $out/include/ppp
+  '';
+}
diff --git a/nixpkgs/pkgs/os-specific/darwin/apple-source-releases/removefile/default.nix b/nixpkgs/pkgs/os-specific/darwin/apple-source-releases/removefile/default.nix
new file mode 100644
index 000000000000..611f445e1ec9
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/darwin/apple-source-releases/removefile/default.nix
@@ -0,0 +1,13 @@
+{ appleDerivation', stdenvNoCC }:
+
+appleDerivation' stdenvNoCC {
+  installPhase = ''
+    mkdir -p $out/include/
+    cp removefile.h checkint.h $out/include/
+  '';
+
+  appleHeaders = ''
+    checkint.h
+    removefile.h
+  '';
+}
diff --git a/nixpkgs/pkgs/os-specific/darwin/apple-source-releases/shell_cmds/default.nix b/nixpkgs/pkgs/os-specific/darwin/apple-source-releases/shell_cmds/default.nix
new file mode 100644
index 000000000000..a8352285c78e
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/darwin/apple-source-releases/shell_cmds/default.nix
@@ -0,0 +1,50 @@
+{ lib, appleDerivation, xcbuildHook, launchd }:
+
+appleDerivation {
+  nativeBuildInputs = [ xcbuildHook launchd ];
+
+  patchPhase = ''
+    # NOTE: these hashes must be recalculated for each version change
+
+    # disables:
+    # - su ('security/pam_appl.h' file not found)
+    # - find (Undefined symbol '_get_date')
+    # - w (Undefined symbol '_res_9_init')
+    # - expr
+    substituteInPlace shell_cmds.xcodeproj/project.pbxproj \
+      --replace "FCBA168714A146D000AA698B /* PBXTargetDependency */," "" \
+      --replace "FCBA165914A146D000AA698B /* PBXTargetDependency */," "" \
+      --replace "FCBA169514A146D000AA698B /* PBXTargetDependency */," "" \
+      --replace "FCBA165514A146D000AA698B /* PBXTargetDependency */," ""
+
+    # disable w, test install
+    # get rid of permission stuff
+    substituteInPlace xcodescripts/install-files.sh \
+      --replace 'ln -f "$BINDIR/w" "$BINDIR/uptime"' "" \
+      --replace 'ln -f "$DSTROOT/bin/test" "$DSTROOT/bin/["' "" \
+      --replace "-o root -g wheel -m 0755" "" \
+      --replace "-o root -g wheel -m 0644" ""
+  '';
+
+  # temporary install phase until xcodebuild has "install" support
+  installPhase = ''
+    for f in Products/Release/*; do
+      if [ -f $f ]; then
+        install -D $f $out/usr/bin/$(basename $f)
+      fi
+    done
+
+    export DSTROOT=$out
+    export SRCROOT=$PWD
+    . xcodescripts/install-files.sh
+
+    mv $out/usr/* $out
+    mv $out/private/etc $out
+    rmdir $out/usr $out/private
+  '';
+
+  meta = {
+    platforms = lib.platforms.darwin;
+    maintainers = with lib.maintainers; [ matthewbauer ];
+  };
+}
diff --git a/nixpkgs/pkgs/os-specific/darwin/apple-source-releases/system_cmds/default.nix b/nixpkgs/pkgs/os-specific/darwin/apple-source-releases/system_cmds/default.nix
new file mode 100644
index 000000000000..f708d7740900
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/darwin/apple-source-releases/system_cmds/default.nix
@@ -0,0 +1,114 @@
+{ stdenv, appleDerivation, lib
+, libutil, Librpcsvc, apple_sdk, pam, CF, openbsm }:
+
+appleDerivation {
+  # xcbuild fails with:
+  # /nix/store/fc0rz62dh8vr648qi7hnqyik6zi5sqx8-xcbuild-wrapper/nix-support/setup-hook: line 1:  9083 Segmentation fault: 11  xcodebuild OTHER_CFLAGS="$NIX_CFLAGS_COMPILE" OTHER_CPLUSPLUSFLAGS="$NIX_CFLAGS_COMPILE" OTHER_LDFLAGS="$NIX_LDFLAGS" build
+  # see issue facebook/xcbuild#188
+  # buildInputs = [ xcbuild ];
+
+  buildInputs = [ libutil Librpcsvc apple_sdk.frameworks.OpenDirectory pam CF
+                  apple_sdk.frameworks.IOKit openbsm ];
+  # env.NIX_CFLAGS_COMPILE = lib.optionalString hostPlatform.isi686 "-D__i386__"
+  #                    + lib.optionalString hostPlatform.isx86_64 "-D__x86_64__"
+  #                    + lib.optionalString hostPlatform.isAarch32 "-D__arm__";
+  env.NIX_CFLAGS_COMPILE = toString ([ "-DDAEMON_UID=1"
+                         "-DDAEMON_GID=1"
+                         "-DDEFAULT_AT_QUEUE='a'"
+                         "-DDEFAULT_BATCH_QUEUE='b'"
+                         "-DPERM_PATH=\"/usr/lib/cron/\""
+                         "-DOPEN_DIRECTORY"
+                         "-DNO_DIRECT_RPC"
+                         "-DAPPLE_GETCONF_UNDERSCORE"
+                         "-DAPPLE_GETCONF_SPEC"
+                         "-DUSE_PAM"
+                         "-DUSE_BSM_AUDIT"
+                         "-D_PW_NAME_LEN=MAXLOGNAME"
+                         "-D_PW_YPTOKEN=\"__YP!\""
+                         "-DAHZV1=64 "
+                         "-DAU_SESSION_FLAG_HAS_TTY=0x4000"
+                         "-DAU_SESSION_FLAG_HAS_AUTHENTICATED=0x4000"
+                       ] ++ lib.optional (!stdenv.isLinux) " -D__FreeBSD__ ");
+
+  patches = [
+    # Fix implicit declarations that cause builds to fail when built with clang 16.
+    ./fix-implicit-declarations.patch
+  ];
+
+  postPatch = ''
+    substituteInPlace login.tproj/login.c \
+      --replace bsm/audit_session.h bsm/audit.h
+    substituteInPlace login.tproj/login_audit.c \
+      --replace bsm/audit_session.h bsm/audit.h
+  '' + lib.optionalString stdenv.isAarch64 ''
+    substituteInPlace sysctl.tproj/sysctl.c \
+      --replace "GPROF_STATE" "0"
+    substituteInPlace login.tproj/login.c \
+      --replace "defined(__arm__)" "defined(__arm__) || defined(__arm64__)"
+  '';
+
+  buildPhase = ''
+    for dir in *.tproj; do
+      name=$(basename $dir)
+      name=''${name%.tproj}
+
+      CFLAGS=""
+      case $name in
+           arch) CFLAGS="-framework CoreFoundation";;
+           atrun) CFLAGS="-Iat.tproj";;
+           chkpasswd)
+             CFLAGS="-framework OpenDirectory -framework CoreFoundation -lpam";;
+           getconf)
+               for f in getconf.tproj/*.gperf; do
+                   cfile=''${f%.gperf}.c
+                   LC_ALL=C awk -f getconf.tproj/fake-gperf.awk $f > $cfile
+               done
+           ;;
+           iostat) CFLAGS="-framework IOKit -framework CoreFoundation";;
+           login) CFLAGS="-lbsm -lpam";;
+           nvram) CFLAGS="-framework CoreFoundation -framework IOKit";;
+           sadc) CFLAGS="-framework IOKit -framework CoreFoundation";;
+           sar) CFLAGS="-Isadc.tproj";;
+      esac
+
+      echo "Building $name"
+
+      case $name in
+
+           # These are all broken currently.
+           arch) continue;;
+           chpass) continue;;
+           dirhelper) continue;;
+           dynamic_pager) continue;;
+           fs_usage) continue;;
+           latency) continue;;
+           pagesize) continue;;
+           passwd) continue;;
+           reboot) continue;;
+           sc_usage) continue;;
+           shutdown) continue;;
+           trace) continue;;
+
+           *) cc $dir/*.c -I''${dir} $CFLAGS -o $name ;;
+      esac
+    done
+  '';
+
+  installPhase = ''
+    for dir in *.tproj; do
+      name=$(basename $dir)
+      name=''${name%.tproj}
+      [ -x $name ] && install -D $name $out/bin/$name
+      for n in 1 2 3 4 5 6 7 8 9; do
+        for f in $dir/*.$n; do
+          install -D $f $out/share/man/man$n/$(basename $f)
+        done
+      done
+    done
+  '';
+
+  meta = {
+    platforms = lib.platforms.darwin;
+    maintainers = with lib.maintainers; [ shlevy matthewbauer ];
+  };
+}
diff --git a/nixpkgs/pkgs/os-specific/darwin/apple-source-releases/system_cmds/fix-implicit-declarations.patch b/nixpkgs/pkgs/os-specific/darwin/apple-source-releases/system_cmds/fix-implicit-declarations.patch
new file mode 100644
index 000000000000..b08f54045724
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/darwin/apple-source-releases/system_cmds/fix-implicit-declarations.patch
@@ -0,0 +1,48 @@
+diff -ur a/getty.tproj/main.c b/getty.tproj/main.c
+--- a/getty.tproj/main.c	2008-06-10 14:50:19.000000000 -0400
++++ b/getty.tproj/main.c	2023-05-31 18:06:40.121028558 -0400
+@@ -67,6 +67,7 @@
+ #include <syslog.h>
+ #include <termios.h>
+ #include <time.h>
++#include <util.h>
+ #include <unistd.h>
+ 
+ #ifdef __APPLE__
+@@ -152,7 +153,7 @@
+ static void	putpad(const char *);
+ static void	puts(const char *);
+ static void	timeoverrun(int);
+-static char	*getline(int);
++static char	*get_line(int);
+ static void	setttymode(int);
+ static int	opentty(const char *, int);
+ 
+@@ -352,7 +353,7 @@
+ 			if ((fd = open(IF, O_RDONLY)) != -1) {
+ 				char * cp;
+ 
+-				while ((cp = getline(fd)) != NULL) {
++				while ((cp = get_line(fd)) != NULL) {
+ 					  putf(cp);
+ 				}
+ 				close(fd);
+@@ -744,7 +745,7 @@
+ 
+ 
+ static char *
+-getline(int fd)
++get_line(int fd)
+ {
+ 	int i = 0;
+ 	static char linebuf[512];
+--- a/newgrp.tproj/newgrp.c	2021-10-06 01:38:52.000000000 -0400
++++ b/newgrp.tproj/newgrp.c	2023-05-31 22:26:50.656157841 -0400
+@@ -47,6 +47,7 @@
+ #include <string.h>
+ #include <unistd.h>
+ #ifdef __APPLE__
++#include <membership.h>
+ #include <paths.h>
+ #endif /* __APPLE__ */
+ static void	 addgroup(const char *grpname);
diff --git a/nixpkgs/pkgs/os-specific/darwin/apple-source-releases/text_cmds/default.nix b/nixpkgs/pkgs/os-specific/darwin/apple-source-releases/text_cmds/default.nix
new file mode 100644
index 000000000000..c6fc00943037
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/darwin/apple-source-releases/text_cmds/default.nix
@@ -0,0 +1,34 @@
+{ lib, appleDerivation, xcbuildHook, ncurses, bzip2, zlib, xz }:
+
+appleDerivation {
+  nativeBuildInputs = [ xcbuildHook ];
+  buildInputs = [ ncurses bzip2 zlib xz ];
+
+  # patches to use ncursees
+  # disables md5
+  patchPhase = ''
+    substituteInPlace text_cmds.xcodeproj/project.pbxproj \
+          --replace 'FC6C98FB149A94EB00DDCC47 /* libcurses.dylib */ = {isa = PBXFileReference; lastKnownFileType = "compiled.mach-o.dylib"; name = libcurses.dylib; path = /usr/lib/libcurses.dylib; sourceTree = "<absolute>"; };' 'FC6C98FB149A94EB00DDCC47 /* libncurses.dylib */ = {isa = PBXFileReference; lastKnownFileType = "compiled.mach-o.dylib"; name = libncurses.dylib; path = /usr/lib/libncurses.dylib; sourceTree = "<absolute>"; };' \
+      --replace 'FC7A7EB5149875E00086576A /* PBXTargetDependency */,' ""
+  '';
+
+  installPhase = ''
+    for f in Products/Release/*; do
+      if [ -f $f ]; then
+        install -D $f $out/bin/$(basename $f)
+      fi
+    done
+  '';
+
+  env.NIX_CFLAGS_COMPILE = toString [
+    # hardeningDisable doesn't cut it
+    "-Wno-error=format-security"
+    # Required to build with clang 16
+    "-Wno-error=deprecated-non-prototype"
+  ];
+
+  meta = {
+    platforms = lib.platforms.darwin;
+    maintainers = with lib.maintainers; [ matthewbauer ];
+  };
+}
diff --git a/nixpkgs/pkgs/os-specific/darwin/apple-source-releases/top/default.nix b/nixpkgs/pkgs/os-specific/darwin/apple-source-releases/top/default.nix
new file mode 100644
index 000000000000..2a47de021dc6
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/darwin/apple-source-releases/top/default.nix
@@ -0,0 +1,19 @@
+{xcbuildHook, appleDerivation, apple_sdk, ncurses, libutil, lib}:
+
+appleDerivation {
+  nativeBuildInputs = [ xcbuildHook ];
+  buildInputs = [ apple_sdk.frameworks.IOKit ncurses libutil ];
+  # Workaround build failure on -fno-common toolchains:
+  #   duplicate symbol '_tsamp' in: main.o top.o
+  env.NIX_CFLAGS_COMPILE = "-fcommon";
+  NIX_LDFLAGS = "-lutil";
+  installPhase = ''
+    install -D Products/Release/libtop.a $out/lib/libtop.a
+    install -D Products/Release/libtop.h $out/include/libtop.h
+    install -D Products/Release/top $out/bin/top
+  '';
+  meta = {
+    platforms = lib.platforms.darwin;
+    maintainers = with lib.maintainers; [ matthewbauer ];
+  };
+}
diff --git a/nixpkgs/pkgs/os-specific/darwin/apple-source-releases/xnu/default.nix b/nixpkgs/pkgs/os-specific/darwin/apple-source-releases/xnu/default.nix
new file mode 100644
index 000000000000..7650dcdc8c70
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/darwin/apple-source-releases/xnu/default.nix
@@ -0,0 +1,164 @@
+{ appleDerivation', lib, stdenv, stdenvNoCC, buildPackages
+, bootstrap_cmds, bison, flex
+, gnum4, unifdef, perl, python3
+, headersOnly ? true
+}:
+
+appleDerivation' (if headersOnly then stdenvNoCC else stdenv) (
+  let arch = if stdenv.isx86_64 then "x86_64" else "arm64";
+  in
+  {
+  depsBuildBuild = [ buildPackages.stdenv.cc ];
+
+  nativeBuildInputs = [ bootstrap_cmds bison flex gnum4 unifdef perl python3 ];
+
+  patches = lib.optionals stdenv.isx86_64 [ ./python3.patch ];
+
+  postPatch = ''
+    substituteInPlace Makefile \
+      --replace "/bin/" "" \
+      --replace "MAKEJOBS := " '# MAKEJOBS := '
+
+    substituteInPlace makedefs/MakeInc.cmd \
+      --replace "/usr/bin/" "" \
+      --replace "/bin/" "" \
+      --replace "-Werror " ""
+
+    substituteInPlace makedefs/MakeInc.def \
+      --replace "-c -S -m" "-c -m"
+
+    substituteInPlace makedefs/MakeInc.top \
+      --replace "MEMORY_SIZE := " 'MEMORY_SIZE := 1073741824 # '
+
+    substituteInPlace libkern/kxld/Makefile \
+      --replace "-Werror " ""
+
+    substituteInPlace SETUP/kextsymboltool/Makefile \
+      --replace "-lstdc++" "-lc++ -lc++abi"
+
+    substituteInPlace libsyscall/xcodescripts/mach_install_mig.sh \
+      --replace "/usr/include" "/include" \
+      --replace "/usr/local/include" "/include" \
+      --replace 'MIG=`' "# " \
+      --replace 'MIGCC=`' "# " \
+      --replace " -o 0" "" \
+      --replace '$SRC/$mig' '-I$DSTROOT/include $SRC/$mig' \
+      --replace '$SRC/servers/netname.defs' '-I$DSTROOT/include $SRC/servers/netname.defs' \
+      --replace '$BUILT_PRODUCTS_DIR/mig_hdr' '$BUILT_PRODUCTS_DIR' \
+      --replace 'MACHINE_ARCH=armv7' 'MACHINE_ARCH=arm64' # this might break the comments saying 32-bit is required
+
+    patchShebangs .
+  '' + lib.optionalString stdenv.isAarch64 ''
+    # iig is closed-sourced, we don't have it
+    # create an empty file to the header instead
+    # this line becomes: echo "" > $@; echo --header ...
+    substituteInPlace iokit/DriverKit/Makefile \
+      --replace '--def $<' '> $@; echo'
+  '';
+
+  PLATFORM = "MacOSX";
+  SDKVERSION = "10.11";
+  CC = "${stdenv.cc.targetPrefix or ""}cc";
+  CXX = "${stdenv.cc.targetPrefix or ""}c++";
+  MIG = "mig";
+  MIGCOM = "migcom";
+  STRIP = "${stdenv.cc.bintools.targetPrefix or ""}strip";
+  RANLIB = "${stdenv.cc.bintools.targetPrefix or ""}ranlib";
+  NM = "${stdenv.cc.bintools.targetPrefix or ""}nm";
+  UNIFDEF = "unifdef";
+  DSYMUTIL = "dsymutil";
+  HOST_OS_VERSION = "10.10";
+  HOST_CC = "${buildPackages.stdenv.cc.targetPrefix or ""}cc";
+  HOST_FLEX = "flex";
+  HOST_BISON = "bison";
+  HOST_GM4 = "m4";
+  MIGCC = "cc";
+  ARCHS = arch;
+  ARCH_CONFIGS = arch;
+
+  env.NIX_CFLAGS_COMPILE = "-Wno-error";
+
+  preBuild = let macosVersion =
+    "10.0 10.1 10.2 10.3 10.4 10.5 10.6 10.7 10.8 10.9 10.10 10.11" +
+    lib.optionalString stdenv.isAarch64 " 10.12 10.13 10.14 10.15 11.0";
+   in ''
+    # This is a bit of a hack...
+    mkdir -p sdk/usr/local/libexec
+
+    cat > sdk/usr/local/libexec/availability.pl <<EOF
+      #!$SHELL
+      if [ "\$1" == "--macosx" ]; then
+        echo ${macosVersion}
+      elif [ "\$1" == "--ios" ]; then
+        echo 2.0 2.1 2.2 3.0 3.1 3.2 4.0 4.1 4.2 4.3 5.0 5.1 6.0 6.1 7.0 8.0 9.0
+      fi
+    EOF
+    chmod +x sdk/usr/local/libexec/availability.pl
+
+    export SDKROOT_RESOLVED=$PWD/sdk
+    export HOST_SDKROOT_RESOLVED=$PWD/sdk
+
+    export BUILT_PRODUCTS_DIR=.
+    export DSTROOT=$out
+  '';
+
+  buildFlags = lib.optional headersOnly "exporthdrs";
+  installTargets = lib.optional headersOnly "installhdrs";
+
+  postInstall = lib.optionalString headersOnly ''
+    mv $out/usr/include $out
+
+    (cd BUILD/obj/EXPORT_HDRS && find -type f -exec install -D \{} $out/include/\{} \;)
+
+    # TODO: figure out why I need to do this
+    cp libsyscall/wrappers/*.h $out/include
+    install -D libsyscall/os/tsd.h $out/include/os/tsd.h
+    cp EXTERNAL_HEADERS/AssertMacros.h $out/include
+    cp EXTERNAL_HEADERS/Availability*.h $out/System/Library/Frameworks/Kernel.framework/Versions/A/Headers/
+    cp -r EXTERNAL_HEADERS/corecrypto $out/include
+
+    # These headers are needed by Libsystem.
+    cp libsyscall/wrappers/{spawn/spawn.h,libproc/libproc.h} $out/include
+
+    # Build the mach headers we crave
+    export SRCROOT=$PWD/libsyscall
+    export DERIVED_SOURCES_DIR=$out/include
+    export SDKROOT=$out
+    export OBJROOT=$PWD
+    export BUILT_PRODUCTS_DIR=$out
+    libsyscall/xcodescripts/mach_install_mig.sh
+
+    # Get rid of the System prefix
+    mv $out/System/* $out/
+    rmdir $out/System
+
+    # TODO: do I need this?
+    mv $out/internal_hdr/include/mach/*.h $out/include/mach
+
+    # Get rid of some junk lying around
+    rm -rf $out/internal_hdr $out/usr $out/local
+
+    # Add some symlinks
+    ln -s $out/Library/Frameworks/System.framework/Versions/B \
+          $out/Library/Frameworks/System.framework/Versions/Current
+    ln -s $out/Library/Frameworks/System.framework/Versions/Current/PrivateHeaders \
+          $out/Library/Frameworks/System.framework/Headers
+
+    # IOKit (and possibly the others) is incomplete,
+    # so let's not make it visible from here...
+    mkdir $out/Library/PrivateFrameworks
+    mv $out/Library/Frameworks/IOKit.framework $out/Library/PrivateFrameworks
+  '';
+
+  appleHeaders = builtins.readFile (./. + "/headers-${arch}.txt");
+} // lib.optionalAttrs headersOnly {
+  HOST_CODESIGN = "echo";
+  HOST_CODESIGN_ALLOCATE = "echo";
+  LIPO = "echo";
+  LIBTOOL = "echo";
+  CTFCONVERT = "echo";
+  CTFMERGE = "echo";
+  CTFINSERT = "echo";
+  NMEDIT = "echo";
+  IIG = "echo";
+})
diff --git a/nixpkgs/pkgs/os-specific/darwin/apple-source-releases/xnu/headers-arm64.txt b/nixpkgs/pkgs/os-specific/darwin/apple-source-releases/xnu/headers-arm64.txt
new file mode 100644
index 000000000000..23ae12a9b057
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/darwin/apple-source-releases/xnu/headers-arm64.txt
@@ -0,0 +1,1488 @@
+AssertMacros.h
+_errno.h
+_libkernel_init.h
+arm/_limits.h
+arm/_mcontext.h
+arm/_param.h
+arm/_types.h
+arm/arch.h
+arm/endian.h
+arm/fasttrap_isa.h
+arm/limits.h
+arm/param.h
+arm/profile.h
+arm/signal.h
+arm/types.h
+arm/vmparam.h
+atm/atm_notification.defs
+atm/atm_types.defs
+atm/atm_types.h
+bank/bank_types.h
+bsd/arm/_limits.h
+bsd/arm/_mcontext.h
+bsd/arm/_param.h
+bsd/arm/_types.h
+bsd/arm/endian.h
+bsd/arm/limits.h
+bsd/arm/param.h
+bsd/arm/profile.h
+bsd/arm/signal.h
+bsd/arm/types.h
+bsd/arm/vmparam.h
+bsd/bsm/audit.h
+bsd/crypto/entropy/diag_entropy_sysctl.h
+bsd/dev/random/randomdev.h
+bsd/libkern/copyio.h
+bsd/libkern/libkern.h
+bsd/machine/_limits.h
+bsd/machine/_mcontext.h
+bsd/machine/_param.h
+bsd/machine/_types.h
+bsd/machine/byte_order.h
+bsd/machine/disklabel.h
+bsd/machine/endian.h
+bsd/machine/limits.h
+bsd/machine/param.h
+bsd/machine/profile.h
+bsd/machine/signal.h
+bsd/machine/types.h
+bsd/machine/vmparam.h
+bsd/miscfs/devfs/devfs.h
+bsd/miscfs/devfs/devfs_proto.h
+bsd/miscfs/devfs/devfsdefs.h
+bsd/miscfs/devfs/fdesc.h
+bsd/miscfs/fifofs/fifo.h
+bsd/miscfs/specfs/specdev.h
+bsd/miscfs/union/union.h
+bsd/net/bpf.h
+bsd/net/dlil.h
+bsd/net/ethernet.h
+bsd/net/if.h
+bsd/net/if_arp.h
+bsd/net/if_dl.h
+bsd/net/if_ether.h
+bsd/net/if_llc.h
+bsd/net/if_media.h
+bsd/net/if_mib.h
+bsd/net/if_types.h
+bsd/net/if_utun.h
+bsd/net/if_var.h
+bsd/net/init.h
+bsd/net/kext_net.h
+bsd/net/kpi_interface.h
+bsd/net/kpi_interfacefilter.h
+bsd/net/kpi_protocol.h
+bsd/net/ndrv.h
+bsd/net/net_kev.h
+bsd/net/pfkeyv2.h
+bsd/net/radix.h
+bsd/net/route.h
+bsd/netinet/bootp.h
+bsd/netinet/icmp6.h
+bsd/netinet/icmp_var.h
+bsd/netinet/if_ether.h
+bsd/netinet/igmp.h
+bsd/netinet/igmp_var.h
+bsd/netinet/in.h
+bsd/netinet/in_arp.h
+bsd/netinet/in_pcb.h
+bsd/netinet/in_systm.h
+bsd/netinet/in_var.h
+bsd/netinet/ip.h
+bsd/netinet/ip6.h
+bsd/netinet/ip_icmp.h
+bsd/netinet/ip_var.h
+bsd/netinet/kpi_ipfilter.h
+bsd/netinet/tcp.h
+bsd/netinet/tcp_fsm.h
+bsd/netinet/tcp_seq.h
+bsd/netinet/tcp_timer.h
+bsd/netinet/tcp_var.h
+bsd/netinet/tcpip.h
+bsd/netinet/udp.h
+bsd/netinet/udp_var.h
+bsd/netinet6/ah.h
+bsd/netinet6/esp.h
+bsd/netinet6/in6.h
+bsd/netinet6/in6_var.h
+bsd/netinet6/ipcomp.h
+bsd/netinet6/ipsec.h
+bsd/netinet6/nd6.h
+bsd/netinet6/raw_ip6.h
+bsd/netinet6/scope6_var.h
+bsd/netkey/keysock.h
+bsd/pthread/bsdthread_private.h
+bsd/pthread/priority_private.h
+bsd/pthread/workqueue_internal.h
+bsd/pthread/workqueue_syscalls.h
+bsd/pthread/workqueue_trace.h
+bsd/security/audit/audit.h
+bsd/security/audit/audit_bsd.h
+bsd/security/audit/audit_ioctl.h
+bsd/security/audit/audit_private.h
+bsd/sys/_endian.h
+bsd/sys/_select.h
+bsd/sys/_structs.h
+bsd/sys/_types.h
+bsd/sys/_types/_blkcnt_t.h
+bsd/sys/_types/_blksize_t.h
+bsd/sys/_types/_caddr_t.h
+bsd/sys/_types/_clock_t.h
+bsd/sys/_types/_ct_rune_t.h
+bsd/sys/_types/_dev_t.h
+bsd/sys/_types/_errno_t.h
+bsd/sys/_types/_fd_clr.h
+bsd/sys/_types/_fd_copy.h
+bsd/sys/_types/_fd_def.h
+bsd/sys/_types/_fd_isset.h
+bsd/sys/_types/_fd_set.h
+bsd/sys/_types/_fd_setsize.h
+bsd/sys/_types/_fd_zero.h
+bsd/sys/_types/_filesec_t.h
+bsd/sys/_types/_fsblkcnt_t.h
+bsd/sys/_types/_fsfilcnt_t.h
+bsd/sys/_types/_fsid_t.h
+bsd/sys/_types/_fsobj_id_t.h
+bsd/sys/_types/_gid_t.h
+bsd/sys/_types/_guid_t.h
+bsd/sys/_types/_id_t.h
+bsd/sys/_types/_in_addr_t.h
+bsd/sys/_types/_in_port_t.h
+bsd/sys/_types/_ino64_t.h
+bsd/sys/_types/_ino_t.h
+bsd/sys/_types/_int16_t.h
+bsd/sys/_types/_int32_t.h
+bsd/sys/_types/_int64_t.h
+bsd/sys/_types/_int8_t.h
+bsd/sys/_types/_intptr_t.h
+bsd/sys/_types/_iovec_t.h
+bsd/sys/_types/_key_t.h
+bsd/sys/_types/_mach_port_t.h
+bsd/sys/_types/_mbstate_t.h
+bsd/sys/_types/_mode_t.h
+bsd/sys/_types/_nlink_t.h
+bsd/sys/_types/_null.h
+bsd/sys/_types/_o_dsync.h
+bsd/sys/_types/_o_sync.h
+bsd/sys/_types/_off_t.h
+bsd/sys/_types/_offsetof.h
+bsd/sys/_types/_os_inline.h
+bsd/sys/_types/_pid_t.h
+bsd/sys/_types/_posix_vdisable.h
+bsd/sys/_types/_ptrdiff_t.h
+bsd/sys/_types/_rsize_t.h
+bsd/sys/_types/_rune_t.h
+bsd/sys/_types/_s_ifmt.h
+bsd/sys/_types/_sa_family_t.h
+bsd/sys/_types/_seek_set.h
+bsd/sys/_types/_sigaltstack.h
+bsd/sys/_types/_sigset_t.h
+bsd/sys/_types/_size_t.h
+bsd/sys/_types/_socklen_t.h
+bsd/sys/_types/_ssize_t.h
+bsd/sys/_types/_suseconds_t.h
+bsd/sys/_types/_time_t.h
+bsd/sys/_types/_timespec.h
+bsd/sys/_types/_timeval.h
+bsd/sys/_types/_timeval32.h
+bsd/sys/_types/_timeval64.h
+bsd/sys/_types/_u_char.h
+bsd/sys/_types/_u_int.h
+bsd/sys/_types/_u_int16_t.h
+bsd/sys/_types/_u_int32_t.h
+bsd/sys/_types/_u_int64_t.h
+bsd/sys/_types/_u_int8_t.h
+bsd/sys/_types/_u_short.h
+bsd/sys/_types/_ucontext.h
+bsd/sys/_types/_ucontext64.h
+bsd/sys/_types/_uid_t.h
+bsd/sys/_types/_uintptr_t.h
+bsd/sys/_types/_useconds_t.h
+bsd/sys/_types/_user32_itimerval.h
+bsd/sys/_types/_user32_ntptimeval.h
+bsd/sys/_types/_user32_timespec.h
+bsd/sys/_types/_user32_timeval.h
+bsd/sys/_types/_user32_timex.h
+bsd/sys/_types/_user64_itimerval.h
+bsd/sys/_types/_user64_ntptimeval.h
+bsd/sys/_types/_user64_timespec.h
+bsd/sys/_types/_user64_timeval.h
+bsd/sys/_types/_user64_timex.h
+bsd/sys/_types/_user_timespec.h
+bsd/sys/_types/_user_timeval.h
+bsd/sys/_types/_uuid_t.h
+bsd/sys/_types/_va_list.h
+bsd/sys/_types/_wchar_t.h
+bsd/sys/_types/_wint_t.h
+bsd/sys/appleapiopts.h
+bsd/sys/attr.h
+bsd/sys/bsdtask_info.h
+bsd/sys/buf.h
+bsd/sys/cdefs.h
+bsd/sys/codesign.h
+bsd/sys/commpage.h
+bsd/sys/conf.h
+bsd/sys/content_protection.h
+bsd/sys/cprotect.h
+bsd/sys/csr.h
+bsd/sys/decmpfs.h
+bsd/sys/dir.h
+bsd/sys/dirent.h
+bsd/sys/disk.h
+bsd/sys/disklabel.h
+bsd/sys/disktab.h
+bsd/sys/dkstat.h
+bsd/sys/doc_tombstone.h
+bsd/sys/domain.h
+bsd/sys/errno.h
+bsd/sys/ev.h
+bsd/sys/event.h
+bsd/sys/eventhandler.h
+bsd/sys/eventvar.h
+bsd/sys/fbt.h
+bsd/sys/fcntl.h
+bsd/sys/file.h
+bsd/sys/file_internal.h
+bsd/sys/filedesc.h
+bsd/sys/fileport.h
+bsd/sys/filio.h
+bsd/sys/fsctl.h
+bsd/sys/fsevents.h
+bsd/sys/fslog.h
+bsd/sys/guarded.h
+bsd/sys/imgact.h
+bsd/sys/ioccom.h
+bsd/sys/ioctl.h
+bsd/sys/ioctl_compat.h
+bsd/sys/ipc.h
+bsd/sys/kasl.h
+bsd/sys/kauth.h
+bsd/sys/kdebug.h
+bsd/sys/kdebug_kernel.h
+bsd/sys/kdebug_private.h
+bsd/sys/kern_control.h
+bsd/sys/kern_event.h
+bsd/sys/kern_memorystatus.h
+bsd/sys/kern_memorystatus_freeze.h
+bsd/sys/kern_memorystatus_notify.h
+bsd/sys/kern_sysctl.h
+bsd/sys/kernel.h
+bsd/sys/kernel_types.h
+bsd/sys/kpi_mbuf.h
+bsd/sys/kpi_private.h
+bsd/sys/kpi_socket.h
+bsd/sys/kpi_socketfilter.h
+bsd/sys/ktrace.h
+bsd/sys/linker_set.h
+bsd/sys/lock.h
+bsd/sys/lockf.h
+bsd/sys/mach_swapon.h
+bsd/sys/malloc.h
+bsd/sys/mbuf.h
+bsd/sys/md5.h
+bsd/sys/memory_maintenance.h
+bsd/sys/mman.h
+bsd/sys/monotonic.h
+bsd/sys/mount.h
+bsd/sys/mount_internal.h
+bsd/sys/msg.h
+bsd/sys/msgbuf.h
+bsd/sys/munge.h
+bsd/sys/namei.h
+bsd/sys/netport.h
+bsd/sys/param.h
+bsd/sys/paths.h
+bsd/sys/persona.h
+bsd/sys/pgo.h
+bsd/sys/pipe.h
+bsd/sys/posix_sem.h
+bsd/sys/posix_shm.h
+bsd/sys/priv.h
+bsd/sys/proc.h
+bsd/sys/proc_info.h
+bsd/sys/proc_internal.h
+bsd/sys/proc_require.h
+bsd/sys/protosw.h
+bsd/sys/pthread_internal.h
+bsd/sys/pthread_shims.h
+bsd/sys/queue.h
+bsd/sys/quota.h
+bsd/sys/random.h
+bsd/sys/reason.h
+bsd/sys/reboot.h
+bsd/sys/resource.h
+bsd/sys/resourcevar.h
+bsd/sys/sbuf.h
+bsd/sys/select.h
+bsd/sys/sem.h
+bsd/sys/sem_internal.h
+bsd/sys/semaphore.h
+bsd/sys/shm.h
+bsd/sys/shm_internal.h
+bsd/sys/signal.h
+bsd/sys/signalvar.h
+bsd/sys/socket.h
+bsd/sys/socketvar.h
+bsd/sys/sockio.h
+bsd/sys/spawn.h
+bsd/sys/spawn_internal.h
+bsd/sys/stackshot.h
+bsd/sys/stat.h
+bsd/sys/stdio.h
+bsd/sys/sys_domain.h
+bsd/sys/syscall.h
+bsd/sys/sysctl.h
+bsd/sys/syslimits.h
+bsd/sys/syslog.h
+bsd/sys/sysproto.h
+bsd/sys/systm.h
+bsd/sys/termios.h
+bsd/sys/time.h
+bsd/sys/timex.h
+bsd/sys/tree.h
+bsd/sys/tty.h
+bsd/sys/ttychars.h
+bsd/sys/ttycom.h
+bsd/sys/ttydefaults.h
+bsd/sys/ttydev.h
+bsd/sys/types.h
+bsd/sys/ubc.h
+bsd/sys/ucontext.h
+bsd/sys/ucred.h
+bsd/sys/uio.h
+bsd/sys/uio_internal.h
+bsd/sys/ulock.h
+bsd/sys/un.h
+bsd/sys/unicode.h
+bsd/sys/unistd.h
+bsd/sys/unpcb.h
+bsd/sys/user.h
+bsd/sys/utfconv.h
+bsd/sys/ux_exception.h
+bsd/sys/vfs_context.h
+bsd/sys/vm.h
+bsd/sys/vmmeter.h
+bsd/sys/vmparam.h
+bsd/sys/vnode.h
+bsd/sys/vnode_if.h
+bsd/sys/vnode_internal.h
+bsd/sys/vsock.h
+bsd/sys/vsock_domain.h
+bsd/sys/vsock_transport.h
+bsd/sys/wait.h
+bsd/sys/work_interval.h
+bsd/sys/xattr.h
+bsd/uuid/uuid.h
+bsd/vfs/vfs_disk_conditioner.h
+bsd/vfs/vfs_support.h
+bsd/vm/vnode_pager.h
+bsm/audit.h
+bsm/audit_domain.h
+bsm/audit_errno.h
+bsm/audit_fcntl.h
+bsm/audit_internal.h
+bsm/audit_kevents.h
+bsm/audit_record.h
+bsm/audit_socket_type.h
+corecrypto/cc.h
+corecrypto/cc_config.h
+corecrypto/cc_error.h
+corecrypto/cc_fault_canary.h
+corecrypto/cc_macros.h
+corecrypto/cc_priv.h
+corecrypto/cc_runtime_config.h
+corecrypto/ccaes.h
+corecrypto/ccasn1.h
+corecrypto/ccchacha20poly1305.h
+corecrypto/cccmac.h
+corecrypto/ccdes.h
+corecrypto/ccdigest.h
+corecrypto/ccdigest_priv.h
+corecrypto/ccdrbg.h
+corecrypto/ccdrbg_impl.h
+corecrypto/cchmac.h
+corecrypto/cckprng.h
+corecrypto/ccmd4.h
+corecrypto/ccmode.h
+corecrypto/ccmode_impl.h
+corecrypto/ccmode_siv.h
+corecrypto/ccmode_siv_hmac.h
+corecrypto/ccn.h
+corecrypto/ccpad.h
+corecrypto/ccrng.h
+corecrypto/ccrsa.h
+corecrypto/ccsha1.h
+corecrypto/ccsha2.h
+corecrypto/cczp.h
+corecrypto/fipspost_trace.h
+corpses/task_corpse.h
+default_pager/default_pager_types.h
+device/device.defs
+device/device_port.h
+device/device_types.defs
+device/device_types.h
+gethostuuid.h
+gethostuuid_private.h
+iokit/DriverKit/IOBufferMemoryDescriptor.h
+iokit/DriverKit/IODMACommand.h
+iokit/DriverKit/IODataQueueDispatchSource.h
+iokit/DriverKit/IODispatchQueue.h
+iokit/DriverKit/IODispatchSource.h
+iokit/DriverKit/IOInterruptDispatchSource.h
+iokit/DriverKit/IOKitKeys.h
+iokit/DriverKit/IOMemoryDescriptor.h
+iokit/DriverKit/IOMemoryMap.h
+iokit/DriverKit/IORPC.h
+iokit/DriverKit/IOReturn.h
+iokit/DriverKit/IOService.h
+iokit/DriverKit/IOServiceNotificationDispatchSource.h
+iokit/DriverKit/IOTypes.h
+iokit/DriverKit/IOUserClient.h
+iokit/DriverKit/IOUserServer.h
+iokit/DriverKit/OSAction.h
+iokit/DriverKit/OSObject.h
+iokit/IOKit/AppleKeyStoreInterface.h
+iokit/IOKit/IOBSD.h
+iokit/IOKit/IOBufferMemoryDescriptor.h
+iokit/IOKit/IOCPU.h
+iokit/IOKit/IOCatalogue.h
+iokit/IOKit/IOCommand.h
+iokit/IOKit/IOCommandGate.h
+iokit/IOKit/IOCommandPool.h
+iokit/IOKit/IOCommandQueue.h
+iokit/IOKit/IOConditionLock.h
+iokit/IOKit/IODMACommand.h
+iokit/IOKit/IODMAController.h
+iokit/IOKit/IODMAEventSource.h
+iokit/IOKit/IODataQueue.h
+iokit/IOKit/IODataQueueShared.h
+iokit/IOKit/IODeviceMemory.h
+iokit/IOKit/IODeviceTreeSupport.h
+iokit/IOKit/IOEventSource.h
+iokit/IOKit/IOFilterInterruptEventSource.h
+iokit/IOKit/IOHibernatePrivate.h
+iokit/IOKit/IOInterleavedMemoryDescriptor.h
+iokit/IOKit/IOInterruptAccounting.h
+iokit/IOKit/IOInterruptController.h
+iokit/IOKit/IOInterruptEventSource.h
+iokit/IOKit/IOInterrupts.h
+iokit/IOKit/IOKernelReportStructs.h
+iokit/IOKit/IOKernelReporters.h
+iokit/IOKit/IOKitDebug.h
+iokit/IOKit/IOKitDiagnosticsUserClient.h
+iokit/IOKit/IOKitKeys.h
+iokit/IOKit/IOKitKeysPrivate.h
+iokit/IOKit/IOKitServer.h
+iokit/IOKit/IOLib.h
+iokit/IOKit/IOLocks.h
+iokit/IOKit/IOLocksPrivate.h
+iokit/IOKit/IOMapper.h
+iokit/IOKit/IOMemoryCursor.h
+iokit/IOKit/IOMemoryDescriptor.h
+iokit/IOKit/IOMessage.h
+iokit/IOKit/IOMultiMemoryDescriptor.h
+iokit/IOKit/IONVRAM.h
+iokit/IOKit/IONotifier.h
+iokit/IOKit/IOPMGR.h
+iokit/IOKit/IOPlatformActions.h
+iokit/IOKit/IOPlatformExpert.h
+iokit/IOKit/IOPolledInterface.h
+iokit/IOKit/IORPC.h
+iokit/IOKit/IORangeAllocator.h
+iokit/IOKit/IORegistryEntry.h
+iokit/IOKit/IOReportMacros.h
+iokit/IOKit/IOReportTypes.h
+iokit/IOKit/IOReturn.h
+iokit/IOKit/IOService.h
+iokit/IOKit/IOServicePM.h
+iokit/IOKit/IOSharedDataQueue.h
+iokit/IOKit/IOSharedLock.h
+iokit/IOKit/IOStatistics.h
+iokit/IOKit/IOStatisticsPrivate.h
+iokit/IOKit/IOSubMemoryDescriptor.h
+iokit/IOKit/IOSyncer.h
+iokit/IOKit/IOTimeStamp.h
+iokit/IOKit/IOTimerEventSource.h
+iokit/IOKit/IOTypes.h
+iokit/IOKit/IOUserClient.h
+iokit/IOKit/IOUserServer.h
+iokit/IOKit/IOWorkLoop.h
+iokit/IOKit/OSMessageNotification.h
+iokit/IOKit/PassthruInterruptController.h
+iokit/IOKit/assert.h
+iokit/IOKit/nvram/IONVRAMController.h
+iokit/IOKit/platform/AppleMacIO.h
+iokit/IOKit/platform/AppleMacIODevice.h
+iokit/IOKit/platform/AppleNMI.h
+iokit/IOKit/platform/ApplePlatformExpert.h
+iokit/IOKit/platform/IOPlatformIO.h
+iokit/IOKit/power/IOPwrController.h
+iokit/IOKit/pwr_mgt/IOPM.h
+iokit/IOKit/pwr_mgt/IOPMLibDefs.h
+iokit/IOKit/pwr_mgt/IOPMPowerSource.h
+iokit/IOKit/pwr_mgt/IOPMPowerSourceList.h
+iokit/IOKit/pwr_mgt/IOPMpowerState.h
+iokit/IOKit/pwr_mgt/IOPowerConnection.h
+iokit/IOKit/pwr_mgt/RootDomain.h
+iokit/IOKit/rtc/IORTCController.h
+iokit/IOKit/system.h
+iokit/IOKit/system_management/IOWatchDogTimer.h
+kern/exc_guard.h
+kern/exc_resource.h
+kern/kcdata.h
+kern/kern_cdata.h
+libkern/OSByteOrder.h
+libkern/OSDebug.h
+libkern/OSKextLib.h
+libkern/OSReturn.h
+libkern/OSTypes.h
+libkern/_OSByteOrder.h
+libkern/arm/OSByteOrder.h
+libkern/firehose/chunk_private.h
+libkern/firehose/firehose_types_private.h
+libkern/firehose/ioctl_private.h
+libkern/firehose/tracepoint_private.h
+libkern/libkern/Block.h
+libkern/libkern/Block_private.h
+libkern/libkern/OSAtomic.h
+libkern/libkern/OSBase.h
+libkern/libkern/OSByteOrder.h
+libkern/libkern/OSDebug.h
+libkern/libkern/OSKextLib.h
+libkern/libkern/OSKextLibPrivate.h
+libkern/libkern/OSMalloc.h
+libkern/libkern/OSReturn.h
+libkern/libkern/OSSerializeBinary.h
+libkern/libkern/OSTypes.h
+libkern/libkern/_OSByteOrder.h
+libkern/libkern/arm/OSByteOrder.h
+libkern/libkern/c++/OSAllocation.h
+libkern/libkern/c++/OSArray.h
+libkern/libkern/c++/OSBoolean.h
+libkern/libkern/c++/OSBoundedArray.h
+libkern/libkern/c++/OSBoundedArrayRef.h
+libkern/libkern/c++/OSBoundedPtr.h
+libkern/libkern/c++/OSBoundedPtrFwd.h
+libkern/libkern/c++/OSCPPDebug.h
+libkern/libkern/c++/OSCollection.h
+libkern/libkern/c++/OSCollectionIterator.h
+libkern/libkern/c++/OSContainers.h
+libkern/libkern/c++/OSData.h
+libkern/libkern/c++/OSDictionary.h
+libkern/libkern/c++/OSEndianTypes.h
+libkern/libkern/c++/OSIterator.h
+libkern/libkern/c++/OSKext.h
+libkern/libkern/c++/OSLib.h
+libkern/libkern/c++/OSMetaClass.h
+libkern/libkern/c++/OSNumber.h
+libkern/libkern/c++/OSObject.h
+libkern/libkern/c++/OSOrderedSet.h
+libkern/libkern/c++/OSPtr.h
+libkern/libkern/c++/OSSerialize.h
+libkern/libkern/c++/OSSet.h
+libkern/libkern/c++/OSSharedPtr.h
+libkern/libkern/c++/OSString.h
+libkern/libkern/c++/OSSymbol.h
+libkern/libkern/c++/OSUnserialize.h
+libkern/libkern/c++/bounded_array.h
+libkern/libkern/c++/bounded_array_ref.h
+libkern/libkern/c++/bounded_ptr.h
+libkern/libkern/c++/bounded_ptr_fwd.h
+libkern/libkern/c++/intrusive_shared_ptr.h
+libkern/libkern/c++/safe_allocation.h
+libkern/libkern/crc.h
+libkern/libkern/crypto/aes.h
+libkern/libkern/crypto/aesxts.h
+libkern/libkern/crypto/chacha20poly1305.h
+libkern/libkern/crypto/crypto_internal.h
+libkern/libkern/crypto/des.h
+libkern/libkern/crypto/md5.h
+libkern/libkern/crypto/rand.h
+libkern/libkern/crypto/register_crypto.h
+libkern/libkern/crypto/rsa.h
+libkern/libkern/crypto/sha1.h
+libkern/libkern/crypto/sha2.h
+libkern/libkern/img4/interface.h
+libkern/libkern/kernel_mach_header.h
+libkern/libkern/kext_request_keys.h
+libkern/libkern/kxld.h
+libkern/libkern/kxld_types.h
+libkern/libkern/locks.h
+libkern/libkern/machine/OSByteOrder.h
+libkern/libkern/mkext.h
+libkern/libkern/prelink.h
+libkern/libkern/ptrauth_utils.h
+libkern/libkern/section_keywords.h
+libkern/libkern/stack_protector.h
+libkern/libkern/sysctl.h
+libkern/libkern/tree.h
+libkern/libkern/version.h
+libkern/libkern/zconf.h
+libkern/libkern/zlib.h
+libkern/machine/OSByteOrder.h
+libkern/os/atomic.h
+libkern/os/atomic_private.h
+libkern/os/atomic_private_arch.h
+libkern/os/atomic_private_impl.h
+libkern/os/base.h
+libkern/os/base_private.h
+libkern/os/cpp_util.h
+libkern/os/hash.h
+libkern/os/log.h
+libkern/os/log_private.h
+libkern/os/object.h
+libkern/os/overflow.h
+libkern/os/ptrtools.h
+libkern/os/reason_private.h
+libkern/os/refcnt.h
+libkern/os/refcnt_internal.h
+libkern/os/trace.h
+libproc.h
+mach/arm/_structs.h
+mach/arm/asm.h
+mach/arm/boolean.h
+mach/arm/exception.h
+mach/arm/kern_return.h
+mach/arm/ndr_def.h
+mach/arm/processor_info.h
+mach/arm/rpc.h
+mach/arm/sdt_isa.h
+mach/arm/syscall_sw.h
+mach/arm/thread_state.h
+mach/arm/thread_status.h
+mach/arm/traps.h
+mach/arm/vm_param.h
+mach/arm/vm_types.h
+mach/arm64/asm.h
+mach/audit_triggers.defs
+mach/audit_triggers_types.h
+mach/boolean.h
+mach/bootstrap.h
+mach/clock.defs
+mach/clock.h
+mach/clock_priv.defs
+mach/clock_priv.h
+mach/clock_reply.defs
+mach/clock_reply.h
+mach/clock_types.defs
+mach/clock_types.h
+mach/dyld_kernel.h
+mach/error.h
+mach/exc.defs
+mach/exc.h
+mach/exception.h
+mach/exception_types.h
+mach/host_info.h
+mach/host_notify.h
+mach/host_notify_reply.defs
+mach/host_priv.defs
+mach/host_priv.h
+mach/host_reboot.h
+mach/host_security.defs
+mach/host_security.h
+mach/host_special_ports.h
+mach/kern_return.h
+mach/kmod.h
+mach/lock_set.defs
+mach/lock_set.h
+mach/mach.h
+mach/mach_error.h
+mach/mach_eventlink.h
+mach/mach_exc.defs
+mach/mach_host.defs
+mach/mach_host.h
+mach/mach_init.h
+mach/mach_interface.h
+mach/mach_param.h
+mach/mach_port.defs
+mach/mach_port.h
+mach/mach_port_internal.h
+mach/mach_right.h
+mach/mach_syscalls.h
+mach/mach_time.h
+mach/mach_traps.h
+mach/mach_types.defs
+mach/mach_types.h
+mach/mach_vm.defs
+mach/mach_vm.h
+mach/mach_vm_internal.h
+mach/mach_voucher.defs
+mach/mach_voucher.h
+mach/mach_voucher_attr_control.defs
+mach/mach_voucher_types.h
+mach/machine.h
+mach/machine/_structs.h
+mach/machine/asm.h
+mach/machine/boolean.h
+mach/machine/exception.h
+mach/machine/kern_return.h
+mach/machine/machine_types.defs
+mach/machine/ndr_def.h
+mach/machine/processor_info.h
+mach/machine/rpc.h
+mach/machine/sdt.h
+mach/machine/sdt_isa.h
+mach/machine/thread_state.h
+mach/machine/thread_status.h
+mach/machine/vm_param.h
+mach/machine/vm_types.h
+mach/memory_entry.defs
+mach/memory_entry.h
+mach/memory_object_types.h
+mach/message.h
+mach/mig.h
+mach/mig_errors.h
+mach/mig_strncpy_zerofill_support.h
+mach/mig_voucher_support.h
+mach/ndr.h
+mach/notify.defs
+mach/notify.h
+mach/policy.h
+mach/port.h
+mach/port_obj.h
+mach/processor.defs
+mach/processor.h
+mach/processor_info.h
+mach/processor_set.defs
+mach/processor_set.h
+mach/rpc.h
+mach/sdt.h
+mach/semaphore.h
+mach/shared_memory_server.h
+mach/shared_region.h
+mach/std_types.defs
+mach/std_types.h
+mach/sync.h
+mach/sync_policy.h
+mach/task.defs
+mach/task.h
+mach/task_access.defs
+mach/task_info.h
+mach/task_inspect.h
+mach/task_policy.h
+mach/task_special_ports.h
+mach/telemetry_notification.defs
+mach/thread_act.defs
+mach/thread_act.h
+mach/thread_act_internal.h
+mach/thread_info.h
+mach/thread_policy.h
+mach/thread_special_ports.h
+mach/thread_state.h
+mach/thread_status.h
+mach/thread_switch.h
+mach/time_value.h
+mach/vm_attributes.h
+mach/vm_behavior.h
+mach/vm_inherit.h
+mach/vm_map.defs
+mach/vm_map.h
+mach/vm_map_internal.h
+mach/vm_page_size.h
+mach/vm_param.h
+mach/vm_prot.h
+mach/vm_purgable.h
+mach/vm_region.h
+mach/vm_statistics.h
+mach/vm_sync.h
+mach/vm_task.h
+mach/vm_types.h
+mach_debug/hash_info.h
+mach_debug/ipc_info.h
+mach_debug/lockgroup_info.h
+mach_debug/mach_debug.h
+mach_debug/mach_debug_types.defs
+mach_debug/mach_debug_types.h
+mach_debug/page_info.h
+mach_debug/vm_info.h
+mach_debug/zone_info.h
+machine/_limits.h
+machine/_mcontext.h
+machine/_param.h
+machine/_types.h
+machine/byte_order.h
+machine/endian.h
+machine/fasttrap_isa.h
+machine/limits.h
+machine/param.h
+machine/profile.h
+machine/signal.h
+machine/types.h
+machine/vmparam.h
+machine_types.modulemap
+miscfs/devfs/devfs.h
+miscfs/specfs/specdev.h
+miscfs/union/union.h
+net/bpf.h
+net/dlil.h
+net/ethernet.h
+net/if.h
+net/if_arp.h
+net/if_dl.h
+net/if_llc.h
+net/if_media.h
+net/if_mib.h
+net/if_types.h
+net/if_utun.h
+net/if_var.h
+net/kext_net.h
+net/ndrv.h
+net/net_kev.h
+net/pfkeyv2.h
+net/route.h
+netinet/bootp.h
+netinet/icmp6.h
+netinet/icmp_var.h
+netinet/if_ether.h
+netinet/igmp.h
+netinet/igmp_var.h
+netinet/in.h
+netinet/in_pcb.h
+netinet/in_systm.h
+netinet/in_var.h
+netinet/ip.h
+netinet/ip6.h
+netinet/ip_icmp.h
+netinet/ip_var.h
+netinet/tcp.h
+netinet/tcp_fsm.h
+netinet/tcp_seq.h
+netinet/tcp_timer.h
+netinet/tcp_var.h
+netinet/tcpip.h
+netinet/udp.h
+netinet/udp_var.h
+netinet6/ah.h
+netinet6/esp.h
+netinet6/in6.h
+netinet6/in6_var.h
+netinet6/ipcomp.h
+netinet6/ipsec.h
+netinet6/nd6.h
+netinet6/raw_ip6.h
+netinet6/scope6_var.h
+netkey/keysock.h
+nfs/krpc.h
+nfs/nfs.h
+nfs/nfs_gss.h
+nfs/nfs_ioctl.h
+nfs/nfs_lock.h
+nfs/nfsdiskless.h
+nfs/nfsm_subs.h
+nfs/nfsmount.h
+nfs/nfsnode.h
+nfs/nfsproto.h
+nfs/nfsrvcache.h
+nfs/rpcv2.h
+nfs/xdr_subs.h
+os/atomic.h
+os/base.h
+os/overflow.h
+os/tsd.h
+osfmk/UserNotification/KUNCUserNotifications.h
+osfmk/UserNotification/UNDReply.defs
+osfmk/UserNotification/UNDRequest.defs
+osfmk/UserNotification/UNDTypes.defs
+osfmk/UserNotification/UNDTypes.h
+osfmk/arm/arch.h
+osfmk/arm/atomic.h
+osfmk/arm/caches_internal.h
+osfmk/arm/cpu_capabilities.h
+osfmk/arm/cpu_number.h
+osfmk/arm/cpu_x86_64_capabilities.h
+osfmk/arm/cpuid.h
+osfmk/arm/cpuid_internal.h
+osfmk/arm/dbgwrap.h
+osfmk/arm/io_map_entries.h
+osfmk/arm/lock.h
+osfmk/arm/locks.h
+osfmk/arm/machine_cpu.h
+osfmk/arm/machine_cpuid.h
+osfmk/arm/machine_kpc.h
+osfmk/arm/machine_routines.h
+osfmk/arm/memory_types.h
+osfmk/arm/monotonic.h
+osfmk/arm/pal_routines.h
+osfmk/arm/pmap_public.h
+osfmk/arm/proc_reg.h
+osfmk/arm/simple_lock.h
+osfmk/arm/smp.h
+osfmk/arm/thread.h
+osfmk/arm/trap.h
+osfmk/arm64/asm.h
+osfmk/arm64/lowglobals.h
+osfmk/arm64/machine_cpuid.h
+osfmk/arm64/machine_kpc.h
+osfmk/arm64/machine_remote_time.h
+osfmk/arm64/monotonic.h
+osfmk/arm64/pal_hibernate.h
+osfmk/arm64/pgtrace.h
+osfmk/arm64/proc_reg.h
+osfmk/arm64/tlb.h
+osfmk/atm/atm_internal.h
+osfmk/atm/atm_notification.defs
+osfmk/atm/atm_types.defs
+osfmk/atm/atm_types.h
+osfmk/bank/bank_types.h
+osfmk/console/serial_protos.h
+osfmk/console/video_console.h
+osfmk/corpses/task_corpse.h
+osfmk/default_pager/default_pager_types.h
+osfmk/device/device.defs
+osfmk/device/device_port.h
+osfmk/device/device_types.defs
+osfmk/device/device_types.h
+osfmk/gssd/gssd_mach.defs
+osfmk/gssd/gssd_mach.h
+osfmk/gssd/gssd_mach_types.h
+osfmk/ipc/ipc_types.h
+osfmk/kdp/kdp_callout.h
+osfmk/kdp/kdp_dyld.h
+osfmk/kdp/kdp_en_debugger.h
+osfmk/kern/affinity.h
+osfmk/kern/arcade.h
+osfmk/kern/arithmetic_128.h
+osfmk/kern/assert.h
+osfmk/kern/audit_sessionport.h
+osfmk/kern/backtrace.h
+osfmk/kern/bits.h
+osfmk/kern/block_hint.h
+osfmk/kern/btlog.h
+osfmk/kern/cambria_layout.h
+osfmk/kern/circle_queue.h
+osfmk/kern/clock.h
+osfmk/kern/coalition.h
+osfmk/kern/cpu_data.h
+osfmk/kern/cpu_number.h
+osfmk/kern/cpu_quiesce.h
+osfmk/kern/cs_blobs.h
+osfmk/kern/debug.h
+osfmk/kern/ecc.h
+osfmk/kern/energy_perf.h
+osfmk/kern/exc_guard.h
+osfmk/kern/exc_resource.h
+osfmk/kern/extmod_statistics.h
+osfmk/kern/host.h
+osfmk/kern/hv_support.h
+osfmk/kern/hv_support_kext.h
+osfmk/kern/ipc_kobject.h
+osfmk/kern/ipc_mig.h
+osfmk/kern/ipc_misc.h
+osfmk/kern/kalloc.h
+osfmk/kern/kcdata.h
+osfmk/kern/kern_cdata.h
+osfmk/kern/kern_types.h
+osfmk/kern/kext_alloc.h
+osfmk/kern/kpc.h
+osfmk/kern/ledger.h
+osfmk/kern/lock.h
+osfmk/kern/lock_group.h
+osfmk/kern/lock_stat.h
+osfmk/kern/locks.h
+osfmk/kern/mach_param.h
+osfmk/kern/macro_help.h
+osfmk/kern/monotonic.h
+osfmk/kern/mpqueue.h
+osfmk/kern/mpsc_queue.h
+osfmk/kern/page_decrypt.h
+osfmk/kern/percpu.h
+osfmk/kern/pms.h
+osfmk/kern/policy_internal.h
+osfmk/kern/priority_queue.h
+osfmk/kern/processor.h
+osfmk/kern/queue.h
+osfmk/kern/remote_time.h
+osfmk/kern/restartable.h
+osfmk/kern/sched_clutch.h
+osfmk/kern/sched_prim.h
+osfmk/kern/sfi.h
+osfmk/kern/simple_lock.h
+osfmk/kern/startup.h
+osfmk/kern/task.h
+osfmk/kern/telemetry.h
+osfmk/kern/thread.h
+osfmk/kern/thread_call.h
+osfmk/kern/thread_group.h
+osfmk/kern/timer_call.h
+osfmk/kern/trustcache.h
+osfmk/kern/turnstile.h
+osfmk/kern/ux_handler.h
+osfmk/kern/waitq.h
+osfmk/kern/work_interval.h
+osfmk/kern/zalloc.h
+osfmk/kextd/kextd_mach.defs
+osfmk/kextd/kextd_mach.h
+osfmk/kperf/action.h
+osfmk/kperf/context.h
+osfmk/kperf/kdebug_trigger.h
+osfmk/kperf/kperf.h
+osfmk/kperf/kperfbsd.h
+osfmk/kperf/kptimer.h
+osfmk/kperf/lazy.h
+osfmk/kperf/pet.h
+osfmk/lockd/lockd_mach.defs
+osfmk/lockd/lockd_mach.h
+osfmk/lockd/lockd_mach_types.h
+osfmk/mach/arcade_upcall_server.h
+osfmk/mach/arm/_structs.h
+osfmk/mach/arm/asm.h
+osfmk/mach/arm/boolean.h
+osfmk/mach/arm/exception.h
+osfmk/mach/arm/kern_return.h
+osfmk/mach/arm/ndr_def.h
+osfmk/mach/arm/processor_info.h
+osfmk/mach/arm/rpc.h
+osfmk/mach/arm/sdt_isa.h
+osfmk/mach/arm/syscall_sw.h
+osfmk/mach/arm/thread_state.h
+osfmk/mach/arm/thread_status.h
+osfmk/mach/arm/traps.h
+osfmk/mach/arm/vm_param.h
+osfmk/mach/arm/vm_types.h
+osfmk/mach/arm64/asm.h
+osfmk/mach/audit_triggers.defs
+osfmk/mach/audit_triggers_server.h
+osfmk/mach/audit_triggers_types.h
+osfmk/mach/boolean.h
+osfmk/mach/clock.defs
+osfmk/mach/clock.h
+osfmk/mach/clock_priv.defs
+osfmk/mach/clock_priv.h
+osfmk/mach/clock_reply.defs
+osfmk/mach/clock_reply_server.h
+osfmk/mach/clock_types.defs
+osfmk/mach/clock_types.h
+osfmk/mach/coalition.h
+osfmk/mach/coalition_notification_server.h
+osfmk/mach/dyld_kernel.h
+osfmk/mach/error.h
+osfmk/mach/exc.defs
+osfmk/mach/exc_server.h
+osfmk/mach/exception.h
+osfmk/mach/exception_types.h
+osfmk/mach/fairplayd_notification_server.h
+osfmk/mach/host_info.h
+osfmk/mach/host_notify.h
+osfmk/mach/host_notify_reply.defs
+osfmk/mach/host_priv.defs
+osfmk/mach/host_priv.h
+osfmk/mach/host_reboot.h
+osfmk/mach/host_security.defs
+osfmk/mach/host_security.h
+osfmk/mach/host_special_ports.h
+osfmk/mach/kern_return.h
+osfmk/mach/kmod.h
+osfmk/mach/ktrace_background.h
+osfmk/mach/lock_set.defs
+osfmk/mach/lock_set.h
+osfmk/mach/mach_eventlink_types.h
+osfmk/mach/mach_exc.defs
+osfmk/mach/mach_exc_server.h
+osfmk/mach/mach_host.defs
+osfmk/mach/mach_host.h
+osfmk/mach/mach_interface.h
+osfmk/mach/mach_param.h
+osfmk/mach/mach_port.defs
+osfmk/mach/mach_port.h
+osfmk/mach/mach_syscalls.h
+osfmk/mach/mach_time.h
+osfmk/mach/mach_traps.h
+osfmk/mach/mach_types.defs
+osfmk/mach/mach_types.h
+osfmk/mach/mach_vm.defs
+osfmk/mach/mach_vm.h
+osfmk/mach/mach_voucher.defs
+osfmk/mach/mach_voucher.h
+osfmk/mach/mach_voucher_attr_control.defs
+osfmk/mach/mach_voucher_attr_control.h
+osfmk/mach/mach_voucher_types.h
+osfmk/mach/machine.h
+osfmk/mach/machine/_structs.h
+osfmk/mach/machine/asm.h
+osfmk/mach/machine/boolean.h
+osfmk/mach/machine/exception.h
+osfmk/mach/machine/kern_return.h
+osfmk/mach/machine/machine_types.defs
+osfmk/mach/machine/ndr_def.h
+osfmk/mach/machine/processor_info.h
+osfmk/mach/machine/rpc.h
+osfmk/mach/machine/sdt.h
+osfmk/mach/machine/sdt_isa.h
+osfmk/mach/machine/syscall_sw.h
+osfmk/mach/machine/thread_state.h
+osfmk/mach/machine/thread_status.h
+osfmk/mach/machine/vm_param.h
+osfmk/mach/machine/vm_types.h
+osfmk/mach/memory_entry.defs
+osfmk/mach/memory_entry.h
+osfmk/mach/memory_object_control.h
+osfmk/mach/memory_object_default_server.h
+osfmk/mach/memory_object_types.h
+osfmk/mach/message.h
+osfmk/mach/mig.h
+osfmk/mach/mig_errors.h
+osfmk/mach/mig_strncpy_zerofill_support.h
+osfmk/mach/mig_voucher_support.h
+osfmk/mach/ndr.h
+osfmk/mach/notify.defs
+osfmk/mach/notify.h
+osfmk/mach/notify_server.h
+osfmk/mach/policy.h
+osfmk/mach/port.h
+osfmk/mach/processor.defs
+osfmk/mach/processor.h
+osfmk/mach/processor_info.h
+osfmk/mach/processor_set.defs
+osfmk/mach/processor_set.h
+osfmk/mach/resource_monitors.h
+osfmk/mach/rpc.h
+osfmk/mach/sdt.h
+osfmk/mach/semaphore.h
+osfmk/mach/sfi_class.h
+osfmk/mach/shared_memory_server.h
+osfmk/mach/shared_region.h
+osfmk/mach/std_types.defs
+osfmk/mach/std_types.h
+osfmk/mach/sync_policy.h
+osfmk/mach/syscall_sw.h
+osfmk/mach/sysdiagnose_notification_server.h
+osfmk/mach/task.defs
+osfmk/mach/task.h
+osfmk/mach/task_access.defs
+osfmk/mach/task_access.h
+osfmk/mach/task_access_server.h
+osfmk/mach/task_info.h
+osfmk/mach/task_inspect.h
+osfmk/mach/task_policy.h
+osfmk/mach/task_special_ports.h
+osfmk/mach/telemetry_notification.defs
+osfmk/mach/telemetry_notification_server.h
+osfmk/mach/thread_act.defs
+osfmk/mach/thread_act.h
+osfmk/mach/thread_info.h
+osfmk/mach/thread_policy.h
+osfmk/mach/thread_special_ports.h
+osfmk/mach/thread_status.h
+osfmk/mach/thread_switch.h
+osfmk/mach/time_value.h
+osfmk/mach/upl.h
+osfmk/mach/vfs_nspace.h
+osfmk/mach/vfs_nspace_server.h
+osfmk/mach/vm_attributes.h
+osfmk/mach/vm_behavior.h
+osfmk/mach/vm_inherit.h
+osfmk/mach/vm_map.defs
+osfmk/mach/vm_map.h
+osfmk/mach/vm_param.h
+osfmk/mach/vm_prot.h
+osfmk/mach/vm_purgable.h
+osfmk/mach/vm_region.h
+osfmk/mach/vm_statistics.h
+osfmk/mach/vm_sync.h
+osfmk/mach/vm_types.h
+osfmk/mach_debug/hash_info.h
+osfmk/mach_debug/ipc_info.h
+osfmk/mach_debug/lockgroup_info.h
+osfmk/mach_debug/mach_debug.h
+osfmk/mach_debug/mach_debug_types.defs
+osfmk/mach_debug/mach_debug_types.h
+osfmk/mach_debug/page_info.h
+osfmk/mach_debug/vm_info.h
+osfmk/mach_debug/zone_info.h
+osfmk/machine/atomic.h
+osfmk/machine/config.h
+osfmk/machine/cpu_capabilities.h
+osfmk/machine/cpu_number.h
+osfmk/machine/io_map_entries.h
+osfmk/machine/lock.h
+osfmk/machine/locks.h
+osfmk/machine/machine_cpuid.h
+osfmk/machine/machine_kpc.h
+osfmk/machine/machine_remote_time.h
+osfmk/machine/machine_routines.h
+osfmk/machine/memory_types.h
+osfmk/machine/monotonic.h
+osfmk/machine/pal_hibernate.h
+osfmk/machine/pal_routines.h
+osfmk/machine/simple_lock.h
+osfmk/machine/smp.h
+osfmk/machine/trap.h
+osfmk/prng/entropy.h
+osfmk/prng/random.h
+osfmk/string.h
+osfmk/tests/ktest.h
+osfmk/tests/xnupost.h
+osfmk/vm/WKdm_new.h
+osfmk/vm/memory_types.h
+osfmk/vm/pmap.h
+osfmk/vm/vm_compressor_algorithms.h
+osfmk/vm/vm_fault.h
+osfmk/vm/vm_kern.h
+osfmk/vm/vm_map.h
+osfmk/vm/vm_options.h
+osfmk/vm/vm_pageout.h
+osfmk/vm/vm_protos.h
+osfmk/vm/vm_shared_region.h
+osfmk/voucher/ipc_pthread_priority_types.h
+pexpert/boot.h
+pexpert/machine/boot.h
+pexpert/machine/protos.h
+pexpert/pexpert.h
+pexpert/pexpert/arm/AIC.h
+pexpert/pexpert/arm/PL192_VIC.h
+pexpert/pexpert/arm/S3cUART.h
+pexpert/pexpert/arm/T8002.h
+pexpert/pexpert/arm/board_config.h
+pexpert/pexpert/arm/boot.h
+pexpert/pexpert/arm/consistent_debug.h
+pexpert/pexpert/arm/dockchannel.h
+pexpert/pexpert/arm/protos.h
+pexpert/pexpert/arm64/AIC.h
+pexpert/pexpert/arm64/BCM2837.h
+pexpert/pexpert/arm64/H7.h
+pexpert/pexpert/arm64/H8.h
+pexpert/pexpert/arm64/H9.h
+pexpert/pexpert/arm64/S3c2410x.h
+pexpert/pexpert/arm64/apple_arm64_common.h
+pexpert/pexpert/arm64/apple_arm64_regs.h
+pexpert/pexpert/arm64/board_config.h
+pexpert/pexpert/arm64/boot.h
+pexpert/pexpert/arm64/spr_locks.h
+pexpert/pexpert/boot.h
+pexpert/pexpert/device_tree.h
+pexpert/pexpert/machine/boot.h
+pexpert/pexpert/machine/protos.h
+pexpert/pexpert/pexpert.h
+pexpert/pexpert/protos.h
+pexpert/protos.h
+san/san/kasan.h
+san/san/ksancov.h
+san/san/memintrinsics.h
+security/audit/audit_ioctl.h
+security/security/_label.h
+security/security/mac.h
+security/security/mac_data.h
+security/security/mac_framework.h
+security/security/mac_internal.h
+security/security/mac_mach_internal.h
+security/security/mac_policy.h
+servers/key_defs.h
+servers/ls_defs.h
+servers/netname.h
+servers/netname_defs.h
+servers/nm_defs.h
+spawn.h
+sys/_endian.h
+sys/_posix_availability.h
+sys/_select.h
+sys/_structs.h
+sys/_symbol_aliasing.h
+sys/_types.h
+sys/_types/_blkcnt_t.h
+sys/_types/_blksize_t.h
+sys/_types/_caddr_t.h
+sys/_types/_clock_t.h
+sys/_types/_ct_rune_t.h
+sys/_types/_dev_t.h
+sys/_types/_errno_t.h
+sys/_types/_fd_clr.h
+sys/_types/_fd_copy.h
+sys/_types/_fd_def.h
+sys/_types/_fd_isset.h
+sys/_types/_fd_set.h
+sys/_types/_fd_setsize.h
+sys/_types/_fd_zero.h
+sys/_types/_filesec_t.h
+sys/_types/_fsblkcnt_t.h
+sys/_types/_fsfilcnt_t.h
+sys/_types/_fsid_t.h
+sys/_types/_fsobj_id_t.h
+sys/_types/_gid_t.h
+sys/_types/_guid_t.h
+sys/_types/_id_t.h
+sys/_types/_in_addr_t.h
+sys/_types/_in_port_t.h
+sys/_types/_ino64_t.h
+sys/_types/_ino_t.h
+sys/_types/_int16_t.h
+sys/_types/_int32_t.h
+sys/_types/_int64_t.h
+sys/_types/_int8_t.h
+sys/_types/_intptr_t.h
+sys/_types/_iovec_t.h
+sys/_types/_key_t.h
+sys/_types/_mach_port_t.h
+sys/_types/_mbstate_t.h
+sys/_types/_mode_t.h
+sys/_types/_nlink_t.h
+sys/_types/_null.h
+sys/_types/_o_dsync.h
+sys/_types/_o_sync.h
+sys/_types/_off_t.h
+sys/_types/_offsetof.h
+sys/_types/_os_inline.h
+sys/_types/_pid_t.h
+sys/_types/_posix_vdisable.h
+sys/_types/_ptrdiff_t.h
+sys/_types/_rsize_t.h
+sys/_types/_rune_t.h
+sys/_types/_s_ifmt.h
+sys/_types/_sa_family_t.h
+sys/_types/_seek_set.h
+sys/_types/_sigaltstack.h
+sys/_types/_sigset_t.h
+sys/_types/_size_t.h
+sys/_types/_socklen_t.h
+sys/_types/_ssize_t.h
+sys/_types/_suseconds_t.h
+sys/_types/_time_t.h
+sys/_types/_timespec.h
+sys/_types/_timeval.h
+sys/_types/_timeval32.h
+sys/_types/_timeval64.h
+sys/_types/_u_char.h
+sys/_types/_u_int.h
+sys/_types/_u_int16_t.h
+sys/_types/_u_int32_t.h
+sys/_types/_u_int64_t.h
+sys/_types/_u_int8_t.h
+sys/_types/_u_short.h
+sys/_types/_ucontext.h
+sys/_types/_ucontext64.h
+sys/_types/_uid_t.h
+sys/_types/_uintptr_t.h
+sys/_types/_useconds_t.h
+sys/_types/_uuid_t.h
+sys/_types/_va_list.h
+sys/_types/_wchar_t.h
+sys/_types/_wint_t.h
+sys/acct.h
+sys/aio.h
+sys/appleapiopts.h
+sys/attr.h
+sys/buf.h
+sys/cdefs.h
+sys/clonefile.h
+sys/commpage.h
+sys/conf.h
+sys/dir.h
+sys/dirent.h
+sys/disk.h
+sys/dkstat.h
+sys/domain.h
+sys/dtrace.h
+sys/dtrace_glue.h
+sys/dtrace_impl.h
+sys/errno.h
+sys/ev.h
+sys/event.h
+sys/fasttrap.h
+sys/fasttrap_isa.h
+sys/fcntl.h
+sys/file.h
+sys/filedesc.h
+sys/filio.h
+sys/fsgetpath.h
+sys/gmon.h
+sys/ioccom.h
+sys/ioctl.h
+sys/ioctl_compat.h
+sys/ipc.h
+sys/kauth.h
+sys/kdebug.h
+sys/kdebug_signpost.h
+sys/kern_control.h
+sys/kern_event.h
+sys/kernel.h
+sys/kernel_types.h
+sys/lctx.h
+sys/loadable_fs.h
+sys/lock.h
+sys/lockf.h
+sys/lockstat.h
+sys/log_data.h
+sys/malloc.h
+sys/mbuf.h
+sys/mman.h
+sys/mount.h
+sys/msg.h
+sys/msgbuf.h
+sys/netport.h
+sys/param.h
+sys/paths.h
+sys/pipe.h
+sys/poll.h
+sys/posix_sem.h
+sys/posix_shm.h
+sys/proc.h
+sys/proc_info.h
+sys/protosw.h
+sys/ptrace.h
+sys/queue.h
+sys/quota.h
+sys/random.h
+sys/reboot.h
+sys/resource.h
+sys/resourcevar.h
+sys/sbuf.h
+sys/sdt.h
+sys/select.h
+sys/sem.h
+sys/semaphore.h
+sys/shm.h
+sys/signal.h
+sys/signalvar.h
+sys/snapshot.h
+sys/socket.h
+sys/socketvar.h
+sys/sockio.h
+sys/spawn.h
+sys/stat.h
+sys/stdio.h
+sys/sys_domain.h
+sys/syscall.h
+sys/sysctl.h
+sys/syslimits.h
+sys/syslog.h
+sys/termios.h
+sys/time.h
+sys/timeb.h
+sys/times.h
+sys/timex.h
+sys/tprintf.h
+sys/trace.h
+sys/tty.h
+sys/ttychars.h
+sys/ttycom.h
+sys/ttydefaults.h
+sys/ttydev.h
+sys/types.h
+sys/ubc.h
+sys/ucontext.h
+sys/ucred.h
+sys/uio.h
+sys/un.h
+sys/unistd.h
+sys/unpcb.h
+sys/user.h
+sys/utfconv.h
+sys/utsname.h
+sys/vadvise.h
+sys/vcmd.h
+sys/vm.h
+sys/vmmeter.h
+sys/vmparam.h
+sys/vnioctl.h
+sys/vnode.h
+sys/vnode_if.h
+sys/vsock.h
+sys/vstat.h
+sys/wait.h
+sys/xattr.h
+sys__types.modulemap
+sys_cdefs.modulemap
+sys_types.modulemap
+system-version-compat-support.h
+uuid/uuid.h
+vfs/vfs_support.h
+voucher/ipc_pthread_priority_types.h
diff --git a/nixpkgs/pkgs/os-specific/darwin/apple-source-releases/xnu/headers-x86_64.txt b/nixpkgs/pkgs/os-specific/darwin/apple-source-releases/xnu/headers-x86_64.txt
new file mode 100644
index 000000000000..8d7d9be7f218
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/darwin/apple-source-releases/xnu/headers-x86_64.txt
@@ -0,0 +1,1320 @@
+AssertMacros.h
+_errno.h
+_libkernel_init.h
+atm/atm_notification.defs
+atm/atm_types.defs
+atm/atm_types.h
+bank/bank_types.h
+bsd/bsm/audit.h
+bsd/dev/random/randomdev.h
+bsd/i386/_limits.h
+bsd/i386/_mcontext.h
+bsd/i386/_param.h
+bsd/i386/_types.h
+bsd/i386/endian.h
+bsd/i386/limits.h
+bsd/i386/param.h
+bsd/i386/profile.h
+bsd/i386/signal.h
+bsd/i386/types.h
+bsd/i386/vmparam.h
+bsd/libkern/libkern.h
+bsd/machine/_limits.h
+bsd/machine/_mcontext.h
+bsd/machine/_param.h
+bsd/machine/_types.h
+bsd/machine/byte_order.h
+bsd/machine/disklabel.h
+bsd/machine/endian.h
+bsd/machine/limits.h
+bsd/machine/param.h
+bsd/machine/profile.h
+bsd/machine/signal.h
+bsd/machine/spl.h
+bsd/machine/types.h
+bsd/machine/vmparam.h
+bsd/miscfs/devfs/devfs.h
+bsd/miscfs/devfs/devfs_proto.h
+bsd/miscfs/devfs/devfsdefs.h
+bsd/miscfs/devfs/fdesc.h
+bsd/miscfs/fifofs/fifo.h
+bsd/miscfs/specfs/specdev.h
+bsd/miscfs/union/union.h
+bsd/net/bpf.h
+bsd/net/dlil.h
+bsd/net/ethernet.h
+bsd/net/if.h
+bsd/net/if_arp.h
+bsd/net/if_dl.h
+bsd/net/if_ether.h
+bsd/net/if_llc.h
+bsd/net/if_media.h
+bsd/net/if_mib.h
+bsd/net/if_types.h
+bsd/net/if_utun.h
+bsd/net/if_var.h
+bsd/net/init.h
+bsd/net/kext_net.h
+bsd/net/kpi_interface.h
+bsd/net/kpi_interfacefilter.h
+bsd/net/kpi_protocol.h
+bsd/net/ndrv.h
+bsd/net/net_kev.h
+bsd/net/pfkeyv2.h
+bsd/net/radix.h
+bsd/net/route.h
+bsd/netinet/bootp.h
+bsd/netinet/icmp6.h
+bsd/netinet/icmp_var.h
+bsd/netinet/if_ether.h
+bsd/netinet/igmp.h
+bsd/netinet/igmp_var.h
+bsd/netinet/in.h
+bsd/netinet/in_arp.h
+bsd/netinet/in_pcb.h
+bsd/netinet/in_systm.h
+bsd/netinet/in_var.h
+bsd/netinet/ip.h
+bsd/netinet/ip6.h
+bsd/netinet/ip_icmp.h
+bsd/netinet/ip_var.h
+bsd/netinet/kpi_ipfilter.h
+bsd/netinet/tcp.h
+bsd/netinet/tcp_fsm.h
+bsd/netinet/tcp_seq.h
+bsd/netinet/tcp_timer.h
+bsd/netinet/tcp_var.h
+bsd/netinet/tcpip.h
+bsd/netinet/udp.h
+bsd/netinet/udp_var.h
+bsd/netinet6/ah.h
+bsd/netinet6/esp.h
+bsd/netinet6/in6.h
+bsd/netinet6/in6_var.h
+bsd/netinet6/ipcomp.h
+bsd/netinet6/ipsec.h
+bsd/netinet6/nd6.h
+bsd/netinet6/raw_ip6.h
+bsd/netinet6/scope6_var.h
+bsd/netkey/keysock.h
+bsd/security/audit/audit.h
+bsd/security/audit/audit_bsd.h
+bsd/security/audit/audit_ioctl.h
+bsd/security/audit/audit_private.h
+bsd/sys/_endian.h
+bsd/sys/_select.h
+bsd/sys/_structs.h
+bsd/sys/_types.h
+bsd/sys/_types/_blkcnt_t.h
+bsd/sys/_types/_blksize_t.h
+bsd/sys/_types/_clock_t.h
+bsd/sys/_types/_ct_rune_t.h
+bsd/sys/_types/_dev_t.h
+bsd/sys/_types/_errno_t.h
+bsd/sys/_types/_fd_clr.h
+bsd/sys/_types/_fd_copy.h
+bsd/sys/_types/_fd_def.h
+bsd/sys/_types/_fd_isset.h
+bsd/sys/_types/_fd_set.h
+bsd/sys/_types/_fd_setsize.h
+bsd/sys/_types/_fd_zero.h
+bsd/sys/_types/_filesec_t.h
+bsd/sys/_types/_fsblkcnt_t.h
+bsd/sys/_types/_fsfilcnt_t.h
+bsd/sys/_types/_fsid_t.h
+bsd/sys/_types/_fsobj_id_t.h
+bsd/sys/_types/_gid_t.h
+bsd/sys/_types/_guid_t.h
+bsd/sys/_types/_id_t.h
+bsd/sys/_types/_in_addr_t.h
+bsd/sys/_types/_in_port_t.h
+bsd/sys/_types/_ino64_t.h
+bsd/sys/_types/_ino_t.h
+bsd/sys/_types/_int16_t.h
+bsd/sys/_types/_int32_t.h
+bsd/sys/_types/_int64_t.h
+bsd/sys/_types/_int8_t.h
+bsd/sys/_types/_intptr_t.h
+bsd/sys/_types/_iovec_t.h
+bsd/sys/_types/_key_t.h
+bsd/sys/_types/_mach_port_t.h
+bsd/sys/_types/_mbstate_t.h
+bsd/sys/_types/_mode_t.h
+bsd/sys/_types/_nlink_t.h
+bsd/sys/_types/_null.h
+bsd/sys/_types/_o_dsync.h
+bsd/sys/_types/_o_sync.h
+bsd/sys/_types/_off_t.h
+bsd/sys/_types/_offsetof.h
+bsd/sys/_types/_os_inline.h
+bsd/sys/_types/_pid_t.h
+bsd/sys/_types/_posix_vdisable.h
+bsd/sys/_types/_ptrdiff_t.h
+bsd/sys/_types/_rsize_t.h
+bsd/sys/_types/_rune_t.h
+bsd/sys/_types/_s_ifmt.h
+bsd/sys/_types/_sa_family_t.h
+bsd/sys/_types/_seek_set.h
+bsd/sys/_types/_sigaltstack.h
+bsd/sys/_types/_sigset_t.h
+bsd/sys/_types/_size_t.h
+bsd/sys/_types/_socklen_t.h
+bsd/sys/_types/_ssize_t.h
+bsd/sys/_types/_suseconds_t.h
+bsd/sys/_types/_time_t.h
+bsd/sys/_types/_timespec.h
+bsd/sys/_types/_timeval.h
+bsd/sys/_types/_timeval32.h
+bsd/sys/_types/_timeval64.h
+bsd/sys/_types/_u_int16_t.h
+bsd/sys/_types/_u_int32_t.h
+bsd/sys/_types/_u_int64_t.h
+bsd/sys/_types/_u_int8_t.h
+bsd/sys/_types/_ucontext.h
+bsd/sys/_types/_ucontext64.h
+bsd/sys/_types/_uid_t.h
+bsd/sys/_types/_uintptr_t.h
+bsd/sys/_types/_useconds_t.h
+bsd/sys/_types/_user32_itimerval.h
+bsd/sys/_types/_user32_timespec.h
+bsd/sys/_types/_user32_timeval.h
+bsd/sys/_types/_user64_itimerval.h
+bsd/sys/_types/_user64_timespec.h
+bsd/sys/_types/_user64_timeval.h
+bsd/sys/_types/_user_timespec.h
+bsd/sys/_types/_user_timeval.h
+bsd/sys/_types/_uuid_t.h
+bsd/sys/_types/_va_list.h
+bsd/sys/_types/_wchar_t.h
+bsd/sys/_types/_wint_t.h
+bsd/sys/appleapiopts.h
+bsd/sys/attr.h
+bsd/sys/bsdtask_info.h
+bsd/sys/buf.h
+bsd/sys/cdefs.h
+bsd/sys/codesign.h
+bsd/sys/conf.h
+bsd/sys/content_protection.h
+bsd/sys/cprotect.h
+bsd/sys/csr.h
+bsd/sys/decmpfs.h
+bsd/sys/dir.h
+bsd/sys/dirent.h
+bsd/sys/disk.h
+bsd/sys/disklabel.h
+bsd/sys/disktab.h
+bsd/sys/dkstat.h
+bsd/sys/doc_tombstone.h
+bsd/sys/domain.h
+bsd/sys/errno.h
+bsd/sys/ev.h
+bsd/sys/event.h
+bsd/sys/eventvar.h
+bsd/sys/fbt.h
+bsd/sys/fcntl.h
+bsd/sys/file.h
+bsd/sys/file_internal.h
+bsd/sys/filedesc.h
+bsd/sys/fileport.h
+bsd/sys/filio.h
+bsd/sys/fsctl.h
+bsd/sys/fsevents.h
+bsd/sys/fslog.h
+bsd/sys/guarded.h
+bsd/sys/imgact.h
+bsd/sys/ioccom.h
+bsd/sys/ioctl.h
+bsd/sys/ioctl_compat.h
+bsd/sys/ipc.h
+bsd/sys/kasl.h
+bsd/sys/kauth.h
+bsd/sys/kdebug.h
+bsd/sys/kdebugevents.h
+bsd/sys/kern_control.h
+bsd/sys/kern_event.h
+bsd/sys/kern_memorystatus.h
+bsd/sys/kernel.h
+bsd/sys/kernel_types.h
+bsd/sys/kpi_mbuf.h
+bsd/sys/kpi_private.h
+bsd/sys/kpi_socket.h
+bsd/sys/kpi_socketfilter.h
+bsd/sys/ktrace.h
+bsd/sys/linker_set.h
+bsd/sys/lock.h
+bsd/sys/lockf.h
+bsd/sys/mach_swapon.h
+bsd/sys/malloc.h
+bsd/sys/mbuf.h
+bsd/sys/md5.h
+bsd/sys/memory_maintenance.h
+bsd/sys/mman.h
+bsd/sys/mount.h
+bsd/sys/mount_internal.h
+bsd/sys/msg.h
+bsd/sys/msgbuf.h
+bsd/sys/munge.h
+bsd/sys/namei.h
+bsd/sys/netport.h
+bsd/sys/param.h
+bsd/sys/paths.h
+bsd/sys/persona.h
+bsd/sys/pgo.h
+bsd/sys/pipe.h
+bsd/sys/posix_sem.h
+bsd/sys/posix_shm.h
+bsd/sys/priv.h
+bsd/sys/proc.h
+bsd/sys/proc_info.h
+bsd/sys/proc_internal.h
+bsd/sys/protosw.h
+bsd/sys/pthread_internal.h
+bsd/sys/pthread_shims.h
+bsd/sys/queue.h
+bsd/sys/quota.h
+bsd/sys/random.h
+bsd/sys/reason.h
+bsd/sys/resource.h
+bsd/sys/resourcevar.h
+bsd/sys/sbuf.h
+bsd/sys/select.h
+bsd/sys/sem.h
+bsd/sys/sem_internal.h
+bsd/sys/semaphore.h
+bsd/sys/shm.h
+bsd/sys/shm_internal.h
+bsd/sys/signal.h
+bsd/sys/signalvar.h
+bsd/sys/socket.h
+bsd/sys/socketvar.h
+bsd/sys/sockio.h
+bsd/sys/spawn.h
+bsd/sys/spawn_internal.h
+bsd/sys/stackshot.h
+bsd/sys/stat.h
+bsd/sys/stdio.h
+bsd/sys/sys_domain.h
+bsd/sys/syscall.h
+bsd/sys/sysctl.h
+bsd/sys/syslimits.h
+bsd/sys/syslog.h
+bsd/sys/sysproto.h
+bsd/sys/systm.h
+bsd/sys/termios.h
+bsd/sys/time.h
+bsd/sys/tree.h
+bsd/sys/tty.h
+bsd/sys/ttychars.h
+bsd/sys/ttycom.h
+bsd/sys/ttydefaults.h
+bsd/sys/ttydev.h
+bsd/sys/types.h
+bsd/sys/ubc.h
+bsd/sys/ucontext.h
+bsd/sys/ucred.h
+bsd/sys/uio.h
+bsd/sys/uio_internal.h
+bsd/sys/ulock.h
+bsd/sys/un.h
+bsd/sys/unistd.h
+bsd/sys/unpcb.h
+bsd/sys/user.h
+bsd/sys/utfconv.h
+bsd/sys/vfs_context.h
+bsd/sys/vm.h
+bsd/sys/vmmeter.h
+bsd/sys/vmparam.h
+bsd/sys/vnode.h
+bsd/sys/vnode_if.h
+bsd/sys/vnode_internal.h
+bsd/sys/wait.h
+bsd/sys/xattr.h
+bsd/uuid/uuid.h
+bsd/vfs/vfs_support.h
+bsd/vm/vnode_pager.h
+bsm/audit.h
+bsm/audit_domain.h
+bsm/audit_errno.h
+bsm/audit_fcntl.h
+bsm/audit_internal.h
+bsm/audit_kevents.h
+bsm/audit_record.h
+bsm/audit_socket_type.h
+corecrypto/cc.h
+corecrypto/cc_config.h
+corecrypto/cc_debug.h
+corecrypto/cc_macros.h
+corecrypto/cc_priv.h
+corecrypto/ccaes.h
+corecrypto/ccasn1.h
+corecrypto/cccmac.h
+corecrypto/ccder.h
+corecrypto/ccdes.h
+corecrypto/ccdigest.h
+corecrypto/ccdigest_priv.h
+corecrypto/ccdrbg.h
+corecrypto/ccdrbg_impl.h
+corecrypto/cchmac.h
+corecrypto/ccmd5.h
+corecrypto/ccmode.h
+corecrypto/ccmode_factory.h
+corecrypto/ccmode_impl.h
+corecrypto/ccmode_siv.h
+corecrypto/ccn.h
+corecrypto/ccpad.h
+corecrypto/ccpbkdf2.h
+corecrypto/ccrc4.h
+corecrypto/ccrng.h
+corecrypto/ccrng_system.h
+corecrypto/ccrsa.h
+corecrypto/ccsha1.h
+corecrypto/ccsha2.h
+corecrypto/cczp.h
+corpses/task_corpse.h
+default_pager/default_pager_types.h
+device/device.defs
+device/device_port.h
+device/device_types.defs
+device/device_types.h
+gethostuuid.h
+gethostuuid_private.h
+i386/_limits.h
+i386/_mcontext.h
+i386/_param.h
+i386/_types.h
+i386/eflags.h
+i386/endian.h
+i386/fasttrap_isa.h
+i386/limits.h
+i386/param.h
+i386/profile.h
+i386/signal.h
+i386/types.h
+i386/user_ldt.h
+i386/vmparam.h
+iokit/IOKit/AppleKeyStoreInterface.h
+iokit/IOKit/IOBSD.h
+iokit/IOKit/IOBufferMemoryDescriptor.h
+iokit/IOKit/IOCPU.h
+iokit/IOKit/IOCatalogue.h
+iokit/IOKit/IOCommand.h
+iokit/IOKit/IOCommandGate.h
+iokit/IOKit/IOCommandPool.h
+iokit/IOKit/IOCommandQueue.h
+iokit/IOKit/IOConditionLock.h
+iokit/IOKit/IODMACommand.h
+iokit/IOKit/IODMAController.h
+iokit/IOKit/IODMAEventSource.h
+iokit/IOKit/IODataQueue.h
+iokit/IOKit/IODataQueueShared.h
+iokit/IOKit/IODeviceMemory.h
+iokit/IOKit/IODeviceTreeSupport.h
+iokit/IOKit/IOEventSource.h
+iokit/IOKit/IOFilterInterruptEventSource.h
+iokit/IOKit/IOHibernatePrivate.h
+iokit/IOKit/IOInterleavedMemoryDescriptor.h
+iokit/IOKit/IOInterruptAccounting.h
+iokit/IOKit/IOInterruptController.h
+iokit/IOKit/IOInterruptEventSource.h
+iokit/IOKit/IOInterrupts.h
+iokit/IOKit/IOKernelReportStructs.h
+iokit/IOKit/IOKernelReporters.h
+iokit/IOKit/IOKitDebug.h
+iokit/IOKit/IOKitDiagnosticsUserClient.h
+iokit/IOKit/IOKitKeys.h
+iokit/IOKit/IOKitKeysPrivate.h
+iokit/IOKit/IOKitServer.h
+iokit/IOKit/IOLib.h
+iokit/IOKit/IOLocks.h
+iokit/IOKit/IOLocksPrivate.h
+iokit/IOKit/IOMapper.h
+iokit/IOKit/IOMemoryCursor.h
+iokit/IOKit/IOMemoryDescriptor.h
+iokit/IOKit/IOMessage.h
+iokit/IOKit/IOMultiMemoryDescriptor.h
+iokit/IOKit/IONVRAM.h
+iokit/IOKit/IONotifier.h
+iokit/IOKit/IOPlatformExpert.h
+iokit/IOKit/IOPolledInterface.h
+iokit/IOKit/IORangeAllocator.h
+iokit/IOKit/IORegistryEntry.h
+iokit/IOKit/IOReportMacros.h
+iokit/IOKit/IOReportTypes.h
+iokit/IOKit/IOReturn.h
+iokit/IOKit/IOService.h
+iokit/IOKit/IOServicePM.h
+iokit/IOKit/IOSharedDataQueue.h
+iokit/IOKit/IOSharedLock.h
+iokit/IOKit/IOStatistics.h
+iokit/IOKit/IOStatisticsPrivate.h
+iokit/IOKit/IOSubMemoryDescriptor.h
+iokit/IOKit/IOSyncer.h
+iokit/IOKit/IOTimeStamp.h
+iokit/IOKit/IOTimerEventSource.h
+iokit/IOKit/IOTypes.h
+iokit/IOKit/IOUserClient.h
+iokit/IOKit/IOWorkLoop.h
+iokit/IOKit/OSMessageNotification.h
+iokit/IOKit/assert.h
+iokit/IOKit/nvram/IONVRAMController.h
+iokit/IOKit/platform/AppleMacIO.h
+iokit/IOKit/platform/AppleMacIODevice.h
+iokit/IOKit/platform/AppleNMI.h
+iokit/IOKit/platform/ApplePlatformExpert.h
+iokit/IOKit/power/IOPwrController.h
+iokit/IOKit/pwr_mgt/IOPM.h
+iokit/IOKit/pwr_mgt/IOPMLibDefs.h
+iokit/IOKit/pwr_mgt/IOPMPowerSource.h
+iokit/IOKit/pwr_mgt/IOPMPowerSourceList.h
+iokit/IOKit/pwr_mgt/IOPMpowerState.h
+iokit/IOKit/pwr_mgt/IOPowerConnection.h
+iokit/IOKit/pwr_mgt/RootDomain.h
+iokit/IOKit/rtc/IORTCController.h
+iokit/IOKit/system.h
+iokit/IOKit/system_management/IOWatchDogTimer.h
+kern/exc_resource.h
+kern/kcdata.h
+kern/kern_cdata.h
+libkern/OSByteOrder.h
+libkern/OSDebug.h
+libkern/OSKextLib.h
+libkern/OSReturn.h
+libkern/OSTypes.h
+libkern/_OSByteOrder.h
+libkern/firehose/chunk_private.h
+libkern/firehose/firehose_types_private.h
+libkern/firehose/ioctl_private.h
+libkern/firehose/tracepoint_private.h
+libkern/i386/OSByteOrder.h
+libkern/i386/_OSByteOrder.h
+libkern/libkern/OSAtomic.h
+libkern/libkern/OSBase.h
+libkern/libkern/OSByteOrder.h
+libkern/libkern/OSDebug.h
+libkern/libkern/OSKextLib.h
+libkern/libkern/OSKextLibPrivate.h
+libkern/libkern/OSMalloc.h
+libkern/libkern/OSReturn.h
+libkern/libkern/OSSerializeBinary.h
+libkern/libkern/OSTypes.h
+libkern/libkern/_OSByteOrder.h
+libkern/libkern/c++/OSArray.h
+libkern/libkern/c++/OSBoolean.h
+libkern/libkern/c++/OSCPPDebug.h
+libkern/libkern/c++/OSCollection.h
+libkern/libkern/c++/OSCollectionIterator.h
+libkern/libkern/c++/OSContainers.h
+libkern/libkern/c++/OSData.h
+libkern/libkern/c++/OSDictionary.h
+libkern/libkern/c++/OSEndianTypes.h
+libkern/libkern/c++/OSIterator.h
+libkern/libkern/c++/OSKext.h
+libkern/libkern/c++/OSLib.h
+libkern/libkern/c++/OSMetaClass.h
+libkern/libkern/c++/OSNumber.h
+libkern/libkern/c++/OSObject.h
+libkern/libkern/c++/OSOrderedSet.h
+libkern/libkern/c++/OSSerialize.h
+libkern/libkern/c++/OSSet.h
+libkern/libkern/c++/OSString.h
+libkern/libkern/c++/OSSymbol.h
+libkern/libkern/c++/OSUnserialize.h
+libkern/libkern/crypto/aes.h
+libkern/libkern/crypto/aesxts.h
+libkern/libkern/crypto/crypto_internal.h
+libkern/libkern/crypto/des.h
+libkern/libkern/crypto/md5.h
+libkern/libkern/crypto/rand.h
+libkern/libkern/crypto/register_crypto.h
+libkern/libkern/crypto/rsa.h
+libkern/libkern/crypto/sha1.h
+libkern/libkern/crypto/sha2.h
+libkern/libkern/i386/OSByteOrder.h
+libkern/libkern/i386/_OSByteOrder.h
+libkern/libkern/kernel_mach_header.h
+libkern/libkern/kext_request_keys.h
+libkern/libkern/kxld.h
+libkern/libkern/kxld_types.h
+libkern/libkern/locks.h
+libkern/libkern/machine/OSByteOrder.h
+libkern/libkern/mkext.h
+libkern/libkern/prelink.h
+libkern/libkern/section_keywords.h
+libkern/libkern/stack_protector.h
+libkern/libkern/sysctl.h
+libkern/libkern/tree.h
+libkern/libkern/version.h
+libkern/libkern/zconf.h
+libkern/libkern/zlib.h
+libkern/machine/OSByteOrder.h
+libkern/os/base.h
+libkern/os/log.h
+libkern/os/log_private.h
+libkern/os/object.h
+libkern/os/object_private.h
+libkern/os/overflow.h
+libkern/os/trace.h
+libproc.h
+mach/audit_triggers.defs
+mach/boolean.h
+mach/bootstrap.h
+mach/clock.defs
+mach/clock.h
+mach/clock_priv.defs
+mach/clock_priv.h
+mach/clock_reply.defs
+mach/clock_reply.h
+mach/clock_types.defs
+mach/clock_types.h
+mach/dyld_kernel.h
+mach/error.h
+mach/exc.defs
+mach/exc.h
+mach/exception.h
+mach/exception_types.h
+mach/host_info.h
+mach/host_notify.h
+mach/host_notify_reply.defs
+mach/host_priv.defs
+mach/host_priv.h
+mach/host_reboot.h
+mach/host_security.defs
+mach/host_security.h
+mach/host_special_ports.h
+mach/i386/_structs.h
+mach/i386/asm.h
+mach/i386/boolean.h
+mach/i386/exception.h
+mach/i386/fp_reg.h
+mach/i386/kern_return.h
+mach/i386/ndr_def.h
+mach/i386/processor_info.h
+mach/i386/rpc.h
+mach/i386/sdt_isa.h
+mach/i386/thread_state.h
+mach/i386/thread_status.h
+mach/i386/vm_param.h
+mach/i386/vm_types.h
+mach/kern_return.h
+mach/kmod.h
+mach/lock_set.defs
+mach/lock_set.h
+mach/mach.h
+mach/mach_error.h
+mach/mach_exc.defs
+mach/mach_host.defs
+mach/mach_host.h
+mach/mach_init.h
+mach/mach_interface.h
+mach/mach_param.h
+mach/mach_port.defs
+mach/mach_port.h
+mach/mach_port_internal.h
+mach/mach_syscalls.h
+mach/mach_time.h
+mach/mach_traps.h
+mach/mach_types.defs
+mach/mach_types.h
+mach/mach_vm.defs
+mach/mach_vm.h
+mach/mach_vm_internal.h
+mach/mach_voucher.defs
+mach/mach_voucher.h
+mach/mach_voucher_attr_control.defs
+mach/mach_voucher_types.h
+mach/machine.h
+mach/machine/asm.h
+mach/machine/boolean.h
+mach/machine/exception.h
+mach/machine/kern_return.h
+mach/machine/machine_types.defs
+mach/machine/ndr_def.h
+mach/machine/processor_info.h
+mach/machine/rpc.h
+mach/machine/sdt.h
+mach/machine/sdt_isa.h
+mach/machine/thread_state.h
+mach/machine/thread_status.h
+mach/machine/vm_param.h
+mach/machine/vm_types.h
+mach/memory_object_types.h
+mach/message.h
+mach/mig.h
+mach/mig_errors.h
+mach/mig_strncpy_zerofill_support.h
+mach/mig_voucher_support.h
+mach/ndr.h
+mach/notify.defs
+mach/notify.h
+mach/policy.h
+mach/port.h
+mach/port_obj.h
+mach/processor.defs
+mach/processor.h
+mach/processor_info.h
+mach/processor_set.defs
+mach/processor_set.h
+mach/rpc.h
+mach/sdt.h
+mach/semaphore.h
+mach/shared_memory_server.h
+mach/shared_region.h
+mach/std_types.defs
+mach/std_types.h
+mach/sync.h
+mach/sync_policy.h
+mach/task.defs
+mach/task.h
+mach/task_access.defs
+mach/task_info.h
+mach/task_policy.h
+mach/task_special_ports.h
+mach/telemetry_notification.defs
+mach/thread_act.defs
+mach/thread_act.h
+mach/thread_act_internal.h
+mach/thread_info.h
+mach/thread_policy.h
+mach/thread_special_ports.h
+mach/thread_state.h
+mach/thread_status.h
+mach/thread_switch.h
+mach/time_value.h
+mach/vm_attributes.h
+mach/vm_behavior.h
+mach/vm_inherit.h
+mach/vm_map.defs
+mach/vm_map.h
+mach/vm_map_internal.h
+mach/vm_page_size.h
+mach/vm_param.h
+mach/vm_prot.h
+mach/vm_purgable.h
+mach/vm_region.h
+mach/vm_statistics.h
+mach/vm_sync.h
+mach/vm_task.h
+mach/vm_types.h
+mach_debug/hash_info.h
+mach_debug/ipc_info.h
+mach_debug/lockgroup_info.h
+mach_debug/mach_debug.h
+mach_debug/mach_debug_types.defs
+mach_debug/mach_debug_types.h
+mach_debug/page_info.h
+mach_debug/vm_info.h
+mach_debug/zone_info.h
+machine/_limits.h
+machine/_mcontext.h
+machine/_param.h
+machine/_types.h
+machine/byte_order.h
+machine/endian.h
+machine/fasttrap_isa.h
+machine/limits.h
+machine/param.h
+machine/profile.h
+machine/signal.h
+machine/types.h
+machine/vmparam.h
+miscfs/devfs/devfs.h
+miscfs/specfs/specdev.h
+miscfs/union/union.h
+net/bpf.h
+net/dlil.h
+net/ethernet.h
+net/if.h
+net/if_arp.h
+net/if_dl.h
+net/if_llc.h
+net/if_media.h
+net/if_mib.h
+net/if_types.h
+net/if_utun.h
+net/if_var.h
+net/kext_net.h
+net/ndrv.h
+net/net_kev.h
+net/pfkeyv2.h
+net/route.h
+netinet/bootp.h
+netinet/icmp6.h
+netinet/icmp_var.h
+netinet/if_ether.h
+netinet/igmp.h
+netinet/igmp_var.h
+netinet/in.h
+netinet/in_pcb.h
+netinet/in_systm.h
+netinet/in_var.h
+netinet/ip.h
+netinet/ip6.h
+netinet/ip_icmp.h
+netinet/ip_var.h
+netinet/tcp.h
+netinet/tcp_fsm.h
+netinet/tcp_seq.h
+netinet/tcp_timer.h
+netinet/tcp_var.h
+netinet/tcpip.h
+netinet/udp.h
+netinet/udp_var.h
+netinet6/ah.h
+netinet6/esp.h
+netinet6/in6.h
+netinet6/in6_var.h
+netinet6/ipcomp.h
+netinet6/ipsec.h
+netinet6/nd6.h
+netinet6/raw_ip6.h
+netinet6/scope6_var.h
+netkey/keysock.h
+nfs/krpc.h
+nfs/nfs.h
+nfs/nfs_gss.h
+nfs/nfs_ioctl.h
+nfs/nfs_lock.h
+nfs/nfsdiskless.h
+nfs/nfsm_subs.h
+nfs/nfsmount.h
+nfs/nfsnode.h
+nfs/nfsproto.h
+nfs/nfsrvcache.h
+nfs/rpcv2.h
+nfs/xdr_subs.h
+os/overflow.h
+os/tsd.h
+osfmk/UserNotification/KUNCUserNotifications.h
+osfmk/UserNotification/UNDReply.defs
+osfmk/UserNotification/UNDRequest.defs
+osfmk/UserNotification/UNDTypes.defs
+osfmk/UserNotification/UNDTypes.h
+osfmk/atm/atm_internal.h
+osfmk/atm/atm_notification.defs
+osfmk/atm/atm_types.defs
+osfmk/atm/atm_types.h
+osfmk/bank/bank_types.h
+osfmk/console/video_console.h
+osfmk/corpses/task_corpse.h
+osfmk/default_pager/default_pager_types.h
+osfmk/device/device.defs
+osfmk/device/device_port.h
+osfmk/device/device_types.defs
+osfmk/device/device_types.h
+osfmk/gssd/gssd_mach.defs
+osfmk/gssd/gssd_mach.h
+osfmk/gssd/gssd_mach_types.h
+osfmk/i386/apic.h
+osfmk/i386/asm.h
+osfmk/i386/atomic.h
+osfmk/i386/bit_routines.h
+osfmk/i386/cpu_capabilities.h
+osfmk/i386/cpu_data.h
+osfmk/i386/cpu_number.h
+osfmk/i386/cpu_topology.h
+osfmk/i386/cpuid.h
+osfmk/i386/eflags.h
+osfmk/i386/io_map_entries.h
+osfmk/i386/lapic.h
+osfmk/i386/lock.h
+osfmk/i386/locks.h
+osfmk/i386/machine_cpu.h
+osfmk/i386/machine_routines.h
+osfmk/i386/mp.h
+osfmk/i386/mp_desc.h
+osfmk/i386/mp_events.h
+osfmk/i386/mtrr.h
+osfmk/i386/pal_hibernate.h
+osfmk/i386/pal_native.h
+osfmk/i386/pal_routines.h
+osfmk/i386/panic_hooks.h
+osfmk/i386/pmCPU.h
+osfmk/i386/pmap.h
+osfmk/i386/proc_reg.h
+osfmk/i386/rtclock_protos.h
+osfmk/i386/seg.h
+osfmk/i386/simple_lock.h
+osfmk/i386/smp.h
+osfmk/i386/tsc.h
+osfmk/i386/tss.h
+osfmk/i386/ucode.h
+osfmk/i386/vmx.h
+osfmk/ipc/ipc_types.h
+osfmk/kdp/kdp_callout.h
+osfmk/kdp/kdp_dyld.h
+osfmk/kdp/kdp_en_debugger.h
+osfmk/kern/affinity.h
+osfmk/kern/assert.h
+osfmk/kern/audit_sessionport.h
+osfmk/kern/backtrace.h
+osfmk/kern/bits.h
+osfmk/kern/block_hint.h
+osfmk/kern/call_entry.h
+osfmk/kern/clock.h
+osfmk/kern/coalition.h
+osfmk/kern/cpu_data.h
+osfmk/kern/cpu_number.h
+osfmk/kern/debug.h
+osfmk/kern/ecc.h
+osfmk/kern/energy_perf.h
+osfmk/kern/exc_resource.h
+osfmk/kern/extmod_statistics.h
+osfmk/kern/host.h
+osfmk/kern/hv_support.h
+osfmk/kern/ipc_mig.h
+osfmk/kern/ipc_misc.h
+osfmk/kern/kalloc.h
+osfmk/kern/kcdata.h
+osfmk/kern/kern_cdata.h
+osfmk/kern/kern_types.h
+osfmk/kern/kext_alloc.h
+osfmk/kern/kpc.h
+osfmk/kern/ledger.h
+osfmk/kern/lock.h
+osfmk/kern/locks.h
+osfmk/kern/mach_param.h
+osfmk/kern/macro_help.h
+osfmk/kern/page_decrypt.h
+osfmk/kern/pms.h
+osfmk/kern/policy_internal.h
+osfmk/kern/processor.h
+osfmk/kern/queue.h
+osfmk/kern/sched_prim.h
+osfmk/kern/sfi.h
+osfmk/kern/simple_lock.h
+osfmk/kern/startup.h
+osfmk/kern/task.h
+osfmk/kern/telemetry.h
+osfmk/kern/thread.h
+osfmk/kern/thread_call.h
+osfmk/kern/timer_call.h
+osfmk/kern/waitq.h
+osfmk/kern/zalloc.h
+osfmk/kextd/kextd_mach.defs
+osfmk/kextd/kextd_mach.h
+osfmk/kperf/action.h
+osfmk/kperf/context.h
+osfmk/kperf/kdebug_trigger.h
+osfmk/kperf/kperf.h
+osfmk/kperf/kperf_timer.h
+osfmk/kperf/kperfbsd.h
+osfmk/kperf/pet.h
+osfmk/lockd/lockd_mach.defs
+osfmk/lockd/lockd_mach.h
+osfmk/lockd/lockd_mach_types.h
+osfmk/mach/audit_triggers.defs
+osfmk/mach/audit_triggers_server.h
+osfmk/mach/boolean.h
+osfmk/mach/branch_predicates.h
+osfmk/mach/clock.defs
+osfmk/mach/clock.h
+osfmk/mach/clock_priv.defs
+osfmk/mach/clock_priv.h
+osfmk/mach/clock_reply.defs
+osfmk/mach/clock_reply_server.h
+osfmk/mach/clock_types.defs
+osfmk/mach/clock_types.h
+osfmk/mach/coalition.h
+osfmk/mach/coalition_notification_server.h
+osfmk/mach/dyld_kernel.h
+osfmk/mach/error.h
+osfmk/mach/exc.defs
+osfmk/mach/exc_server.h
+osfmk/mach/exception.h
+osfmk/mach/exception_types.h
+osfmk/mach/host_info.h
+osfmk/mach/host_notify.h
+osfmk/mach/host_notify_reply.defs
+osfmk/mach/host_priv.defs
+osfmk/mach/host_priv.h
+osfmk/mach/host_reboot.h
+osfmk/mach/host_security.defs
+osfmk/mach/host_security.h
+osfmk/mach/host_special_ports.h
+osfmk/mach/i386/_structs.h
+osfmk/mach/i386/asm.h
+osfmk/mach/i386/boolean.h
+osfmk/mach/i386/exception.h
+osfmk/mach/i386/fp_reg.h
+osfmk/mach/i386/kern_return.h
+osfmk/mach/i386/ndr_def.h
+osfmk/mach/i386/processor_info.h
+osfmk/mach/i386/rpc.h
+osfmk/mach/i386/sdt_isa.h
+osfmk/mach/i386/syscall_sw.h
+osfmk/mach/i386/thread_state.h
+osfmk/mach/i386/thread_status.h
+osfmk/mach/i386/vm_param.h
+osfmk/mach/i386/vm_types.h
+osfmk/mach/kern_return.h
+osfmk/mach/kmod.h
+osfmk/mach/ktrace_background.h
+osfmk/mach/lock_set.defs
+osfmk/mach/lock_set.h
+osfmk/mach/mach_exc.defs
+osfmk/mach/mach_exc_server.h
+osfmk/mach/mach_host.defs
+osfmk/mach/mach_host.h
+osfmk/mach/mach_interface.h
+osfmk/mach/mach_param.h
+osfmk/mach/mach_port.defs
+osfmk/mach/mach_port.h
+osfmk/mach/mach_syscalls.h
+osfmk/mach/mach_time.h
+osfmk/mach/mach_traps.h
+osfmk/mach/mach_types.defs
+osfmk/mach/mach_types.h
+osfmk/mach/mach_vm.defs
+osfmk/mach/mach_vm.h
+osfmk/mach/mach_voucher.defs
+osfmk/mach/mach_voucher.h
+osfmk/mach/mach_voucher_attr_control.defs
+osfmk/mach/mach_voucher_attr_control.h
+osfmk/mach/mach_voucher_types.h
+osfmk/mach/machine.h
+osfmk/mach/machine/asm.h
+osfmk/mach/machine/boolean.h
+osfmk/mach/machine/exception.h
+osfmk/mach/machine/kern_return.h
+osfmk/mach/machine/machine_types.defs
+osfmk/mach/machine/ndr_def.h
+osfmk/mach/machine/processor_info.h
+osfmk/mach/machine/rpc.h
+osfmk/mach/machine/sdt.h
+osfmk/mach/machine/sdt_isa.h
+osfmk/mach/machine/syscall_sw.h
+osfmk/mach/machine/thread_state.h
+osfmk/mach/machine/thread_status.h
+osfmk/mach/machine/vm_param.h
+osfmk/mach/machine/vm_types.h
+osfmk/mach/memory_object_control.h
+osfmk/mach/memory_object_default_server.h
+osfmk/mach/memory_object_types.h
+osfmk/mach/message.h
+osfmk/mach/mig.h
+osfmk/mach/mig_errors.h
+osfmk/mach/mig_strncpy_zerofill_support.h
+osfmk/mach/mig_voucher_support.h
+osfmk/mach/ndr.h
+osfmk/mach/notify.defs
+osfmk/mach/notify.h
+osfmk/mach/notify_server.h
+osfmk/mach/policy.h
+osfmk/mach/port.h
+osfmk/mach/processor.defs
+osfmk/mach/processor.h
+osfmk/mach/processor_info.h
+osfmk/mach/processor_set.defs
+osfmk/mach/processor_set.h
+osfmk/mach/resource_monitors.h
+osfmk/mach/rpc.h
+osfmk/mach/sdt.h
+osfmk/mach/semaphore.h
+osfmk/mach/sfi_class.h
+osfmk/mach/shared_memory_server.h
+osfmk/mach/shared_region.h
+osfmk/mach/std_types.defs
+osfmk/mach/std_types.h
+osfmk/mach/sync_policy.h
+osfmk/mach/syscall_sw.h
+osfmk/mach/sysdiagnose_notification_server.h
+osfmk/mach/task.defs
+osfmk/mach/task.h
+osfmk/mach/task_access.defs
+osfmk/mach/task_access.h
+osfmk/mach/task_access_server.h
+osfmk/mach/task_info.h
+osfmk/mach/task_policy.h
+osfmk/mach/task_special_ports.h
+osfmk/mach/telemetry_notification.defs
+osfmk/mach/telemetry_notification_server.h
+osfmk/mach/thread_act.defs
+osfmk/mach/thread_act.h
+osfmk/mach/thread_info.h
+osfmk/mach/thread_policy.h
+osfmk/mach/thread_special_ports.h
+osfmk/mach/thread_status.h
+osfmk/mach/thread_switch.h
+osfmk/mach/time_value.h
+osfmk/mach/upl.h
+osfmk/mach/vm_attributes.h
+osfmk/mach/vm_behavior.h
+osfmk/mach/vm_inherit.h
+osfmk/mach/vm_map.defs
+osfmk/mach/vm_map.h
+osfmk/mach/vm_param.h
+osfmk/mach/vm_prot.h
+osfmk/mach/vm_purgable.h
+osfmk/mach/vm_region.h
+osfmk/mach/vm_statistics.h
+osfmk/mach/vm_sync.h
+osfmk/mach/vm_types.h
+osfmk/mach_debug/hash_info.h
+osfmk/mach_debug/ipc_info.h
+osfmk/mach_debug/lockgroup_info.h
+osfmk/mach_debug/mach_debug.h
+osfmk/mach_debug/mach_debug_types.defs
+osfmk/mach_debug/mach_debug_types.h
+osfmk/mach_debug/page_info.h
+osfmk/mach_debug/vm_info.h
+osfmk/mach_debug/zone_info.h
+osfmk/machine/atomic.h
+osfmk/machine/cpu_capabilities.h
+osfmk/machine/cpu_number.h
+osfmk/machine/io_map_entries.h
+osfmk/machine/lock.h
+osfmk/machine/locks.h
+osfmk/machine/machine_cpuid.h
+osfmk/machine/machine_kpc.h
+osfmk/machine/machine_routines.h
+osfmk/machine/pal_hibernate.h
+osfmk/machine/pal_routines.h
+osfmk/machine/simple_lock.h
+osfmk/prng/random.h
+osfmk/string.h
+osfmk/vm/WKdm_new.h
+osfmk/vm/pmap.h
+osfmk/vm/vm_compressor_algorithms.h
+osfmk/vm/vm_fault.h
+osfmk/vm/vm_kern.h
+osfmk/vm/vm_map.h
+osfmk/vm/vm_options.h
+osfmk/vm/vm_pageout.h
+osfmk/vm/vm_protos.h
+osfmk/vm/vm_shared_region.h
+osfmk/voucher/ipc_pthread_priority_types.h
+osfmk/x86_64/machine_kpc.h
+pexpert/boot.h
+pexpert/i386/boot.h
+pexpert/i386/efi.h
+pexpert/i386/protos.h
+pexpert/machine/boot.h
+pexpert/machine/protos.h
+pexpert/pexpert.h
+pexpert/pexpert/boot.h
+pexpert/pexpert/device_tree.h
+pexpert/pexpert/i386/boot.h
+pexpert/pexpert/i386/efi.h
+pexpert/pexpert/i386/protos.h
+pexpert/pexpert/machine/boot.h
+pexpert/pexpert/machine/protos.h
+pexpert/pexpert/pexpert.h
+pexpert/pexpert/protos.h
+pexpert/protos.h
+security/audit/audit_ioctl.h
+security/mac.h
+security/mac_policy.h
+security/security/_label.h
+security/security/mac.h
+security/security/mac_alloc.h
+security/security/mac_data.h
+security/security/mac_framework.h
+security/security/mac_internal.h
+security/security/mac_mach_internal.h
+security/security/mac_policy.h
+servers/key_defs.h
+servers/ls_defs.h
+servers/netname.h
+servers/netname_defs.h
+servers/nm_defs.h
+spawn.h
+sys/_endian.h
+sys/_posix_availability.h
+sys/_select.h
+sys/_structs.h
+sys/_symbol_aliasing.h
+sys/_types.h
+sys/_types/_blkcnt_t.h
+sys/_types/_blksize_t.h
+sys/_types/_clock_t.h
+sys/_types/_ct_rune_t.h
+sys/_types/_dev_t.h
+sys/_types/_errno_t.h
+sys/_types/_fd_clr.h
+sys/_types/_fd_copy.h
+sys/_types/_fd_def.h
+sys/_types/_fd_isset.h
+sys/_types/_fd_set.h
+sys/_types/_fd_setsize.h
+sys/_types/_fd_zero.h
+sys/_types/_filesec_t.h
+sys/_types/_fsblkcnt_t.h
+sys/_types/_fsfilcnt_t.h
+sys/_types/_fsid_t.h
+sys/_types/_fsobj_id_t.h
+sys/_types/_gid_t.h
+sys/_types/_guid_t.h
+sys/_types/_id_t.h
+sys/_types/_in_addr_t.h
+sys/_types/_in_port_t.h
+sys/_types/_ino64_t.h
+sys/_types/_ino_t.h
+sys/_types/_int16_t.h
+sys/_types/_int32_t.h
+sys/_types/_int64_t.h
+sys/_types/_int8_t.h
+sys/_types/_intptr_t.h
+sys/_types/_iovec_t.h
+sys/_types/_key_t.h
+sys/_types/_mach_port_t.h
+sys/_types/_mbstate_t.h
+sys/_types/_mode_t.h
+sys/_types/_nlink_t.h
+sys/_types/_null.h
+sys/_types/_o_dsync.h
+sys/_types/_o_sync.h
+sys/_types/_off_t.h
+sys/_types/_offsetof.h
+sys/_types/_os_inline.h
+sys/_types/_pid_t.h
+sys/_types/_posix_vdisable.h
+sys/_types/_ptrdiff_t.h
+sys/_types/_rsize_t.h
+sys/_types/_rune_t.h
+sys/_types/_s_ifmt.h
+sys/_types/_sa_family_t.h
+sys/_types/_seek_set.h
+sys/_types/_sigaltstack.h
+sys/_types/_sigset_t.h
+sys/_types/_size_t.h
+sys/_types/_socklen_t.h
+sys/_types/_ssize_t.h
+sys/_types/_suseconds_t.h
+sys/_types/_time_t.h
+sys/_types/_timespec.h
+sys/_types/_timeval.h
+sys/_types/_timeval32.h
+sys/_types/_timeval64.h
+sys/_types/_u_int16_t.h
+sys/_types/_u_int32_t.h
+sys/_types/_u_int64_t.h
+sys/_types/_u_int8_t.h
+sys/_types/_ucontext.h
+sys/_types/_ucontext64.h
+sys/_types/_uid_t.h
+sys/_types/_uintptr_t.h
+sys/_types/_useconds_t.h
+sys/_types/_uuid_t.h
+sys/_types/_va_list.h
+sys/_types/_wchar_t.h
+sys/_types/_wint_t.h
+sys/acct.h
+sys/aio.h
+sys/appleapiopts.h
+sys/attr.h
+sys/buf.h
+sys/cdefs.h
+sys/clonefile.h
+sys/conf.h
+sys/dir.h
+sys/dirent.h
+sys/disk.h
+sys/dkstat.h
+sys/domain.h
+sys/dtrace.h
+sys/dtrace_glue.h
+sys/dtrace_impl.h
+sys/errno.h
+sys/ev.h
+sys/event.h
+sys/fasttrap.h
+sys/fasttrap_isa.h
+sys/fcntl.h
+sys/file.h
+sys/filedesc.h
+sys/filio.h
+sys/gmon.h
+sys/ioccom.h
+sys/ioctl.h
+sys/ioctl_compat.h
+sys/ipc.h
+sys/kauth.h
+sys/kdebug.h
+sys/kdebug_signpost.h
+sys/kern_control.h
+sys/kern_event.h
+sys/kernel.h
+sys/kernel_types.h
+sys/lctx.h
+sys/loadable_fs.h
+sys/lock.h
+sys/lockf.h
+sys/lockstat.h
+sys/malloc.h
+sys/mbuf.h
+sys/mman.h
+sys/mount.h
+sys/msg.h
+sys/msgbuf.h
+sys/netport.h
+sys/param.h
+sys/paths.h
+sys/pipe.h
+sys/poll.h
+sys/posix_sem.h
+sys/posix_shm.h
+sys/proc.h
+sys/proc_info.h
+sys/protosw.h
+sys/ptrace.h
+sys/queue.h
+sys/quota.h
+sys/random.h
+sys/reboot.h
+sys/resource.h
+sys/resourcevar.h
+sys/sbuf.h
+sys/sdt.h
+sys/select.h
+sys/sem.h
+sys/semaphore.h
+sys/shm.h
+sys/signal.h
+sys/signalvar.h
+sys/socket.h
+sys/socketvar.h
+sys/sockio.h
+sys/spawn.h
+sys/stat.h
+sys/stdio.h
+sys/sys_domain.h
+sys/syscall.h
+sys/sysctl.h
+sys/syslimits.h
+sys/syslog.h
+sys/termios.h
+sys/time.h
+sys/timeb.h
+sys/times.h
+sys/tprintf.h
+sys/trace.h
+sys/tty.h
+sys/ttychars.h
+sys/ttycom.h
+sys/ttydefaults.h
+sys/ttydev.h
+sys/types.h
+sys/ubc.h
+sys/ucontext.h
+sys/ucred.h
+sys/uio.h
+sys/un.h
+sys/unistd.h
+sys/unpcb.h
+sys/user.h
+sys/utfconv.h
+sys/utsname.h
+sys/vadvise.h
+sys/vcmd.h
+sys/vm.h
+sys/vmmeter.h
+sys/vmparam.h
+sys/vnioctl.h
+sys/vnode.h
+sys/vnode_if.h
+sys/vstat.h
+sys/wait.h
+sys/xattr.h
+uuid/uuid.h
+vfs/vfs_support.h
+voucher/ipc_pthread_priority_types.h
diff --git a/nixpkgs/pkgs/os-specific/darwin/apple-source-releases/xnu/python3.patch b/nixpkgs/pkgs/os-specific/darwin/apple-source-releases/xnu/python3.patch
new file mode 100644
index 000000000000..9f29376187f4
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/darwin/apple-source-releases/xnu/python3.patch
@@ -0,0 +1,41 @@
+diff --git a/bsd/kern/makekdebugevents.py b/bsd/kern/makekdebugevents.py
+index 73b2db4..d354ba0 100755
+--- a/bsd/kern/makekdebugevents.py
++++ b/bsd/kern/makekdebugevents.py
+@@ -5,7 +5,7 @@
+ # named kd_events[] or these mappings.
+ # Required to generate a header file used by DEVELOPMENT and DEBUG kernels.
+ #
+- 
++
+ import sys
+ import re
+ 
+@@ -21,18 +21,18 @@ code_table = []
+ # scan file to generate internal table
+ with open(trace_code_file, 'rt') as codes:
+     for line in codes:
+-	m = id_name_pattern.match(line)
+-	if m:
++        m = id_name_pattern.match(line)
++        if m:
+             code_table += [(int(m.group(1),base=16), m.group(2))]
+ 
+ # emit typedef:
+-print "typedef struct {"
+-print "        uint32_t   id;"
+-print "        const char *name;"
+-print "} kd_event_t;"
++print("typedef struct {")
++print("        uint32_t   id;")
++print("        const char *name;")
++print("} kd_event_t;")
+ # emit structure declaration and sorted initialization:
+-print "kd_event_t kd_events[] = {"
++print("kd_event_t kd_events[] = {")
+ for mapping in sorted(code_table, key=lambda x: x[0]):
+-        print "        {0x%x, \"%s\"}," % mapping
+-print "};"
++        print("        {0x%x, \"%s\"}," % mapping)
++print("};")
+ 
diff --git a/nixpkgs/pkgs/os-specific/darwin/asitop/default.nix b/nixpkgs/pkgs/os-specific/darwin/asitop/default.nix
new file mode 100644
index 000000000000..071b6324df3e
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/darwin/asitop/default.nix
@@ -0,0 +1,33 @@
+{ lib
+, python3
+, fetchPypi
+}:
+
+python3.pkgs.buildPythonApplication rec {
+  pname = "asitop";
+  version = "0.0.23";
+  format = "setuptools";
+
+  disabled = python3.pythonOlder "3.7";
+
+  src = fetchPypi {
+    inherit pname version;
+    hash = "sha256-BNncgQRNAd6Pgur5D1xVQi3LSsijSAYIYvhsuiVyi9Q=";
+  };
+
+  # has no tests
+  doCheck = false;
+
+  propagatedBuildInputs = with python3.pkgs; [
+    dashing
+    psutil
+  ];
+
+  meta = with lib; {
+    homepage = "https://github.com/tlkh/asitop";
+    description = "Perf monitoring CLI tool for Apple Silicon";
+    platforms = platforms.darwin;
+    license = licenses.mit;
+    maintainers = with maintainers; [ juliusrickert ];
+  };
+}
diff --git a/nixpkgs/pkgs/os-specific/darwin/bartender/default.nix b/nixpkgs/pkgs/os-specific/darwin/bartender/default.nix
new file mode 100644
index 000000000000..4aca240cba16
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/darwin/bartender/default.nix
@@ -0,0 +1,48 @@
+{ lib
+, stdenvNoCC
+, fetchurl
+, undmg
+}:
+
+stdenvNoCC.mkDerivation (finalAttrs: {
+  pname = "bartender";
+  version = "4.2.21";
+
+  src = fetchurl {
+    name = "Bartender 4.dmg";
+    url = "https://www.macbartender.com/B2/updates/${builtins.replaceStrings [ "." ] [ "-" ] finalAttrs.version}/Bartender%204.dmg";
+    hash = "sha256-KL4Wy8adGiYmxaDkhGJjwobU5szpW2j7ObgHyp02Dow=";
+  };
+
+  dontPatch = true;
+  dontConfigure = true;
+  dontBuild = true;
+  dontFixup = true;
+
+  nativeBuildInputs = [ undmg ];
+
+  sourceRoot = "Bartender 4.app";
+
+  installPhase = ''
+    runHook preInstall
+
+    mkdir -p $out/Applications/Bartender\ 4.app
+    cp -R . $out/Applications/Bartender\ 4.app
+
+    runHook postInstall
+  '';
+
+  meta = with lib; {
+    description = "Take control of your menu bar";
+    longDescription = ''
+      Bartender is an award-winning app for macOS that superpowers your menu bar, giving you total control over your menu bar items, what's displayed, and when, with menu bar items only showing when you need them.
+      Bartender improves your workflow with quick reveal, search, custom hotkeys and triggers, and lots more.
+    '';
+    homepage = "https://www.macbartender.com";
+    changelog = "https://www.macbartender.com/Bartender4/release_notes";
+    license = with licenses; [ unfree ];
+    sourceProvenance = with sourceTypes; [ binaryNativeCode ];
+    maintainers = with maintainers; [ stepbrobd ];
+    platforms = [ "aarch64-darwin" "x86_64-darwin" ];
+  };
+})
diff --git a/nixpkgs/pkgs/os-specific/darwin/binutils/default.nix b/nixpkgs/pkgs/os-specific/darwin/binutils/default.nix
new file mode 100644
index 000000000000..d7bdac6ceea3
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/darwin/binutils/default.nix
@@ -0,0 +1,99 @@
+{ lib, stdenv, makeWrapper, binutils-unwrapped, cctools, llvm, clang-unwrapped, dualAs ? false }:
+
+# Make sure both underlying packages claim to have prepended their binaries
+# with the same targetPrefix.
+assert binutils-unwrapped.targetPrefix == cctools.targetPrefix;
+
+let
+  inherit (binutils-unwrapped) targetPrefix;
+  cmds = [
+    "ar" "ranlib" "as" "install_name_tool"
+    "ld" "strip" "otool" "lipo" "nm" "strings" "size"
+    "codesign_allocate"
+  ];
+in
+
+# TODO: loop over targetPrefixed binaries too
+stdenv.mkDerivation {
+  pname = "${targetPrefix}cctools-binutils-darwin" + lib.optionalString dualAs "-dualas";
+  inherit (cctools) version;
+  outputs = [ "out" "man" ];
+  buildCommand = ''
+    mkdir -p $out/bin $out/include
+
+    ln -s ${binutils-unwrapped.out}/bin/${targetPrefix}c++filt $out/bin/${targetPrefix}c++filt
+
+    # We specifically need:
+    # - ld: binutils doesn't provide it on darwin
+    # - as: as above
+    # - ar: the binutils one produces .a files that the cctools ld doesn't like
+    # - ranlib: for compatibility with ar
+    # - otool: we use it for some of our name mangling
+    # - install_name_tool: we use it to rewrite stuff in our bootstrap tools
+    # - strip: the binutils one seems to break mach-o files
+    # - lipo: gcc build assumes it exists
+    # - nm: the gnu one doesn't understand many new load commands
+    for i in ${lib.concatStringsSep " " (builtins.map (e: targetPrefix + e) cmds)}; do
+      ln -sf "${cctools}/bin/$i" "$out/bin/$i"
+    done
+
+    ln -s ${llvm}/bin/dsymutil $out/bin/dsymutil
+
+    ln -s ${binutils-unwrapped.out}/share $out/share
+
+    ln -s ${cctools}/libexec $out/libexec
+
+    mkdir -p "$man"/share/man/man{1,5}
+    for i in ${builtins.concatStringsSep " " cmds}; do
+      for path in "${cctools.man}"/share/man/man?/$i.*; do
+        dest_path="$man''${path#${cctools.man}}"
+        ln -sv "$path" "$dest_path"
+      done
+    done
+  ''
+  # On aarch64-darwin we must use clang, because "as" from cctools just doesn't
+  # handle the arch. Proxying calls to clang produces quite a bit of warnings,
+  # and using clang directly here is a better option than relying on cctools.
+  # On x86_64-darwin the Clang version is too old to support this mode.
+  + lib.optionalString stdenv.isAarch64 ''
+    rm $out/bin/${targetPrefix}as
+    makeWrapper "${clang-unwrapped}/bin/clang" "$out/bin/${targetPrefix}as" \
+      --add-flags "-x assembler -integrated-as -c"
+  ''
+  # x86-64 Darwin gnat-bootstrap emits assembly
+  # with MOVQ as the mnemonic for quadword interunit moves
+  # such as `movq %rbp, %xmm0`.
+  # The clang integrated assembler recognises this as valid,
+  # but unfortunately the cctools-port GNU assembler does not;
+  # it instead uses MOVD as the mnemonic.
+  # The assembly that a GCC build emits is determined at build time
+  # and cannot be changed afterwards.
+  #
+  # To build GNAT on x86-64 Darwin, therefore,
+  # we need both the clang _and_ the cctools-port assemblers to be available:
+  # the former to build at least the stage1 compiler,
+  # and the latter at least to be detectable
+  # as the target for the final compiler.
+  #
+  # We choose to match the Aarch64 case above,
+  # wrapping the clang integrated assembler as `as`.
+  # It then seems sensible to wrap the cctools GNU assembler as `gas`.
+  #
+  + lib.optionalString (stdenv.isx86_64 && dualAs) ''
+    mv $out/bin/${targetPrefix}as $out/bin/${targetPrefix}gas
+    makeWrapper "${clang-unwrapped}/bin/clang" "$out/bin/${targetPrefix}as" \
+      --add-flags "-x assembler -integrated-as -c"
+  '';
+
+  nativeBuildInputs = lib.optionals (stdenv.isAarch64 || dualAs) [ makeWrapper ];
+
+  passthru = {
+    inherit targetPrefix;
+    isCCTools = true;
+  };
+
+  meta = {
+    maintainers = with lib.maintainers; [ matthewbauer ];
+    priority = 10;
+  };
+}
diff --git a/nixpkgs/pkgs/os-specific/darwin/cctools/apple.nix b/nixpkgs/pkgs/os-specific/darwin/cctools/apple.nix
new file mode 100644
index 000000000000..7adcfa9539a2
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/darwin/cctools/apple.nix
@@ -0,0 +1,122 @@
+{ lib, stdenv, fetchFromGitHub, symlinkJoin, xcbuildHook, tcsh, libobjc, libtapi, libunwind, llvm, memstreamHook, xar }:
+
+let
+
+cctools = stdenv.mkDerivation rec {
+  pname = "cctools";
+  version = "973.0.1";
+
+  src = fetchFromGitHub {
+    owner = "apple-oss-distributions";
+    repo = "cctools";
+    rev = "${pname}-${version}";
+    hash = "sha256-0NlDqy3zeg4D0MbDipx0sMYDfzYa63Jxfsckzz/928o=";
+  };
+
+  patches = [
+    ./cctools-add-missing-vtool-libstuff-dep.patch
+  ];
+
+  postPatch = ''
+    for file in libstuff/writeout.c misc/libtool.c misc/lipo.c; do
+      substituteInPlace "$file" \
+        --replace '__builtin_available(macOS 10.12, *)' '0'
+    done
+    substituteInPlace libmacho/swap.c \
+      --replace '#ifndef RLD' '#if 1'
+  '';
+
+  nativeBuildInputs = [ xcbuildHook memstreamHook ];
+  buildInputs = [ libobjc llvm ];
+
+  xcbuildFlags = [
+    "MACOSX_DEPLOYMENT_TARGET=10.12"
+  ];
+
+  doCheck = true;
+  checkPhase = ''
+    runHook preCheck
+
+    Products/Release/libstuff_test
+    rm Products/Release/libstuff_test
+
+    runHook postCheck
+  '';
+
+  installPhase = ''
+    runHook preInstall
+
+    rm -rf "$out/usr"
+    mkdir -p "$out/bin"
+    find Products/Release -maxdepth 1 -type f -perm 755 -exec cp {} "$out/bin/" \;
+    cp -r include "$out/"
+
+    ln -s ./nm-classic "$out"/bin/nm
+    ln -s ./otool-classic "$out"/bin/otool
+
+    runHook postInstall
+  '';
+};
+
+ld64 = stdenv.mkDerivation rec {
+  pname = "ld64";
+  version = "609";
+
+  src = fetchFromGitHub {
+    owner = "apple-oss-distributions";
+    repo = "ld64";
+    rev = "${pname}-${version}";
+    hash = "sha256-WAaphem6NS4eCHL/pISlDXnO1CDYTgSrVGzcothh4/Q=";
+  };
+
+  postPatch = ''
+    substituteInPlace ld64.xcodeproj/project.pbxproj \
+      --replace "/bin/csh" "${tcsh}/bin/tcsh" \
+      --replace 'F9E8D4BE07FCAF2A00FD5801 /* PBXBuildRule */,' "" \
+      --replace 'F9E8D4BD07FCAF2000FD5801 /* PBXBuildRule */,' ""
+
+    sed -i src/ld/Options.cpp -e '1iconst char ldVersionString[] = "${version}";'
+  '';
+
+  nativeBuildInputs = [ xcbuildHook ];
+  buildInputs = [
+    libtapi
+    libunwind
+    llvm
+    xar
+  ];
+
+  installPhase = ''
+    runHook preInstall
+
+    mkdir -p "$out/bin"
+    find Products/Release-assert -maxdepth 1 -type f -perm 755 -exec cp {} "$out/bin/" \;
+
+    runHook postInstall
+  '';
+};
+
+in
+
+symlinkJoin rec {
+  name = "cctools-${version}";
+  version = "${cctools.version}-${ld64.version}";
+
+  paths = [
+    cctools
+    ld64
+  ];
+
+  # workaround for the fetch-tarballs script
+  passthru = {
+    inherit (cctools) src;
+    ld64_src = ld64.src;
+  };
+
+  meta = with lib; {
+    description = "MacOS Compiler Tools";
+    homepage = "http://www.opensource.apple.com/source/cctools/";
+    license = licenses.apsl20;
+    platforms = platforms.darwin;
+  };
+}
diff --git a/nixpkgs/pkgs/os-specific/darwin/cctools/cctools-add-missing-vtool-libstuff-dep.patch b/nixpkgs/pkgs/os-specific/darwin/cctools/cctools-add-missing-vtool-libstuff-dep.patch
new file mode 100644
index 000000000000..1cd65ec6bcf1
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/darwin/cctools/cctools-add-missing-vtool-libstuff-dep.patch
@@ -0,0 +1,11 @@
+diff -ru a/cctools.xcodeproj/project.pbxproj b/cctools.xcodeproj/project.pbxproj
+--- a/cctools.xcodeproj/project.pbxproj	2021-02-24 20:30:55.000000000 -0500
++++ b/cctools.xcodeproj/project.pbxproj	2022-01-31 20:01:09.000000000 -0500
+@@ -2558,6 +2558,7 @@
+ 			isa = PBXFrameworksBuildPhase;
+ 			buildActionMask = 2147483647;
+ 			files = (
++				DE97E92421F3B86100C7947D /* libstuff.a in Frameworks */,
+ 			);
+ 			runOnlyForDeploymentPostprocessing = 0;
+ 		};
diff --git a/nixpkgs/pkgs/os-specific/darwin/cctools/darwin-memstream.patch b/nixpkgs/pkgs/os-specific/darwin/cctools/darwin-memstream.patch
new file mode 100644
index 000000000000..3e0d0a43ba8d
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/darwin/cctools/darwin-memstream.patch
@@ -0,0 +1,17 @@
+--- a/cctools/include/stuff/diagnostics.h
++++ b/cctools/include/stuff/diagnostics.h
+@@ -60,13 +60,6 @@ void diagnostics_log_msg(enum diagnostic_level level, const char* message);
+  */
+ void diagnostics_write(void);
+ 
+-#if defined(__APPLE__ ) && defined(__has_builtin)
+-#  if __has_builtin(__builtin_available)
+-#    define HAVE_OPENMEMSTREAM_RUNTIME __builtin_available(macOS 10.13, *)
+-#  endif
+-#endif
+-#ifndef HAVE_OPENMEMSTREAM_RUNTIME
+-#  define HAVE_OPENMEMSTREAM_RUNTIME 1
+-#endif
++#define HAVE_OPENMEMSTREAM_RUNTIME 1
+ 
+ #endif /* diagnostics_h */
diff --git a/nixpkgs/pkgs/os-specific/darwin/cctools/ld-ignore-rpath-link.patch b/nixpkgs/pkgs/os-specific/darwin/cctools/ld-ignore-rpath-link.patch
new file mode 100644
index 000000000000..fc87f69ac32d
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/darwin/cctools/ld-ignore-rpath-link.patch
@@ -0,0 +1,16 @@
+diff --git a/cctools/ld64/src/ld/Options.cpp b/cctools/ld64/src/ld/Options.cpp
+index 2565518..9250016 100644
+--- a/cctools/ld64/src/ld/Options.cpp
++++ b/cctools/ld64/src/ld/Options.cpp
+@@ -2522,6 +2522,11 @@ void Options::parse(int argc, const char* argv[])
+ 					throw "missing argument to -rpath";
+ 				fRPaths.push_back(path);
+ 			}
++			else if ( strcmp(arg, "-rpath-link") == 0 ) {
++				const char* path = argv[++i];
++				if ( path == NULL )
++					throw "missing argument to -rpath-link";
++			}
+ 			else if ( strcmp(arg, "-read_only_stubs") == 0 ) {
+ 				fReadOnlyx86Stubs = true;
+ 			}
diff --git a/nixpkgs/pkgs/os-specific/darwin/cctools/ld-rpath-nonfinal.patch b/nixpkgs/pkgs/os-specific/darwin/cctools/ld-rpath-nonfinal.patch
new file mode 100644
index 000000000000..17ad9053f3bd
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/darwin/cctools/ld-rpath-nonfinal.patch
@@ -0,0 +1,29 @@
+diff --git a/cctools/ld64/src/ld/Options.cpp b/cctools/ld64/src/ld/Options.cpp
+index e4b37ec..4189ebc 100644
+--- a/cctools/ld64/src/ld/Options.cpp
++++ b/cctools/ld64/src/ld/Options.cpp
+@@ -5800,24 +5800,6 @@ void Options::checkIllegalOptionCombinations()
+ 	if ( fDeadStrip && (fOutputKind == Options::kObjectFile) )
+ 		throw "-r and -dead_strip cannot be used together";
+ 
+-	// can't use -rpath unless targeting 10.5 or later
+-	if ( fRPaths.size() > 0 ) {
+-		if ( !platforms().minOS(ld::version2008) )
+-			throw "-rpath can only be used when targeting Mac OS X 10.5 or later";
+-		switch ( fOutputKind ) {
+-			case Options::kDynamicExecutable:
+-			case Options::kDynamicLibrary:
+-			case Options::kDynamicBundle:
+-				break;
+-			case Options::kStaticExecutable:
+-			case Options::kObjectFile:
+-			case Options::kDyld:
+-			case Options::kPreload:
+-			case Options::kKextBundle:
+-				throw "-rpath can only be used when creating a dynamic final linked image";
+-		}
+-	}
+-	
+ 	if ( fPositionIndependentExecutable ) {
+ 		switch ( fOutputKind ) {
+ 			case Options::kDynamicExecutable:
diff --git a/nixpkgs/pkgs/os-specific/darwin/cctools/llvm.nix b/nixpkgs/pkgs/os-specific/darwin/cctools/llvm.nix
new file mode 100644
index 000000000000..f2986bf872f7
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/darwin/cctools/llvm.nix
@@ -0,0 +1,113 @@
+# Create a cctools-compatible bintools that uses equivalent tools from LLVM in place of the ones
+# from cctools when possible.
+
+{ lib, stdenv, makeWrapper, cctools-port, llvmPackages, enableManpages ? stdenv.targetPlatform == stdenv.hostPlatform }:
+
+let
+  inherit (stdenv) targetPlatform hostPlatform;
+
+  cctoolsVersion = lib.getVersion cctools-port;
+  llvmVersion = llvmPackages.release_version;
+
+  # `bitcode_strip` is not available until LLVM 12.
+  useLLVMBitcodeStrip = lib.versionAtLeast llvmVersion "12";
+
+  # A compatible implementation of `otool` was not added until LLVM 13.
+  useLLVMOtool = lib.versionAtLeast llvmVersion "13";
+
+  # Older versions of `strip` cause problems for the version of `codesign_allocate` available in
+  # the version of cctools in nixpkgs. The version of `codesign_allocate` in cctools-1005.2 does
+  # not appear to have issues, but the source is not available yet (as of June 2023).
+  useLLVMStrip = lib.versionAtLeast llvmVersion "15" || lib.versionAtLeast cctoolsVersion "1005.2";
+
+  # Clang 11 performs an optimization on x86_64 that is sensitive to the presence of debug info.
+  # This causes GCC to fail to bootstrap due to object file differences between stages 2 and 3.
+  useClangAssembler = lib.versionAtLeast llvmVersion "12" || !stdenv.isx86_64;
+
+  llvm_bins = [
+    "dwarfdump"
+    "nm"
+    "objdump"
+    "size"
+    "strings"
+  ]
+  ++ lib.optional useLLVMBitcodeStrip "bitcode-strip"
+  ++ lib.optional useLLVMOtool "otool"
+  ++ lib.optional useLLVMStrip "strip";
+
+  # Only include the tools that LLVM doesn’t provide and that are present normally on Darwin.
+  # The only exceptions are the following tools, which should be reevaluated when LLVM is bumped.
+  # - install_name_tool (llvm-objcopy): unrecognized linker commands when building open source CF;
+  # - libtool (llvm-libtool-darwin): not fully compatible when used with xcbuild; and
+  # - lipo (llvm-lipo): crashes when running the LLVM test suite.
+  cctools_bins = [
+    "cmpdylib"
+    "codesign_allocate"
+    "ctf_insert"
+    "install_name_tool"
+    "ld"
+    "libtool"
+    "lipo"
+    "nmedit"
+    "pagestuff"
+    "ranlib"
+    "segedit"
+    "vtool"
+  ]
+  ++ lib.optional (!useLLVMBitcodeStrip) "bitcode_strip"
+  ++ lib.optional (!useLLVMOtool) "otool"
+  ++ lib.optional (!useLLVMStrip) "strip"
+  ++ lib.optional (!useClangAssembler) "as";
+
+  targetPrefix = lib.optionalString (targetPlatform != hostPlatform) "${targetPlatform.config}-";
+
+  linkManPages = pkg: source: target: lib.optionalString enableManpages ''
+    sourcePath=${pkg}/share/man/man1/${source}.1.gz
+    targetPath=$man/share/man/man1/${target}.1.gz
+
+    if [ -f "$sourcePath" ]; then
+      mkdir -p "$(dirname "$targetPath")"
+      ln -s "$sourcePath" "$targetPath"
+    fi
+  '';
+in
+stdenv.mkDerivation {
+  pname = "cctools-llvm";
+  version = "${llvmVersion}-${cctoolsVersion}";
+
+  nativeBuildInputs = [ makeWrapper ];
+
+  # The `man` output has to be included unconditionally because darwin.binutils expects it.
+  outputs = [ "out" "dev" "man" ];
+
+  buildCommand = ''
+    mkdir -p "$out/bin" "$man"
+    ln -s ${lib.getDev cctools-port} "$dev"
+
+  '' + lib.optionalString useClangAssembler ''
+    # Use the clang-integrated assembler instead of using `as` from cctools.
+    makeWrapper "${lib.getBin llvmPackages.clang-unwrapped}/bin/clang" "$out/bin/${targetPrefix}as" \
+      --add-flags "-x assembler -integrated-as -c"
+
+  '' + ''
+    ln -s "${lib.getBin llvmPackages.bintools-unwrapped}/bin/${targetPrefix}llvm-ar" "$out/bin/${targetPrefix}ar"
+    ${linkManPages llvmPackages.llvm-manpages "llvm-ar" "ar"}
+
+    for tool in ${toString llvm_bins}; do
+      cctoolsTool=''${tool/-/_}
+      ln -s "${lib.getBin llvmPackages.llvm}/bin/llvm-$tool" "$out/bin/${targetPrefix}$cctoolsTool"
+      ${linkManPages llvmPackages.llvm-manpages "llvm-$tool" "$cctoolsTool"}
+    done
+
+    for tool in ${toString cctools_bins}; do
+      ln -s "${lib.getBin cctools-port}/bin/${targetPrefix}$tool" "$out/bin/${targetPrefix}$tool"
+      ${linkManPages (lib.getMan cctools-port) "$tool" "$tool"}
+    done
+
+    ${linkManPages (lib.getMan cctools-port) "ld64" "ld64"}
+    ${lib.optionalString (!useLLVMOtool)  # The actual man page for otool in cctools is llvm-otool
+      (linkManPages (lib.getMan cctools-port) "llvm-otool" "llvm-otool")}
+  '';
+
+  passthru = { inherit targetPrefix; };
+}
diff --git a/nixpkgs/pkgs/os-specific/darwin/cctools/port.nix b/nixpkgs/pkgs/os-specific/darwin/cctools/port.nix
new file mode 100644
index 000000000000..c9b11ee20155
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/darwin/cctools/port.nix
@@ -0,0 +1,192 @@
+{ lib, stdenv, fetchFromGitHub, autoconf, automake, libtool, autoreconfHook, memstreamHook
+, installShellFiles
+, libuuid
+, libobjc ? null, maloader ? null
+, enableTapiSupport ? true, libtapi
+, fetchpatch
+}:
+
+let
+
+  # The targetPrefix prepended to binary names to allow multiple binuntils on the
+  # PATH to both be usable.
+  targetPrefix = lib.optionalString
+    (stdenv.targetPlatform != stdenv.hostPlatform)
+    "${stdenv.targetPlatform.config}-";
+in
+
+# Non-Darwin alternatives
+assert (!stdenv.hostPlatform.isDarwin) -> maloader != null;
+
+stdenv.mkDerivation {
+  pname = "${targetPrefix}cctools-port";
+  version = "973.0.1";
+
+  src = fetchFromGitHub {
+    owner  = "tpoechtrager";
+    repo   = "cctools-port";
+    # This is the commit before: https://github.com/tpoechtrager/cctools-port/pull/114
+    # That specific change causes trouble for us (see the PR discussion), but
+    # is also currently the last commit on master at the time of writing, so we
+    # can just go back one step.
+    rev    = "457dc6ddf5244ebf94f28e924e3a971f1566bd66";
+    sha256 = "0ns12q7vg9yand4dmdsps1917cavfbw67yl5q7bm6kb4ia5kkx13";
+  };
+
+  outputs = [ "out" "dev" "man" ];
+
+  nativeBuildInputs = [ autoconf automake libtool autoreconfHook installShellFiles ]
+    ++ lib.optionals (stdenv.isDarwin && stdenv.isx86_64) [ memstreamHook ];
+  buildInputs = [ libuuid ]
+    ++ lib.optionals stdenv.isDarwin [ libobjc ]
+    ++ lib.optional enableTapiSupport libtapi;
+
+  patches = [
+    ./ld-ignore-rpath-link.patch
+    ./ld-rpath-nonfinal.patch
+    (fetchpatch {
+      url = "https://github.com/tpoechtrager/cctools-port/commit/4a734070cd2838e49658464003de5b92271d8b9e.patch";
+      hash = "sha256-72KaJyu7CHXxJJ1GNq/fz+kW1RslO3UaKI91LhBtiXA=";
+    })
+    (fetchpatch {
+      url = "https://github.com/MercuryTechnologies/cctools-port/commit/025899b7b3593dedb0c681e689e57c0e7bbd9b80.patch";
+      hash = "sha256-SWVUzFaJHH2fu9y8RcU3Nx/QKx60hPE5zFx0odYDeQs=";
+    })
+    # Always use `open_memstream`. This is provided by memstream via hook on x86_64-darwin.
+    ./darwin-memstream.patch
+  ];
+
+  __propagatedImpureHostDeps = [
+    # As far as I can tell, otool from cctools is the only thing that depends on these two, and we should fix them
+    "/usr/lib/libobjc.A.dylib"
+    "/usr/lib/libobjc.dylib"
+  ];
+
+  enableParallelBuilding = true;
+
+  # TODO(@Ericson2314): Always pass "--target" and always targetPrefix.
+  configurePlatforms = [ "build" "host" ]
+    ++ lib.optional (stdenv.targetPlatform != stdenv.hostPlatform) "target";
+  configureFlags = [ "--disable-clang-as" ]
+    ++ lib.optionals enableTapiSupport [
+      "--enable-tapi-support"
+      "--with-libtapi=${libtapi}"
+    ];
+
+  postPatch = lib.optionalString stdenv.hostPlatform.isDarwin ''
+    substituteInPlace cctools/Makefile.am --replace libobjc2 ""
+  '' + ''
+    sed -i -e 's/addStandardLibraryDirectories = true/addStandardLibraryDirectories = false/' cctools/ld64/src/ld/Options.cpp
+
+    # FIXME: there are far more absolute path references that I don't want to fix right now
+    substituteInPlace cctools/configure.ac \
+      --replace "-isystem /usr/local/include -isystem /usr/pkg/include" "" \
+      --replace "-L/usr/local/lib" "" \
+
+    # Appears to use new libdispatch API not available in macOS SDK 10.12.
+    substituteInPlace cctools/ld64/src/ld/libcodedirectory.c \
+      --replace "#define LIBCD_PARALLEL 1" ""
+
+    patchShebangs tools
+    sed -i -e 's/which/type -P/' tools/*.sh
+
+    cd cctools
+  '';
+
+  preInstall = ''
+    installManPage ar/ar.{1,5}
+
+    # The makefile rules for installing headers are missing in 973.0.1.
+    # The below is derived from 949.0.1.
+    mkdir -p $dev/include/mach-o/i386
+    mkdir -p $dev/include/mach-o/ppc
+    mkdir -p $dev/include/mach-o/x86_64
+    mkdir -p $dev/include/mach-o/arm
+    mkdir -p $dev/include/mach-o/arm64
+    mkdir -p $dev/include/mach-o/m68k
+    mkdir -p $dev/include/mach-o/sparc
+    mkdir -p $dev/include/mach-o/hppa
+    mkdir -p $dev/include/mach-o/i860
+    mkdir -p $dev/include/mach-o/m88k
+    mkdir -p $dev/include/dyld
+    mkdir -p $dev/include/cbt
+
+    pushd include/mach-o
+    install -c -m 444  arch.h ldsyms.h reloc.h \
+      stab.h loader.h fat.h swap.h getsect.h nlist.h \
+      ranlib.h $dev/include/mach-o
+    popd
+
+    pushd include/mach-o/i386
+    install -c -m 444  swap.h \
+      $dev/include/mach-o/i386
+    popd
+
+    pushd include/mach-o/ppc
+    install -c -m 444  reloc.h swap.h \
+      $dev/include/mach-o/ppc
+    popd
+
+    pushd include/mach-o/x86_64
+    install -c -m 444  reloc.h \
+      $dev/include/mach-o/x86_64
+    popd
+
+    pushd include/mach-o/arm
+    install -c -m 444  reloc.h \
+      $dev/include/mach-o/arm
+    popd
+
+    pushd include/mach-o/arm64
+    install -c -m 444  reloc.h \
+      $dev/include/mach-o/arm64
+    popd
+
+    pushd include/mach-o/m68k
+    install -c -m 444  swap.h \
+      $dev/include/mach-o/m68k
+    popd
+
+    pushd include/mach-o/sparc
+    install -c -m 444  reloc.h swap.h \
+      $dev/include/mach-o/sparc
+    popd
+
+    pushd include/mach-o/hppa
+    install -c -m 444  reloc.h swap.h \
+      $dev/include/mach-o/hppa
+    popd
+
+    pushd include/mach-o/i860
+    install -c -m 444  reloc.h swap.h \
+      $dev/include/mach-o/i860
+    popd
+
+    pushd include/mach-o/m88k
+    install -c -m 444  reloc.h swap.h \
+      $dev/include/mach-o/m88k
+    popd
+
+    pushd include/stuff
+    install -c -m 444  bool.h \
+      $dev/include/dyld
+    popd
+
+    pushd include/cbt
+    install -c -m 444  libsyminfo.h \
+      $dev/include/cbt
+    popd
+  '';
+
+  passthru = {
+    inherit targetPrefix;
+  };
+
+  meta = {
+    broken = !stdenv.targetPlatform.isDarwin; # Only supports darwin targets
+    homepage = "http://www.opensource.apple.com/source/cctools/";
+    description = "MacOS Compiler Tools (cross-platform port)";
+    license = lib.licenses.apsl20;
+    maintainers = with lib.maintainers; [ matthewbauer ];
+  };
+}
diff --git a/nixpkgs/pkgs/os-specific/darwin/coconutbattery/default.nix b/nixpkgs/pkgs/os-specific/darwin/coconutbattery/default.nix
new file mode 100644
index 000000000000..4850b2b4c04e
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/darwin/coconutbattery/default.nix
@@ -0,0 +1,41 @@
+{ lib
+, stdenvNoCC
+, fetchzip
+}:
+
+stdenvNoCC.mkDerivation (finalAttrs: {
+  pname = "coconutbattery";
+  version = "3.9.14";
+
+  src = fetchzip {
+    url = "https://coconut-flavour.com/downloads/coconutBattery_${builtins.replaceStrings [ "." ] [ "" ] finalAttrs.version}.zip";
+    hash = "sha256-zKSPKwDBwxlyNJFurCLLGtba9gpizJCjOOAd81vdD5Q=";
+  };
+
+  dontPatch = true;
+  dontConfigure = true;
+  dontBuild = true;
+  dontFixup = true;
+
+  installPhase = ''
+    runHook preInstall
+
+    mkdir -p $out/Applications/coconutBattery.app
+    cp -R . $out/Applications/coconutBattery.app
+
+    runHook postInstall
+  '';
+
+  meta = with lib; {
+    description = "The standard for battery reading since 2005";
+    longDescription = ''
+      With coconutBattery you are always aware of your current battery health.
+      It shows you live information about the battery quality in your Mac, iPhone and iPad.
+    '';
+    homepage = "https://www.coconut-flavour.com/coconutbattery";
+    license = with licenses; [ unfree ];
+    sourceProvenance = with sourceTypes; [ binaryNativeCode ];
+    maintainers = with maintainers; [ stepbrobd ];
+    platforms = [ "aarch64-darwin" "x86_64-darwin" ];
+  };
+})
diff --git a/nixpkgs/pkgs/os-specific/darwin/darwin-stubs/default.nix b/nixpkgs/pkgs/os-specific/darwin/darwin-stubs/default.nix
new file mode 100644
index 000000000000..6e3439455cce
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/darwin/darwin-stubs/default.nix
@@ -0,0 +1,18 @@
+{ stdenvNoCC, fetchurl }:
+
+stdenvNoCC.mkDerivation {
+  pname = "darwin-stubs";
+  version = "10.12";
+
+  src = fetchurl {
+    url = "https://github.com/NixOS/darwin-stubs/releases/download/v20201216/10.12.tar.gz";
+    sha256 = "1fyd3xig7brkzlzp0ql7vyfj5sp8iy56kgp548mvicqdyw92adgm";
+  };
+
+  dontBuild = true;
+
+  installPhase = ''
+    mkdir $out
+    mv * $out
+  '';
+}
diff --git a/nixpkgs/pkgs/os-specific/darwin/defaultbrowser/default.nix b/nixpkgs/pkgs/os-specific/darwin/defaultbrowser/default.nix
new file mode 100644
index 000000000000..be3dcd417731
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/darwin/defaultbrowser/default.nix
@@ -0,0 +1,26 @@
+{ lib, stdenv, fetchFromGitHub, Foundation }:
+
+stdenv.mkDerivation rec {
+  pname = "defaultbrowser";
+  version = "unstable-2020-07-23";
+
+  src = fetchFromGitHub {
+    owner = "kerma";
+    repo = pname;
+    rev = "d2860c00dd7fbb5d615232cc819d7d492a6a6ddb";
+    sha256 = "sha256-SelUQXoKtShcDjq8uKg3wM0kG2opREa2DGQCDd6IsOQ=";
+  };
+
+  makeFlags = [ "CC=cc" "PREFIX=$(out)" ];
+
+  buildInputs = [ Foundation ];
+
+  meta = with lib; {
+    mainProgram = "defaultbrowser";
+    description = "Command line tool for getting and setting a default browser (HTTP handler) in Mac OS X";
+    homepage = "https://github.com/kerma/defaultbrowser";
+    platforms = platforms.darwin;
+    maintainers = with maintainers; [ Enzime ];
+    license = licenses.mit;
+  };
+}
diff --git a/nixpkgs/pkgs/os-specific/darwin/discrete-scroll/default.nix b/nixpkgs/pkgs/os-specific/darwin/discrete-scroll/default.nix
new file mode 100644
index 000000000000..f38bf8d81322
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/darwin/discrete-scroll/default.nix
@@ -0,0 +1,36 @@
+{ stdenv, lib, fetchFromGitHub, Cocoa }:
+
+## after launching for the first time, grant access for parent application (e.g. Terminal.app)
+## from 'system preferences >> security & privacy >> accessibility'
+## and then launch again
+
+stdenv.mkDerivation rec {
+  pname = "discrete-scroll";
+  version = "0.1.1";
+
+  src = fetchFromGitHub {
+    owner = "emreyolcu";
+    repo = "discrete-scroll";
+    rev = "v${version}";
+    sha256 = "0aqkp4kkwjlkll91xbqwf8asjww8ylsdgqvdk8d06bwdvg2cgvhg";
+  };
+
+  buildInputs = [ Cocoa ];
+
+  buildPhase = ''
+    cc -std=c99 -O3 -Wall -framework Cocoa -o dc DiscreteScroll/main.m
+  '';
+
+  installPhase = ''
+    mkdir -p $out/bin
+    cp ./dc $out/bin/discretescroll
+  '';
+
+  meta = with lib; {
+    description = "Fix for OS X's scroll wheel problem";
+    homepage = "https://github.com/emreyolcu/discrete-scroll";
+    platforms = platforms.darwin;
+    license = licenses.mit;
+    maintainers = with lib.maintainers; [ bb2020 ];
+  };
+}
diff --git a/nixpkgs/pkgs/os-specific/darwin/dockutil/default.nix b/nixpkgs/pkgs/os-specific/darwin/dockutil/default.nix
new file mode 100644
index 000000000000..5e4187f07280
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/darwin/dockutil/default.nix
@@ -0,0 +1,37 @@
+{ lib, stdenv, fetchurl, libarchive, p7zip }:
+stdenv.mkDerivation rec {
+  pname = "dockutil";
+  version = "3.0.2";
+
+  src = fetchurl {
+    url =
+      "https://github.com/kcrawford/dockutil/releases/download/${version}/dockutil-${version}.pkg";
+    sha256 = "175137ea747e83ed221d60b18b712b256ed31531534cde84f679487d337668fd";
+  };
+
+  dontBuild = true;
+
+  nativeBuildInputs = [ libarchive p7zip ];
+
+  unpackPhase = ''
+    7z x $src
+    bsdtar -xf Payload~
+  '';
+
+  installPhase = ''
+    runHook preInstall
+    mkdir -p $out/bin
+    mkdir -p $out/usr/local/bin
+    install -Dm755 usr/local/bin/dockutil -t $out/usr/local/bin
+    ln -rs $out/usr/local/bin/dockutil $out/bin/dockutil
+    runHook postInstall
+  '';
+
+  meta = with lib; {
+    description = "Tool for managing dock items";
+    homepage = "https://github.com/kcrawford/dockutil";
+    license = licenses.asl20;
+    maintainers = with maintainers; [ tboerger ];
+    platforms = platforms.darwin;
+  };
+}
diff --git a/nixpkgs/pkgs/os-specific/darwin/duti/default.nix b/nixpkgs/pkgs/os-specific/darwin/duti/default.nix
new file mode 100644
index 000000000000..db0b1e1dcbae
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/darwin/duti/default.nix
@@ -0,0 +1,37 @@
+{stdenv, lib, fetchFromGitHub, autoreconfHook, ApplicationServices}:
+
+stdenv.mkDerivation rec {
+  pname = "duti";
+  version = "1.5.5pre";
+  src = fetchFromGitHub {
+    owner = "moretension";
+    repo = pname;
+    rev = "fe3d3dc411bcea6af7a8cbe53c0e08ed5ecacdb2";
+    sha256 = "1pg4i6ghpib2gy1sqpml7dbnhr1vbr43fs2pqkd09i4w3nmgpic9";
+  };
+
+  nativeBuildInputs = [autoreconfHook];
+  buildInputs = [ApplicationServices];
+  configureFlags = [
+    "--with-macosx-sdk=/homeless-shelter"
+
+    # needed to prevent duti from trying to guess our sdk
+    # NOTE: this is different than stdenv.hostPlatform.config!
+    "--host=x86_64-apple-darwin18"
+  ];
+
+  meta = with lib; {
+    description = "A command-line tool to select default applications for document types and URL schemes on Mac OS X";
+    longDescription = ''
+      duti is a command-line utility capable of setting default applications for
+      various document types on Mac OS X, using Apple's Uniform Type Identifiers. A
+      UTI is a unique string describing the format of a file's content. For instance,
+      a Microsoft Word document has a UTI of com.microsoft.word.doc. Using duti, the
+      user can change which application acts as the default handler for a given UTI.
+    '';
+    maintainers = with maintainers; [matthewbauer];
+    platforms = platforms.darwin;
+    license = licenses.publicDomain;
+    homepage = "https://github.com/moretension/duti/";
+  };
+}
diff --git a/nixpkgs/pkgs/os-specific/darwin/gen-frameworks.py b/nixpkgs/pkgs/os-specific/darwin/gen-frameworks.py
new file mode 100755
index 000000000000..ec2a6c7c16ec
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/darwin/gen-frameworks.py
@@ -0,0 +1,147 @@
+#!/usr/bin/env nix-shell
+#!nix-shell -i python -p python3 swiftPackages.swift-unwrapped
+
+"""
+Generate a frameworks.nix for a macOS SDK.
+
+You may point this tool at an Xcode bundled SDK, but more ideal is using the
+SDK from Nixpkgs. For example:
+
+SDK_PATH="$(nix-build --no-link -A darwin.apple_sdk_11_0.MacOSX-SDK)"
+./gen-frameworks.py "$SDK_PATH" > ./new-frameworks.nix
+"""
+
+import json
+import os
+import subprocess
+import sys
+
+ALLOWED_LIBS = ["simd"]
+
+HEADER = """\
+# This file is generated by gen-frameworks.nix.
+# Do not edit, put overrides in apple_sdk.nix instead.
+{ libs, frameworks }: with libs; with frameworks;
+{
+"""
+
+FOOTER = """\
+}
+"""
+
+
+def eprint(*args):
+    print(*args, file=sys.stderr)
+
+
+def name_from_ident(ident):
+    return ident.get("swift", ident.get("clang"))
+
+
+def scan_sdk(sdk):
+    # Find frameworks by scanning the SDK frameworks directory.
+    frameworks = [
+        framework.removesuffix(".framework")
+        for framework in os.listdir(f"{sdk}/System/Library/Frameworks")
+        if not framework.startswith("_")
+    ]
+    frameworks.sort()
+
+    # Determine the longest name for padding output.
+    width = len(max(frameworks, key=len))
+
+    output = HEADER
+
+    for framework in frameworks:
+        deps = []
+
+        # Use Swift to scan dependencies, because a module may have both Clang
+        # and Swift parts. Using Clang only imports the Clang module, whereas
+        # using Swift will usually import both Clang + Swift overlay.
+        #
+        # TODO: The above is an assumption. Not sure if it's possible a Swift
+        # module completely shadows a Clang module. (Seems unlikely)
+        #
+        # TODO: Handle "module 'Foobar' is incompatible with feature 'swift'"
+        #
+        # If there were a similar Clang invocation for scanning, we could fix
+        # the above todos, but that doesn't appear to exist.
+        eprint(f"# scanning {framework}")
+        result = subprocess.run(
+            [
+                "swiftc",
+                "-scan-dependencies",
+                # We provide a source snippet via stdin.
+                "-",
+                # Use the provided SDK.
+                "-sdk",
+                sdk,
+                # This search path is normally added automatically by the
+                # compiler based on the SDK, but we have a patch in place that
+                # removes that for SDKs in /nix/store, because our xcbuild stub
+                # SDK doesn't have the directory.
+                # (swift-prevent-sdk-dirs-warning.patch)
+                "-I",
+                f"{sdk}/usr/lib/swift",
+                # For some reason, 'lib/swift/shims' from both the SDK and
+                # Swift compiler are picked up, causing redefinition errors.
+                # This eliminates the latter.
+                "-resource-dir",
+                f"{sdk}/usr/lib/swift",
+            ],
+            input=f"import {framework}".encode(),
+            stdout=subprocess.PIPE,
+        )
+        if result.returncode != 0:
+            eprint(f"# Scanning {framework} failed (exit code {result.returncode})")
+            result.stdout = b""
+
+        # Parse JSON output.
+        if len(result.stdout) != 0:
+            data = json.loads(result.stdout)
+
+            # Entries in the modules list come in pairs. The first is an
+            # identifier (`{ swift: "foobar" }` or `{ clang: "foobar" }`), and
+            # the second metadata for that module. Here we look for the pair
+            # that matches the framework we're scanning (and ignore the rest).
+            modules = data["modules"]
+            for i in range(0, len(modules), 2):
+                ident, meta = modules[i : i + 2]
+
+                # NOTE: We may match twice, for a Swift module _and_ for a
+                # Clang module. So matching here doesn't break from the loop,
+                # and deps is appended to.
+                if name_from_ident(ident) == framework:
+                    dep_idents = meta["directDependencies"]
+                    deps += [name_from_ident(ident) for ident in dep_idents]
+                    # List unfiltered deps in progress output.
+                    eprint(ident, "->", dep_idents)
+
+        # Filter out modules that are not separate derivations.
+        # Also filter out duplicates (when a Swift overlay imports the Clang module)
+        allowed = frameworks + ALLOWED_LIBS
+        deps = set([dep for dep in deps if dep in allowed])
+
+        # Filter out self-references. (Swift overlay importing Clang module.)
+        if framework in deps:
+            deps.remove(framework)
+
+        # Generate a Nix attribute line.
+        if len(deps) != 0:
+            deps = list(deps)
+            deps.sort()
+            deps = " ".join(deps)
+            output += f"  {framework.ljust(width)} = {{ inherit {deps}; }};\n"
+        else:
+            output += f"  {framework.ljust(width)} = {{}};\n"
+
+    output += FOOTER
+    sys.stdout.write(output)
+
+
+if __name__ == "__main__":
+    if len(sys.argv) != 2:
+        eprint(f"Usage: {sys.argv[0]} <path to MacOSX.sdk>")
+        sys.exit(64)
+
+    scan_sdk(sys.argv[1])
diff --git a/nixpkgs/pkgs/os-specific/darwin/ghc-standalone-archive/default.nix b/nixpkgs/pkgs/os-specific/darwin/ghc-standalone-archive/default.nix
new file mode 100644
index 000000000000..46ba68281868
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/darwin/ghc-standalone-archive/default.nix
@@ -0,0 +1,13 @@
+{ runCommand, cctools }:
+{ haskellPackages, src, deps ? p : [], name }: let
+  inherit (haskellPackages) ghc ghcWithPackages;
+  with-env = ghcWithPackages deps;
+  ghcName = "${ghc.targetPrefix}ghc";
+in runCommand name { buildInputs = [ with-env cctools ]; } ''
+  mkdir -p $out/lib
+  mkdir -p $out/include
+  ${ghcName} ${src} -staticlib -outputdir . -o $out/lib/${name}.a -stubdir $out/include
+  for file in ${ghc}/lib/${ghcName}-${ghc.version}/include/*; do
+    ln -sv $file $out/include
+  done
+''
diff --git a/nixpkgs/pkgs/os-specific/darwin/goku/default.nix b/nixpkgs/pkgs/os-specific/darwin/goku/default.nix
new file mode 100644
index 000000000000..13aadfce2404
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/darwin/goku/default.nix
@@ -0,0 +1,47 @@
+{ lib
+, stdenv
+, fetchurl
+, unzip
+, joker
+}:
+
+stdenv.mkDerivation rec {
+  pname = "goku";
+  version = "0.6.0";
+
+  src = if stdenv.isAarch64 then
+    fetchurl {
+      url = "https://github.com/yqrashawn/GokuRakuJoudo/releases/download/v${version}/goku-arm.zip";
+      hash = "sha256-TIoda2kDckK1FBLAmKudsDs3LXO4J0KWiAD2JlFb4rk=";
+    }
+    else fetchurl {
+      url = "https://github.com/yqrashawn/GokuRakuJoudo/releases/download/v${version}/goku.zip";
+      hash = "sha256-8HdIwtpzR6O2WCbMYIJ6PHcM27Xmb+4Tc5Fmjl0dABQ=";
+    };
+
+  nativeBuildInputs = [
+    unzip
+  ];
+
+  buildInputs = [
+    joker
+  ];
+
+  sourceRoot = if stdenv.isAarch64 then "goku" else ".";
+
+  installPhase = ''
+    chmod +x goku
+    chmod +x gokuw
+    mkdir -p $out/bin
+    cp goku $out/bin
+    cp gokuw $out/bin
+  '';
+
+  meta = with lib; {
+    description = "Karabiner configurator";
+    homepage = "https://github.com/yqrashawn/GokuRakuJoudo";
+    license = licenses.gpl3;
+    maintainers = [ maintainers.nikitavoloboev ];
+    platforms = platforms.darwin;
+  };
+}
diff --git a/nixpkgs/pkgs/os-specific/darwin/grandperspective/default.nix b/nixpkgs/pkgs/os-specific/darwin/grandperspective/default.nix
new file mode 100644
index 000000000000..0d57d4f27714
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/darwin/grandperspective/default.nix
@@ -0,0 +1,35 @@
+{ stdenv, lib, fetchurl, undmg }:
+
+stdenv.mkDerivation (finalAttrs: {
+  version = "3.4.1";
+  pname = "grandperspective";
+
+  src = fetchurl {
+    inherit (finalAttrs) version;
+    url = "mirror://sourceforge/grandperspectiv/GrandPerspective-${lib.replaceStrings [ "." ] [ "_" ] finalAttrs.version}.dmg";
+    hash = "sha256-iTtvP6iONcfDWJ3qMh+TUJMN+3spwCQ/5S+A307BJCM=";
+  };
+
+  sourceRoot = "GrandPerspective.app";
+  buildInputs = [ undmg ];
+  installPhase = ''
+    mkdir -p "$out/Applications/GrandPerspective.app";
+    cp -R . "$out/Applications/GrandPerspective.app";
+  '';
+
+  meta = with lib; {
+    description = "Open-source macOS application to analyze disk usage";
+    longDescription = ''
+      GrandPerspective is a small utility application for macOS that graphically shows the disk usage within a file
+      system. It can help you to manage your disk, as you can easily spot which files and folders take up the most
+      space. It uses a so called tree map for visualisation. Each file is shown as a rectangle with an area proportional to
+      the file's size. Files in the same folder appear together, but their placement is otherwise arbitrary.
+    '';
+    homepage = "https://grandperspectiv.sourceforge.net";
+    license = licenses.gpl2Only;
+    sourceProvenance = with sourceTypes; [ binaryNativeCode ];
+    maintainers = with maintainers; [ eliandoran ];
+    platforms = platforms.darwin;
+  };
+
+})
diff --git a/nixpkgs/pkgs/os-specific/darwin/hexfiend/default.nix b/nixpkgs/pkgs/os-specific/darwin/hexfiend/default.nix
new file mode 100644
index 000000000000..29767a1154d5
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/darwin/hexfiend/default.nix
@@ -0,0 +1,28 @@
+{ stdenv, lib, fetchurl, undmg }:
+
+stdenv.mkDerivation rec {
+  pname = "hexfiend";
+  version = "2.16.0";
+
+  src = fetchurl {
+    url = "https://github.com/HexFiend/HexFiend/releases/download/v${version}/Hex_Fiend_${lib.versions.majorMinor version}.dmg";
+    sha256 = "sha256-jO57bW5TyuQ0mjKKsSwDoGLp2TZ1d+m159flVGaVrLc=";
+  };
+
+  sourceRoot = "Hex Fiend.app";
+  nativeBuildInputs = [ undmg ];
+  installPhase = ''
+    mkdir -p "$out/Applications/Hex Fiend.app"
+    cp -R . "$out/Applications/Hex Fiend.app"
+  '';
+
+  meta = with lib; {
+    description = "Open-source macOS hex editor";
+    homepage = "http://hexfiend.com/";
+    changelog = "https://hexfiend.github.io/HexFiend/ReleaseNotes.html";
+    license = licenses.bsd2;
+    sourceProvenance = with sourceTypes; [ binaryNativeCode ];
+    maintainers = with maintainers; [ eliandoran ];
+    platforms = platforms.darwin;
+  };
+}
diff --git a/nixpkgs/pkgs/os-specific/darwin/impure-cmds/default.nix b/nixpkgs/pkgs/os-specific/darwin/impure-cmds/default.nix
new file mode 100644
index 000000000000..51e345f048bd
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/darwin/impure-cmds/default.nix
@@ -0,0 +1,34 @@
+{ lib, runCommandLocal }:
+
+# On darwin, there are some commands neither opensource nor able to build in nixpkgs.
+# We have no choice but to use those system-shipped impure ones.
+
+let
+  commands = {
+    ditto = "/usr/bin/ditto"; # ditto is not opensource
+    sudo  = "/usr/bin/sudo";  # sudo must be owned by uid 0 and have the setuid bit set
+  };
+
+  mkImpureDrv = name: path:
+    runCommandLocal "${name}-impure-darwin" {
+      __impureHostDeps = [ path ];
+
+      meta = {
+        platforms = lib.platforms.darwin;
+      };
+    } ''
+      if ! [ -x ${path} ]; then
+        echo Cannot find command ${path}
+        exit 1
+      fi
+
+      mkdir -p $out/bin
+      ln -s ${path} $out/bin
+
+      manpage="/usr/share/man/man1/${name}.1"
+      if [ -f $manpage ]; then
+        mkdir -p $out/share/man/man1
+        ln -s $manpage $out/share/man/man1
+      fi
+    '';
+in lib.mapAttrs mkImpureDrv commands
diff --git a/nixpkgs/pkgs/os-specific/darwin/insert_dylib/default.nix b/nixpkgs/pkgs/os-specific/darwin/insert_dylib/default.nix
new file mode 100644
index 000000000000..7ab9692f0d42
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/darwin/insert_dylib/default.nix
@@ -0,0 +1,22 @@
+{ lib, stdenv, fetchFromGitHub, xcbuildHook }:
+
+stdenv.mkDerivation {
+  pname = "insert_dylib";
+  version = "unstable-2016-08-28";
+
+  src = fetchFromGitHub {
+    owner = "Tyilo";
+    repo = "insert_dylib";
+    rev = "c8beef66a08688c2feeee2c9b6eaf1061c2e67a9";
+    sha256 = "0az38y06pvvy9jf2wnzdwp9mp98lj6nr0ldv0cs1df5p9x2qvbya";
+  };
+
+  nativeBuildInputs = [ xcbuildHook ];
+
+  installPhase = ''
+    mkdir -p $out/bin
+    install -m755 Products/Release/insert_dylib $out/bin
+  '';
+
+  meta.platforms = lib.platforms.darwin;
+}
diff --git a/nixpkgs/pkgs/os-specific/darwin/ios-deploy/default.nix b/nixpkgs/pkgs/os-specific/darwin/ios-deploy/default.nix
new file mode 100644
index 000000000000..c405ac8e1c8b
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/darwin/ios-deploy/default.nix
@@ -0,0 +1,62 @@
+{ lib
+, stdenv
+, fetchFromGitHub
+, darwin
+, testers
+}:
+
+let
+  privateFrameworks = "/Library/Apple/System/Library/PrivateFrameworks";
+in
+stdenv.mkDerivation (finalAttrs: {
+  pname = "ios-deploy";
+  version = "1.12.2";
+
+  src = fetchFromGitHub {
+    owner = "ios-control";
+    repo = "ios-deploy";
+    rev = finalAttrs.version;
+    hash = "sha256-TVGC+f+1ow3b93CK3PhIL70le5SZxxb2ug5OkIg8XCA=";
+  };
+
+  buildInputs = [
+    darwin.apple_sdk.frameworks.Foundation
+  ];
+
+  buildPhase = ''
+    runHook preBuild
+
+    awk '{ print "\""$0"\\n\""}' src/scripts/lldb.py >> src/ios-deploy/lldb.py.h
+    clang src/ios-deploy/ios-deploy.m \
+      -framework Foundation \
+      -F${privateFrameworks} -framework MobileDevice \
+      -o ios-deploy
+
+    runHook postBuild
+  '';
+
+  installPhase = ''
+    runHook preInstall
+
+    install -Dm755 ios-deploy $out/bin/ios-deploy
+
+    runHook postInstall
+  '';
+
+  __impureHostDeps = [
+    privateFrameworks
+  ];
+
+  passthru.tests.version = testers.testVersion {
+    package = finalAttrs.finalPackage;
+  };
+
+  meta = {
+    description = "Install and debug iPhone apps from the command line, without using Xcode";
+    homepage = "https://github.com/ios-control/ios-deploy";
+    license = lib.licenses.gpl3Plus;
+    mainProgram = "ios-deploy";
+    maintainers = with lib.maintainers; [ wegank ];
+    platforms = lib.platforms.darwin;
+  };
+})
diff --git a/nixpkgs/pkgs/os-specific/darwin/iproute2mac/default.nix b/nixpkgs/pkgs/os-specific/darwin/iproute2mac/default.nix
new file mode 100644
index 000000000000..a7f1f0b773d8
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/darwin/iproute2mac/default.nix
@@ -0,0 +1,37 @@
+{ lib, stdenv, fetchFromGitHub, darwin, python3 }:
+
+stdenv.mkDerivation rec {
+  version = "1.4.1";
+  pname = "iproute2mac";
+
+  src = fetchFromGitHub {
+    owner = "brona";
+    repo = "iproute2mac";
+    rev = "v${version}";
+    sha256 = "sha256-MaL8eb9UOZ71BL4Jvc6Od+EJ+F6j96n9a+vRnHeveIU=";
+  };
+
+  buildInputs = [ python3 ];
+
+  postPatch = ''
+    substituteInPlace src/ip.py \
+      --replace /sbin/ifconfig ${darwin.network_cmds}/bin/ifconfig \
+      --replace /sbin/route ${darwin.network_cmds}/bin/route \
+      --replace /usr/sbin/netstat ${darwin.network_cmds}/bin/netstat \
+      --replace /usr/sbin/ndp ${darwin.network_cmds}/bin/ndp \
+      --replace /usr/sbin/arp ${darwin.network_cmds}/bin/arp \
+      --replace /usr/sbin/networksetup ${darwin.network_cmds}/bin/networksetup
+  '';
+  installPhase = ''
+    mkdir -p $out/bin
+    install -D -m 755 src/ip.py $out/bin/ip
+  '';
+
+  meta = with lib; {
+    homepage = "https://github.com/brona/iproute2mac";
+    description = "CLI wrapper for basic network utilites on Mac OS X inspired with iproute2 on Linux systems - ip command.";
+    license = licenses.mit;
+    maintainers = with maintainers; [ jiegec ];
+    platforms = platforms.darwin;
+  };
+}
diff --git a/nixpkgs/pkgs/os-specific/darwin/karabiner-elements/default.nix b/nixpkgs/pkgs/os-specific/darwin/karabiner-elements/default.nix
new file mode 100644
index 000000000000..03a9938bb205
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/darwin/karabiner-elements/default.nix
@@ -0,0 +1,52 @@
+{ lib, stdenv, fetchurl, cpio, xar, undmg }:
+
+stdenv.mkDerivation rec {
+  pname = "karabiner-elements";
+  version = "14.11.0";
+
+  src = fetchurl {
+    url = "https://github.com/pqrs-org/Karabiner-Elements/releases/download/v${version}/Karabiner-Elements-${version}.dmg";
+    sha256 = "sha256-InuSfXbaSYsncq8jVO15LbQmDTguRHlOiE/Pj5EfX5c=";
+  };
+
+  outputs = [ "out" "driver" ];
+
+  nativeBuildInputs = [ cpio xar undmg ];
+
+  unpackPhase = ''
+    undmg $src
+    xar -xf Karabiner-Elements.pkg
+    cd Installer.pkg
+    zcat Payload | cpio -i
+    cd ../Karabiner-DriverKit-VirtualHIDDevice.pkg
+    zcat Payload | cpio -i
+    cd ..
+  '';
+
+  sourceRoot = ".";
+
+  postPatch = ''
+    for f in *.pkg/Library/Launch{Agents,Daemons}/*.plist; do
+      substituteInPlace $f \
+        --replace "/Library/" "$out/Library/"
+    done
+  '';
+
+  installPhase = ''
+    mkdir -p $out $driver
+    cp -R Installer.pkg/Applications Installer.pkg/Library $out
+    cp -R Karabiner-DriverKit-VirtualHIDDevice.pkg/Applications Karabiner-DriverKit-VirtualHIDDevice.pkg/Library $driver
+
+    cp "$out/Library/Application Support/org.pqrs/Karabiner-Elements/package-version" "$out/Library/Application Support/org.pqrs/Karabiner-Elements/version"
+  '';
+
+  passthru.updateScript = ./updater.sh;
+
+  meta = with lib; {
+    description = "Karabiner-Elements is a powerful utility for keyboard customization on macOS Sierra (10.12) or later.";
+    homepage = "https://karabiner-elements.pqrs.org/";
+    platforms = platforms.darwin;
+    maintainers = with maintainers; [ Enzime ];
+    license = licenses.unlicense;
+  };
+}
diff --git a/nixpkgs/pkgs/os-specific/darwin/karabiner-elements/updater.sh b/nixpkgs/pkgs/os-specific/darwin/karabiner-elements/updater.sh
new file mode 100755
index 000000000000..eb0dd7b9ce5c
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/darwin/karabiner-elements/updater.sh
@@ -0,0 +1,13 @@
+#!/usr/bin/env nix-shell
+#!nix-shell -I nixpkgs=./. -i bash -p curl jq common-updater-scripts
+set -eo pipefail
+
+new_version="$(curl -s  "https://api.github.com/repos/pqrs-org/Karabiner-Elements/releases/latest" | jq -r '.tag_name | ltrimstr("v")')"
+old_version="$(sed -nE 's/\s*version = "(.*)".*/\1/p' ./default.nix)"
+
+if [[ "$new_version" == "$old_version" ]]; then
+  echo "Already up to date!"
+  exit 0
+fi
+
+update-source-version karabiner-elements "${new_version}"
diff --git a/nixpkgs/pkgs/os-specific/darwin/khd/default.nix b/nixpkgs/pkgs/os-specific/darwin/khd/default.nix
new file mode 100644
index 000000000000..87e1a8bf6ae6
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/darwin/khd/default.nix
@@ -0,0 +1,45 @@
+{ lib, stdenv, fetchFromGitHub, fetchpatch, Carbon, Cocoa }:
+
+stdenv.mkDerivation rec {
+  pname = "khd";
+  version = "3.0.0";
+
+  src = fetchFromGitHub {
+    owner = "koekeishiya";
+    repo = "khd";
+    rev = "v${version}";
+    sha256 = "0nzfhknv1s71870w2dk9dy56a3g5zsbjphmfrz0vsvi438g099r4";
+  };
+
+  patches = [
+    # Fixes build issues, remove with >3.0.0
+    (fetchpatch {
+      url = "https://github.com/koekeishiya/khd/commit/4765ae0b4c7d4ca56319dc92ff54393cd9e03fbc.patch";
+      sha256 = "0kvf5hxi5bf6pf125qib7wn7hys0ag66zzpp4srj1qa87lxyf7np";
+    })
+  ];
+
+  buildInputs = [ Carbon Cocoa ];
+
+  buildPhase = ''
+    make install
+  '';
+
+  installPhase = ''
+    mkdir -p $out/bin
+    cp bin/khd $out/bin/khd
+
+    mkdir -p $out/Library/LaunchDaemons
+    cp ${./org.nixos.khd.plist} $out/Library/LaunchDaemons/org.nixos.khd.plist
+    substituteInPlace $out/Library/LaunchDaemons/org.nixos.khd.plist --subst-var out
+  '';
+
+  meta = with lib; {
+    description = "A simple modal hotkey daemon for OSX";
+    homepage = "https://github.com/koekeishiya/khd";
+    downloadPage = "https://github.com/koekeishiya/khd/releases";
+    platforms = platforms.darwin;
+    maintainers = with maintainers; [ lnl7 ];
+    license = licenses.mit;
+  };
+}
diff --git a/nixpkgs/pkgs/os-specific/darwin/khd/org.nixos.khd.plist b/nixpkgs/pkgs/os-specific/darwin/khd/org.nixos.khd.plist
new file mode 100644
index 000000000000..3c0aaa81eb61
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/darwin/khd/org.nixos.khd.plist
@@ -0,0 +1,33 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
+<plist version="1.0">
+<dict>
+  <key>Label</key>
+  <string>org.nixos.khd</string>
+  <key>ProgramArguments</key>
+  <array>
+  <string>@out@/bin/khd</string>
+  </array>
+  <key>KeepAlive</key>
+  <true/>
+  <key>ProcessType</key>
+  <string>Interactive</string>
+  <key>EnvironmentVariables</key>
+  <dict>
+    <key>PATH</key>
+    <string>@out@/bin:/usr/local/bin:/usr/local/sbin:/usr/bin:/bin:/usr/sbin:/sbin</string>
+  </dict>
+  <key>Sockets</key>
+  <dict>
+    <key>Listeners</key>
+    <dict>
+      <key>SockServiceName</key>
+      <string>3021</string>
+      <key>SockType</key>
+      <string>dgram</string>
+      <key>SockFamily</key>
+      <string>IPv4</string>
+    </dict>
+  </dict>
+</dict>
+</plist>
diff --git a/nixpkgs/pkgs/os-specific/darwin/kwm/default.nix b/nixpkgs/pkgs/os-specific/darwin/kwm/default.nix
new file mode 100644
index 000000000000..c210f9e8c65d
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/darwin/kwm/default.nix
@@ -0,0 +1,35 @@
+{ lib, stdenv, fetchzip }:
+
+stdenv.mkDerivation rec {
+  pname = "kwm";
+  version = "4.0.5";
+
+  src = fetchzip {
+    stripRoot = false;
+    url = "https://github.com/koekeishiya/kwm/releases/download/v${version}/Kwm-${version}.zip";
+    sha256 = "1ld1vblg3hmc6lpb8p2ljvisbkijjkijf4y87z5y1ia4k8pk7mxb";
+  };
+
+  # TODO: Build this properly once we have swiftc.
+  dontBuild = true;
+
+  installPhase = ''
+    mkdir -p $out/bin
+    cp kwmc $out/bin/kwmc
+    cp kwm overlaylib.dylib $out
+
+    mkdir -p $out/Library/LaunchDaemons
+    cp ${./org.nixos.kwm.plist} $out/Library/LaunchDaemons/org.nixos.kwm.plist
+    substituteInPlace $out/Library/LaunchDaemons/org.nixos.kwm.plist --subst-var out
+  '';
+
+  meta = with lib; {
+    description = "Tiling window manager with focus follows mouse for OSX";
+    homepage = "https://github.com/koekeishiya/kwm";
+    downloadPage = "https://github.com/koekeishiya/kwm/releases";
+    platforms = platforms.darwin;
+    maintainers = with maintainers; [ lnl7 ];
+    mainProgram = "kwmc";
+    license = licenses.mit;
+  };
+}
diff --git a/nixpkgs/pkgs/os-specific/darwin/kwm/org.nixos.kwm.plist b/nixpkgs/pkgs/os-specific/darwin/kwm/org.nixos.kwm.plist
new file mode 100644
index 000000000000..eafce2ab4a46
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/darwin/kwm/org.nixos.kwm.plist
@@ -0,0 +1,26 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
+<plist version="1.0">
+<dict>
+  <key>Label</key>
+  <string>org.nixos.kwm</string>
+  <key>ProgramArguments</key>
+  <array>
+    <string>@out@/kwm</string>
+  </array>
+  <key>KeepAlive</key>
+  <true/>
+  <key>Sockets</key>
+  <dict>
+    <key>Listeners</key>
+    <dict>
+      <key>SockServiceName</key>
+      <string>3020</string>
+      <key>SockType</key>
+      <string>dgram</string>
+      <key>SockFamily</key>
+      <string>IPv4</string>
+  </dict>
+</dict>
+</dict>
+</plist>
diff --git a/nixpkgs/pkgs/os-specific/darwin/libtapi/default.nix b/nixpkgs/pkgs/os-specific/darwin/libtapi/default.nix
new file mode 100644
index 000000000000..5a72225eec30
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/darwin/libtapi/default.nix
@@ -0,0 +1,77 @@
+{ lib, stdenv, fetchFromGitHub, pkgsBuildBuild, cmake, python3, ncurses }:
+
+stdenv.mkDerivation (finalAttrs: {
+  pname = "libtapi";
+  version = "1100.0.11"; # determined by looking at VERSION.txt
+
+  src = fetchFromGitHub {
+    owner = "tpoechtrager";
+    repo = "apple-libtapi";
+    rev = "664b8414f89612f2dfd35a9b679c345aa5389026";
+    sha256 = "1y1yl46msabfy14z0rln333a06087bk14f5h7q1cdawn8nmvbdbr";
+  };
+
+  sourceRoot = "${finalAttrs.src.name}/src/llvm";
+
+  # Backported from newer llvm, fixes configure error when cross compiling.
+  # Also means we don't have to manually fix the result with install_name_tool.
+  patches = [
+    ./disable-rpath.patch
+  ] ++ lib.optionals (stdenv.hostPlatform != stdenv.buildPlatform) [
+    # TODO: make unconditional and rebuild the world
+    # TODO: send upstream
+    ./native-clang-tblgen.patch
+  ];
+
+  nativeBuildInputs = [ cmake python3 ];
+
+  # ncurses is required here to avoid a reference to bootstrap-tools, which is
+  # not allowed for the stdenv.
+  buildInputs = [ ncurses ];
+
+  cmakeFlags = [ "-DLLVM_INCLUDE_TESTS=OFF" ]
+    ++ lib.optionals (stdenv.buildPlatform != stdenv.hostPlatform) [
+      "-DCMAKE_CROSSCOMPILING=True"
+      # This package could probably have a llvm_6 llvm-tblgen and clang-tblgen
+      # provided to reduce some building. This package seems intended to
+      # include all of its dependencies, including enough of LLVM to build the
+      # required tablegens.
+      (
+        let
+          nativeCC = pkgsBuildBuild.stdenv.cc;
+          nativeBintools = nativeCC.bintools.bintools;
+          nativeLibcxxabi = lib.getLib pkgsBuildBuild.libcxxabi;
+          nativeToolchainFlags = [
+            "-DCMAKE_C_COMPILER=${nativeCC}/bin/${nativeCC.targetPrefix}cc"
+            "-DCMAKE_CXX_COMPILER=${nativeCC}/bin/${nativeCC.targetPrefix}c++"
+            "-DCMAKE_AR=${nativeBintools}/bin/${nativeBintools.targetPrefix}ar"
+            "-DCMAKE_STRIP=${nativeBintools}/bin/${nativeBintools.targetPrefix}strip"
+            "-DCMAKE_RANLIB=${nativeBintools}/bin/${nativeBintools.targetPrefix}ranlib"
+            "-DCMAKE_EXE_LINKER_FLAGS=-L${nativeLibcxxabi}/lib"
+            "-DCMAKE_SHARED_LINKER_FLAGS=-L${nativeLibcxxabi}/lib"
+          ];
+        in "-DCROSS_TOOLCHAIN_FLAGS_NATIVE:list=${lib.concatStringsSep ";" nativeToolchainFlags}"
+      )
+    ];
+
+  # fixes: fatal error: 'clang/Basic/Diagnostic.h' file not found
+  # adapted from upstream
+  # https://github.com/tpoechtrager/apple-libtapi/blob/3cb307764cc5f1856c8a23bbdf3eb49dfc6bea48/build.sh#L58-L60
+  preConfigure = ''
+    INCLUDE_FIX="-I $PWD/projects/clang/include"
+    INCLUDE_FIX+=" -I $PWD/build/projects/clang/include"
+
+    cmakeFlagsArray+=(-DCMAKE_CXX_FLAGS="$INCLUDE_FIX")
+  '';
+
+  buildFlags = [ "clangBasic" "libtapi" "tapi" ];
+
+  installTargets = [ "install-libtapi" "install-tapi-headers" "install-tapi" ];
+
+  meta = with lib; {
+    description = "Replaces the Mach-O Dynamic Library Stub files in Apple's SDKs to reduce the size";
+    homepage = "https://github.com/tpoechtrager/apple-libtapi";
+    license = licenses.ncsa;
+    maintainers = with maintainers; [ matthewbauer ];
+  };
+})
diff --git a/nixpkgs/pkgs/os-specific/darwin/libtapi/disable-rpath.patch b/nixpkgs/pkgs/os-specific/darwin/libtapi/disable-rpath.patch
new file mode 100644
index 000000000000..87c0cf3330de
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/darwin/libtapi/disable-rpath.patch
@@ -0,0 +1,14 @@
+diff --git a/src/llvm/cmake/modules/AddLLVM.cmake b/src/llvm/cmake/modules/AddLLVM.cmake
+index a53016eb0..b65e608a4 100644
+--- a/cmake/modules/AddLLVM.cmake
++++ b/cmake/modules/AddLLVM.cmake
+@@ -1683,8 +1683,7 @@ function(llvm_setup_rpath name)
+   endif()
+ 
+   if (APPLE)
+-    set(_install_name_dir INSTALL_NAME_DIR "@rpath")
+-    set(_install_rpath "@loader_path/../lib" ${extra_libdir})
++    set(_install_name_dir)
+   elseif(UNIX)
+     set(_install_rpath "\$ORIGIN/../lib${LLVM_LIBDIR_SUFFIX}" ${extra_libdir})
+     if(${CMAKE_SYSTEM_NAME} MATCHES "(FreeBSD|DragonFly)")
diff --git a/nixpkgs/pkgs/os-specific/darwin/libtapi/native-clang-tblgen.patch b/nixpkgs/pkgs/os-specific/darwin/libtapi/native-clang-tblgen.patch
new file mode 100644
index 000000000000..9b715766a122
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/darwin/libtapi/native-clang-tblgen.patch
@@ -0,0 +1,21 @@
+diffprojects/libtapi/CMakeLists.txt b/src/llvm/projects/libtapi/CMakeLists.txt
+index 8ee6d8138..8277be147 100644
+--- a/projects/libtapi/CMakeLists.txt
++++ b/projects/libtapi/CMakeLists.txt
+@@ -193,7 +193,15 @@ if (NOT DEFINED CLANG_VERSION)
+   set(CLANG_VERSION "${LLVM_VERSION_MAJOR}.${LLVM_VERSION_MINOR}.${LLVM_VERSION_PATCH}")
+ endif ()
+ if (NOT DEFINED CLANG_TABLEGEN_EXE)
+-  set(CLANG_TABLEGEN_EXE "${LLVM_TOOLS_BINARY_DIR}/clang-tblgen")
++  if(LLVM_USE_HOST_TOOLS)
++    if (NOT CMAKE_CONFIGURATION_TYPES)
++      set(CLANG_TABLEGEN_EXE "${LLVM_NATIVE_BUILD}/bin/clang-tblgen")
++    else()
++      set(CLANG_TABLEGEN_EXE "${LLVM_NATIVE_BUILD}/Release/bin/clang-tblgen")
++    endif()
++  else()
++    set(CLANG_TABLEGEN_EXE "${LLVM_TOOLS_BINARY_DIR}/clang-tblgen")
++  endif ()
+ endif ()
+ 
+ # Include must go first.
diff --git a/nixpkgs/pkgs/os-specific/darwin/lsusb/default.nix b/nixpkgs/pkgs/os-specific/darwin/lsusb/default.nix
new file mode 100644
index 000000000000..712e32f16fe4
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/darwin/lsusb/default.nix
@@ -0,0 +1,28 @@
+{ lib, stdenv, fetchFromGitHub }:
+
+stdenv.mkDerivation {
+  version = "1.0";
+  pname = "lsusb";
+
+  src = fetchFromGitHub {
+    owner = "jlhonora";
+    repo = "lsusb";
+    rev = "8a6bd7084a55a58ade6584af5075c1db16afadd1";
+    sha256 = "0p8pkcgvsx44dd56wgipa8pzi3298qk9h4rl9pwsw1939hjx6h0g";
+  };
+
+  installPhase = ''
+    mkdir -p $out/bin
+    mkdir -p $out/share/man/man8
+    install -m 0755 lsusb $out/bin
+    install -m 0444 man/lsusb.8 $out/share/man/man8
+  '';
+
+  meta = {
+    homepage = "https://github.com/jlhonora/lsusb";
+    description = "lsusb command for Mac OS X";
+    platforms = lib.platforms.darwin;
+    license = lib.licenses.mit;
+    maintainers = [ lib.maintainers.varunpatro ];
+  };
+}
diff --git a/nixpkgs/pkgs/os-specific/darwin/m-cli/default.nix b/nixpkgs/pkgs/os-specific/darwin/m-cli/default.nix
new file mode 100644
index 000000000000..9134fad6012c
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/darwin/m-cli/default.nix
@@ -0,0 +1,45 @@
+{ lib, stdenv, fetchFromGitHub }:
+
+stdenv.mkDerivation rec {
+  pname = "m-cli";
+  version = "0.3.0";
+
+  src = fetchFromGitHub {
+    owner = "rgcr";
+    repo = pname;
+    rev = "v${version}";
+    sha256 = "sha256-KzlE1DdVMLnGmcOS1a2HK4pASofD1EHpdqbzVVIxeb4=";
+  };
+
+  dontBuild = true;
+
+  installPhase = ''
+    local MPATH="$out/share/m"
+
+    gawk -i inplace '{
+      gsub(/^\[ -L.*|^\s+\|\| pushd.*|^popd.*/, "");
+      gsub(/MPATH=.*/, "MPATH='$MPATH'");
+      gsub(/(update|uninstall)_mcli \&\&.*/, "echo NOOP \\&\\& exit 0");
+      print
+    }' m
+
+    install -Dt "$MPATH/plugins" -m755 plugins/*
+
+    install -Dm755 m $out/bin/m
+
+    install -Dt "$out/share/bash-completion/completions/" -m444 completion/bash/m
+    install -Dt "$out/share/fish/vendor_completions.d/" -m444 completion/fish/m.fish
+    install -Dt "$out/share/zsh/site-functions/" -m444 completion/zsh/_m
+  '';
+
+  meta = with lib; {
+    description = "Swiss Army Knife for macOS";
+    inherit (src.meta) homepage;
+
+    license = licenses.mit;
+
+    platforms = platforms.darwin;
+    maintainers = with maintainers; [];
+    mainProgram = "m";
+  };
+}
diff --git a/nixpkgs/pkgs/os-specific/darwin/macfuse/default.nix b/nixpkgs/pkgs/os-specific/darwin/macfuse/default.nix
new file mode 100644
index 000000000000..c63b536f248b
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/darwin/macfuse/default.nix
@@ -0,0 +1,65 @@
+{ lib, stdenv, fetchurl, cpio, xar, undmg, libtapi, DiskArbitration }:
+
+stdenv.mkDerivation rec {
+  pname = "macfuse-stubs";
+  version = "4.4.1";
+
+  src = fetchurl {
+    url = "https://github.com/osxfuse/osxfuse/releases/download/macfuse-${version}/macfuse-${version}.dmg";
+    sha256 = "2a2d0f37ec5fcff547c5efa7d08539103a0b46bc16080c2b41a7e749f6e65c61";
+  };
+
+  nativeBuildInputs = [ cpio xar undmg libtapi ];
+  propagatedBuildInputs = [ DiskArbitration ];
+
+  postUnpack = ''
+    xar -xf 'Install macFUSE.pkg'
+    cd Core.pkg
+    gunzip -dc Payload | cpio -i
+  '';
+
+  sourceRoot = ".";
+
+  buildPhase = ''
+    pushd usr/local/lib
+    for f in *.dylib; do
+      tapi stubify --filetype=tbd-v2  "$f" -o "''${f%%.dylib}.tbd"
+    done
+    sed -i "s|^prefix=.*|prefix=$out|" pkgconfig/fuse.pc
+    popd
+  '';
+
+  # NOTE: Keep in mind that different parts of macFUSE are distributed under a
+  # different license
+  installPhase = ''
+    mkdir -p $out/include $out/lib/pkgconfig
+    cp usr/local/lib/*.tbd $out/lib
+    cp usr/local/lib/pkgconfig/*.pc $out/lib/pkgconfig
+    cp -R usr/local/include/* $out/include
+  '';
+
+  meta = with lib; {
+    homepage = "https://osxfuse.github.io";
+    description = "Build time stubs for FUSE on macOS";
+    longDescription = ''
+      macFUSE is required for this package to work on macOS. To install macFUSE,
+      use the installer from the <link xlink:href="https://osxfuse.github.io/">
+      project website</link>.
+    '';
+    platforms = platforms.darwin;
+    maintainers = with maintainers; [ midchildan ];
+
+    # macFUSE as a whole includes code with restrictions on commercial
+    # redistribution. However, the build artifacts that we actually touch for
+    # this derivation are distributed under a free license.
+    license = with licenses; [
+      lgpl2Plus # libfuse
+    ];
+  };
+
+  passthru.warning = ''
+    macFUSE is required for this package to work on macOS. To install macFUSE,
+    use the installer from the <link xlink:href="https://osxfuse.github.io/">
+    project website</link>.
+  '';
+}
diff --git a/nixpkgs/pkgs/os-specific/darwin/maloader/default.nix b/nixpkgs/pkgs/os-specific/darwin/maloader/default.nix
new file mode 100644
index 000000000000..c59f854b8475
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/darwin/maloader/default.nix
@@ -0,0 +1,40 @@
+{ lib, stdenv, fetchFromGitHub, opencflite, clang, libcxx }:
+
+stdenv.mkDerivation {
+  pname = "maloader";
+  version = "unstable-2014-02-25";
+
+  src = fetchFromGitHub {
+    owner = "shinh";
+    repo = "maloader";
+    rev = "5f220393e0b7b9ad0cf1aba0e89df2b42a1f0442";
+    sha256 = "0dd1pn07x1y8pyn5wz8qcl1c1xwghyya4d060m3y9vx5dhv9xmzw";
+  };
+
+  postPatch = ''
+    sed -i \
+      -e '/if.*loadLibMac.*mypath/s|mypath|"'"$out/lib/"'"|' \
+      -e 's|libCoreFoundation\.so|${opencflite}/lib/&|' \
+      ld-mac.cc
+  '';
+
+  env.NIX_CFLAGS_COMPILE = "-I${lib.getDev libcxx}/include/c++/v1";
+  buildInputs = [ clang libcxx ];
+  buildFlags = [ "USE_LIBCXX=1" "release" ];
+
+  installPhase = ''
+    install -vD libmac.so "$out/lib/libmac.so"
+
+    for bin in extract macho2elf ld-mac; do
+      install -vD "$bin" "$out/bin/$bin"
+    done
+  '';
+
+  meta = {
+    description = "Mach-O loader for Linux";
+    homepage = "https://github.com/shinh/maloader";
+    license = lib.licenses.bsd2;
+    platforms = lib.platforms.linux;
+    broken = true; # 2018-09-08, no succesful build since 2017-08-21
+  };
+}
diff --git a/nixpkgs/pkgs/os-specific/darwin/mas/default.nix b/nixpkgs/pkgs/os-specific/darwin/mas/default.nix
new file mode 100644
index 000000000000..968cb10cd5a3
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/darwin/mas/default.nix
@@ -0,0 +1,41 @@
+{ lib
+, stdenvNoCC
+, fetchurl
+, installShellFiles
+, testers
+, mas
+}:
+
+stdenvNoCC.mkDerivation rec {
+  pname = "mas";
+  version = "1.8.6";
+
+  src = fetchurl {
+    # Use the tarball until https://github.com/mas-cli/mas/issues/452 is fixed.
+    # Even though it looks like an OS/arch specific build it is actually a universal binary.
+    url = "https://github.com/mas-cli/mas/releases/download/v${version}/mas-${version}.monterey.bottle.tar.gz";
+    sha256 = "0q4skdhymgn5xrwafyisfshx327faia682yv83mf68r61m2jl10d";
+  };
+
+  nativeBuildInputs = [ installShellFiles ];
+
+  installPhase = ''
+    install -D './${version}/bin/mas' "$out/bin/mas"
+    installShellCompletion --cmd mas --bash './${version}/etc/bash_completion.d/mas'
+  '';
+
+  passthru.tests = {
+    version = testers.testVersion {
+      package = mas;
+      command = "mas version";
+    };
+  };
+
+  meta = with lib; {
+    description = "Mac App Store command line interface";
+    homepage = "https://github.com/mas-cli/mas";
+    license = licenses.mit;
+    maintainers = with maintainers; [ steinybot zachcoyle ];
+    platforms = [ "x86_64-darwin" "aarch64-darwin" ];
+  };
+}
diff --git a/nixpkgs/pkgs/os-specific/darwin/moltenvk/MoltenVK.xcodeproj.patch b/nixpkgs/pkgs/os-specific/darwin/moltenvk/MoltenVK.xcodeproj.patch
new file mode 100644
index 000000000000..e4b03dfe0cc3
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/darwin/moltenvk/MoltenVK.xcodeproj.patch
@@ -0,0 +1,88 @@
+diff --git a/MoltenVK/MoltenVK.xcodeproj/project.pbxproj b/MoltenVK/MoltenVK.xcodeproj/project.pbxproj
+index c23afce4..12ac12f4 100644
+--- a/MoltenVK/MoltenVK.xcodeproj/project.pbxproj
++++ b/MoltenVK/MoltenVK.xcodeproj/project.pbxproj
+@@ -365,13 +365,6 @@
+ /* End PBXBuildFile section */
+ 
+ /* Begin PBXContainerItemProxy section */
+-		2F21D82E24983488009BEA5F /* PBXContainerItemProxy */ = {
+-			isa = PBXContainerItemProxy;
+-			containerPortal = A9C86CB61C55B8350096CAF2 /* MoltenVKShaderConverter.xcodeproj */;
+-			proxyType = 1;
+-			remoteGlobalIDString = 2FEA0CFF2490381A00EEF3AD;
+-			remoteInfo = "MoltenVKSPIRVToMSLConverter-tvOS";
+-		};
+ 		2FEA0D1B249040CA00EEF3AD /* PBXContainerItemProxy */ = {
+ 			isa = PBXContainerItemProxy;
+ 			containerPortal = A9C86CB61C55B8350096CAF2 /* MoltenVKShaderConverter.xcodeproj */;
+@@ -400,20 +393,6 @@
+ 			remoteGlobalIDString = A93903C71C57E9ED00FE90DC;
+ 			remoteInfo = "MVKSPIRVToMSLConverter-macOS";
+ 		};
+-		A981499A1FB6B9CF005F00B4 /* PBXContainerItemProxy */ = {
+-			isa = PBXContainerItemProxy;
+-			containerPortal = A9C86CB61C55B8350096CAF2 /* MoltenVKShaderConverter.xcodeproj */;
+-			proxyType = 1;
+-			remoteGlobalIDString = A93903B81C57E9D700FE90DC;
+-			remoteInfo = "MVKSPIRVToMSLConverter-iOS";
+-		};
+-		A9B1C7F4251AA5AF001D12CC /* PBXContainerItemProxy */ = {
+-			isa = PBXContainerItemProxy;
+-			containerPortal = A9C86CB61C55B8350096CAF2 /* MoltenVKShaderConverter.xcodeproj */;
+-			proxyType = 1;
+-			remoteGlobalIDString = A9092A8C1A81717B00051823;
+-			remoteInfo = MoltenVKShaderConverter;
+-		};
+ /* End PBXContainerItemProxy section */
+ 
+ /* Begin PBXFileReference section */
+@@ -1019,7 +998,6 @@
+ 			buildRules = (
+ 			);
+ 			dependencies = (
+-				2F21D82F24983488009BEA5F /* PBXTargetDependency */,
+ 			);
+ 			name = "MoltenVK-tvOS";
+ 			productName = MoltenVK;
+@@ -1039,7 +1017,6 @@
+ 			buildRules = (
+ 			);
+ 			dependencies = (
+-				A981499B1FB6B9CF005F00B4 /* PBXTargetDependency */,
+ 			);
+ 			name = "MoltenVK-iOS";
+ 			productName = MoltenVK;
+@@ -1059,7 +1036,6 @@
+ 			buildRules = (
+ 			);
+ 			dependencies = (
+-				A9B1C7F5251AA5AF001D12CC /* PBXTargetDependency */,
+ 			);
+ 			name = "MoltenVK-macOS";
+ 			productName = MoltenVK;
+@@ -1476,24 +1452,6 @@
+ 		};
+ /* End PBXSourcesBuildPhase section */
+ 
+-/* Begin PBXTargetDependency section */
+-		2F21D82F24983488009BEA5F /* PBXTargetDependency */ = {
+-			isa = PBXTargetDependency;
+-			name = "MoltenVKSPIRVToMSLConverter-tvOS";
+-			targetProxy = 2F21D82E24983488009BEA5F /* PBXContainerItemProxy */;
+-		};
+-		A981499B1FB6B9CF005F00B4 /* PBXTargetDependency */ = {
+-			isa = PBXTargetDependency;
+-			name = "MVKSPIRVToMSLConverter-iOS";
+-			targetProxy = A981499A1FB6B9CF005F00B4 /* PBXContainerItemProxy */;
+-		};
+-		A9B1C7F5251AA5AF001D12CC /* PBXTargetDependency */ = {
+-			isa = PBXTargetDependency;
+-			name = MoltenVKShaderConverter;
+-			targetProxy = A9B1C7F4251AA5AF001D12CC /* PBXContainerItemProxy */;
+-		};
+-/* End PBXTargetDependency section */
+-
+ /* Begin XCBuildConfiguration section */
+ 		2FEA0AB824902F9F00EEF3AD /* Debug */ = {
+ 			isa = XCBuildConfiguration;
diff --git a/nixpkgs/pkgs/os-specific/darwin/moltenvk/MoltenVKShaderConverter.xcodeproj.patch b/nixpkgs/pkgs/os-specific/darwin/moltenvk/MoltenVKShaderConverter.xcodeproj.patch
new file mode 100644
index 000000000000..ecc5242684d9
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/darwin/moltenvk/MoltenVKShaderConverter.xcodeproj.patch
@@ -0,0 +1,84 @@
+diff --git a/MoltenVKShaderConverter/MoltenVKShaderConverter.xcodeproj/project.pbxproj b/MoltenVKShaderConverter/MoltenVKShaderConverter.xcodeproj/project.pbxproj
+index c7842b63..d55f73ed 100644
+--- a/MoltenVKShaderConverter/MoltenVKShaderConverter.xcodeproj/project.pbxproj
++++ b/MoltenVKShaderConverter/MoltenVKShaderConverter.xcodeproj/project.pbxproj
+@@ -3,7 +3,7 @@
+ 	archiveVersion = 1;
+ 	classes = {
+ 	};
+-	objectVersion = 52;
++	objectVersion = 48;
+ 	objects = {
+
+ /* Begin PBXBuildFile section */
+@@ -33,9 +33,6 @@
+ 		A920A8AC251B75B70076851C /* GLSLToSPIRVConverter.h in Headers */ = {isa = PBXBuildFile; fileRef = A920A8A2251B75B70076851C /* GLSLToSPIRVConverter.h */; };
+ 		A920A8AD251B75B80076851C /* GLSLToSPIRVConverter.h in Headers */ = {isa = PBXBuildFile; fileRef = A920A8A2251B75B70076851C /* GLSLToSPIRVConverter.h */; };
+ 		A920A8AE251B75B80076851C /* GLSLToSPIRVConverter.h in Headers */ = {isa = PBXBuildFile; fileRef = A920A8A2251B75B70076851C /* GLSLToSPIRVConverter.h */; };
+-		A920A8AF251B77900076851C /* glslang.xcframework in Frameworks */ = {isa = PBXBuildFile; fileRef = A98386FD24EEE93700199A05 /* glslang.xcframework */; };
+-		A920A8B0251B77910076851C /* glslang.xcframework in Frameworks */ = {isa = PBXBuildFile; fileRef = A98386FD24EEE93700199A05 /* glslang.xcframework */; };
+-		A920A8B1251B77920076851C /* glslang.xcframework in Frameworks */ = {isa = PBXBuildFile; fileRef = A98386FD24EEE93700199A05 /* glslang.xcframework */; };
+ 		A925B71B1C78DEB2006E7ECD /* libMoltenVKShaderConverter.a in Frameworks */ = {isa = PBXBuildFile; fileRef = A93903C71C57E9ED00FE90DC /* libMoltenVKShaderConverter.a */; };
+ 		A928C9191D0488DC00071B88 /* SPIRVConversion.h in Headers */ = {isa = PBXBuildFile; fileRef = A928C9171D0488DC00071B88 /* SPIRVConversion.h */; };
+ 		A928C91A1D0488DC00071B88 /* SPIRVConversion.h in Headers */ = {isa = PBXBuildFile; fileRef = A928C9171D0488DC00071B88 /* SPIRVConversion.h */; };
+@@ -55,12 +52,6 @@
+ 		A97CC7411C7527F3004A5C7E /* MoltenVKShaderConverterTool.cpp in Sources */ = {isa = PBXBuildFile; fileRef = A97CC73E1C7527F3004A5C7E /* MoltenVKShaderConverterTool.cpp */; };
+ 		A98149681FB6A98A005F00B4 /* MVKStrings.h in Headers */ = {isa = PBXBuildFile; fileRef = A98149651FB6A98A005F00B4 /* MVKStrings.h */; };
+ 		A98149691FB6A98A005F00B4 /* MVKStrings.h in Headers */ = {isa = PBXBuildFile; fileRef = A98149651FB6A98A005F00B4 /* MVKStrings.h */; };
+-		A98386FA24EEE91A00199A05 /* SPIRVCross.xcframework in Frameworks */ = {isa = PBXBuildFile; fileRef = A98386F824EEE91A00199A05 /* SPIRVCross.xcframework */; };
+-		A98386FB24EEE91A00199A05 /* SPIRVCross.xcframework in Frameworks */ = {isa = PBXBuildFile; fileRef = A98386F824EEE91A00199A05 /* SPIRVCross.xcframework */; };
+-		A98386FC24EEE91A00199A05 /* SPIRVCross.xcframework in Frameworks */ = {isa = PBXBuildFile; fileRef = A98386F824EEE91A00199A05 /* SPIRVCross.xcframework */; };
+-		A983870724EEE94800199A05 /* SPIRVTools.xcframework in Frameworks */ = {isa = PBXBuildFile; fileRef = A983870224EEE94800199A05 /* SPIRVTools.xcframework */; };
+-		A983870824EEE94800199A05 /* SPIRVTools.xcframework in Frameworks */ = {isa = PBXBuildFile; fileRef = A983870224EEE94800199A05 /* SPIRVTools.xcframework */; };
+-		A983870924EEE94800199A05 /* SPIRVTools.xcframework in Frameworks */ = {isa = PBXBuildFile; fileRef = A983870224EEE94800199A05 /* SPIRVTools.xcframework */; };
+ 		A9A14E332244388700C080F3 /* Metal.framework in Frameworks */ = {isa = PBXBuildFile; fileRef = A9A14E322244388700C080F3 /* Metal.framework */; };
+ 		A9B51BDD225E98BB00AC74D2 /* MVKOSExtensions.mm in Sources */ = {isa = PBXBuildFile; fileRef = A9B51BDB225E98BB00AC74D2 /* MVKOSExtensions.mm */; };
+ 		A9F042B21FB4D060009FCCB8 /* MVKCommonEnvironment.h in Headers */ = {isa = PBXBuildFile; fileRef = A9F042AA1FB4D060009FCCB8 /* MVKCommonEnvironment.h */; };
+@@ -115,9 +106,6 @@
+ 			isa = PBXFrameworksBuildPhase;
+ 			buildActionMask = 2147483647;
+ 			files = (
+-				A983870824EEE94800199A05 /* SPIRVTools.xcframework in Frameworks */,
+-				A98386FB24EEE91A00199A05 /* SPIRVCross.xcframework in Frameworks */,
+-				A920A8B0251B77910076851C /* glslang.xcframework in Frameworks */,
+ 			);
+ 			runOnlyForDeploymentPostprocessing = 0;
+ 		};
+@@ -134,9 +122,6 @@
+ 			isa = PBXFrameworksBuildPhase;
+ 			buildActionMask = 2147483647;
+ 			files = (
+-				A983870724EEE94800199A05 /* SPIRVTools.xcframework in Frameworks */,
+-				A98386FA24EEE91A00199A05 /* SPIRVCross.xcframework in Frameworks */,
+-				A920A8AF251B77900076851C /* glslang.xcframework in Frameworks */,
+ 			);
+ 			runOnlyForDeploymentPostprocessing = 0;
+ 		};
+@@ -144,9 +129,6 @@
+ 			isa = PBXFrameworksBuildPhase;
+ 			buildActionMask = 2147483647;
+ 			files = (
+-				A983870924EEE94800199A05 /* SPIRVTools.xcframework in Frameworks */,
+-				A98386FC24EEE91A00199A05 /* SPIRVCross.xcframework in Frameworks */,
+-				A920A8B1251B77920076851C /* glslang.xcframework in Frameworks */,
+ 			);
+ 			runOnlyForDeploymentPostprocessing = 0;
+ 		};
+@@ -313,7 +295,7 @@
+ 				A925B71D1C78DEBF006E7ECD /* PBXTargetDependency */,
+ 			);
+ 			name = MoltenVKShaderConverter;
+-			productName = MetalGLShaderConverterTool;
++			productName = MoltenVKShaderConverter;
+ 			productReference = A964BD5F1C57EFBD00D930D8 /* MoltenVKShaderConverter */;
+ 			productType = "com.apple.product-type.tool";
+ 		};
+@@ -349,7 +331,7 @@
+ 			dependencies = (
+ 			);
+ 			name = "MoltenVKShaderConverter-macOS";
+-			productName = "MetalGLShaderConverter-macOS";
++			productName = MoltenVKShaderConverter;
+ 			productReference = A93903C71C57E9ED00FE90DC /* libMoltenVKShaderConverter.a */;
+ 			productType = "com.apple.product-type.library.static";
+ 		};
diff --git a/nixpkgs/pkgs/os-specific/darwin/moltenvk/default.nix b/nixpkgs/pkgs/os-specific/darwin/moltenvk/default.nix
new file mode 100644
index 000000000000..41f929fe90ff
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/darwin/moltenvk/default.nix
@@ -0,0 +1,163 @@
+{ lib
+, overrideCC
+, stdenv
+, fetchurl
+, fetchFromGitHub
+, gitUpdater
+, cctools
+, sigtool
+, cereal
+, libcxx
+, glslang
+, spirv-cross
+, spirv-headers
+, spirv-tools
+, vulkan-headers
+, xcbuild
+, AppKit
+, Foundation
+, Libsystem
+, MacOSX-SDK
+, Metal
+, QuartzCore
+}:
+
+stdenv.mkDerivation (finalAttrs: {
+  pname = "MoltenVK";
+  version = "1.2.4";
+
+  buildInputs = [
+    AppKit
+    Foundation
+    Metal
+    QuartzCore
+    cereal
+    glslang
+    spirv-cross
+    spirv-headers
+    spirv-tools
+    vulkan-headers
+  ];
+
+  nativeBuildInputs = [ cctools sigtool xcbuild ];
+
+  outputs = [ "out" "bin" "dev" ];
+
+  src = fetchFromGitHub {
+    owner = "KhronosGroup";
+    repo = "MoltenVK";
+    rev = "v${finalAttrs.version}";
+    hash = "sha256-BL46BgZHUpk0dpzmeZ/2W0msHxFwieeGDjmVB8Nb1J4=";
+  };
+
+  patches = [
+    # Fix the Xcode projects to play nicely with `xcbuild`.
+    ./MoltenVKShaderConverter.xcodeproj.patch
+    ./MoltenVK.xcodeproj.patch
+  ];
+
+  postPatch = ''
+    # Move `mvkGitRevDerived.h` to a stable location
+    substituteInPlace Scripts/gen_moltenvk_rev_hdr.sh \
+      --replace '$'''{BUILT_PRODUCTS_DIR}' "$NIX_BUILD_TOP/$sourceRoot/build/include" \
+      --replace '$(git rev-parse HEAD)' ${finalAttrs.src.rev}
+    # Use the SPIRV-Cross packaged in nixpkgs instead of one built specifically for MoltenVK.
+    substituteInPlace MoltenVK/MoltenVK.xcodeproj/project.pbxproj \
+      --replace SPIRV_CROSS_NAMESPACE_OVERRIDE=MVK_spirv_cross SPIRV_CROSS_NAMESPACE_OVERRIDE=spirv_cross
+    substituteInPlace MoltenVKShaderConverter/MoltenVKShaderConverter.xcodeproj/project.pbxproj \
+      --replace SPIRV_CROSS_NAMESPACE_OVERRIDE=MVK_spirv_cross SPIRV_CROSS_NAMESPACE_OVERRIDE=spirv_cross
+    # Adding all of `usr/include` from the SDK results in header conflicts with `libcxx.dev`.
+    # Work around it by symlinking just the SIMD stuff needed by MoltenVK.
+    mkdir -p build/include
+    ln -s "${MacOSX-SDK}/usr/include/simd" "build/include"
+  '';
+
+  dontConfigure = true;
+
+  env.NIX_CFLAGS_COMPILE = toString [
+    "-isystem ${lib.getDev libcxx}/include/c++/v1"
+    "-I${lib.getDev spirv-cross}/include/spirv_cross"
+    "-I${lib.getDev spirv-headers}/include/spirv/unified1/"
+  ];
+
+  buildPhase = ''
+    NIX_CFLAGS_COMPILE+=" \
+      -I$NIX_BUILD_TOP/$sourceRoot/build/include \
+      -I$NIX_BUILD_TOP/$sourceRoot/Common"
+    NIX_LDFLAGS+=" -L$NIX_BUILD_TOP/$sourceRoot/build/lib"
+
+    # Build each project on its own because `xcbuild` fails to build `MoltenVKPackaging.xcodeproj`.
+    build=$NIX_BUILD_TOP/$sourceRoot/build
+    mkdir -p "$build/bin" "$build/lib"
+
+    NIX_LDFLAGS+=" \
+      -lMachineIndependent \
+      -lGenericCodeGen \
+      -lOGLCompiler \
+      -lglslang \
+      -lOSDependent \
+      -lSPIRV \
+      -lSPIRV-Tools \
+      -lSPIRV-Tools-opt \
+      -lspirv-cross-msl \
+      -lspirv-cross-core \
+      -lspirv-cross-glsl"
+
+    pushd MoltenVKShaderConverter
+    xcodebuild build \
+      -jobs $NIX_BUILD_CORES \
+      -configuration Release \
+      -project MoltenVKShaderConverter.xcodeproj \
+      -scheme MoltenVKShaderConverter \
+      -arch ${stdenv.targetPlatform.darwinArch}
+    declare -A products=( [MoltenVKShaderConverter]=bin [libMoltenVKShaderConverter.a]=lib )
+    for product in "''${!products[@]}"; do
+      cp MoltenVKShaderConverter-*/Build/Products/Release/$product "$build/''${products[$product]}/$product"
+    done
+    popd
+
+    NIX_LDFLAGS+=" \
+      -lobjc \
+      -lMoltenVKShaderConverter \
+      -lspirv-cross-reflect"
+
+    pushd MoltenVK
+    xcodebuild build \
+      -jobs $NIX_BUILD_CORES \
+      -configuration Release \
+      -project MoltenVK.xcodeproj \
+      -scheme MoltenVK-macOS \
+      -arch ${stdenv.targetPlatform.darwinArch}
+    cp MoltenVK-*/Build/Products/Release/dynamic/libMoltenVK.dylib "$build/lib/libMoltenVK.dylib"
+    popd
+  '';
+
+  installPhase = ''
+    mkdir -p "$out/lib" "$out/share/vulkan/icd.d" "$bin/bin" "$dev/include/MoltenVK"
+    cp build/bin/MoltenVKShaderConverter "$bin/bin/"
+    cp build/lib/libMoltenVK.dylib "$out/lib/"
+    cp MoltenVK/MoltenVK/API/* "$dev/include/MoltenVK"
+    install -m644 MoltenVK/icd/MoltenVK_icd.json "$out/share/vulkan/icd.d/MoltenVK_icd.json"
+    substituteInPlace $out/share/vulkan/icd.d/MoltenVK_icd.json \
+      --replace ./libMoltenVK.dylib "$out/lib/libMoltenVK.dylib"
+  '';
+
+  postFixup = ''
+    install_name_tool -id "$out/lib/libMoltenVK.dylib" "$out/lib/libMoltenVK.dylib"
+    codesign -s - -f "$out/lib/libMoltenVK.dylib"
+    codesign -s - -f "$bin/bin/MoltenVKShaderConverter"
+  '';
+
+  passthru.updateScript = gitUpdater {
+    rev-prefix = "v";
+  };
+
+  meta = {
+    description = "A Vulkan Portability implementation built on top of Apple’s Metal API";
+    homepage = "https://github.com/KhronosGroup/MoltenVK";
+    changelog = "https://github.com/KhronosGroup/MoltenVK/releases";
+    maintainers = [ lib.maintainers.reckenrode ];
+    license = lib.licenses.asl20;
+    platforms = lib.platforms.darwin;
+  };
+})
diff --git a/nixpkgs/pkgs/os-specific/darwin/mysides/default.nix b/nixpkgs/pkgs/os-specific/darwin/mysides/default.nix
new file mode 100644
index 000000000000..cdbfee5046a2
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/darwin/mysides/default.nix
@@ -0,0 +1,36 @@
+{ lib, stdenv, fetchurl, libarchive, p7zip }:
+
+stdenv.mkDerivation rec {
+  pname = "mysides";
+  version = "1.0.1";
+
+  src = fetchurl {
+    url = "https://github.com/mosen/mysides/releases/download/v${version}/mysides-${version}.pkg";
+    sha256 = "sha256-dpRrj3xb9xQSXXXxragUDgNPBaniiMc6evRF12wqVRQ=";
+  };
+
+  dontBuild = true;
+  nativeBuildInputs = [ libarchive p7zip ];
+
+  unpackPhase = ''
+    7z x $src
+    bsdtar -xf Payload~
+  '';
+
+  installPhase = ''
+    runHook preInstall
+
+    mkdir -p $out/bin
+    install -Dm755 usr/local/bin/mysides -t $out/bin
+
+    runHook postInstall
+  '';
+
+  meta = with lib; {
+    description = "Manage macOS Finder sidebar favorites";
+    homepage = "https://github.com/mosen/mysides";
+    license = licenses.mit;
+    maintainers = with maintainers; [ tboerger ];
+    platforms = platforms.darwin;
+  };
+}
diff --git a/nixpkgs/pkgs/os-specific/darwin/native-x11-and-opengl/default.nix b/nixpkgs/pkgs/os-specific/darwin/native-x11-and-opengl/default.nix
new file mode 100644
index 000000000000..fa3d4284e597
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/darwin/native-x11-and-opengl/default.nix
@@ -0,0 +1,14 @@
+{ stdenv, writeScript }:
+
+stdenv.mkDerivation rec {
+  name = "darwin-native-x11-and-opengl";
+
+  builder = writeScript "${name}-builder.sh" ''
+    /bin/mkdir -p $out
+    /bin/mkdir $out/lib
+    /bin/ln -sv /usr/X11/lib/{*.dylib,X11,xorg} $out/lib
+    /bin/mkdir $out/lib/pkgconfig
+    /bin/ln -sv /usr/X11/lib/pkgconfig/{x*.pc,gl*.pc} $out/lib/pkgconfig
+    /bin/ln -sv /usr/X11/{bin,include,share} $out/
+  '';
+}
diff --git a/nixpkgs/pkgs/os-specific/darwin/noah/default.nix b/nixpkgs/pkgs/os-specific/darwin/noah/default.nix
new file mode 100644
index 000000000000..b8cb1424cdda
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/darwin/noah/default.nix
@@ -0,0 +1,26 @@
+{ lib, stdenv, fetchFromGitHub, cmake, Hypervisor }:
+
+stdenv.mkDerivation rec {
+  pname = "noah";
+  version = "0.5.1";
+
+  src = fetchFromGitHub {
+    owner = "linux-noah";
+    repo = pname;
+    rev = version;
+    sha256 = "0bivfsgb56kndz61lzjgdcnqlhjikqw89ma0h6f6radyvfzy0vis";
+  };
+
+  nativeBuildInputs = [ cmake ];
+  buildInputs = [ Hypervisor ];
+
+  meta = with lib; {
+    description = "Bash on Ubuntu on macOS";
+    homepage = "https://github.com/linux-noah/noah";
+    license = [ licenses.mit licenses.gpl2 ];
+    maintainers = [ maintainers.marsam ];
+    platforms = platforms.darwin;
+    # never built on aarch64-darwin since first introduction in nixpkgs
+    broken = stdenv.isDarwin && stdenv.isAarch64;
+  };
+}
diff --git a/nixpkgs/pkgs/os-specific/darwin/opencflite/default.nix b/nixpkgs/pkgs/os-specific/darwin/opencflite/default.nix
new file mode 100644
index 000000000000..937d0763feff
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/darwin/opencflite/default.nix
@@ -0,0 +1,21 @@
+{ lib, stdenv, fetchurl, icu, libuuid, tzdata }:
+
+stdenv.mkDerivation rec {
+  pname = "opencflite";
+  version = "476.19.0";
+
+  src = fetchurl {
+    url = "mirror://sourceforge/opencflite/${pname}-${version}.tar.gz";
+    sha256 = "0jgmzs0ycl930hmzcvx0ykryik56704yw62w394q1q3xw5kkjn9v";
+  };
+
+  configureFlags = [ "--with-uuid=${libuuid.dev}" ];
+  buildInputs = [ icu tzdata.dev ];
+  enableParallelBuilding = true;
+
+  meta = {
+    description = "Cross platform port of the macOS CoreFoundation";
+    homepage = "https://sourceforge.net/projects/opencflite/";
+    license = lib.licenses.apsl20;
+  };
+}
diff --git a/nixpkgs/pkgs/os-specific/darwin/openwith/default.nix b/nixpkgs/pkgs/os-specific/darwin/openwith/default.nix
new file mode 100644
index 000000000000..eb78f7a1344c
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/darwin/openwith/default.nix
@@ -0,0 +1,37 @@
+{ lib, stdenv, fetchFromGitHub, swift, AppKit, Foundation, UniformTypeIdentifiers }:
+
+let
+  arch = if stdenv.isAarch64 then "arm64" else "x86_64";
+in
+stdenv.mkDerivation rec {
+  pname = "openwith";
+  version = "unstable-2022-10-28";
+
+  src = fetchFromGitHub {
+    owner = "jdek";
+    repo = "openwith";
+    rev = "a8a99ba0d1cabee7cb470994a1e2507385c30b6e";
+    hash = "sha256-lysleg3qM2MndXeKjNk+Y9Tkk40urXA2ZdxY5KZNANo=";
+  };
+
+  nativeBuildInputs = [ swift ];
+
+  buildInputs = [ AppKit Foundation UniformTypeIdentifiers ];
+
+  makeFlags = [ "openwith_${arch}" ];
+
+  installPhase = ''
+    runHook preInstall
+    install openwith_${arch} -D $out/bin/openwith
+    runHook postInstall
+  '';
+
+  meta = with lib; {
+    description = "Utility to specify which application bundle should open specific file extensions";
+    homepage = "https://github.com/jdek/openwith";
+    license = licenses.unlicense;
+    maintainers = with maintainers; [ zowoq ];
+    platforms = [ "aarch64-darwin" "x86_64-darwin" ];
+    broken = stdenv.isx86_64; # https://hydra.nixos.org/build/219354133/nixlog/3
+  };
+}
diff --git a/nixpkgs/pkgs/os-specific/darwin/osx-cpu-temp/default.nix b/nixpkgs/pkgs/os-specific/darwin/osx-cpu-temp/default.nix
new file mode 100644
index 000000000000..ea9d8399667a
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/darwin/osx-cpu-temp/default.nix
@@ -0,0 +1,31 @@
+{ lib, stdenv, fetchFromGitHub
+, IOKit
+}:
+
+stdenv.mkDerivation rec {
+  pname = "osx-cpu-temp";
+  version = "unstable-2020-12-04";
+
+  src = fetchFromGitHub rec {
+    name = "osx-cpu-temp-source";
+    owner = "lavoiesl";
+    repo = pname;
+    rev = "6ec951be449badcb7fb84676bbc2c521e600e844";
+    sha256 = "1nlibgr55bpln6jbdf8vqcp0fj9zv9343vflb7s9w0yh33fsbg9d";
+  };
+
+  buildInputs = [ IOKit ];
+
+  installPhase = ''
+    mkdir -p $out/bin
+    cp osx-cpu-temp $out/bin
+  '';
+
+  meta = with lib; {
+    description = "Outputs current CPU temperature for OSX.";
+    homepage = "https://github.com/lavoiesl/osx-cpu-temp";
+    license = licenses.gpl2;
+    maintainers = with maintainers; [ virusdave ];
+    platforms = platforms.darwin;
+  };
+}
diff --git a/nixpkgs/pkgs/os-specific/darwin/osxsnarf/default.nix b/nixpkgs/pkgs/os-specific/darwin/osxsnarf/default.nix
new file mode 100644
index 000000000000..e31271ed2b97
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/darwin/osxsnarf/default.nix
@@ -0,0 +1,24 @@
+{ stdenv, lib, fetchFromGitHub, plan9port, darwin, ... }:
+
+stdenv.mkDerivation rec {
+  pname = "osxsnarf";
+  version = "0.1.0";
+
+  src = fetchFromGitHub {
+    owner = "eraserhd";
+    repo = "osxsnarf";
+    rev = "v${version}";
+    sha256 = "1vpg39mpc5avnv1j0yfx0x2ncvv38slmm83zv6nmm7alfwfjr2ss";
+  };
+
+  buildInputs = [ plan9port darwin.apple_sdk.frameworks.Carbon ];
+  makeFlags = [ "prefix=${placeholder "out"}" ];
+
+  meta = with lib; {
+    description = "A Plan 9-inspired way to share your OS X clipboard";
+    homepage = "https://github.com/eraserhd/osxsnarf";
+    license = licenses.unlicense;
+    platforms = platforms.darwin;
+    maintainers = [ maintainers.eraserhd ];
+  };
+}
diff --git a/nixpkgs/pkgs/os-specific/darwin/pam-reattach/default.nix b/nixpkgs/pkgs/os-specific/darwin/pam-reattach/default.nix
new file mode 100644
index 000000000000..4350865080f0
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/darwin/pam-reattach/default.nix
@@ -0,0 +1,36 @@
+{ lib, stdenv, fetchFromGitHub, cmake, openpam, darwin }:
+
+stdenv.mkDerivation rec {
+  pname = "pam_reattach";
+  version = "1.3";
+
+  src = fetchFromGitHub {
+    owner = "fabianishere";
+    repo = pname;
+    rev = "v${version}";
+    sha256 = "1k77kxqszdwgrb50w7algj22pb4fy5b9649cjb08zq9fqrzxcbz7";
+  };
+
+  cmakeFlags = [
+    "-DCMAKE_OSX_ARCHITECTURES=${
+      if stdenv.hostPlatform.system == "x86_64-darwin" then
+        "x86_64"
+      else
+        "arm64"
+    }"
+    "-DENABLE_CLI=ON"
+  ] ++ lib.optional (!stdenv.isAarch64) "-DCMAKE_LIBRARY_PATH=${darwin.apple_sdk.sdk}/usr/lib";
+
+  buildInputs = [ openpam ]
+    ++ lib.optional (!stdenv.isAarch64) darwin.apple_sdk.sdk;
+
+  nativeBuildInputs = [ cmake ];
+
+  meta = with lib; {
+    homepage = "https://github.com/fabianishere/pam_reattach";
+    description = "Reattach to the user's GUI session on macOS during authentication (for Touch ID support in tmux)";
+    license = licenses.mit;
+    maintainers = with maintainers; [ lockejan ];
+    platforms = platforms.darwin;
+  };
+}
diff --git a/nixpkgs/pkgs/os-specific/darwin/plistwatch/default.nix b/nixpkgs/pkgs/os-specific/darwin/plistwatch/default.nix
new file mode 100644
index 000000000000..0c99363510c8
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/darwin/plistwatch/default.nix
@@ -0,0 +1,31 @@
+{ lib
+, buildGoModule
+, fetchFromGitHub
+}:
+
+buildGoModule rec {
+  pname = "plistwatch";
+  version = "unstable-2023-06-22";
+
+  src = fetchFromGitHub {
+    owner = "catilac";
+    repo = "plistwatch";
+    rev = "34d808c1509eea22fe88a2dbb6f0a1669a2a5b23";
+    hash = "sha256-kMHi5xKbiwO+/6Eb8oJz7ECoUybFE+IUDz7VfJueB3g=";
+  };
+
+  vendorHash = "sha256-Layg1axFN86OFgxEyNFtIlm6Jtx317jZb/KH6IjJ8e4=";
+
+  #add missing dependencies and hashes
+  patches = [ ./go-modules.patch ];
+
+  doCheck = false;
+
+  meta = with lib; {
+    description = "Monitors and prints changes to MacOS plists in real time";
+    homepage = "https://github.com/catilac/plistwatch";
+    maintainers = with maintainers; [ gdinh ];
+    license = licenses.mit;
+    platforms = platforms.darwin;
+  };
+}
diff --git a/nixpkgs/pkgs/os-specific/darwin/plistwatch/go-modules.patch b/nixpkgs/pkgs/os-specific/darwin/plistwatch/go-modules.patch
new file mode 100644
index 000000000000..94d7cc01e24e
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/darwin/plistwatch/go-modules.patch
@@ -0,0 +1,19 @@
+--- a/go.mod
++++ b/go.mod
+@@ -3,1 +3,6 @@
+  go 1.14
++ require(
++   github.com/jessevdk/go-flags v1.5.0
++   howett.net/plist v0.0.0-20200419221736-3b63eb3a43b5
++   gopkg.in/yaml.v1 v1.0.0-20140924161607-9f9df34309c0 // indirect
++ )
+--- a/go.sum
++++ b/go.sum
+@@ -9,1 +9,7 @@
+  howett.net/plist v0.0.0-20200419221736-3b63eb3a43b5/go.mod h1:vMygbs4qMhSZSc4lCUl2OEE+rDiIIJAIdR4m7MiMcm0=
++ gopkg.in/yaml.v1 v1.0.0-20140924161607-9f9df34309c0 h1:POO/ycCATvegFmVuPpQzZFJ+pGZeX22Ufu6fibxDVjU=
++ gopkg.in/yaml.v1 v1.0.0-20140924161607-9f9df34309c0/go.mod h1:WDnlLJ4WF5VGsH/HVa3CI79GS0ol3YnhVnKP89i0kNg=
++ github.com/jessevdk/go-flags v1.5.0 h1:1jKYvbxEjfUl0fmqTCOfonvskHHXMjBySTLW4y9LFvc=
++ github.com/jessevdk/go-flags v1.5.0/go.mod h1:Fw0T6WPc1dYxT4mKEZRfG5kJhaTDP9pj1c2EWnYs/m4=
++ golang.org/x/sys v0.0.0-20210320140829-1e4c9ba3b0c4 h1:EZ2mChiOa8udjfp6rRmswTbtZN/QzUQp4ptM4rnjHvc=
++ golang.org/x/sys v0.0.0-20210320140829-1e4c9ba3b0c4/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
diff --git a/nixpkgs/pkgs/os-specific/darwin/pngpaste/default.nix b/nixpkgs/pkgs/os-specific/darwin/pngpaste/default.nix
new file mode 100644
index 000000000000..99ae8048f7fd
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/darwin/pngpaste/default.nix
@@ -0,0 +1,37 @@
+{ lib, stdenv, fetchFromGitHub, AppKit, Cocoa }:
+
+let
+  pname = "pngpaste";
+  version = "0.2.3";
+in stdenv.mkDerivation {
+  inherit pname version;
+  src = fetchFromGitHub {
+    owner = "jcsalterego";
+    repo = pname;
+    rev = version;
+    sha256 = "uvajxSelk1Wfd5is5kmT2fzDShlufBgC0PDCeabEOSE=";
+  };
+
+  buildInputs = [ AppKit Cocoa ];
+
+  installPhase = ''
+    mkdir -p $out/bin
+    cp pngpaste $out/bin
+  '';
+
+  meta = with lib; {
+    description = "Paste image files from clipboard to file on MacOS";
+    longDescription = ''
+      Paste PNG into files on MacOS, much like pbpaste does for text.
+      Supported input formats are PNG, PDF, GIF, TIF, JPEG.
+      Supported output formats are PNG, GIF, JPEG, TIFF.  Output
+      formats are determined by the provided filename extension,
+      falling back to PNG.
+    '';
+    homepage = "https://github.com/jcsalterego/pngpaste";
+    changelog = "https://github.com/jcsalterego/pngpaste/raw/${version}/CHANGELOG.md";
+    platforms = platforms.darwin;
+    license = licenses.bsd2;
+    maintainers = with maintainers; [ samw ];
+  };
+}
diff --git a/nixpkgs/pkgs/os-specific/darwin/print-reexports/default.nix b/nixpkgs/pkgs/os-specific/darwin/print-reexports/default.nix
new file mode 100644
index 000000000000..740bcb48ef59
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/darwin/print-reexports/default.nix
@@ -0,0 +1,17 @@
+{ lib, stdenv, libyaml }:
+
+stdenv.mkDerivation {
+  name = "print-reexports";
+  src = lib.sourceFilesBySuffices ./. [".c"];
+
+  buildInputs = [ libyaml ];
+
+  buildPhase = ''
+    $CC -lyaml -o print-reexports main.c
+  '';
+
+  installPhase = ''
+    mkdir -p $out/bin
+    mv print-reexports $out/bin
+  '';
+}
diff --git a/nixpkgs/pkgs/os-specific/darwin/print-reexports/main.c b/nixpkgs/pkgs/os-specific/darwin/print-reexports/main.c
new file mode 100644
index 000000000000..e6ff527da966
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/darwin/print-reexports/main.c
@@ -0,0 +1,213 @@
+/**
+ * Display the list of re-exported libraries from a TAPI v2 .tbd file, one per
+ * line on stdout.
+ *
+ * TAPI files are the equivalent of library files for the purposes of linking.
+ * Like dylib files, they may re-export other libraries. In upstream usage
+ * these refer to the absolute paths of dylibs, and are resolved to .tbd files
+ * in combination with the syslibroot option. In nixpkgs, the .tbd files refer
+ * directly to other .tbd files without a syslibroot. Note that each .tbd file
+ * contains an install name, so the re-exported path does not affect the final
+ * result.
+ *
+ * In nixpkgs each framework is a distinct store path and some frameworks
+ * re-export other frameworks. The re-exported names are rewritten to refer to
+ * the store paths of dependencies via textual substitution. This utility is
+ * used to emit every file that is listed as a re-exported library, which
+ * allows the framework builder to verify their existence.
+ */
+
+#include <stdio.h>
+#include <sys/errno.h>
+#include <yaml.h>
+
+#define LOG(str, ...) fprintf(stderr, "%s", str)
+
+#define LOGF(...) fprintf(stderr, __VA_ARGS__)
+
+static yaml_node_t *get_mapping_entry(yaml_document_t *document, yaml_node_t *mapping, const char *name) {
+  if (!mapping) {
+    fprintf(stderr, "get_mapping_entry: mapping is null\n");
+    return NULL;
+  }
+
+  for (
+      yaml_node_pair_t *pair = mapping->data.mapping.pairs.start;
+      pair < mapping->data.mapping.pairs.top;
+      ++pair
+  ) {
+    yaml_node_t *key = yaml_document_get_node(document, pair->key);
+
+    if (!key) {
+      LOGF("key (%d) is null\n", pair->key);
+      return NULL;
+    }
+
+    if (key->type != YAML_SCALAR_NODE) {
+      LOG("get_mapping_entry: key is not a scalar\n");
+      return NULL;
+    }
+
+    if (strncmp((const char *)key->data.scalar.value, name, key->data.scalar.length) != 0) {
+      continue;
+    }
+
+    return yaml_document_get_node(document, pair->value);
+  }
+
+  return NULL;
+}
+
+static int emit_reexports_v2(yaml_document_t *document) {
+  yaml_node_t *root = yaml_document_get_root_node(document);
+
+  yaml_node_t *exports = get_mapping_entry(document, root, "exports");
+
+  if (!exports) {
+    return 1;
+  }
+
+  if (exports->type != YAML_SEQUENCE_NODE) {
+    LOG("value is not a sequence\n");
+    return 0;
+  }
+
+  for (
+      yaml_node_item_t *export = exports->data.sequence.items.start;
+      export < exports->data.sequence.items.top;
+      ++export
+  ) {
+    yaml_node_t *export_node = yaml_document_get_node(document, *export);
+
+    yaml_node_t *reexports = get_mapping_entry(document, export_node, "re-exports");
+
+    if (!reexports) {
+      continue;
+    }
+
+    if (reexports->type != YAML_SEQUENCE_NODE) {
+      LOG("re-exports is not a sequence\n");
+      return 0;
+    }
+
+    for (
+        yaml_node_item_t *reexport = reexports->data.sequence.items.start;
+        reexport < reexports->data.sequence.items.top;
+        ++reexport
+    ) {
+      yaml_node_t *val = yaml_document_get_node(document, *reexport);
+
+      if (val->type != YAML_SCALAR_NODE) {
+        LOG("item is not a scalar\n");
+        return 0;
+      }
+
+      fwrite(val->data.scalar.value, val->data.scalar.length, 1, stdout);
+      putchar('\n');
+    }
+  }
+
+  return 1;
+}
+
+static int emit_reexports_v4(yaml_document_t *document) {
+  yaml_node_t *root = yaml_document_get_root_node(document);
+  yaml_node_t *reexports = get_mapping_entry(document, root, "reexported-libraries");
+
+  if (!reexports) {
+    return 1;
+  }
+
+  if (reexports->type != YAML_SEQUENCE_NODE) {
+    LOG("value is not a sequence\n");
+    return 0;
+  }
+
+  for (
+      yaml_node_item_t *entry = reexports->data.sequence.items.start;
+      entry < reexports->data.sequence.items.top;
+      ++entry
+  ) {
+    yaml_node_t *entry_node = yaml_document_get_node(document, *entry);
+
+    yaml_node_t *libs = get_mapping_entry(document, entry_node, "libraries");
+
+    if (!libs) {
+      continue;
+    }
+
+    if (libs->type != YAML_SEQUENCE_NODE) {
+      LOG("libraries is not a sequence\n");
+      return 0;
+    }
+
+    for (
+        yaml_node_item_t *lib = libs->data.sequence.items.start;
+        lib < libs->data.sequence.items.top;
+        ++lib
+    ) {
+      yaml_node_t *val = yaml_document_get_node(document, *lib);
+
+      if (val->type != YAML_SCALAR_NODE) {
+        LOG("item is not a scalar\n");
+        return 0;
+      }
+
+      fwrite(val->data.scalar.value, val->data.scalar.length, 1, stdout);
+      putchar('\n');
+    }
+  }
+
+  return 1;
+}
+
+int main(int argc, char **argv) {
+  int result = 0;
+
+  if (argc != 2) {
+    fprintf(stderr, "Invalid usage\n");
+    result = 2;
+    goto done;
+  }
+
+  FILE *f = fopen(argv[1], "r");
+  if (!f) {
+    perror("opening input file");
+    result = errno;
+    goto done;
+  }
+
+  yaml_parser_t yaml_parser;
+  if (!yaml_parser_initialize(&yaml_parser)) {
+    fprintf(stderr, "Failed to initialize yaml parser\n");
+    result = 1;
+    goto err_file;
+  }
+
+  yaml_parser_set_input_file(&yaml_parser, f);
+
+  yaml_document_t yaml_document;
+
+  if(!yaml_parser_load(&yaml_parser, &yaml_document)) {
+    fprintf(stderr, "Failed to load yaml file\n");
+    result = 1;
+    goto err_yaml;
+  }
+
+  // Try both, only fail if one reports an error.  A lack of re-exports is not
+  // considered an error.
+  int ok = 1;
+  ok = ok && emit_reexports_v2(&yaml_document);
+  ok = ok && emit_reexports_v4(&yaml_document);
+
+  result = !ok;
+
+err_yaml:
+  yaml_parser_delete(&yaml_parser);
+
+err_file:
+  fclose(f);
+
+done:
+  return result;
+}
diff --git a/nixpkgs/pkgs/os-specific/darwin/print-reexports/setup-hook.sh b/nixpkgs/pkgs/os-specific/darwin/print-reexports/setup-hook.sh
new file mode 100644
index 000000000000..9efb00aeb4dc
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/darwin/print-reexports/setup-hook.sh
@@ -0,0 +1,19 @@
+fixupOutputHooks+=('checkTbdReexports')
+
+checkTbdReexports() {
+  local dir="$1"
+
+  while IFS= read -r -d $'\0' tbd; do
+    echo "checkTbdRexports: checking re-exports in $tbd"
+    while read -r target; do
+      local expected="${target%.dylib}.tbd"
+      if ! [ -e "$expected" ]; then
+        echo -e "Re-export missing:\n\t'$target'\n\t(expected '$expected')"
+        echo -e "While processing\n\t'$tbd'"
+        exit 1
+      else
+        echo "Re-exported target '$target' ok"
+      fi
+    done < <(print-reexports "$tbd")
+  done < <(find $prefix -type f -name '*.tbd' -print0)
+}
diff --git a/nixpkgs/pkgs/os-specific/darwin/qes/default.nix b/nixpkgs/pkgs/os-specific/darwin/qes/default.nix
new file mode 100644
index 000000000000..dce6e5266260
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/darwin/qes/default.nix
@@ -0,0 +1,26 @@
+{ lib, stdenv, fetchFromGitHub, Carbon }:
+
+stdenv.mkDerivation {
+  pname = "qes";
+  version = "0.0.2";
+
+  src = fetchFromGitHub {
+    owner = "koekeishiya";
+    repo = "qes";
+    rev = "ddedf008f0c38b134501ad9f328447b671423d34";  # no tag
+    sha256 = "1w9ppid7jg6f4q7pq40lhm0whg7xmnxcmf3pb9xqfkq2zj2f7dxv";
+  };
+
+  buildInputs = [ Carbon ];
+
+  makeFlags = [ "BUILD_PATH=$(out)/bin" ];
+
+  meta = with lib; {
+    description = "Quartz Event Synthesizer";
+    homepage = "https://github.com/koekeishiya/qes";
+    platforms = platforms.darwin;
+    maintainers = with maintainers; [ lnl7 ];
+    license = licenses.mit;
+  };
+}
+
diff --git a/nixpkgs/pkgs/os-specific/darwin/raycast/default.nix b/nixpkgs/pkgs/os-specific/darwin/raycast/default.nix
new file mode 100644
index 000000000000..94476ef303ea
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/darwin/raycast/default.nix
@@ -0,0 +1,43 @@
+{ lib
+, stdenvNoCC
+, fetchurl
+, undmg
+}:
+
+stdenvNoCC.mkDerivation (finalAttrs: {
+  pname = "raycast";
+  version = "1.61.2";
+
+  src = fetchurl {
+    name = "Raycast.dmg";
+    url = "https://releases.raycast.com/releases/${finalAttrs.version}/download?build=universal";
+    hash = "sha256-MHJbVIVVDcuXig3E52wCnegt1mmRh9+kYbEL6MWjdqQ=";
+  };
+
+  dontPatch = true;
+  dontConfigure = true;
+  dontBuild = true;
+  dontFixup = true;
+
+  nativeBuildInputs = [ undmg ];
+
+  sourceRoot = "Raycast.app";
+
+  installPhase = ''
+    runHook preInstall
+
+    mkdir -p $out/Applications/Raycast.app
+    cp -R . $out/Applications/Raycast.app
+
+    runHook postInstall
+  '';
+
+  meta = with lib; {
+    description = "Control your tools with a few keystrokes";
+    homepage = "https://raycast.app/";
+    license = with licenses; [ unfree ];
+    sourceProvenance = with sourceTypes; [ binaryNativeCode ];
+    maintainers = with maintainers; [ lovesegfault stepbrobd ];
+    platforms = [ "aarch64-darwin" "x86_64-darwin" ];
+  };
+})
diff --git a/nixpkgs/pkgs/os-specific/darwin/raycast/update.sh b/nixpkgs/pkgs/os-specific/darwin/raycast/update.sh
new file mode 100755
index 000000000000..e33f8421597d
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/darwin/raycast/update.sh
@@ -0,0 +1,20 @@
+#!/usr/bin/env nix-shell
+#!nix-shell -I nixpkgs=../../../../. -i bash -p common-updater-scripts jq
+
+set -eo pipefail
+
+new_version=$(curl --silent https://releases.raycast.com/releases/latest?build=universal | jq -r '.version')
+old_version=$(sed -nE 's/\s*version = "(.*)".*/\1/p' ./default.nix)
+
+if [[ $new_version == $old_version ]]; then
+    echo "Already up to date."
+    exit 0
+else
+    echo "raycast: $old_version -> $new_version"
+    sed -Ei.bak '/ *version = "/s/".+"/"'"$new_version"'"/' ./default.nix
+    rm ./default.nix.bak
+fi
+
+hash=$(nix --extra-experimental-features nix-command store prefetch-file --json --hash-type sha256 "https://releases.raycast.com/releases/$new_version/download?build=universal" | jq -r '.hash')
+sed -Ei.bak '/ *hash = /{N;N; s@("sha256-)[^;"]+@"'"$hash"'@}' ./default.nix
+rm ./default.nix.bak
diff --git a/nixpkgs/pkgs/os-specific/darwin/reattach-to-user-namespace/default.nix b/nixpkgs/pkgs/os-specific/darwin/reattach-to-user-namespace/default.nix
new file mode 100644
index 000000000000..b4d26327bdcd
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/darwin/reattach-to-user-namespace/default.nix
@@ -0,0 +1,30 @@
+{ lib, stdenv, fetchFromGitHub }:
+
+stdenv.mkDerivation rec {
+  pname = "reattach-to-user-namespace";
+  version = "2.9";
+
+  src = fetchFromGitHub {
+    owner = "ChrisJohnsen";
+    repo = "tmux-MacOSX-pasteboard";
+    rev = "v${version}";
+    sha256 = "1qgimh58hcx5f646gj2kpd36ayvrdkw616ad8cb3lcm11kg0ag79";
+  };
+
+  buildFlags =
+    if stdenv.hostPlatform.system == "x86_64-darwin" then [ "ARCHES=x86_64" ]
+    else if stdenv.hostPlatform.system == "aarch64-darwin" then [ "ARCHES=arm64" ]
+    else throw "reattach-to-user-namespace isn't being built for ${stdenv.hostPlatform.system} yet.";
+
+  installPhase = ''
+    mkdir -p $out/bin
+    cp reattach-to-user-namespace $out/bin/
+  '';
+
+  meta = with lib; {
+    description = "A wrapper that provides access to the Mac OS X pasteboard service";
+    license = licenses.bsd2;
+    maintainers = with maintainers; [ lnl7 ];
+    platforms = platforms.darwin;
+  };
+}
diff --git a/nixpkgs/pkgs/os-specific/darwin/rectangle/default.nix b/nixpkgs/pkgs/os-specific/darwin/rectangle/default.nix
new file mode 100644
index 000000000000..590e6427d19b
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/darwin/rectangle/default.nix
@@ -0,0 +1,44 @@
+{ lib
+, stdenvNoCC
+, fetchurl
+, undmg
+, gitUpdater
+}:
+
+stdenvNoCC.mkDerivation rec {
+  pname = "rectangle";
+  version = "0.74";
+
+  src = fetchurl {
+    url = "https://github.com/rxhanson/Rectangle/releases/download/v${version}/Rectangle${version}.dmg";
+    hash = "sha256-ERfzgw8R39dOc9F/dgcgCKbEVFNChC5LqDFBDzbS+Wg=";
+  };
+
+  sourceRoot = ".";
+
+  nativeBuildInputs = [ undmg ];
+
+  installPhase = ''
+    runHook preInstall
+
+    mkdir -p $out/Applications
+    mv Rectangle.app $out/Applications
+
+    runHook postInstall
+  '';
+
+  passthru.updateScript = gitUpdater {
+    url = "https://github.com/rxhanson/Rectangle";
+    rev-prefix = "v";
+  };
+
+  meta = with lib; {
+    description = "Move and resize windows in macOS using keyboard shortcuts or snap areas";
+    homepage = "https://rectangleapp.com/";
+    sourceProvenance = with sourceTypes; [ binaryNativeCode ];
+    platforms = platforms.darwin;
+    maintainers = with maintainers; [ Enzime Intuinewin wegank ];
+    license = licenses.mit;
+  };
+}
+
diff --git a/nixpkgs/pkgs/os-specific/darwin/rewrite-tbd/default.nix b/nixpkgs/pkgs/os-specific/darwin/rewrite-tbd/default.nix
new file mode 100644
index 000000000000..7a5467dc92a4
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/darwin/rewrite-tbd/default.nix
@@ -0,0 +1,31 @@
+{ stdenv, lib, fetchFromGitHub, libyaml }:
+
+stdenv.mkDerivation {
+  pname = "rewrite-tbd";
+  version = "unstable-2023-03-27";
+
+  src = fetchFromGitHub {
+    owner = "thefloweringash";
+    repo = "rewrite-tbd";
+    rev = "d7852691762635028d237b7d00c3dc6a6613de79";
+    hash = "sha256-syxioFiGvEv4Ypk5hlIjLQth5YmdFdr+NC+aXSXzG4k=";
+  };
+
+  # Nix takes care of these paths. Avoiding the use of `pkg-config` prevents an infinite recursion.
+  postPatch = ''
+    substituteInPlace Makefile.boot \
+      --replace '$(shell pkg-config --cflags yaml-0.1)' "" \
+      --replace '$(shell pkg-config --libs yaml-0.1)' "-lyaml"
+  '';
+
+  buildInputs = [ libyaml ];
+
+  makeFlags = [ "-f" "Makefile.boot" "PREFIX=${placeholder "out"}"];
+
+  meta = with lib; {
+    homepage = "https://github.com/thefloweringash/rewrite-tbd/";
+    description = "Rewrite filepath in .tbd to Nix applicable format";
+    platforms = platforms.unix;
+    license = licenses.mit;
+  };
+}
diff --git a/nixpkgs/pkgs/os-specific/darwin/shortcat/default.nix b/nixpkgs/pkgs/os-specific/darwin/shortcat/default.nix
new file mode 100644
index 000000000000..dcf32a4fd9e3
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/darwin/shortcat/default.nix
@@ -0,0 +1,29 @@
+{ lib, stdenv, fetchurl, unzip, ... }:
+
+stdenv.mkDerivation rec {
+  pname = "shortcat";
+  version = "0.11.0";
+
+  src = fetchurl {
+    url = "https://files.shortcat.app/releases/v${version}/Shortcat.zip";
+    sha256 = "sha256-P8NQy9odWOD8wRHBTmaNH7OCXXvgQsMiI169KfsAABU=";
+  };
+
+  sourceRoot = "Shortcat.app";
+
+  nativeBuildInputs = [ unzip ];
+
+  installPhase = ''
+    mkdir -p $out/Applications/Shortcat.app
+    cp -R . $out/Applications/Shortcat.app
+  '';
+
+  meta = with lib; {
+    description = "Manipulate macOS masterfully, minus the mouse";
+    homepage = "https://shortcat.app/";
+    sourceProvenance = with sourceTypes; [ binaryNativeCode ];
+    platforms = platforms.darwin;
+    maintainers = with maintainers; [ Enzime ];
+    license = licenses.unfreeRedistributable;
+  };
+}
diff --git a/nixpkgs/pkgs/os-specific/darwin/signing-utils/auto-sign-hook.sh b/nixpkgs/pkgs/os-specific/darwin/signing-utils/auto-sign-hook.sh
new file mode 100644
index 000000000000..6a254cd82123
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/darwin/signing-utils/auto-sign-hook.sh
@@ -0,0 +1,31 @@
+postFixupHooks+=(signDarwinBinariesInAllOutputs)
+
+# Uses signingUtils, see definition of autoSignDarwinBinariesHook in
+# darwin-packages.nix
+
+signDarwinBinariesIn() {
+  local dir="$1"
+
+  if [ ! -d "$dir" ]; then
+    return 0
+  fi
+
+  if [ "${darwinDontCodeSign:-}" ]; then
+    return 0
+  fi
+
+  echo "signing $dir"
+
+  while IFS= read -r -d $'\0' f; do
+    signIfRequired "$f"
+  done < <(find "$dir" -type f -print0)
+}
+
+# Apply fixup to each output.
+signDarwinBinariesInAllOutputs() {
+  local output
+
+  for output in $(getAllOutputNames); do
+     signDarwinBinariesIn "${!output}"
+  done
+}
diff --git a/nixpkgs/pkgs/os-specific/darwin/signing-utils/default.nix b/nixpkgs/pkgs/os-specific/darwin/signing-utils/default.nix
new file mode 100644
index 000000000000..035ac59b725a
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/darwin/signing-utils/default.nix
@@ -0,0 +1,24 @@
+{ stdenvNoCC
+, sigtool
+, cctools
+}:
+
+let
+  stdenv = stdenvNoCC;
+in
+
+stdenv.mkDerivation {
+  name = "signing-utils";
+
+  dontUnpack = true;
+  dontConfigure = true;
+  dontBuild = true;
+
+  installPhase = ''
+    substituteAll ${./utils.sh} $out
+  '';
+
+  # Substituted variables
+  inherit sigtool;
+  codesignAllocate = "${cctools}/bin/${cctools.targetPrefix}codesign_allocate";
+}
diff --git a/nixpkgs/pkgs/os-specific/darwin/signing-utils/post-link-sign-hook.nix b/nixpkgs/pkgs/os-specific/darwin/signing-utils/post-link-sign-hook.nix
new file mode 100644
index 000000000000..13595e3771a7
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/darwin/signing-utils/post-link-sign-hook.nix
@@ -0,0 +1,13 @@
+{ writeTextFile, cctools, sigtool }:
+
+writeTextFile {
+  name = "post-link-sign-hook";
+  executable = true;
+
+  text = ''
+    if [ "$linkerOutput" != "/dev/null" ]; then
+      CODESIGN_ALLOCATE=${cctools}/bin/${cctools.targetPrefix}codesign_allocate \
+        ${sigtool}/bin/codesign -f -s - "$linkerOutput"
+    fi
+  '';
+}
diff --git a/nixpkgs/pkgs/os-specific/darwin/signing-utils/utils.sh b/nixpkgs/pkgs/os-specific/darwin/signing-utils/utils.sh
new file mode 100644
index 000000000000..6d23a461fc99
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/darwin/signing-utils/utils.sh
@@ -0,0 +1,43 @@
+# Work around for some odd behaviour where we can't codesign a file
+# in-place if it has been called before. This happens for example if
+# you try to fix-up a binary using strip/install_name_tool, after it
+# had been used previous.  The solution is to copy the binary (with
+# the corrupted signature from strip/install_name_tool) to some
+# location, sign it there and move it back into place.
+#
+# This does not appear to happen with the codesign tool that ships
+# with recent macOS BigSur installs on M1 arm64 machines.  However it
+# had also been happening with the tools that shipped with the DTKs.
+sign() {
+    local tmpdir
+    tmpdir=$(mktemp -d)
+
+    # $1 is the file
+
+    cp "$1" "$tmpdir"
+    CODESIGN_ALLOCATE=@codesignAllocate@ \
+        @sigtool@/bin/codesign -f -s - "$tmpdir/$(basename "$1")"
+    mv "$tmpdir/$(basename "$1")" "$1"
+    rmdir "$tmpdir"
+}
+
+checkRequiresSignature() {
+    local file=$1
+    local rc=0
+
+    @sigtool@/bin/sigtool --file "$file" check-requires-signature || rc=$?
+
+    if [ "$rc" -eq 0 ] || [ "$rc" -eq 1 ]; then
+        return "$rc"
+    fi
+
+    echo "Unexpected exit status from sigtool: $rc"
+    exit 1
+}
+
+signIfRequired() {
+    local file=$1
+    if checkRequiresSignature "$file"; then
+        sign "$file"
+    fi
+}
diff --git a/nixpkgs/pkgs/os-specific/darwin/sigtool/default.nix b/nixpkgs/pkgs/os-specific/darwin/sigtool/default.nix
new file mode 100644
index 000000000000..eb323a899d19
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/darwin/sigtool/default.nix
@@ -0,0 +1,25 @@
+{ lib, stdenv, fetchFromGitHub, pkg-config, openssl }:
+
+stdenv.mkDerivation rec {
+  pname = "sigtool";
+  version = "0.1.3";
+
+  src = fetchFromGitHub {
+    owner = "thefloweringash";
+    repo = "sigtool";
+    rev = "v${version}";
+    sha256 = "sha256-K3VSFaqcZEomF7kROJz+AwxdW1MmxxEFDaRnWnzcw54=";
+  };
+
+  nativeBuildInputs = [ pkg-config ];
+  buildInputs = [ openssl ];
+
+  installFlags = [ "PREFIX=$(out)" ];
+
+  meta = with lib; {
+    description = "A tool for working with embedded signatures in Mach-O files";
+    homepage = "https://github.com/thefloweringash/sigtool";
+    license = licenses.mit;
+    platforms = platforms.unix;
+  };
+}
diff --git a/nixpkgs/pkgs/os-specific/darwin/sketchybar/default.nix b/nixpkgs/pkgs/os-specific/darwin/sketchybar/default.nix
new file mode 100644
index 000000000000..ab1c0b58185f
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/darwin/sketchybar/default.nix
@@ -0,0 +1,72 @@
+{ lib
+, stdenv
+, fetchFromGitHub
+, AppKit
+, Carbon
+, CoreAudio
+, CoreWLAN
+, CoreVideo
+, DisplayServices
+, IOKit
+, MediaRemote
+, SkyLight
+, testers
+}:
+
+let
+  inherit (stdenv.hostPlatform) system;
+  target = {
+    "aarch64-darwin" = "arm64";
+    "x86_64-darwin" = "x86";
+  }.${system} or (throw "Unsupported system: ${system}");
+in
+stdenv.mkDerivation (finalAttrs: {
+  pname = "sketchybar";
+  version = "2.19.3";
+
+  src = fetchFromGitHub {
+    owner = "FelixKratz";
+    repo = "SketchyBar";
+    rev = "v${finalAttrs.version}";
+    hash = "sha256-QT926AnV9jLc1KvYks6ukIAcMbVHOupTJWQ6vBHpcxc=";
+  };
+
+  buildInputs = [
+    AppKit
+    Carbon
+    CoreAudio
+    CoreWLAN
+    CoreVideo
+    DisplayServices
+    IOKit
+    MediaRemote
+    SkyLight
+  ];
+
+  makeFlags = [
+    target
+  ];
+
+  installPhase = ''
+    runHook preInstall
+
+    mkdir -p $out/bin
+    cp ./bin/sketchybar $out/bin/sketchybar
+
+    runHook postInstall
+  '';
+
+  passthru.tests.version = testers.testVersion {
+    package = finalAttrs.finalPackage;
+    version = "sketchybar-v${finalAttrs.version}";
+  };
+
+  meta = {
+    description = "A highly customizable macOS status bar replacement";
+    homepage = "https://github.com/FelixKratz/SketchyBar";
+    license = lib.licenses.gpl3;
+    mainProgram = "sketchybar";
+    maintainers = with lib.maintainers; [ azuwis khaneliman ];
+    platforms = lib.platforms.darwin;
+  };
+})
diff --git a/nixpkgs/pkgs/os-specific/darwin/skhd/default.nix b/nixpkgs/pkgs/os-specific/darwin/skhd/default.nix
new file mode 100644
index 000000000000..fa6e1aa01e9f
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/darwin/skhd/default.nix
@@ -0,0 +1,48 @@
+{ lib
+, stdenv
+, fetchFromGitHub
+, Carbon
+, Cocoa
+, testers
+}:
+
+stdenv.mkDerivation (finalAttrs: {
+  pname = "skhd";
+  version = "0.3.9";
+
+  src = fetchFromGitHub {
+    owner = "koekeishiya";
+    repo = "skhd";
+    rev = "v${finalAttrs.version}";
+    hash = "sha256-fnkWws/g4BdHKDRhqoCpdPFUavOHdk8R7h7H1dAdAYI=";
+  };
+
+  buildInputs = [
+    Carbon
+    Cocoa
+  ];
+
+  makeFlags = [
+    "BUILD_PATH=$(out)/bin"
+  ];
+
+  postInstall = ''
+    mkdir -p $out/Library/LaunchDaemons
+    cp ${./org.nixos.skhd.plist} $out/Library/LaunchDaemons/org.nixos.skhd.plist
+    substituteInPlace $out/Library/LaunchDaemons/org.nixos.skhd.plist --subst-var out
+  '';
+
+  passthru.tests.version = testers.testVersion {
+    package = finalAttrs.finalPackage;
+    version = "skhd-v${finalAttrs.version}";
+  };
+
+  meta = {
+    description = "Simple hotkey daemon for macOS";
+    homepage = "https://github.com/koekeishiya/skhd";
+    license = lib.licenses.mit;
+    mainProgram = "skhd";
+    maintainers = with lib.maintainers; [ cmacrae lnl7 periklis khaneliman ];
+    platforms = lib.platforms.darwin;
+  };
+})
diff --git a/nixpkgs/pkgs/os-specific/darwin/skhd/org.nixos.skhd.plist b/nixpkgs/pkgs/os-specific/darwin/skhd/org.nixos.skhd.plist
new file mode 100644
index 000000000000..e6624487740b
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/darwin/skhd/org.nixos.skhd.plist
@@ -0,0 +1,23 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
+<plist version="1.0">
+<dict>
+  <key>Label</key>
+  <string>org.nixos.skhd</string>
+  <key>ProgramArguments</key>
+  <array>
+    <string>@out@/bin/skhd</string>
+  </array>
+  <key>ProcessType</key>
+  <string>Interactive</string>
+  <key>EnvironmentVariables</key>
+  <dict>
+    <key>PATH</key>
+    <string>@out@/bin:/nix/var/nix/profiles/default/bin:/usr/bin:/bin:/usr/sbin:/sbin</string>
+  </dict>
+  <key>RunAtLoad</key>
+  <true/>
+  <key>KeepAlive</key>
+  <true/>
+</dict>
+</plist>
diff --git a/nixpkgs/pkgs/os-specific/darwin/smimesign/default.nix b/nixpkgs/pkgs/os-specific/darwin/smimesign/default.nix
new file mode 100644
index 000000000000..48164d387fa9
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/darwin/smimesign/default.nix
@@ -0,0 +1,28 @@
+{ buildGoModule, fetchFromGitHub, lib }:
+
+buildGoModule rec {
+  pname = "smimesign";
+  version = "0.2.0";
+
+  src = fetchFromGitHub {
+    owner = "github";
+    repo = "smimesign";
+    rev = "v${version}";
+    hash = "sha256-W9Hj/+snx+X6l95Gt9d8DiLnBPV9npKydc/zMN9G0vQ=";
+  };
+
+  vendorHash = "sha256-wLqYUICL+gdvRCLNrA0ZNcFI4oV3Oik762q7xF115Lw=";
+
+  ldflags = [ "-s" "-w" "-X main.versionString=v${version}" ];
+
+  # Fails in sandbox
+  doCheck = false;
+
+  meta = with lib; {
+    description = "An S/MIME signing utility for macOS and Windows that is compatible with Git";
+    homepage = "https://github.com/github/smimesign";
+    license = licenses.mit;
+    platforms = platforms.darwin ++ platforms.windows;
+    maintainers = [ maintainers.enorris ];
+  };
+}
diff --git a/nixpkgs/pkgs/os-specific/darwin/spacebar/default.nix b/nixpkgs/pkgs/os-specific/darwin/spacebar/default.nix
new file mode 100644
index 000000000000..2656c10f6dc3
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/darwin/spacebar/default.nix
@@ -0,0 +1,30 @@
+{ lib, stdenv, fetchFromGitHub, Carbon, Cocoa, ScriptingBridge, SkyLight }:
+
+stdenv.mkDerivation rec {
+  pname = "spacebar";
+  version = "1.4.0";
+
+  src = fetchFromGitHub {
+    owner = "cmacrae";
+    repo = pname;
+    rev = "v${version}";
+    sha256 = "sha256-4LiG43kPZtsm7SQ/28RaGMpYsDshCaGvc1mouPG3jFM=";
+  };
+
+  buildInputs = [ Carbon Cocoa ScriptingBridge SkyLight ];
+
+  installPhase = ''
+    mkdir -p $out/bin
+    mkdir -p $out/share/man/man1/
+    cp ./bin/spacebar $out/bin/spacebar
+    cp ./doc/spacebar.1 $out/share/man/man1/spacebar.1
+  '';
+
+  meta = with lib; {
+    description = "A minimal status bar for macOS";
+    homepage = "https://github.com/cmacrae/spacebar";
+    platforms = platforms.darwin;
+    maintainers = [ maintainers.cmacrae ];
+    license = licenses.mit;
+  };
+}
diff --git a/nixpkgs/pkgs/os-specific/darwin/stubs/default.nix b/nixpkgs/pkgs/os-specific/darwin/stubs/default.nix
new file mode 100644
index 000000000000..862305a069d6
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/darwin/stubs/default.nix
@@ -0,0 +1,15 @@
+{ lib, writeScriptBin, runtimeShell }:
+
+let fake = name: lib.overrideDerivation (writeScriptBin name ''
+  #!${runtimeShell}
+  echo >&2 "Faking call to ${name} with arguments:"
+  echo >&2 "$@"
+'') (drv: {
+  name = "${name}-stub";
+}); in
+
+{
+  setfile = fake "SetFile";
+  rez = fake "Rez";
+  derez = fake "DeRez";
+}
diff --git a/nixpkgs/pkgs/os-specific/darwin/swift-corelibs/0001-Add-missing-TARGET_OS_-defines.patch b/nixpkgs/pkgs/os-specific/darwin/swift-corelibs/0001-Add-missing-TARGET_OS_-defines.patch
new file mode 100644
index 000000000000..db17c517c720
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/darwin/swift-corelibs/0001-Add-missing-TARGET_OS_-defines.patch
@@ -0,0 +1,30 @@
+From 549160574ee44656d50997b27ef83736e0848201 Mon Sep 17 00:00:00 2001
+From: toonn <toonn@toonn.io>
+Date: Mon, 26 Apr 2021 20:51:05 +0200
+Subject: [PATCH] Add missing TARGET_OS_* defines
+
+---
+ .../Base.subproj/SwiftRuntime/TargetConditionals.h         | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+diff --git a/CoreFoundation/Base.subproj/SwiftRuntime/TargetConditionals.h b/CoreFoundation/Base.subproj/SwiftRuntime/TargetConditionals.h
+index 6d42b873..abf746c9 100644
+--- a/CoreFoundation/Base.subproj/SwiftRuntime/TargetConditionals.h
++++ b/CoreFoundation/Base.subproj/SwiftRuntime/TargetConditionals.h
+@@ -118,6 +118,13 @@
+ 
+ #define TARGET_OS_WIN32        TARGET_OS_WINDOWS
+ #define TARGET_OS_MAC          TARGET_OS_DARWIN
++#define TARGET_OS_OSX          TARGET_OS_DARWIN
++
++#define TARGET_OS_IPHONE       0
++#define TARGET_OS_WATCH        0
++#define TARGET_OS_TV           0
++#define TARGET_OS_EMBEDDED     0
++
+ 
+ #if __x86_64__
+ #define TARGET_CPU_PPC          0
+-- 
+2.17.2 (Apple Git-113)
+
diff --git a/nixpkgs/pkgs/os-specific/darwin/swift-corelibs/0002-Add-missing-launchd-header.patch b/nixpkgs/pkgs/os-specific/darwin/swift-corelibs/0002-Add-missing-launchd-header.patch
new file mode 100644
index 000000000000..b1187c56587e
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/darwin/swift-corelibs/0002-Add-missing-launchd-header.patch
@@ -0,0 +1,11 @@
+--- a/CoreFoundation/RunLoop.subproj/CFMessagePort.c	1969-12-31 19:00:01.000000000 -0500
++++ b/CoreFoundation/RunLoop.subproj/CFMessagePort.c	2023-06-09 20:25:28.599209755 -0400
+@@ -28,6 +28,8 @@
+ #endif
+ #endif
+ 
++#include <bootstrap.h>
++
+ extern pid_t getpid(void);
+ 
+ #define __kCFMessagePortMaxNameLengthMax 255
diff --git a/nixpkgs/pkgs/os-specific/darwin/swift-corelibs/0003-Fix-incompatible-pointer-conversion.patch b/nixpkgs/pkgs/os-specific/darwin/swift-corelibs/0003-Fix-incompatible-pointer-conversion.patch
new file mode 100644
index 000000000000..910b622ed3ce
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/darwin/swift-corelibs/0003-Fix-incompatible-pointer-conversion.patch
@@ -0,0 +1,25 @@
+diff -u a/CoreFoundation/URL.subproj/CFURLComponents.c b/CoreFoundation/URL.subproj/CFURLComponents.c
+--- a/CoreFoundation/URL.subproj/CFURLComponents.c	1969-12-31 19:00:01.000000000 -0500
++++ b/CoreFoundation/URL.subproj/CFURLComponents.c	2023-06-09 20:36:52.995514573 -0400
+@@ -66,7 +66,8 @@
+     return CFRetain(CFSTR("A really nice CFURLComponents object"));
+ }
+ 
+-CF_CROSS_PLATFORM_EXPORT void __CFURLComponentsDeallocate(CFURLComponentsRef instance) {
++CF_CROSS_PLATFORM_EXPORT void __CFURLComponentsDeallocate(CFTypeRef cf) {
++    CFURLComponentsRef instance = (CFURLComponentsRef)cf;
+     __CFGenericValidateType(instance, _CFURLComponentsGetTypeID());
+     
+     if (instance->_urlString) CFRelease(instance->_urlString);
+diff -u a/CoreFoundation/URL.subproj/CFURLComponents.h b/CoreFoundation/URL.subproj/CFURLComponents.h
+--- a/CoreFoundation/URL.subproj/CFURLComponents.h	1969-12-31 19:00:01.000000000 -0500
++++ b/CoreFoundation/URL.subproj/CFURLComponents.h	2023-06-09 20:39:36.967857713 -0400
+@@ -38,7 +38,7 @@
+ 
+ CF_EXPORT CFTypeID _CFURLComponentsGetTypeID(void);
+ 
+-CF_CROSS_PLATFORM_EXPORT void __CFURLComponentsDeallocate(CFURLComponentsRef);
++CF_CROSS_PLATFORM_EXPORT void __CFURLComponentsDeallocate(CFTypeRef);
+ 
+ // URLComponents are always mutable.
+ CF_EXPORT _Nullable CFURLComponentsRef _CFURLComponentsCreate(CFAllocatorRef alloc);
diff --git a/nixpkgs/pkgs/os-specific/darwin/swift-corelibs/0004-Fix-Darwin-cmake-build.patch b/nixpkgs/pkgs/os-specific/darwin/swift-corelibs/0004-Fix-Darwin-cmake-build.patch
new file mode 100644
index 000000000000..afffa1abc8e0
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/darwin/swift-corelibs/0004-Fix-Darwin-cmake-build.patch
@@ -0,0 +1,66 @@
+--- a/CoreFoundation/CMakeLists.txt	1969-12-31 19:00:01.000000000 -0500
++++ b/CoreFoundation/CMakeLists.txt	2023-06-29 18:52:49.096019700 -0400
+@@ -129,7 +129,7 @@
+                 Base.subproj/CFByteOrder.h
+                 Base.subproj/CFUUID.h
+                 Base.subproj/CFUtilities.h
+-                Base.subproj/SwiftRuntime/CoreFoundation.h
++                Base.subproj/CoreFoundation.h  # The SwiftRuntime version of this file causes linker errors and is not correct for standalone CF.
+                 Base.subproj/SwiftRuntime/TargetConditionals.h
+                 # Collections
+                 Collections.subproj/CFArray.h
+@@ -245,6 +245,8 @@
+                 # RunLoop
+                 RunLoop.subproj/CFRunLoop.c
+                 RunLoop.subproj/CFSocket.c
++                RunLoop.subproj/CFMachPort.c   # These files are missing from the upstream `CMakeLists.txt` but required to build on Darwin.
++                RunLoop.subproj/CFMessagePort.c
+                 # Stream
+                 Stream.subproj/CFConcreteStreams.c
+                 Stream.subproj/CFSocketStream.c
+@@ -336,6 +338,11 @@
+   target_include_directories(CoreFoundation
+                              PRIVATE
+                                ${CURL_INCLUDE_DIRS})
++elseif(CMAKE_SYSTEM_NAME STREQUAL Darwin)
++  find_package(CURL REQUIRED)
++  target_include_directories(CoreFoundation PRIVATE ${CURL_INCLUDE_DIRS})
++  find_package(LibXml2 REQUIRED)
++  target_include_directories(CoreFoundation PRIVATE ${LIBXML2_INCLUDE_DIR})
+ else()
+   target_include_directories(CoreFoundation
+                              PRIVATE
+@@ -365,6 +372,10 @@
+                         PRIVATE
+                           ${CURL_LIBRARIES}
+                           ${LIBXML2_LIBRARIES})
++elseif(CMAKE_SYSTEM_NAME STREQUAL Darwin)
++  target_link_libraries(CoreFoundation PRIVATE
++    ${CURL_LIBRARIES}
++    ${LIBXML2_LIBRARIES})
+ else()
+   target_link_libraries(CoreFoundation
+                         PRIVATE
+@@ -398,9 +400,19 @@
+   target_link_libraries(CoreFoundation
+                         PRIVATE
+                           icucore)
+-  set_target_properties(CoreFoundation
+-                        PROPERTIES LINK_FLAGS
+-                          -Xlinker;-alias_list;-Xlinker;Base.subproj/DarwinSymbolAliases;-twolevel_namespace;-sectcreate;__UNICODE;__csbitmaps;CharacterSets/CFCharacterSetBitmaps.bitmap;-sectcreate;__UNICODE;__properties;CharacterSets/CFUniCharPropertyDatabase.data;-sectcreate;__UNICODE;__data;CharacterSets/CFUnicodeData-L.mapping;-segprot;__UNICODE;r;r)
++  target_link_options(CoreFoundation
++                      PUBLIC
++                      "LINKER:-alias_list,../Base.subproj/DarwinSymbolAliases"
++                      "LINKER:-twolevel_namespace"
++                      "LINKER:-sectcreate,__UNICODE,__csbitmaps,../CharacterSets/CFCharacterSetBitmaps.bitmap"
++                      "LINKER:-sectcreate,__UNICODE,__properties,../CharacterSets/CFUniCharPropertyDatabase.data"
++                      "LINKER:-sectcreate,__UNICODE,__data,../CharacterSets/CFUnicodeData-L.mapping"
++                      "LINKER:-segprot,__UNICODE,r,r"
++                      "LINKER:-current_version,1454.90.0"
++                      "LINKER:-compatibility_version,150.0.0"
++                      "LINKER:-init,___CFInitialize")
++  set(CMAKE_SHARED_LIBRARY_PREFIX "")
++  set(CMAKE_SHARED_LIBRARY_SUFFIX "")
+ endif()
+ 
+ install(TARGETS
diff --git a/nixpkgs/pkgs/os-specific/darwin/swift-corelibs/0005-Fix-framework-installation-path.patch b/nixpkgs/pkgs/os-specific/darwin/swift-corelibs/0005-Fix-framework-installation-path.patch
new file mode 100644
index 000000000000..e771ab3c66f2
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/darwin/swift-corelibs/0005-Fix-framework-installation-path.patch
@@ -0,0 +1,23 @@
+diff -u aa/CoreFoundation/CMakeLists.txt b/CoreFoundation/CMakeLists.txt
+--- a/CoreFoundation/CMakeLists.txt	1969-12-31 19:00:01.000000000 -0500
++++ b/CoreFoundation/CMakeLists.txt	2023-06-29 18:59:19.492601179 -0400
+
+@@ -424,16 +424,11 @@
+   set(CMAKE_SHARED_LIBRARY_SUFFIX "")
+ endif()
+ 
+-install(TARGETS
+-          CoreFoundation
+-        DESTINATION
+-          "${CMAKE_INSTALL_FULL_LIBDIR}")
+ install(DIRECTORY
+           ${CoreFoundation_FRAMEWORK_DIRECTORY}
+         DESTINATION
+-          ${CMAKE_INSTALL_PREFIX}/System/Library/Frameworks
+-        USE_SOURCE_PERMISSIONS
+-        PATTERN PrivateHeaders EXCLUDE)
++          ${CMAKE_INSTALL_PREFIX}/Library/Frameworks
++        USE_SOURCE_PERMISSIONS)
+ 
+ 
+ # TODO(compnerd) formalize this
diff --git a/nixpkgs/pkgs/os-specific/darwin/swift-corelibs/0006-System-CF-framework-compatibility.patch b/nixpkgs/pkgs/os-specific/darwin/swift-corelibs/0006-System-CF-framework-compatibility.patch
new file mode 100644
index 000000000000..248cb5f60037
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/darwin/swift-corelibs/0006-System-CF-framework-compatibility.patch
@@ -0,0 +1,84 @@
+diff -u a/CoreFoundation/CMakeLists.txt b/CoreFoundation/CMakeLists.txt
+--- a/CoreFoundation/CMakeLists.txt	1969-12-31 19:00:01.000000000 -0500
++++ b/CoreFoundation/CMakeLists.txt	2023-06-29 18:59:08.659632504 -0400
+@@ -1,5 +1,5 @@
+ 
+-cmake_minimum_required(VERSION 3.4.3)
++cmake_minimum_required(VERSION 3.14)
+ list(APPEND CMAKE_MODULE_PATH
+      "${CMAKE_CURRENT_SOURCE_DIR}/cmake/modules")
+ 
+@@ -45,6 +45,8 @@
+                 ${FRAMEWORK_LIBRARY_TYPE}
+               FRAMEWORK_DIRECTORY
+                 CoreFoundation_FRAMEWORK_DIRECTORY
++              VERSION
++                A
+               MODULE_MAP
+                 Base.subproj/module.modulemap
+               PRIVATE_HEADERS
+diff -u a/CoreFoundation/cmake/modules/CoreFoundationAddFramework.cmake b/CoreFoundation/cmake/modules/CoreFoundationAddFramework.cmake
+--- a/CoreFoundation/cmake/modules/CoreFoundationAddFramework.cmake	1969-12-31 19:00:01.000000000 -0500
++++ b/CoreFoundation/cmake/modules/CoreFoundationAddFramework.cmake	2023-06-29 18:57:55.792860996 -0400
+@@ -3,7 +3,7 @@
+ 
+ function(add_framework NAME)
+   set(options STATIC SHARED)
+-  set(single_value_args MODULE_MAP FRAMEWORK_DIRECTORY)
++  set(single_value_args MODULE_MAP FRAMEWORK_DIRECTORY VERSION)
+   set(multiple_value_args PRIVATE_HEADERS PUBLIC_HEADERS SOURCES)
+   cmake_parse_arguments(AF "${options}" "${single_value_args}" "${multiple_value_args}" ${ARGN})
+ 
+@@ -14,26 +14,32 @@
+     set(AF_TYPE SHARED)
+   endif()
+ 
++  file(MAKE_DIRECTORY ${CMAKE_BINARY_DIR}/${NAME}.framework/Versions/${AF_VERSION})
++  file(CREATE_LINK ${AF_VERSION} ${CMAKE_BINARY_DIR}/${NAME}.framework/Versions/Current SYMBOLIC)
++
+   if(AF_MODULE_MAP)
+     file(COPY
+            ${AF_MODULE_MAP}
+          DESTINATION
+-           ${CMAKE_BINARY_DIR}/${NAME}.framework/Modules
++           ${CMAKE_BINARY_DIR}/${NAME}.framework/Versions/Current/Modules
+          NO_SOURCE_PERMISSIONS)
++    file(CREATE_LINK Versions/Current/Modules ${CMAKE_BINARY_DIR}/${NAME}.framework/Modules SYMBOLIC)
+   endif()
+   if(AF_PUBLIC_HEADERS)
+     file(COPY
+            ${AF_PUBLIC_HEADERS}
+          DESTINATION
+-           ${CMAKE_BINARY_DIR}/${NAME}.framework/Headers
++           ${CMAKE_BINARY_DIR}/${NAME}.framework/Versions/Current/Headers
+          NO_SOURCE_PERMISSIONS)
++    file(CREATE_LINK Versions/Current/Headers ${CMAKE_BINARY_DIR}/${NAME}.framework/Headers SYMBOLIC)
+   endif()
+   if(AF_PRIVATE_HEADERS)
+     file(COPY
+            ${AF_PRIVATE_HEADERS}
+          DESTINATION
+-           ${CMAKE_BINARY_DIR}/${NAME}.framework/PrivateHeaders
++           ${CMAKE_BINARY_DIR}/${NAME}.framework/Versions/Current/PrivateHeaders
+          NO_SOURCE_PERMISSIONS)
++    file(CREATE_LINK Versions/Current/PrivateHeaders ${CMAKE_BINARY_DIR}/${NAME}.framework/PrivateHeaders SYMBOLIC)
+   endif()
+   add_custom_target(${NAME}_POPULATE_HEADERS
+                     DEPENDS
+@@ -51,13 +57,15 @@
+   set_target_properties(${NAME}
+                         PROPERTIES
+                           LIBRARY_OUTPUT_DIRECTORY
+-                              ${CMAKE_BINARY_DIR}/${NAME}.framework)
++                              ${CMAKE_BINARY_DIR}/${NAME}.framework/Versions/Current)
+   target_compile_options(${NAME}
+                          PRIVATE
+                            -F;${CMAKE_BINARY_DIR}
+                            -I;${CMAKE_BINARY_DIR}/${NAME}.framework/PrivateHeaders)
+   add_dependencies(${NAME} ${NAME}_POPULATE_HEADERS)
+ 
++  file(CREATE_LINK Versions/Current/${NAME} ${CMAKE_BINARY_DIR}/${NAME}.framework/${NAME} SYMBOLIC)
++
+   if(AF_FRAMEWORK_DIRECTORY)
+     set(${AF_FRAMEWORK_DIRECTORY} ${CMAKE_BINARY_DIR}/${NAME}.framework PARENT_SCOPE)
+   endif()
diff --git a/nixpkgs/pkgs/os-specific/darwin/swift-corelibs/0007-Use-nixpkgs-icu.patch b/nixpkgs/pkgs/os-specific/darwin/swift-corelibs/0007-Use-nixpkgs-icu.patch
new file mode 100644
index 000000000000..78fa517ce76d
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/darwin/swift-corelibs/0007-Use-nixpkgs-icu.patch
@@ -0,0 +1,31 @@
+diff -ur d/CoreFoundation/CMakeLists.txt e/CoreFoundation/CMakeLists.txt
+--- d/CoreFoundation/CMakeLists.txt	1969-12-31 19:00:01.000000000 -0500
++++ e/CoreFoundation/CMakeLists.txt	2023-06-29 19:13:15.561253229 -0400
+@@ -343,6 +343,7 @@
+ elseif(CMAKE_SYSTEM_NAME STREQUAL Darwin)
+   find_package(CURL REQUIRED)
+   target_include_directories(CoreFoundation PRIVATE ${CURL_INCLUDE_DIRS})
++  find_package(ICU COMPONENTS uc i18n data REQUIRED)
+   find_package(LibXml2 REQUIRED)
+   target_include_directories(CoreFoundation PRIVATE ${LIBXML2_INCLUDE_DIR})
+ else()
+@@ -377,6 +378,9 @@
+ elseif(CMAKE_SYSTEM_NAME STREQUAL Darwin)
+   target_link_libraries(CoreFoundation PRIVATE
+     ${CURL_LIBRARIES}
++    ICU::uc
++    ICU::i18n
++    ICU::data
+     ${LIBXML2_LIBRARIES})
+ else()
+   target_link_libraries(CoreFoundation
+@@ -408,9 +412,6 @@
+                         PROPERTIES LINK_FLAGS
+                           -Xlinker;@${CMAKE_SOURCE_DIR}/linux.ld;-Bsymbolic)
+ elseif(CMAKE_SYSTEM_NAME STREQUAL Darwin)
+-  target_link_libraries(CoreFoundation
+-                        PRIVATE
+-                          icucore)
+   target_link_options(CoreFoundation
+                       PUBLIC
+                       "LINKER:-alias_list,../Base.subproj/DarwinSymbolAliases"
diff --git a/nixpkgs/pkgs/os-specific/darwin/swift-corelibs/0008-Dont-link-libcurl.patch b/nixpkgs/pkgs/os-specific/darwin/swift-corelibs/0008-Dont-link-libcurl.patch
new file mode 100644
index 000000000000..4207bf1a82f5
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/darwin/swift-corelibs/0008-Dont-link-libcurl.patch
@@ -0,0 +1,46 @@
+diff -u a/CoreFoundation/CMakeLists.txt b/CoreFoundation/CMakeLists.txt
+--- a/CoreFoundation/CMakeLists.txt	1969-12-31 19:00:01.000000000 -0500
++++ b/CoreFoundation/CMakeLists.txt	2023-06-29 19:39:30.074449222 -0400
+@@ -104,7 +104,6 @@
+                 # URL
+                 URL.subproj/CFURL.inc.h
+                 URL.subproj/CFURLPriv.h
+-                URL.subproj/CFURLSessionInterface.h
+               PUBLIC_HEADERS
+                 # FIXME: PrivateHeaders referenced by public headers
+                 Base.subproj/CFKnownLocations.h
+@@ -120,7 +119,6 @@
+                 String.subproj/CFRegularExpression.h
+                 String.subproj/CFRunArray.h
+                 URL.subproj/CFURLPriv.h
+-                URL.subproj/CFURLSessionInterface.h
+ 
+                 # AppServices
+                 AppServices.subproj/CFNotificationCenter.h
+@@ -280,8 +278,7 @@
+                 URL.subproj/CFURL.c
+                 URL.subproj/CFURLAccess.c
+                 URL.subproj/CFURLComponents.c
+-                URL.subproj/CFURLComponents_URIParser.c
+-                URL.subproj/CFURLSessionInterface.c)
++                URL.subproj/CFURLComponents_URIParser.c)
+ if(CMAKE_SYSTEM_NAME STREQUAL Linux OR CMAKE_SYSTEM_NAME STREQUAL Android)
+   target_compile_definitions(CoreFoundation
+                              PRIVATE
+@@ -341,8 +338,6 @@
+                              PRIVATE
+                                ${CURL_INCLUDE_DIRS})
+ elseif(CMAKE_SYSTEM_NAME STREQUAL Darwin)
+-  find_package(CURL REQUIRED)
+-  target_include_directories(CoreFoundation PRIVATE ${CURL_INCLUDE_DIRS})
+   find_package(ICU COMPONENTS uc i18n data REQUIRED)
+   find_package(LibXml2 REQUIRED)
+   target_include_directories(CoreFoundation PRIVATE ${LIBXML2_INCLUDE_DIR})
+@@ -377,7 +372,6 @@
+                           ${LIBXML2_LIBRARIES})
+ elseif(CMAKE_SYSTEM_NAME STREQUAL Darwin)
+   target_link_libraries(CoreFoundation PRIVATE
+-    ${CURL_LIBRARIES}
+     ICU::uc
+     ICU::i18n
+     ICU::data
diff --git a/nixpkgs/pkgs/os-specific/darwin/swift-corelibs/corefoundation.nix b/nixpkgs/pkgs/os-specific/darwin/swift-corelibs/corefoundation.nix
new file mode 100644
index 000000000000..5c593b1488e2
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/darwin/swift-corelibs/corefoundation.nix
@@ -0,0 +1,91 @@
+{ lib, stdenv, fetchFromGitHub, fetchurl, makeSetupHook, cmake, pkg-config, launchd, libdispatch, python3Minimal, libxml2, objc4, icu }:
+
+let
+  # 10.12 adds a new sysdir.h that our version of CF in the main derivation depends on, but
+  # isn't available publicly, so instead we grab an older version of the same file that did
+  # not use sysdir.h, but provided the same functionality. Luckily it's simple :) hack hack
+  sysdir-free-system-directories = fetchurl {
+    url    = "https://raw.githubusercontent.com/apple/swift-corelibs-foundation/9a5d8420f7793e63a8d5ec1ede516c4ebec939f0/CoreFoundation/Base.subproj/CFSystemDirectories.c";
+    sha256 = "0krfyghj4f096arvvpf884ra5czqlmbrgf8yyc0b3avqmb613pcc";
+  };
+in
+
+stdenv.mkDerivation {
+  pname = "swift-corefoundation";
+  version = "unstable-2018-09-14";
+
+  src = fetchFromGitHub {
+    owner  = "apple";
+    repo   = "swift-corelibs-foundation";
+    rev    = "71aaba20e1450a82c516af1342fe23268e15de0a";
+    sha256 = "17kpql0f27xxz4jjw84vpas5f5sn4vdqwv10g151rc3rswbwln1z";
+  };
+
+  nativeBuildInputs = [ cmake pkg-config python3Minimal ];
+  buildInputs = [ (lib.getDev launchd) libdispatch libxml2 objc4 icu ];
+
+  patches = [
+    ./0001-Add-missing-TARGET_OS_-defines.patch
+    # CFMessagePort.h uses `bootstrap_check_in` without declaring it, which is defined in the launchd headers.
+    ./0002-Add-missing-launchd-header.patch
+    # CFURLComponents fails to build with clang 16 due to an invalid pointer conversion. This is fixed upstream.
+    ./0003-Fix-incompatible-pointer-conversion.patch
+    # Fix `CMakeLists.txt` to allow it to be used instead of `build.py` to build on Darwin.
+    ./0004-Fix-Darwin-cmake-build.patch
+    # Install CF framework in `$out/Library/Frameworks` instead of `$out/System/Frameworks`.
+    ./0005-Fix-framework-installation-path.patch
+    # Build a framework that matches the contents of the system CoreFoundation. This patch adds
+    # versioning and drops the prefix and suffix, so the dynamic library is named `CoreFoundation`
+    # instead of `libCoreFoundation.dylib`.
+    ./0006-System-CF-framework-compatibility.patch
+    # Link against the nixpkgs ICU instead of using Apple’s vendored version.
+    ./0007-Use-nixpkgs-icu.patch
+    # Don’t link against libcurl. This breaks a cycle between CF and curl, which depends on CF and
+    # uses the SystemConfiguration framework to support NAT64.
+    # This is safe because the symbols provided in CFURLSessionInterface are not provided by the
+    # system CoreFoundation. They are meant to be used by the implementation of `NSURLSession` in
+    # swift-corelibs-foundation, which is not built because it is not fully compatible with the
+    # system Foundation used on Darwin.
+    ./0008-Dont-link-libcurl.patch
+  ];
+
+  postPatch = ''
+    cd CoreFoundation
+
+    cp ${sysdir-free-system-directories} Base.subproj/CFSystemDirectories.c
+
+    # Includes xpc for some initialization routine that they don't define anyway, so no harm here
+    substituteInPlace PlugIn.subproj/CFBundlePriv.h \
+      --replace '#if (TARGET_OS_MAC' '#if (0'
+
+    # Why do we define __GNU__? Is that normal?
+    substituteInPlace Base.subproj/CFAsmMacros.h \
+      --replace '#if defined(__GNU__) ||' '#if 0 &&'
+
+    # The MIN macro doesn't seem to be defined sensibly for us. Not sure if our stdenv or their bug
+    substituteInPlace Base.subproj/CoreFoundation_Prefix.h \
+      --replace '#if DEPLOYMENT_TARGET_WINDOWS || DEPLOYMENT_TARGET_LINUX' '#if 1'
+  '';
+
+  env.NIX_CFLAGS_COMPILE = toString [
+    # Silence warnings regarding other targets
+    "-Wno-error=undef-prefix"
+    # Avoid redefinitions when including objc headers
+    "-DINCLUDE_OBJC=1"
+  ];
+
+  cmakeFlags = [
+    "-DBUILD_SHARED_LIBS=ON"
+    "-DCF_ENABLE_LIBDISPATCH=OFF"
+  ];
+
+  enableParallelBuilding = true;
+
+  postInstall = ''
+    install_name_tool -id '@rpath/CoreFoundation.framework/Versions/A/CoreFoundation' \
+      "$out/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation"
+
+    mkdir -p "$out/nix-support"
+    substituteAll ${./pure-corefoundation-hook.sh} "$out/nix-support/setup-hook"
+  '';
+}
diff --git a/nixpkgs/pkgs/os-specific/darwin/swift-corelibs/libdispatch.nix b/nixpkgs/pkgs/os-specific/darwin/swift-corelibs/libdispatch.nix
new file mode 100644
index 000000000000..a5b4b2a52df1
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/darwin/swift-corelibs/libdispatch.nix
@@ -0,0 +1,13 @@
+{ stdenv, fetchFromGitHub, cmake, apple_sdk_sierra, xnu-new }:
+
+stdenv.mkDerivation rec {
+  name = "swift-corelibs-libdispatch";
+  src = fetchFromGitHub {
+    owner = "apple";
+    repo = name;
+    rev = "f83b5a498bad8e9ff8916183cf6e8ccf677c346b";
+    sha256 = "1czkyyc9llq2mnqfp19mzcfsxzas0y8zrk0gr5hg60acna6jkz2l";
+  };
+  nativeBuildInputs = [ cmake ];
+  buildInputs = [ apple_sdk_sierra.sdk xnu-new ];
+}
diff --git a/nixpkgs/pkgs/os-specific/darwin/swift-corelibs/pure-corefoundation-hook.sh b/nixpkgs/pkgs/os-specific/darwin/swift-corelibs/pure-corefoundation-hook.sh
new file mode 100644
index 000000000000..d5539f50861a
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/darwin/swift-corelibs/pure-corefoundation-hook.sh
@@ -0,0 +1,7 @@
+usePureCoreFoundation() {
+# Avoid overriding value set by the impure CF
+    if [ -z "${NIX_COREFOUNDATION_RPATH:-}" ]; then
+        export NIX_COREFOUNDATION_RPATH=@out@/Library/Frameworks
+    fi
+}
+addEnvHooks "$hostOffset" usePureCoreFoundation
diff --git a/nixpkgs/pkgs/os-specific/darwin/swiftbar/default.nix b/nixpkgs/pkgs/os-specific/darwin/swiftbar/default.nix
new file mode 100644
index 000000000000..f2cd30fd6f16
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/darwin/swiftbar/default.nix
@@ -0,0 +1,46 @@
+{ lib
+, fetchzip
+, stdenvNoCC
+, makeWrapper
+}:
+
+stdenvNoCC.mkDerivation rec {
+  pname = "swiftbar";
+  version = "1.4.3";
+
+  src = fetchzip {
+    url = "https://github.com/swiftbar/SwiftBar/releases/download/v${version}/SwiftBar.zip";
+    sha256 = "sha256-Ut+lr1E7bMp8Uz1aL7EV0ZsfdTh9t7zUjDU/DScRpHY=";
+    stripRoot = false;
+  };
+
+  dontConfigure = true;
+  dontBuild = true;
+
+  nativeBuildInputs = [
+    makeWrapper
+  ];
+
+  installPhase = ''
+    runHook preInstall
+
+    mkdir -p $out/{Applications,bin}
+    cp -r ./SwiftBar.app $out/Applications
+
+    # Symlinking doesnt work; The auto-updater will fail to start which renders the app useless
+    makeWrapper $out/Applications/SwiftBar.app/Contents/MacOS/SwiftBar $out/bin/SwiftBar
+
+    runHook postInstall
+  '';
+
+  meta = with lib; {
+    description = "Powerful macOS menu bar customization tool";
+    homepage = "https://swiftbar.app";
+    changelog = "https://github.com/swiftbar/SwiftBar/releases/tag/v${version}";
+    mainProgram = "SwiftBar";
+    license = licenses.mit;
+    platforms = platforms.darwin;
+    sourceProvenance = with sourceTypes; [ binaryNativeCode ];
+    maintainers = with maintainers; [ ivar ];
+  };
+}
diff --git a/nixpkgs/pkgs/os-specific/darwin/swiftdefaultapps/default.nix b/nixpkgs/pkgs/os-specific/darwin/swiftdefaultapps/default.nix
new file mode 100644
index 000000000000..44a40e8c8a70
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/darwin/swiftdefaultapps/default.nix
@@ -0,0 +1,29 @@
+{ fetchzip, lib, stdenvNoCC }:
+
+stdenvNoCC.mkDerivation rec {
+  pname = "swiftdefaultapps";
+  version = "2.0.1";
+
+  # Fetch the release which includes the prebuild binary since this is a Swift project and nixpkgs
+  # doesn't currently have the ability to build Swift projects.
+  src = fetchzip {
+    url = "https://github.com/Lord-Kamina/SwiftDefaultApps/releases/download/v${version}/SwiftDefaultApps-v${version}.zip";
+    stripRoot = false;
+    sha256 = "sha256-0HsHjZBPUzmdvHy7E9EdZj6zwaXjSX2u5aj8pij0u3E=";
+  };
+
+  installPhase = ''
+    runHook preInstall
+    install -D './swda' "$out/bin/swda"
+    runHook postInstall
+  '';
+
+  meta = with lib; {
+    description = "View and change the default application for url schemes and UTIs";
+    homepage = "https://github.com/Lord-Kamina/SwiftDefaultApps";
+    license = licenses.beerware;
+    maintainers = [ maintainers.malo ];
+    platforms = platforms.darwin;
+    mainProgram = "swda";
+  };
+}
diff --git a/nixpkgs/pkgs/os-specific/darwin/trash/default.nix b/nixpkgs/pkgs/os-specific/darwin/trash/default.nix
new file mode 100644
index 000000000000..a239f6607b1f
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/darwin/trash/default.nix
@@ -0,0 +1,34 @@
+{ lib, stdenv, fetchFromGitHub, perl, AppKit, Cocoa, ScriptingBridge }:
+
+stdenv.mkDerivation rec {
+  version = "0.9.2";
+  pname = "trash";
+
+  src = fetchFromGitHub {
+    owner = "ali-rantakari";
+    repo = "trash";
+    rev = "v${version}";
+    sha256 = "1d3rc03vgz32faj7qi18iiggxvxlqrj9lsk5jkpa9r1mcs5d89my";
+  };
+
+  buildInputs = [ perl Cocoa AppKit ScriptingBridge ];
+
+  patches = [ ./trash.diff ];
+
+  buildPhase = "make all docs";
+
+  installPhase = ''
+    mkdir -p $out/bin
+    mkdir -p $out/share/man/man1
+    install -m 0755 trash $out/bin
+    install -m 0444 trash.1 $out/share/man/man1
+  '';
+
+  meta = {
+    homepage = "https://github.com/ali-rantakari/trash";
+    description = "Small command-line program for OS X that moves files or
+    folders to the trash.";
+    platforms = lib.platforms.darwin;
+    license = lib.licenses.mit;
+  };
+}
diff --git a/nixpkgs/pkgs/os-specific/darwin/trash/trash.diff b/nixpkgs/pkgs/os-specific/darwin/trash/trash.diff
new file mode 100644
index 000000000000..d96f6c9c4fef
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/darwin/trash/trash.diff
@@ -0,0 +1,13 @@
+diff --git a/Makefile b/Makefile
+index 5e4306f..9c975fc 100644
+--- a/Makefile
++++ b/Makefile
+@@ -10,7 +10,7 @@ trash: $(SOURCE_FILES)
+ 	@echo
+ 	@echo ---- Compiling:
+ 	@echo ======================================
+-	$(CC) -O2 -Wall -Wextra -Wpartial-availability -Wno-unguarded-availability -force_cpusubtype_ALL -mmacosx-version-min=10.7 -arch i386 -arch x86_64 -framework AppKit -framework ScriptingBridge -o $@ $(SOURCE_FILES)
++	$(CC) -O2 -Wall -Wextra -Wpartial-availability -Wno-unguarded-availability -framework AppKit -framework ScriptingBridge -o $@ $(SOURCE_FILES)
+ 
+ analyze:
+ 	@echo
diff --git a/nixpkgs/pkgs/os-specific/darwin/utm/default.nix b/nixpkgs/pkgs/os-specific/darwin/utm/default.nix
new file mode 100644
index 000000000000..f7055d378cbb
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/darwin/utm/default.nix
@@ -0,0 +1,67 @@
+{ lib
+, undmg
+, makeWrapper
+, fetchurl
+, stdenvNoCC
+}:
+
+stdenvNoCC.mkDerivation rec {
+  pname = "utm";
+  version = "4.4.4";
+
+  src = fetchurl {
+    url = "https://github.com/utmapp/UTM/releases/download/v${version}/UTM.dmg";
+    hash = "sha256-SyrqkNWRUKQS3D17XYsC/dcCKlPLGNNsG5obEiHE1Lk=";
+  };
+
+  nativeBuildInputs = [ undmg makeWrapper ];
+
+  sourceRoot = ".";
+  installPhase = ''
+    runHook preInstall
+
+    mkdir -p $out/Applications
+    cp -r *.app $out/Applications
+
+    mkdir -p $out/bin
+    for bin in $out/Applications/UTM.app/Contents/MacOS/*; do
+      # Symlinking `UTM` doesn't work; seems to look for files in the wrong
+      # place
+      makeWrapper $bin "$out/bin/$(basename $bin)"
+    done
+
+    runHook postInstall
+  '';
+
+  meta = with lib; {
+    description = "Full featured system emulator and virtual machine host for iOS and macOS";
+    longDescription = ''
+      UTM is a full featured system emulator and virtual machine host for iOS
+      and macOS. It is based off of QEMU. In short, it allows you to run
+      Windows, Linux, and more on your Mac, iPhone, and iPad.
+
+      Features:
+        - Full system emulation (MMU, devices, etc) using QEMU
+        - 30+ processors supported including x86_64, ARM64, and RISC-V
+        - VGA graphics mode using SPICE and QXL
+        - Text terminal mode
+        - USB devices
+        - JIT based acceleration using QEMU TCG
+        - Frontend designed from scratch for macOS 11 and iOS 11+ using the
+          latest and greatest APIs
+        - Create, manage, run VMs directly from your device
+        - Hardware accelerated virtualization using Hypervisor.framework and
+          QEMU
+        - Boot macOS guests with Virtualization.framework on macOS 12+
+
+      See https://docs.getutm.app/ for more information.
+    '';
+    homepage = "https://mac.getutm.app/";
+    changelog = "https://github.com/utmapp/${pname}/releases/tag/v${version}";
+    mainProgram = "UTM";
+    license = licenses.asl20;
+    platforms = platforms.darwin; # 11.3 is the minimum supported version as of UTM 4.
+    sourceProvenance = with sourceTypes; [ binaryNativeCode ];
+    maintainers = with maintainers; [ rrbutani wegank ];
+  };
+}
diff --git a/nixpkgs/pkgs/os-specific/darwin/wifi-password/default.nix b/nixpkgs/pkgs/os-specific/darwin/wifi-password/default.nix
new file mode 100644
index 000000000000..f66af1ddfb56
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/darwin/wifi-password/default.nix
@@ -0,0 +1,26 @@
+{ lib, stdenv, fetchFromGitHub }:
+
+stdenv.mkDerivation rec {
+  version = "0.1.0";
+  pname = "wifi-password";
+
+  src = fetchFromGitHub {
+    owner = "rauchg";
+    repo = pname;
+    rev = version;
+    sha256 = "0sfvb40h7rz9jzp4l9iji3jg80paklqsbmnk5h7ipsv2xbsplp64";
+  };
+
+  installPhase = ''
+    mkdir -p $out/bin
+    cp wifi-password.sh $out/bin/wifi-password
+  '';
+
+  meta = {
+    homepage = "https://github.com/rauchg/wifi-password";
+    description = "Get the password of the wifi you're on";
+    platforms = lib.platforms.darwin;
+    license = lib.licenses.mit;
+    maintainers = [ lib.maintainers.nikitavoloboev ];
+  };
+}
diff --git a/nixpkgs/pkgs/os-specific/darwin/xattr/default.nix b/nixpkgs/pkgs/os-specific/darwin/xattr/default.nix
new file mode 100644
index 000000000000..7fe0f84606ce
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/darwin/xattr/default.nix
@@ -0,0 +1,79 @@
+{ lib
+, stdenv
+, fetchFromGitHub
+, buildPythonPackage
+, python
+, ed
+, unifdef
+}:
+
+buildPythonPackage rec {
+  pname = "xattr";
+  version = "61.60.1";
+
+  src = fetchFromGitHub {
+    owner = "apple-oss-distributions";
+    repo = "python_modules";
+    rev = "python_modules-${version}";
+    hash = "sha256-kfMGPzNAJsPvvUCSzcR0kgg85U6/NFf/ie1uwg9tfqY=";
+  };
+
+  sourceRoot = "${src.name}/Modules/xattr-0.6.4";
+  format = "other";
+
+  nativeBuildInputs = [
+    ed
+    unifdef
+    python.pkgs.setuptools
+  ];
+
+  makeFlags = [
+    "OBJROOT=$(PWD)"
+    "DSTROOT=${placeholder "out"}"
+    "OSL=${placeholder "doc"}/share/xattr/OpenSourceLicenses"
+    "OSV=${placeholder "doc"}/share/xattr/OpenSourceVersions"
+  ];
+
+  # need to use `out` instead of `bin` since buildPythonPackage ignores the latter
+  outputs = [ "out" "doc" "python" ];
+
+  # We need to patch a reference to gnutar in an included Makefile
+  postUnpack = ''
+    chmod u+w $sourceRoot/..
+  '';
+
+  postPatch = ''
+    substituteInPlace ../Makefile.inc --replace gnutar tar
+    substituteInPlace Makefile --replace "/usr" ""
+  '';
+
+  preInstall = ''
+    # prevent setup.py from trying to download setuptools
+    sed -i xattr-*/setup.py -e '/ez_setup/d'
+
+    # create our custom target dirs we patch in
+    mkdir -p "$doc/share/xattr/"OpenSource{Licenses,Versions}
+    mkdir -p "$python/lib/${python.libPrefix}"
+  '';
+
+  # move python package to its own output to reduce clutter
+  postInstall = ''
+    mv "$out/lib/python" "$python/${python.sitePackages}"
+    rmdir "$out/lib"
+  '';
+
+  makeWrapperArgs = [
+    "--prefix"
+    "PYTHONPATH"
+    ":"
+    "${placeholder "python"}/${python.sitePackages}"
+  ];
+
+  meta = with lib; {
+    description = "Display and manipulate extended attributes";
+    license = [ licenses.psfl licenses.mit ]; # see $doc/share/xattr/OpenSourceLicenses
+    maintainers = [ maintainers.sternenseemann ];
+    homepage = "https://opensource.apple.com/source/python_modules/";
+    platforms = lib.platforms.darwin;
+  };
+}
diff --git a/nixpkgs/pkgs/os-specific/darwin/xcode/default.nix b/nixpkgs/pkgs/os-specific/darwin/xcode/default.nix
new file mode 100644
index 000000000000..ec98a0b1cfb6
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/darwin/xcode/default.nix
@@ -0,0 +1,84 @@
+{ stdenv, requireFile, lib }:
+
+let requireXcode = version: sha256:
+  let
+    xip = "Xcode_" + version +  ".xip";
+    # TODO(alexfmpe): Find out how to validate the .xip signature in Linux
+    unxip = if stdenv.buildPlatform.isDarwin
+            then ''
+              open -W ${xip}
+              rm -rf ${xip}
+            ''
+            else ''
+              xar -xf ${xip}
+              rm -rf ${xip}
+              pbzx -n Content | cpio -i
+              rm Content Metadata
+            '';
+    app = requireFile rec {
+      name     = "Xcode.app";
+      url      = "https://developer.apple.com/services-account/download?path=/Developer_Tools/Xcode_${version}/${xip}";
+      hashMode = "recursive";
+      inherit sha256;
+      message  = ''
+        Unfortunately, we cannot download ${name} automatically.
+        Please go to ${url}
+        to download it yourself, and add it to the Nix store by running the following commands.
+        Note: download (~ 5GB), extraction and storing of Xcode will take a while
+
+        ${unxip}
+        nix-store --add-fixed --recursive sha256 Xcode.app
+        rm -rf Xcode.app
+      '';
+    };
+    meta = with lib; {
+      homepage = "https://developer.apple.com/downloads/";
+      description = "Apple's XCode SDK";
+      license = licenses.unfree;
+      platforms = platforms.darwin ++ platforms.linux;
+    };
+
+  in app.overrideAttrs ( oldAttrs: oldAttrs // { inherit meta; });
+
+in lib.makeExtensible (self: {
+  xcode_8_1 = requireXcode "8.1" "sha256-VuAovU/b4rcLh+xMtcsZmbTWwTk35VGfMSp+fqPbsqM=";
+  xcode_8_2 = requireXcode "8.2" "sha256-ohqgGD7JEEmXEvmfn/N9Ga2lM8jNwhIuh+ky7PQPzY4=";
+  xcode_9_1 = requireXcode "9.1" "sha256-LG7pVMh1rNh5uP/bASvV9sKvGDrSGWH90J4gzwcgYSk=";
+  xcode_9_2 = requireXcode "9.2" "sha256-jMiG2G2zoGw4m00CjkGE+2cn0qeOdSUcXosZI2577q0=";
+  xcode_9_3 = requireXcode "9.3" "sha256-XIQYjfDVSmrYbyolnZIUtmOMhj9uhyWIn0KncsiaqYo=";
+  xcode_9_4 = requireXcode "9.4" "sha256-ZzE4F4UHVgKlJIn36kfs6Pba8iUAe6P/rh/VmxwLXwE=";
+  xcode_9_4_1 = requireXcode "9.4.1" "sha256-fFGB/XMZJQ2u9qh+2LYBHFh6mj5lr6gMlSQwgyS8M3k=";
+  xcode_10_1 = requireXcode "10.1" "sha256-u4Br3SsWbPCv6r4vGHFQUQmfPb9oUEmcdCFktMlbTes=";
+  xcode_10_2 = requireXcode "10.2" "sha256-592xNBS3Obp/3sDROyI4SxPN77cKMk45Lnis/QJd/vc=";
+  xcode_10_2_1 = requireXcode "10.2.1" "sha256-r65DbLDpiFJ78VH2hvfp7ZVpehoI44PSnaeDbElZTYc=";
+  xcode_10_3 = requireXcode "10.3" "sha256-61lDed7/Wi6uVBaj6/fUELISvmH3j69dQE19Y91GwsQ=";
+  xcode_11 = requireXcode "11" "sha256-EDM5tjuzGTzlVUg6MJKup/Q2OBrFXjzFdXSRO+eQA+Q=";
+  xcode_11_1 = requireXcode "11.1" "sha256-gXGVkEG+dFEoDbRjtfyN8MeUcoA6hcfsUaVDKAn7T7A=";
+  xcode_11_2 = requireXcode "11.2" "sha256-8qFEgRVhgOomSnJk23WaM/nACK9JFmiIICjUfT/Co9I=";
+  xcode_11_3 = requireXcode "11.3" "sha256-6nPCY0rIU2c7nRYDXMWcDHrCm34eqZq6wx157mk3OxM=";
+  xcode_11_3_1 = requireXcode "11.3.1" "sha256-BI8Olfqyxh51jyNpydiRkPwTQ4OK+ZpHUybPkCSL1tw=";
+  xcode_11_4 = requireXcode "11.4" "sha256-x/sLazHPs4SoCPKJ0CgFbTEmxlzJeZ7HtinMlse6uRg=";
+  xcode_11_5 = requireXcode "11.5" "sha256-fLqMcIOM6ZqacTBMF6N0swJzOmnt+FfYlDt8m/BXP7Y=";
+  xcode_11_6 = requireXcode "11.6" "sha256-nVDsbD7pGCM2jgXzRtV+VIFc/klmX05W6x/eOAOHjvg=";
+  xcode_11_7 = requireXcode "11.7" "sha256-stKqjXmERNQ4qF/73EE34oLtfF9+WZXK9BwXSVjLQhA=";
+  xcode_12 = requireXcode "12" "sha256-H8Hcre9dB2v2VT8/SrEkU+RZ2rZRiM0JqMX6i4yoffA=";
+  xcode_12_0_1 = requireXcode "12.0.1" "sha256-gK7PZ22aR3ow72pSjr7tUIOsgoAEUqcMZgNCEFVp29w=";
+  xcode_12_1 = requireXcode "12.1" "sha256-l4+MW8IWMqR/9dxd9FVtfxJs3M/qtIcj6nyQ2cjxLfI=";
+  xcode_12_2 = requireXcode "12.2" "sha256-G8jku/9WB8Q1zgKWGbSv06bSWE385sPlc7xnfonjIJ4=";
+  xcode_12_3 = requireXcode "12.3" "sha256-CYU2fAeT+DWiK/mpRoGv57RjGfseL23BDU57SokPjk8=";
+  xcode_12_4 = requireXcode "12.4" "sha256-Qw4j+XFry85/AviHQVhjjjKLAfmRNNwMGN5G8FheJwQ=";
+  xcode_12_5 = requireXcode "12.5" "sha256-xiGffnV0P9Ojd6IrJSXILUX4oznPif7zm00WAksn3qU=";
+  xcode_12_5_1 = requireXcode "12.5.1" "sha256-zL0kS86ZzBkIrKLPKvWguDvXj9Tqbr7uR/VZaT/uZ9A=";
+  xcode_13 = requireXcode "13" "sha256-uTY6d5DBu4OOQLkxs3ExDfLXh50rE2LLlqtCbk3Qn6E=";
+  xcode_13_1 = requireXcode "13.1" "sha256-vd+4eFVaAyvXsdaExcfbDZSXOwkpt+rEbkBYSMjdUEA=";
+  xcode_13_2 = requireXcode "13.2" "sha256-guJXm/QnMfvUZwAcJwoy0QeO+DpDcUhs8AxVKvm9tYQ=";
+  xcode_13_2_1 = requireXcode "13.2.1" "sha256-r832Uu+Q8utK4zN0CtwiMCvMYT5HstWInyq4cNIaZJM=";
+  xcode_13_3 = requireXcode "13.3" "sha256-p2zaWMpmUeNHQtYOOaVdhCt3cgapvzL3l73/J+UwzCE=";
+  xcode_13_3_1 = requireXcode "13.3.1" "sha256-j71vpJVJpyj/IOlL+4+5lYgOlhf/zn+7ExIHbxL51cQ=";
+  xcode_13_4 = requireXcode "13.4" "sha256-IY1coss90GlBeJg/HQPMU8v2rOOxsqlY5q+2Qxe8nnY=";
+  xcode_13_4_1 = requireXcode "13.4.1" "sha256-Jk8fLgvnODoIhuVJqfV0KrpBBL40fRrHJbFmm44NRKE=";
+  xcode_14 = requireXcode "14" "sha256-E+wjPgQx/lbYAsauksdmGsygL5VPBA8R9pHB93eA7T0=";
+  xcode_14_1 = requireXcode "14.1" "sha256-QJGAUVIhuDYyzDNttBPv5lIGOfvkYqdOFSUAr5tlkfs=";
+  xcode = self."xcode_${lib.replaceStrings ["."] ["_"] (if (stdenv.targetPlatform ? xcodeVer) then stdenv.targetPlatform.xcodeVer else "12.3")}";
+})
+
diff --git a/nixpkgs/pkgs/os-specific/darwin/xcode/sdk-pkgs.nix b/nixpkgs/pkgs/os-specific/darwin/xcode/sdk-pkgs.nix
new file mode 100644
index 000000000000..50eb50ea6b78
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/darwin/xcode/sdk-pkgs.nix
@@ -0,0 +1,61 @@
+{ stdenv
+, clang-unwrapped
+, binutils-unwrapped
+, runCommand
+
+, wrapBintoolsWith
+, wrapCCWith
+, buildIosSdk, targetIosSdkPkgs
+, xcode
+, lib
+}:
+
+let
+
+minSdkVersion = stdenv.targetPlatform.minSdkVersion or "9.0";
+
+in
+
+rec {
+  sdk = rec {
+    name = "ios-sdk";
+    type = "derivation";
+    outPath = xcode + "/Contents/Developer/Platforms/${platform}.platform/Developer/SDKs/${platform}${version}.sdk";
+
+    platform = stdenv.targetPlatform.xcodePlatform;
+    version = stdenv.targetPlatform.sdkVer;
+  };
+
+  binutils = wrapBintoolsWith {
+    libc = targetIosSdkPkgs.libraries;
+    bintools = binutils-unwrapped;
+  };
+
+  clang = (wrapCCWith {
+    cc = clang-unwrapped;
+    bintools = binutils;
+    libc = targetIosSdkPkgs.libraries;
+    extraPackages = [ "${sdk}/System" ];
+    extraBuildCommands = ''
+      tr '\n' ' ' < $out/nix-support/cc-cflags > cc-cflags.tmp
+      mv cc-cflags.tmp $out/nix-support/cc-cflags
+      echo "-target ${stdenv.targetPlatform.config}" >> $out/nix-support/cc-cflags
+      echo "-isystem ${sdk}/usr/include${lib.optionalString (lib.versionAtLeast "10" sdk.version) " -isystem ${sdk}/usr/include/c++/4.2.1/ -stdlib=libstdc++"}" >> $out/nix-support/cc-cflags
+      ${lib.optionalString (lib.versionAtLeast sdk.version "14") "echo -isystem ${xcode}/Contents/Developer/Toolchains/XcodeDefault.xctoolchain/usr/include/c++/v1 >> $out/nix-support/cc-cflags"}
+    '';
+  }) // {
+    inherit sdk;
+  };
+
+  libraries = let sdk = buildIosSdk; in runCommand "libSystem-prebuilt" {
+    passthru = {
+      inherit sdk;
+    };
+  } ''
+    if ! [ -d ${sdk} ]; then
+        echo "You must have version ${sdk.version} of the ${sdk.platform} sdk installed at ${sdk}" >&2
+        exit 1
+    fi
+    ln -s ${sdk}/usr $out
+  '';
+}
diff --git a/nixpkgs/pkgs/os-specific/darwin/yabai/default.nix b/nixpkgs/pkgs/os-specific/darwin/yabai/default.nix
new file mode 100644
index 000000000000..841746957c76
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/darwin/yabai/default.nix
@@ -0,0 +1,146 @@
+{ lib
+, stdenv
+, stdenvNoCC
+, fetchFromGitHub
+, fetchzip
+, installShellFiles
+, testers
+, yabai
+, xxd
+, xcodebuild
+  # These all need to be from SDK 11.0 or later starting with yabai 5.0.0
+, Carbon
+, Cocoa
+, ScriptingBridge
+, SkyLight
+}:
+
+let
+  pname = "yabai";
+  version = "6.0.1";
+
+  test-version = testers.testVersion {
+    package = yabai;
+    version = "yabai-v${version}";
+  };
+
+  _meta = with lib; {
+    description = "A tiling window manager for macOS based on binary space partitioning";
+    longDescription = ''
+      yabai is a window management utility that is designed to work as an extension to the built-in
+      window manager of macOS. yabai allows you to control your windows, spaces and displays freely
+      using an intuitive command line interface and optionally set user-defined keyboard shortcuts
+      using skhd and other third-party software.
+    '';
+    homepage = "https://github.com/koekeishiya/yabai";
+    changelog = "https://github.com/koekeishiya/yabai/blob/v${version}/CHANGELOG.md";
+    license = licenses.mit;
+    platforms = platforms.darwin;
+    mainProgram = "yabai";
+    maintainers = with maintainers; [
+      cmacrae
+      shardy
+      ivar
+      khaneliman
+    ];
+  };
+in
+{
+  # Unfortunately compiling yabai from source on aarch64-darwin is a bit complicated. We use the precompiled binary instead for now.
+  # See the comments on https://github.com/NixOS/nixpkgs/pull/188322 for more information.
+  aarch64-darwin = stdenvNoCC.mkDerivation {
+    inherit pname version;
+
+    src = fetchzip {
+      url = "https://github.com/koekeishiya/yabai/releases/download/v${version}/yabai-v${version}.tar.gz";
+      hash = "sha256-CXkGVoJcGSkooxe7eIhwaM6FkOI45NVw5jdLJAzgFBM=";
+    };
+
+    nativeBuildInputs = [
+      installShellFiles
+    ];
+
+    dontConfigure = true;
+    dontBuild = true;
+
+    installPhase = ''
+      runHook preInstall
+
+      mkdir -p $out
+      cp -r ./bin $out
+      installManPage ./doc/yabai.1
+
+      runHook postInstall
+    '';
+
+    passthru.tests.version = test-version;
+
+    meta = _meta // {
+      sourceProvenance = with lib.sourceTypes; [
+        binaryNativeCode
+      ];
+    };
+  };
+
+  x86_64-darwin = stdenv.mkDerivation {
+    inherit pname version;
+
+    src = fetchFromGitHub {
+      owner = "koekeishiya";
+      repo = "yabai";
+      rev = "v${version}";
+      hash = "sha256-u+MkGd/rkT1RVkzC2IcAcFM9eClFdj3WBFnftUVwkwc=";
+    };
+
+    nativeBuildInputs = [
+      installShellFiles
+      xcodebuild
+      xxd
+    ];
+
+    buildInputs = [
+      Carbon
+      Cocoa
+      ScriptingBridge
+      SkyLight
+    ];
+
+    dontConfigure = true;
+    enableParallelBuilding = true;
+
+    postPatch = ''
+      # aarch64 code is compiled on all targets, which causes our Apple SDK headers to error out.
+      # Since multilib doesnt work on darwin i dont know of a better way of handling this.
+      substituteInPlace makefile \
+        --replace "-arch arm64e" "" \
+        --replace "-arch arm64" "" \
+        --replace "clang" "${stdenv.cc.targetPrefix}clang"
+
+      # `NSScreen::safeAreaInsets` is only available on macOS 12.0 and above, which frameworks arent packaged.
+      # When a lower OS version is detected upstream just returns 0, so we can hardcode that at compiletime.
+      # https://github.com/koekeishiya/yabai/blob/v4.0.2/src/workspace.m#L109
+      substituteInPlace src/workspace.m \
+        --replace 'return screen.safeAreaInsets.top;' 'return 0;'
+    '';
+
+    installPhase = ''
+      runHook preInstall
+
+      mkdir -p $out/{bin,share/icons/hicolor/scalable/apps}
+
+      cp ./bin/yabai $out/bin/yabai
+      cp ./assets/icon/icon.svg $out/share/icons/hicolor/scalable/apps/yabai.svg
+      installManPage ./doc/yabai.1
+
+      runHook postInstall
+    '';
+
+    passthru.tests.version = test-version;
+
+    meta = _meta // {
+      sourceProvenance = with lib.sourceTypes; [
+        fromSource
+      ];
+    };
+  };
+}.${stdenv.hostPlatform.system} or (throw "Unsupported platform ${stdenv.hostPlatform.system}")
diff --git a/nixpkgs/pkgs/os-specific/linux/915resolution/default.nix b/nixpkgs/pkgs/os-specific/linux/915resolution/default.nix
new file mode 100644
index 000000000000..b67d737034e4
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/915resolution/default.nix
@@ -0,0 +1,21 @@
+{lib, stdenv, fetchurl}:
+
+stdenv.mkDerivation rec {
+  pname = "915resolution";
+  version = "0.5.3";
+
+  src = fetchurl {
+    url = "http://915resolution.mango-lang.org/915resolution-${version}.tar.gz";
+    sha256 = "0hmmy4kkz3x6yigz6hk99416ybznd67dpjaxap50nhay9f1snk5n";
+  };
+
+  patchPhase = "rm *.o";
+  installPhase = "mkdir -p $out/sbin; cp 915resolution $out/sbin/";
+
+  meta = with lib; {
+    homepage = "http://915resolution.mango-lang.org/";
+    description = "A tool to modify Intel 800/900 video BIOS";
+    platforms = [ "i686-linux" "x86_64-linux" ];
+    license = licenses.publicDomain;
+  };
+}
diff --git a/nixpkgs/pkgs/os-specific/linux/9ptls/default.nix b/nixpkgs/pkgs/os-specific/linux/9ptls/default.nix
new file mode 100644
index 000000000000..20fa779ecf61
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/9ptls/default.nix
@@ -0,0 +1,28 @@
+{ lib
+, stdenv
+, tlsclient
+}:
+
+stdenv.mkDerivation (finalAttrs: {
+  inherit (tlsclient) src version enableParallelBuilding;
+  pname = "9ptls";
+
+  strictDeps = true;
+
+  buildFlags = [ "mount.9ptls" ];
+  installFlags = [ "PREFIX=$(out)" "SBIN=$(out)/bin" ];
+  installTargets = "mount.9ptls.install";
+
+  meta = with lib; {
+    description = "mount.9ptls mount helper";
+    longDescription = ''
+      mount.9ptls wraps the v9fs mount type in a dp9ik authenticated
+      tls tunnel using tlsclient.
+    '';
+    homepage = "https://git.sr.ht/~moody/tlsclient";
+    license = licenses.mit;
+    maintainers = with maintainers; [ moody ];
+    mainProgram = "mount.9ptls";
+    platforms = platforms.linux;
+  };
+})
diff --git a/nixpkgs/pkgs/os-specific/linux/acpi-call/default.nix b/nixpkgs/pkgs/os-specific/linux/acpi-call/default.nix
new file mode 100644
index 000000000000..b84ecd21293a
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/acpi-call/default.nix
@@ -0,0 +1,35 @@
+{ lib, stdenv, fetchFromGitHub, kernel }:
+
+stdenv.mkDerivation rec {
+  pname = "acpi-call";
+  version = "1.2.2";
+  name = "${pname}-${version}-${kernel.version}";
+
+  src = fetchFromGitHub {
+    owner = "nix-community";
+    repo = "acpi_call";
+    rev = "v${version}";
+    sha256 = "1s7h9y3adyfhw7cjldlfmid79lrwz3vqlvziw9nwd6x5qdj4w9vp";
+  };
+
+  hardeningDisable = [ "pic" ];
+
+  nativeBuildInputs = kernel.moduleBuildDependencies;
+
+  makeFlags = kernel.makeFlags ++ [
+    "KDIR=${kernel.dev}/lib/modules/${kernel.modDirVersion}/build"
+  ];
+
+  installPhase = ''
+    install -D acpi_call.ko $out/lib/modules/${kernel.modDirVersion}/misc/acpi_call.ko
+    install -D -m755 examples/turn_off_gpu.sh $out/bin/test_discrete_video_off.sh
+  '';
+
+  meta = with lib; {
+    maintainers = with maintainers; [ raskin mic92 ];
+    homepage = "https://github.com/nix-community/acpi_call";
+    platforms = platforms.linux;
+    description = "A module allowing arbitrary ACPI calls; use case: hybrid video";
+    license = licenses.gpl3Plus;
+  };
+}
diff --git a/nixpkgs/pkgs/os-specific/linux/acpi/default.nix b/nixpkgs/pkgs/os-specific/linux/acpi/default.nix
new file mode 100644
index 000000000000..d257553299cf
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/acpi/default.nix
@@ -0,0 +1,25 @@
+{ lib, stdenv, fetchurl }:
+
+stdenv.mkDerivation rec {
+  pname = "acpi";
+  version = "1.7";
+
+  src = fetchurl {
+    url = "mirror://sourceforge/acpiclient/${version}/${pname}-${version}.tar.gz";
+    sha256 = "01ahldvf0gc29dmbd5zi4rrnrw2i1ajnf30sx2vyaski3jv099fp";
+  };
+
+  meta = with lib; {
+    description = "Show battery status and other ACPI information";
+    longDescription = ''
+      Linux ACPI client is a small command-line
+      program that attempts to replicate the functionality of
+      the "old" `apm' command on ACPI systems.  It includes
+      battery and thermal information.
+    '';
+    homepage = "https://sourceforge.net/projects/acpiclient/";
+    license = lib.licenses.gpl2Plus;
+    platforms = platforms.linux;
+    maintainers = [ ];
+  };
+}
diff --git a/nixpkgs/pkgs/os-specific/linux/acpid/default.nix b/nixpkgs/pkgs/os-specific/linux/acpid/default.nix
new file mode 100644
index 000000000000..8f981ec401bc
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/acpid/default.nix
@@ -0,0 +1,20 @@
+{ lib, stdenv, fetchurl, autoreconfHook }:
+
+stdenv.mkDerivation rec {
+  pname = "acpid";
+  version = "2.0.34";
+
+  src = fetchurl {
+    url = "mirror://sourceforge/acpid2/acpid-${version}.tar.xz";
+    sha256 = "sha256-LQlcjPy8hHyux0bWLNyNC/8ewbxy73xnTHIeBNpqszM=";
+  };
+
+  nativeBuildInputs = [ autoreconfHook ];
+
+  meta = with lib; {
+    homepage = "https://sourceforge.net/projects/acpid2/";
+    description = "A daemon for delivering ACPI events to userspace programs";
+    license = licenses.gpl2Plus;
+    platforms = platforms.linux;
+  };
+}
diff --git a/nixpkgs/pkgs/os-specific/linux/acpitool/default.nix b/nixpkgs/pkgs/os-specific/linux/acpitool/default.nix
new file mode 100644
index 000000000000..d494e95e3db6
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/acpitool/default.nix
@@ -0,0 +1,52 @@
+{lib, stdenv, fetchurl, fetchpatch}:
+
+let
+   acpitool-patch-051-4 = params: fetchpatch rec {
+     inherit (params) name sha256;
+     url = "https://salsa.debian.org/debian/acpitool/raw/33e2ef42a663de820457b212ea2925e506df3b88/debian/patches/${name}";
+   };
+
+in stdenv.mkDerivation rec {
+  pname = "acpitool";
+  version = "0.5.1";
+
+  src = fetchurl {
+    url = "mirror://sourceforge/acpitool/acpitool-${version}.tar.bz2";
+    sha256 = "004fb6cd43102918b6302cf537a2db7ceadda04aef2e0906ddf230f820dad34f";
+  };
+
+  patches = [
+    (acpitool-patch-051-4 {
+      name = "ac_adapter.patch";
+      sha256 = "0rn14vfv9x5gmwyvi6bha5m0n0pm4wbpg6h8kagmy3i1f8lkcfi8";
+    })
+    (acpitool-patch-051-4 {
+      name = "battery.patch";
+      sha256 = "190msm5cgqgammxp1j4dycfz206mggajm5904r7ifngkcwizh9m7";
+    })
+    (acpitool-patch-051-4 {
+      name = "kernel3.patch";
+      sha256 = "1qb47iqnv09i7kgqkyk9prr0pvlx0yaip8idz6wc03wci4y4bffg";
+    })
+    (acpitool-patch-051-4 {
+      name = "wakeup.patch";
+      sha256 = "1mmzf8n4zsvc7ngn51map2v42axm9vaf8yknbd5amq148sjf027z";
+    })
+    (acpitool-patch-051-4 {
+      name = "0001-Do-not-assume-fixed-line-lengths-for-proc-acpi-wakeu.patch";
+      sha256 = "10wwh7l3jbmlpa80fzdr18nscahrg5krl18pqwy77f7683mg937m";
+    })
+    (acpitool-patch-051-4 {
+      name = "typos.patch";
+      sha256 = "1178fqpk6sbqp1cyb1zf9qv7ahpd3pidgpid3bbpms7gyhqvvdpa";
+    })
+  ];
+
+  meta = {
+    description = "A small, convenient command-line ACPI client with a lot of features";
+    homepage = "https://sourceforge.net/projects/acpitool/";
+    license = lib.licenses.gpl2Plus;
+    maintainers = [ lib.maintainers.guibert ];
+    platforms = lib.platforms.unix;
+  };
+}
diff --git a/nixpkgs/pkgs/os-specific/linux/adcli/default.nix b/nixpkgs/pkgs/os-specific/linux/adcli/default.nix
new file mode 100644
index 000000000000..66e017437f9d
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/adcli/default.nix
@@ -0,0 +1,70 @@
+{ lib
+, stdenv
+, fetchFromGitLab
+, openldap
+, libkrb5
+, libxslt
+, autoreconfHook
+, pkg-config
+, cyrus_sasl
+, util-linux
+, xmlto
+, docbook_xsl
+, docbook_xml_dtd_43
+}:
+
+stdenv.mkDerivation rec {
+  pname = "adcli";
+  version = "0.9.2";
+
+  src = fetchFromGitLab {
+    domain = "gitlab.freedesktop.org";
+    owner = "realmd";
+    repo = pname;
+    rev = version;
+    sha256 = "sha256-dipNKlIdc1DpXLg/YJjUxZlNoMFy+rt8Y/+AfWFA4dE=";
+  };
+
+  nativeBuildInputs = [
+    autoreconfHook
+    pkg-config
+    docbook_xsl
+    util-linux
+    xmlto
+  ];
+
+  buildInputs = [
+    openldap
+    libkrb5
+    libxslt
+    cyrus_sasl
+  ];
+
+  configureFlags = [ "--disable-debug" ];
+
+  postPatch = ''
+    substituteInPlace tools/Makefile.am \
+      --replace 'sbin_PROGRAMS' 'bin_PROGRAMS'
+
+    substituteInPlace doc/Makefile.am \
+        --replace 'http://docbook.sourceforge.net/release/xsl/current/manpages/docbook.xsl' \
+                  '${docbook_xsl}/xml/xsl/docbook/manpages/docbook.xsl'
+
+    function patch_docbook() {
+      substituteInPlace $1 \
+        --replace "http://www.oasis-open.org/docbook/xml/4.3/docbookx.dtd" \
+                  "${docbook_xml_dtd_43}/xml/dtd/docbook/docbookx.dtd"
+    }
+    patch_docbook doc/adcli.xml
+    patch_docbook doc/adcli-devel.xml
+    patch_docbook doc/adcli-docs.xml
+  '';
+
+  meta = with lib; {
+    homepage = "https://www.freedesktop.org/software/realmd/adcli/adcli.html";
+    description = "A helper library and tools for Active Directory client operations.";
+    license = licenses.lgpl21Only;
+    maintainers = with maintainers; [ SohamG anthonyroussel ];
+    platforms = platforms.linux;
+  };
+}
diff --git a/nixpkgs/pkgs/os-specific/linux/afuse/default.nix b/nixpkgs/pkgs/os-specific/linux/afuse/default.nix
new file mode 100644
index 000000000000..6d8bb81b99c2
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/afuse/default.nix
@@ -0,0 +1,31 @@
+{ lib, stdenv, fetchFromGitHub, pkg-config, autoreconfHook, fuse }:
+
+stdenv.mkDerivation rec {
+  pname = "afuse";
+  version = "0.5.0";
+
+  src = fetchFromGitHub {
+    owner = "pcarrier";
+    repo = "afuse";
+    rev = "v${version}";
+    sha256 = "sha256-KpysJRvDx+12BSl9pIGRqbJAM4W1NbzxMgDycGCr2RM=";
+  };
+
+  nativeBuildInputs = [ autoreconfHook pkg-config ];
+  buildInputs = [ fuse ];
+
+  postPatch = lib.optionalString stdenv.isDarwin ''
+    # Fix the build on macOS with macFUSE installed
+    substituteInPlace configure.ac --replace \
+      'export PKG_CONFIG_PATH=/usr/local/lib/pkgconfig:$PKG_CONFIG_PATH' \
+      ""
+  '';
+
+  meta = {
+    description = "Automounter in userspace";
+    homepage = "https://github.com/pcarrier/afuse";
+    license = lib.licenses.gpl2;
+    maintainers = [ lib.maintainers.marcweber ];
+    platforms = lib.platforms.unix;
+  };
+}
diff --git a/nixpkgs/pkgs/os-specific/linux/akvcam/default.nix b/nixpkgs/pkgs/os-specific/linux/akvcam/default.nix
new file mode 100644
index 000000000000..d2b24855b0b2
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/akvcam/default.nix
@@ -0,0 +1,34 @@
+{ lib, stdenv, fetchFromGitHub, kernel }:
+
+stdenv.mkDerivation rec {
+  pname = "akvcam";
+  version = "1.2.4";
+
+  src = fetchFromGitHub {
+    owner = "webcamoid";
+    repo = "akvcam";
+    rev = version;
+    sha256 = "sha256-zvMPwgItp1bTq64DZcUbYls60XhgufOeEKaAoAFf64M=";
+  };
+  sourceRoot = "${src.name}/src";
+
+  nativeBuildInputs = kernel.moduleBuildDependencies;
+  makeFlags = kernel.makeFlags ++ [
+    "KERNEL_DIR=${kernel.dev}/lib/modules/${kernel.modDirVersion}/build"
+  ];
+
+  installPhase = ''
+    install -m644 -b -D akvcam.ko $out/lib/modules/${kernel.modDirVersion}/akvcam.ko
+  '';
+
+  enableParallelBuilding = true;
+
+  meta = with lib; {
+    description = "Virtual camera driver for Linux";
+    homepage = "https://github.com/webcamoid/akvcam";
+    maintainers = with maintainers; [ freezeboy ];
+    platforms = platforms.linux;
+    license = licenses.gpl2Only;
+    broken = kernel.kernelAtLeast "5.18";
+  };
+}
diff --git a/nixpkgs/pkgs/os-specific/linux/amdctl/default.nix b/nixpkgs/pkgs/os-specific/linux/amdctl/default.nix
new file mode 100644
index 000000000000..1fcd8fc93402
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/amdctl/default.nix
@@ -0,0 +1,32 @@
+{ lib
+, stdenv
+, fetchFromGitHub
+}:
+
+stdenv.mkDerivation rec {
+  pname = "amdctl";
+  version = "0.11";
+
+  src = fetchFromGitHub {
+    owner = "kevinlekiller";
+    repo = "amdctl";
+    rev = "v${version}";
+    hash = "sha256-2wBk/9aAD7ARMGbcVxk+CzEvUf8U4RS4ZwTCj8cHNNo=";
+  };
+
+  installPhase = ''
+    runHook preInstall
+
+    install -Dm755 amdctl $out/bin/amdctl
+
+    runHook postInstall
+  '';
+
+  meta = with lib; {
+    description = "Set P-State voltages and clock speeds on recent AMD CPUs on Linux.";
+    homepage = "https://github.com/kevinlekiller/amdctl";
+    license = licenses.gpl3Plus;
+    maintainers = with maintainers; [ thiagokokada ];
+    platforms = [ "x86_64-linux" ];
+  };
+}
diff --git a/nixpkgs/pkgs/os-specific/linux/amdgpu-pro/default.nix b/nixpkgs/pkgs/os-specific/linux/amdgpu-pro/default.nix
new file mode 100644
index 000000000000..241145a24843
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/amdgpu-pro/default.nix
@@ -0,0 +1,222 @@
+{ lib
+, stdenv
+, fetchurl
+, elfutils
+, xorg
+, patchelf
+, libxcb
+, libxshmfence
+, perl
+, zlib
+, expat
+, libffi
+, libselinux
+, libdrm
+, udev
+, kernel ? null
+}:
+
+with lib;
+
+let
+
+  bitness = if stdenv.is64bit then "64" else "32";
+
+  libArch =
+    if stdenv.hostPlatform.system == "i686-linux" then
+      "i386-linux-gnu"
+    else if stdenv.hostPlatform.system == "x86_64-linux" then
+      "x86_64-linux-gnu"
+    else throw "amdgpu-pro is Linux only. Sorry.";
+
+in stdenv.mkDerivation rec {
+
+  version = "21.30";
+  pname = "amdgpu-pro";
+  build = "${version}-1290604";
+
+  src = fetchurl {
+    url = "https://drivers.amd.com/drivers/linux/amdgpu-pro-${build}-ubuntu-20.04.tar.xz";
+    sha256 = "sha256-WECqxjo2WLP3kMWeVyJgYufkvHTzwGaj57yeMGXiQ4I=";
+    curlOpts = "--referer https://www.amd.com/en/support/kb/release-notes/rn-amdgpu-unified-linux-21-30";
+  };
+
+  postUnpack = ''
+    mkdir root
+    pushd $sourceRoot
+    for deb in *_all.deb *_${if stdenv.is64bit then "amd64" else "i386"}.deb
+    do
+      ar p $deb data.tar.xz | tar -C ../root -xJ
+    done
+    popd
+    # if we don't use a short sourceRoot, compilation can fail due to command
+    # line length
+    sourceRoot=root
+  '';
+
+  passthru = optionalAttrs (kernel != null) {
+    kmod = stdenv.mkDerivation rec {
+      inherit version src postUnpack;
+      name = "${pname}-${version}-kmod-${kernel.dev.version}";
+
+      postPatch = ''
+        pushd usr/src/amdgpu-*
+        patchShebangs amd/dkms/*.sh
+        substituteInPlace amd/dkms/pre-build.sh --replace "./configure" "./configure --with-linux=${kernel.dev}/lib/modules/${kernel.modDirVersion}/source --with-linux-obj=${kernel.dev}/lib/modules/${kernel.modDirVersion}/build"
+        popd
+      '';
+
+      preConfigure = ''
+        pushd usr/src/amdgpu-*
+        makeFlags="$makeFlags M=$(pwd)"
+        amd/dkms/pre-build.sh ${kernel.version}
+        popd
+      '';
+
+      postBuild = ''
+        pushd usr/src/amdgpu-*
+        find -name \*.ko -exec xz {} \;
+        popd
+      '';
+
+      makeFlags = optionalString (kernel != null) "-C ${kernel.dev}/lib/modules/${kernel.modDirVersion}/build modules";
+
+      installPhase = ''
+        runHook preInstall
+
+        pushd usr/src/amdgpu-*
+        find -name \*.ko.xz -exec install -Dm444 {} $out/lib/modules/${kernel.modDirVersion}/kernel/drivers/gpu/drm/{} \;
+        popd
+
+        runHook postInstall
+      '';
+
+      # without this we get a collision with the ttm module from linux
+      meta.priority = 4;
+    };
+
+    fw = stdenv.mkDerivation rec {
+      inherit version src postUnpack;
+      name = "${pname}-${version}-fw";
+
+      installPhase = ''
+        runHook preInstall
+
+        mkdir -p $out/lib
+        cp -r usr/src/amdgpu-*/firmware $out/lib/firmware
+
+        runHook postInstall
+      '';
+    };
+  };
+
+  outputs = [ "out" "vulkan" ];
+
+  depLibPath = makeLibraryPath [
+    stdenv.cc.cc.lib
+    zlib
+    libxcb
+    libxshmfence
+    elfutils
+    expat
+    libffi
+    libselinux
+    # libudev is not listed in any dependencies, but is loaded dynamically
+    udev
+    xorg.libXext
+    xorg.libX11
+    xorg.libXfixes
+    xorg.libXdamage
+    xorg.libXxf86vm
+  ];
+
+  installPhase = ''
+    runHook preInstall
+
+    mkdir -p $out
+
+    cp -r usr/lib/${libArch} $out/lib
+    cp -r usr/share $out/share
+
+    mkdir -p $out/opt/amdgpu{,-pro}
+    cp -r opt/amdgpu-pro/lib/${libArch} $out/opt/amdgpu-pro/lib
+    cp -r opt/amdgpu/lib/${libArch} $out/opt/amdgpu/lib
+
+    pushd $out/lib
+    ln -s ../opt/amdgpu-pro/lib/libGL.so* .
+    ln -s ../opt/amdgpu-pro/lib/libEGL.so* .
+    popd
+
+    # short name to allow replacement below
+    ln -s lib/dri $out/dri
+
+  '' + optionalString (stdenv.is64bit) ''
+    mkdir -p $out/etc
+    pushd etc
+    cp -r modprobe.d udev amd $out/etc
+    popd
+
+    cp -r lib/udev/rules.d/* $out/etc/udev/rules.d
+    cp -r opt/amdgpu/lib/xorg $out/lib/xorg
+    cp -r opt/amdgpu-pro/lib/xorg/* $out/lib/xorg
+    cp -r opt/amdgpu/share $out/opt/amdgpu/share
+  '' + ''
+
+    mkdir -p $vulkan/share/vulkan/icd.d
+    install opt/amdgpu-pro/etc/vulkan/icd.d/amd_icd${bitness}.json $vulkan/share/vulkan/icd.d
+
+    runHook postInstall
+  '';
+
+  preFixup = (if stdenv.is64bit
+    # this could also be done with LIBGL_DRIVERS_PATH, but it would need to be
+    # set in the user session and for Xorg
+    then ''
+      expr1='s:/opt/amdgpu/lib/x86_64-linux-gnu/dri\0:/run/opengl-driver/lib/dri\0\0\0\0\0\0\0\0\0\0\0:g'
+      expr2='s:/usr/lib/x86_64-linux-gnu/dri[\0\:]:/run/opengl-driver/lib/dri\0\0\0\0:g'
+      perl -pi -e "$expr2" $out/lib/xorg/modules/extensions/libglx.so
+    ''
+    else ''
+      expr1='s:/opt/amdgpu/lib/i386-linux-gnu/dri\0:/run/opengl-driver-32/lib/dri\0\0\0\0\0\0:g'
+      # we replace a different path on 32-bit because it's the only one long
+      # enough to fit the target path :(
+      expr2='s:/usr/lib/i386-linux-gnu/dri[\0\:]:/run/opengl-driver-32/dri\0\0\0:g'
+    '') + ''
+    perl -pi -e "$expr1" \
+      $out/opt/amdgpu/lib/libEGL.so.1.0.0 \
+      $out/opt/amdgpu/lib/libgbm.so.1.0.0 \
+      $out/opt/amdgpu/lib/libGL.so.1.2.0
+
+    perl -pi -e "$expr2" \
+      $out/opt/amdgpu-pro/lib/libEGL.so.1 \
+      $out/opt/amdgpu-pro/lib/libGL.so.1.2 \
+      $out/opt/amdgpu-pro/lib/libGLX_amd.so.0
+
+    find $out -type f -exec perl -pi -e 's:/opt/amdgpu-pro/:/run/amdgpu-pro/:g' {} \;
+    find $out -type f -exec perl -pi -e 's:/opt/amdgpu/:/run/amdgpu/:g' {} \;
+
+    substituteInPlace $vulkan/share/vulkan/icd.d/*.json --replace /opt/amdgpu-pro/lib/${libArch} "$out/opt/amdgpu-pro/lib"
+  '';
+
+  # doing this in post because shrinking breaks things that dynamically load
+  postFixup = ''
+    libPath="$out/opt/amdgpu/lib:$out/opt/amdgpu-pro/lib:$depLibPath"
+    find "$out" -name '*.so*' -type f -exec patchelf --set-rpath "$libPath" {} \;
+  '';
+
+  buildInputs = [
+    libdrm
+    patchelf
+    perl
+  ];
+
+  enableParallelBuilding = true;
+
+  meta = with lib; {
+    description = "AMDGPU-PRO drivers";
+    homepage =  "https://www.amd.com/en/support";
+    license = licenses.unfree;
+    platforms = platforms.linux;
+    maintainers = with maintainers; [ corngood ];
+  };
+}
diff --git a/nixpkgs/pkgs/os-specific/linux/anbox/0001-NixOS-Use-anbox-from-PATH-in-desktop-files.patch b/nixpkgs/pkgs/os-specific/linux/anbox/0001-NixOS-Use-anbox-from-PATH-in-desktop-files.patch
new file mode 100644
index 000000000000..1c3450238c7f
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/anbox/0001-NixOS-Use-anbox-from-PATH-in-desktop-files.patch
@@ -0,0 +1,34 @@
+From cb61e856c4357d9787f7a2313bacb1c3b2133d36 Mon Sep 17 00:00:00 2001
+From: Samuel Dionne-Riel <samuel@dionne-riel.com>
+Date: Fri, 4 Jun 2021 19:05:53 -0400
+Subject: [PATCH] [NixOS] Use `anbox` from PATH in desktop files
+
+---
+ src/anbox/application/launcher_storage.cpp | 6 ++----
+ 1 file changed, 2 insertions(+), 4 deletions(-)
+
+diff --git a/src/anbox/application/launcher_storage.cpp b/src/anbox/application/launcher_storage.cpp
+index d5053cf..a4be719 100644
+--- a/src/anbox/application/launcher_storage.cpp
++++ b/src/anbox/application/launcher_storage.cpp
+@@ -69,9 +69,7 @@ void LauncherStorage::add_or_update(const Database::Item &item) {
+   auto package_name = item.package;
+   std::replace(package_name.begin(), package_name.end(), '.', '-');
+ 
+-  auto exe_path = utils::process_get_exe_path(getpid());
+-  if (utils::get_env_value("SNAP").length() > 0)
+-    exe_path = snap_exe_path;
++  auto exe_path = "anbox";
+ 
+   std::string exec = utils::string_format("%s launch ", exe_path);
+ 
+@@ -121,4 +119,4 @@ void LauncherStorage::remove(const Database::Item &item) {
+     fs::remove(item_icon_path);
+ }
+ 
+-}
+\ No newline at end of file
++}
+-- 
+2.29.2
+
diff --git a/nixpkgs/pkgs/os-specific/linux/anbox/default.nix b/nixpkgs/pkgs/os-specific/linux/anbox/default.nix
new file mode 100644
index 000000000000..856664fed806
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/anbox/default.nix
@@ -0,0 +1,167 @@
+{ lib, stdenv, fetchFromGitHub, fetchurl
+, callPackage
+, fetchpatch
+, cmake, pkg-config, dbus, makeWrapper
+, boost
+, elfutils # for libdw
+, git
+, glib
+, glm
+, gtest
+, libbfd
+, libcap
+, libdwarf
+, libGL
+, libglvnd
+, lxc
+, mesa
+, properties-cpp
+, protobuf
+, protobufc
+, python3
+, runtimeShell
+, SDL2
+, SDL2_image
+, systemd
+, writeText
+, writeShellScript
+, nixosTests
+}:
+
+let
+
+  dbus-service = writeText "org.anbox.service" ''
+    [D-BUS Service]
+    Name=org.anbox
+    Exec=@out@/libexec/anbox-session-manager
+  '';
+
+  anbox-application-manager = writeShellScript "anbox-application-manager" ''
+    exec @out@/bin/anbox launch --package=org.anbox.appmgr --component=org.anbox.appmgr.AppViewActivity
+  '';
+
+in
+
+stdenv.mkDerivation rec {
+  pname = "anbox";
+  version = "unstable-2023-02-03";
+
+  src = fetchFromGitHub {
+    owner = pname;
+    repo = pname;
+    rev = "ddf4c57ebbe3a2e46099087570898ab5c1e1f279";
+    sha256 = "sha256-QXWhatewiUDQ93cH1UZsYgbjUxpgB1ajtGFYZnKmabc=";
+    fetchSubmodules = true;
+  };
+
+  nativeBuildInputs = [
+    cmake
+    pkg-config
+    makeWrapper
+  ];
+
+  buildInputs = [
+    boost
+    dbus
+    elfutils # libdw
+    glib
+    glm
+    gtest
+    libbfd
+    libcap
+    libdwarf
+    libGL
+    lxc
+    mesa
+    properties-cpp
+    protobuf protobufc
+    python3
+    SDL2 SDL2_image
+    systemd
+  ];
+
+  # Flag needed by GCC 12 but unrecognized by GCC 9 (aarch64-linux default now)
+  env.NIX_CFLAGS_COMPILE = toString (lib.optionals (with stdenv; cc.isGNU && lib.versionAtLeast cc.version "12") [
+    "-Wno-error=mismatched-new-delete"
+  ]);
+
+  prePatch = ''
+    patchShebangs scripts
+
+    cat >cmake/FindGMock.cmake <<'EOF'
+      add_library(gtest INTERFACE)
+      target_include_directories(gtest INTERFACE ${gtest.dev}/include)
+      target_link_libraries(gtest INTERFACE ${gtest}/lib/libgtest.so ''${CMAKE_THREAD_LIBS_INIT})
+      add_dependencies(gtest GMock)
+
+      add_library(gtest_main INTERFACE)
+      target_include_directories(gtest_main INTERFACE ${gtest.dev}/include)
+      target_link_libraries(gtest_main INTERFACE ${gtest}/lib/libgtest_main.so gtest)
+
+      add_library(gmock INTERFACE)
+      target_include_directories(gmock INTERFACE ${gtest.dev}/include)
+      target_link_libraries(gmock INTERFACE ${gtest}/lib/libgmock.so gtest)
+
+      add_library(gmock_main INTERFACE)
+      target_include_directories(gmock_main INTERFACE ${gtest.dev}/include)
+      target_link_libraries(gmock_main INTERFACE ${gtest}/lib/libgmock_main.so gmock gtest_main)
+
+      set(GTEST_LIBRARIES gtest)
+      set(GTEST_MAIN_LIBRARIES gtest_main)
+      set(GMOCK_LIBRARIES gmock gmock_main)
+      set(GTEST_BOTH_LIBRARIES ''${GTEST_LIBRARIES} ''${GTEST_MAIN_LIBRARIES})
+    EOF
+  '';
+
+  patches = [
+    # Fixes compatibility with lxc 4
+    (fetchpatch {
+      url = "https://git.alpinelinux.org/aports/plain/community/anbox/lxc4.patch?id=64243590a16aee8d4e72061886fc1b15256492c3";
+      sha256 = "1da5xyzyjza1g2q9nbxb4p3njj2sf3q71vkpvmmdphia5qnb0gk5";
+    })
+    # Wait 10× more time when starting
+    # Not *strictly* needed, but helps a lot on slower hardware
+    (fetchpatch {
+      url = "https://git.alpinelinux.org/aports/plain/community/anbox/give-more-time-to-start.patch?id=058b56d4b332ef3379551b343bf31e0f2004321a";
+      sha256 = "0iiz3c7fgfgl0dvx8sf5hv7a961xqnihwpz6j8r0ib9v8piwxh9a";
+    })
+    # Ensures generated desktop files work on store path change
+    ./0001-NixOS-Use-anbox-from-PATH-in-desktop-files.patch
+    # Provide window icons
+    (fetchpatch {
+      url = "https://github.com/samueldr/anbox/commit/2387f4fcffc0e19e52e58fb6f8264fbe87aafe4d.patch";
+      sha256 = "12lmr0kxw1n68g3abh1ak5awmpczfh75c26f53jc8qpvdvv1ywha";
+    })
+  ];
+
+  postInstall = ''
+    wrapProgram $out/bin/anbox \
+      --set SDL_VIDEO_X11_WMCLASS "anbox" \
+      --prefix LD_LIBRARY_PATH : ${lib.makeLibraryPath [libGL libglvnd]} \
+      --prefix PATH : ${git}/bin
+
+    mkdir -p $out/share/dbus-1/services
+    substitute ${dbus-service} $out/share/dbus-1/services/org.anbox.service \
+      --subst-var out
+
+    mkdir $out/libexec
+    makeWrapper $out/bin/anbox $out/libexec/anbox-session-manager \
+      --add-flags session-manager
+
+    substitute ${anbox-application-manager} $out/bin/anbox-application-manager \
+      --subst-var out
+    chmod +x $out/bin/anbox-application-manager
+  '';
+
+  passthru.tests = { inherit (nixosTests) anbox; };
+  passthru.image = callPackage ./postmarketos-image.nix { };
+
+  meta = with lib; {
+    homepage = "https://anbox.io";
+    description = "Android in a box";
+    license = licenses.gpl2;
+    maintainers = with maintainers; [ edwtjo ];
+    platforms = [ "armv7l-linux" "aarch64-linux" "x86_64-linux" ];
+  };
+
+}
diff --git a/nixpkgs/pkgs/os-specific/linux/anbox/postmarketos-image.nix b/nixpkgs/pkgs/os-specific/linux/anbox/postmarketos-image.nix
new file mode 100644
index 000000000000..648a1a5ea9a0
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/anbox/postmarketos-image.nix
@@ -0,0 +1,19 @@
+{ stdenv, fetchurl }:
+
+let
+  imgroot = "https://web.archive.org/web/20211027150924/https://anbox.postmarketos.org";
+in
+  {
+    armv7l-linux = fetchurl {
+      url = imgroot + "/android-7.1.2_r39.1-anbox_armv7a_neon-userdebug.img";
+      sha256 = "1bgzqw4yp52a2q40dr1jlay1nh73jl5mx6wqsxvpb09xghxsng0a";
+    };
+    aarch64-linux = fetchurl {
+      url = imgroot + "/android-7.1.2_r39-anbox_arm64-userdebug.img";
+      sha256 = "0dx8mhfcjbkak982zfh65bvy35slz5jk31yl4ara50ryrxsp32nx";
+    };
+    x86_64-linux = fetchurl {
+      url = imgroot + "/android-7.1.2_r39-anbox_x86_64-userdebug.img";
+      sha256 = "16vmiz5al2r19wjpd44nagvz7d901ljxdms8gjp2w4xz1d91vzpm";
+    };
+  }.${stdenv.system} or (throw "Unsupported platform ${stdenv.system}")
diff --git a/nixpkgs/pkgs/os-specific/linux/android-udev-rules/default.nix b/nixpkgs/pkgs/os-specific/linux/android-udev-rules/default.nix
new file mode 100644
index 000000000000..07cdbf6bdce7
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/android-udev-rules/default.nix
@@ -0,0 +1,31 @@
+{ lib, stdenv, fetchFromGitHub }:
+
+## Usage
+# In NixOS, simply add this package to services.udev.packages:
+#   services.udev.packages = [ pkgs.android-udev-rules ];
+
+stdenv.mkDerivation rec {
+  pname = "android-udev-rules";
+  version = "20231030";
+
+  src = fetchFromGitHub {
+    owner = "M0Rf30";
+    repo = "android-udev-rules";
+    rev = version;
+    sha256 = "sha256-+h0FwvfIoluhldOi6cgVDvmNWe1Lvj1SV3pL8Zh+gRM=";
+  };
+
+  installPhase = ''
+    runHook preInstall
+    install -D 51-android.rules $out/lib/udev/rules.d/51-android.rules
+    runHook postInstall
+  '';
+
+  meta = with lib; {
+    homepage = "https://github.com/M0Rf30/android-udev-rules";
+    description = "Android udev rules list aimed to be the most comprehensive on the net";
+    platforms = platforms.linux;
+    license = licenses.gpl3Plus;
+    maintainers = with maintainers; [ abbradar ];
+  };
+}
diff --git a/nixpkgs/pkgs/os-specific/linux/apfs/default.nix b/nixpkgs/pkgs/os-specific/linux/apfs/default.nix
new file mode 100644
index 000000000000..98487799aa8a
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/apfs/default.nix
@@ -0,0 +1,49 @@
+{ lib
+, stdenv
+, fetchFromGitHub
+, kernel
+, nixosTests
+}:
+
+let
+  tag = "0.3.5";
+in
+stdenv.mkDerivation {
+  pname = "apfs";
+  version = "${tag}-${kernel.version}";
+
+  src = fetchFromGitHub {
+    owner = "linux-apfs";
+    repo = "linux-apfs-rw";
+    rev = "v${tag}";
+    hash = "sha256-rKz9a4Z+tx63rhknQIl/zu/WIMjxxM0+NGyaxnzxLk4=";
+  };
+
+  hardeningDisable = [ "pic" ];
+  nativeBuildInputs = kernel.moduleBuildDependencies;
+
+  makeFlags = kernel.makeFlags ++ [
+    "KERNELRELEASE=${kernel.modDirVersion}"
+    "KERNEL_DIR=${kernel.dev}/lib/modules/${kernel.modDirVersion}/build"
+    "INSTALL_MOD_PATH=$(out)"
+  ];
+
+  passthru.tests.apfs = nixosTests.apfs;
+
+  meta = with lib; {
+    description = "APFS module for linux";
+    longDescription = ''
+      The Apple File System (APFS) is the copy-on-write filesystem currently
+      used on all Apple devices. This module provides a degree of experimental
+      support on Linux.
+      If you make use of the write support, expect data corruption.
+      Read-only support is somewhat more complete, with sealed volumes,
+      snapshots, and all the missing compression algorithms recently added.
+      Encryption is still not in the works though.
+    '';
+    homepage = "https://github.com/linux-apfs/linux-apfs-rw";
+    license = licenses.gpl2Only;
+    platforms = platforms.linux;
+    maintainers = with maintainers; [ Luflosi ];
+  };
+}
diff --git a/nixpkgs/pkgs/os-specific/linux/apparmor/default.nix b/nixpkgs/pkgs/os-specific/linux/apparmor/default.nix
new file mode 100644
index 000000000000..ed1e31cc40eb
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/apparmor/default.nix
@@ -0,0 +1,350 @@
+{ stdenv, lib, fetchFromGitLab, fetchpatch, makeWrapper, autoreconfHook
+, pkg-config, which
+, flex, bison
+, linuxHeaders ? stdenv.cc.libc.linuxHeaders
+, gawk
+, withPerl ? stdenv.hostPlatform == stdenv.buildPlatform && lib.meta.availableOn stdenv.hostPlatform perl, perl
+, withPython ? stdenv.hostPlatform == stdenv.buildPlatform && lib.meta.availableOn stdenv.hostPlatform python3, python3
+, swig
+, ncurses
+, pam
+, libnotify
+, buildPackages
+, coreutils
+, bash
+, gnugrep
+, gnused
+, kmod
+, writeShellScript
+, closureInfo
+, runCommand
+, libxcrypt
+}:
+
+let
+  apparmor-version = "3.1.6";
+
+  apparmor-meta = component: with lib; {
+    homepage = "https://apparmor.net/";
+    description = "A mandatory access control system - ${component}";
+    license = with licenses; [ gpl2Only lgpl21Only ];
+    maintainers = with maintainers; [ julm thoughtpolice ajs124 ];
+    platforms = platforms.linux;
+  };
+
+  apparmor-sources = fetchFromGitLab {
+    owner = "apparmor";
+    repo = "apparmor";
+    rev = "v${apparmor-version}";
+    hash = "sha256-VPgRmmQv+kgLduc6RTu9gotyjT6OImUXsPeatgG7m9E=";
+  };
+
+  aa-teardown = writeShellScript "aa-teardown" ''
+    PATH="${lib.makeBinPath [coreutils gnused gnugrep]}:$PATH"
+    . ${apparmor-parser}/lib/apparmor/rc.apparmor.functions
+    remove_profiles
+  '';
+
+  prePatchCommon = ''
+    chmod a+x ./common/list_capabilities.sh ./common/list_af_names.sh
+    patchShebangs ./common/list_capabilities.sh ./common/list_af_names.sh
+    substituteInPlace ./common/Make.rules \
+      --replace "/usr/bin/pod2man" "${buildPackages.perl}/bin/pod2man" \
+      --replace "/usr/bin/pod2html" "${buildPackages.perl}/bin/pod2html" \
+      --replace "/usr/share/man" "share/man"
+    substituteInPlace ./utils/Makefile \
+      --replace "/usr/include/linux/capability.h" "${linuxHeaders}/include/linux/capability.h"
+  '';
+
+  patches = lib.optionals stdenv.hostPlatform.isMusl [
+    (fetchpatch {
+      url = "https://git.alpinelinux.org/aports/plain/testing/apparmor/0003-Added-missing-typedef-definitions-on-parser.patch?id=74b8427cc21f04e32030d047ae92caa618105b53";
+      name = "0003-Added-missing-typedef-definitions-on-parser.patch";
+      sha256 = "0yyaqz8jlmn1bm37arggprqz0njb4lhjni2d9c8qfqj0kll0bam0";
+    })
+  ];
+
+  python = python3.withPackages (ps: with ps; [ setuptools ]);
+
+  # Set to `true` after the next FIXME gets fixed or this gets some
+  # common derivation infra. Too much copy-paste to fix one by one.
+  doCheck = false;
+
+  # FIXME: convert these to a single multiple-outputs package?
+
+  libapparmor = stdenv.mkDerivation {
+    pname = "libapparmor";
+    version = apparmor-version;
+
+    src = apparmor-sources;
+
+   # checking whether python bindings are enabled... yes
+   # checking for python3... no
+   # configure: error: python is required when enabling python bindings
+    strictDeps = false;
+
+    nativeBuildInputs = [
+      autoreconfHook
+      bison
+      flex
+      pkg-config
+      swig
+      ncurses
+      which
+      perl
+    ] ++ lib.optional withPython python;
+
+    buildInputs = [ libxcrypt ]
+      ++ lib.optional withPerl perl
+      ++ lib.optional withPython python;
+
+    # required to build apparmor-parser
+    dontDisableStatic = true;
+
+    prePatch = prePatchCommon + ''
+      substituteInPlace ./libraries/libapparmor/swig/perl/Makefile.am --replace install_vendor install_site
+    '';
+    inherit patches;
+
+    postPatch = ''
+      cd ./libraries/libapparmor
+    '';
+
+    # https://gitlab.com/apparmor/apparmor/issues/1
+    configureFlags = [
+      (lib.withFeature withPerl "perl")
+      (lib.withFeature withPython "python")
+    ];
+
+    outputs = [ "out" ] ++ lib.optional withPython "python";
+
+    postInstall = lib.optionalString withPython ''
+      mkdir -p $python/lib
+      mv $out/lib/python* $python/lib/
+    '';
+
+    inherit doCheck;
+
+    meta = apparmor-meta "library";
+  };
+
+  apparmor-utils = python.pkgs.buildPythonApplication {
+    pname = "apparmor-utils";
+    version = apparmor-version;
+    format = "other";
+
+    src = apparmor-sources;
+
+    strictDeps = true;
+
+    nativeBuildInputs = [ makeWrapper which python ];
+
+    buildInputs = [
+      bash
+      perl
+      python
+      libapparmor
+      (libapparmor.python or null)
+    ];
+
+    propagatedBuildInputs = [
+      libapparmor.python
+
+      # Used by aa-notify
+      python.pkgs.notify2
+      python.pkgs.psutil
+    ];
+
+    prePatch = prePatchCommon +
+      # Do not build vim file
+      lib.optionalString stdenv.hostPlatform.isMusl ''
+        sed -i ./utils/Makefile -e "/\<vim\>/d"
+      '' + ''
+      sed -i -E 's/^(DESTDIR|BINDIR|PYPREFIX)=.*//g' ./utils/Makefile
+
+      sed -i utils/aa-unconfined -e "/my_env\['PATH'\]/d"
+
+      substituteInPlace utils/aa-remove-unknown \
+       --replace "/lib/apparmor/rc.apparmor.functions" "${apparmor-parser}/lib/apparmor/rc.apparmor.functions"
+    '';
+    inherit patches;
+    postPatch = "cd ./utils";
+    makeFlags = [ "LANGS=" ];
+    installFlags = [ "DESTDIR=$(out)" "BINDIR=$(out)/bin" "VIM_INSTALL_PATH=$(out)/share" "PYPREFIX=" ];
+
+    postInstall = ''
+      wrapProgram $out/bin/aa-remove-unknown \
+       --prefix PATH : ${lib.makeBinPath [ gawk ]}
+
+      ln -s ${aa-teardown} $out/bin/aa-teardown
+    '';
+
+    inherit doCheck;
+
+    meta = apparmor-meta "user-land utilities" // {
+      broken = !(withPython && withPerl);
+    };
+  };
+
+  apparmor-bin-utils = stdenv.mkDerivation {
+    pname = "apparmor-bin-utils";
+    version = apparmor-version;
+
+    src = apparmor-sources;
+
+    nativeBuildInputs = [
+      pkg-config
+      libapparmor
+      which
+    ];
+
+    buildInputs = [
+      libapparmor
+    ];
+
+    prePatch = prePatchCommon;
+    postPatch = ''
+      cd ./binutils
+    '';
+    makeFlags = [ "LANGS=" "USE_SYSTEM=1" ];
+    installFlags = [ "DESTDIR=$(out)" "BINDIR=$(out)/bin" "SBINDIR=$(out)/bin" ];
+
+    inherit doCheck;
+
+    meta = apparmor-meta "binary user-land utilities";
+  };
+
+  apparmor-parser = stdenv.mkDerivation {
+    pname = "apparmor-parser";
+    version = apparmor-version;
+
+    src = apparmor-sources;
+
+    nativeBuildInputs = [ bison flex which ];
+
+    buildInputs = [ libapparmor ];
+
+    prePatch = prePatchCommon + ''
+      ## techdoc.pdf still doesn't build ...
+      substituteInPlace ./parser/Makefile \
+        --replace "/usr/bin/bison" "${bison}/bin/bison" \
+        --replace "/usr/bin/flex" "${flex}/bin/flex" \
+        --replace "/usr/include/linux/capability.h" "${linuxHeaders}/include/linux/capability.h" \
+        --replace "manpages htmlmanpages pdf" "manpages htmlmanpages"
+      substituteInPlace parser/rc.apparmor.functions \
+       --replace "/sbin/apparmor_parser" "$out/bin/apparmor_parser"
+      sed -i parser/rc.apparmor.functions -e '2i . ${./fix-rc.apparmor.functions.sh}'
+    '';
+    inherit patches;
+    postPatch = ''
+      cd ./parser
+    '';
+    makeFlags = [
+      "LANGS=" "USE_SYSTEM=1" "INCLUDEDIR=${libapparmor}/include"
+      "AR=${stdenv.cc.bintools.targetPrefix}ar"
+    ];
+    installFlags = [ "DESTDIR=$(out)" "DISTRO=unknown" ];
+
+    inherit doCheck;
+
+    meta = apparmor-meta "rule parser";
+  };
+
+  apparmor-pam = stdenv.mkDerivation {
+    pname = "apparmor-pam";
+    version = apparmor-version;
+
+    src = apparmor-sources;
+
+    nativeBuildInputs = [ pkg-config which ];
+
+    buildInputs = [ libapparmor pam ];
+
+    postPatch = ''
+      cd ./changehat/pam_apparmor
+    '';
+    makeFlags = [ "USE_SYSTEM=1" ];
+    installFlags = [ "DESTDIR=$(out)" ];
+
+    inherit doCheck;
+
+    meta = apparmor-meta "PAM service";
+  };
+
+  apparmor-profiles = stdenv.mkDerivation {
+    pname = "apparmor-profiles";
+    version = apparmor-version;
+
+    src = apparmor-sources;
+
+    nativeBuildInputs = [ which ];
+
+    postPatch = ''
+      cd ./profiles
+    '';
+
+    installFlags = [ "DESTDIR=$(out)" "EXTRAS_DEST=$(out)/share/apparmor/extra-profiles" ];
+
+    inherit doCheck;
+
+    meta = apparmor-meta "profiles";
+  };
+
+  apparmor-kernel-patches = stdenv.mkDerivation {
+    pname = "apparmor-kernel-patches";
+    version = apparmor-version;
+
+    src = apparmor-sources;
+
+    dontBuild = true;
+
+    installPhase = ''
+      mkdir "$out"
+      cp -R ./kernel-patches/* "$out"
+    '';
+
+    inherit doCheck;
+
+    meta = apparmor-meta "kernel patches";
+  };
+
+  # Generate generic AppArmor rules in a file, from the closure of given
+  # rootPaths. To be included in an AppArmor profile like so:
+  #
+  #   include "${apparmorRulesFromClosure { } [ pkgs.hello ]}"
+  apparmorRulesFromClosure =
+    { # The store path of the derivation is given in $path
+      additionalRules ? []
+      # TODO: factorize here some other common paths
+      # that may emerge from use cases.
+    , baseRules ? [
+        "r $path"
+        "r $path/etc/**"
+        "r $path/share/**"
+        # Note that not all libraries are prefixed with "lib",
+        # eg. glibc-2.30/lib/ld-2.30.so
+        "mr $path/lib/**.so*"
+        # eg. glibc-2.30/lib/gconv/gconv-modules
+        "r $path/lib/**"
+      ]
+    , name ? ""
+    }: rootPaths: runCommand
+      ( "apparmor-closure-rules"
+      + lib.optionalString (name != "") "-${name}" ) {} ''
+    touch $out
+    while read -r path
+    do printf >>$out "%s,\n" ${lib.concatMapStringsSep " " (x: "\"${x}\"") (baseRules ++ additionalRules)}
+    done <${closureInfo { inherit rootPaths; }}/store-paths
+  '';
+in
+{
+  inherit
+    libapparmor
+    apparmor-utils
+    apparmor-bin-utils
+    apparmor-parser
+    apparmor-pam
+    apparmor-profiles
+    apparmor-kernel-patches
+    apparmorRulesFromClosure;
+}
diff --git a/nixpkgs/pkgs/os-specific/linux/apparmor/fix-rc.apparmor.functions.sh b/nixpkgs/pkgs/os-specific/linux/apparmor/fix-rc.apparmor.functions.sh
new file mode 100644
index 000000000000..ebc1baaa92d4
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/apparmor/fix-rc.apparmor.functions.sh
@@ -0,0 +1,32 @@
+aa_action() {
+  STRING=$1
+  shift
+  $*
+  rc=$?
+  if [ $rc -eq 0 ] ; then
+    aa_log_success_msg $"$STRING "
+  else
+    aa_log_failure_msg $"$STRING "
+  fi
+  return $rc
+}
+
+aa_log_success_msg() {
+   [ -n "$1" ] && echo -n $1
+   echo ": done."
+}
+
+aa_log_warning_msg() {
+   [ -n "$1" ] && echo -n $1
+   echo ": Warning."
+}
+
+aa_log_failure_msg() {
+   [ -n "$1" ] && echo -n $1
+   echo ": Failed."
+}
+
+aa_log_skipped_msg() {
+   [ -n "$1" ] && echo -n $1
+   echo ": Skipped."
+}
diff --git a/nixpkgs/pkgs/os-specific/linux/aseq2json/default.nix b/nixpkgs/pkgs/os-specific/linux/aseq2json/default.nix
new file mode 100644
index 000000000000..ac1a8220d564
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/aseq2json/default.nix
@@ -0,0 +1,28 @@
+{ stdenv, lib, fetchFromGitHub, pkg-config, alsa-lib, glib, json-glib }:
+
+stdenv.mkDerivation (finalAttrs: {
+  pname = "aseq2json";
+  version = "unstable-2018-04-28";
+  src = fetchFromGitHub {
+    owner = "google";
+    repo = "midi-dump-tools";
+    rev = "8572e6313a0d7ec95492dcab04a46c5dd30ef33a";
+    sha256 = "LQ9LLVumi3GN6c9tuMSOd1Bs2pgrwrLLQbs5XF+NZeA=";
+  };
+  sourceRoot = "${finalAttrs.src.name}/aseq2json";
+
+  nativeBuildInputs = [ pkg-config ];
+  buildInputs = [ alsa-lib glib json-glib ];
+
+  installPhase = ''
+    install -D --target-directory "$out/bin" aseq2json
+  '';
+
+  meta = with lib; {
+    description = "Listens for MIDI events on the Alsa sequencer and outputs as JSON to stdout";
+    homepage = "https://github.com/google/midi-dump-tools";
+    license = licenses.asl20;
+    maintainers = [ maintainers.queezle ];
+    platforms = platforms.linux;
+  };
+})
diff --git a/nixpkgs/pkgs/os-specific/linux/asus-ec-sensors/default.nix b/nixpkgs/pkgs/os-specific/linux/asus-ec-sensors/default.nix
new file mode 100644
index 000000000000..c80f18a78ece
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/asus-ec-sensors/default.nix
@@ -0,0 +1,35 @@
+{ lib, stdenv, fetchFromGitHub, kernel }:
+
+stdenv.mkDerivation rec {
+  name = "asus-ec-sensors-${version}-${kernel.version}";
+  version = "unstable-2022-07-10";
+
+  src = fetchFromGitHub {
+    owner = "zeule";
+    repo = "asus-ec-sensors";
+    rev = "5fbdd1461dc88fc952e02717b8120438ce5558b3";
+    sha256 = "sha256-kBGl8i7HzdItMoM7L91OfX6y+bqDfd22WICRg0n25pI=";
+  };
+
+  hardeningDisable = [ "pic" ];
+
+  nativeBuildInputs = kernel.moduleBuildDependencies;
+
+  makeFlags = [
+    "KERNELRELEASE=${kernel.modDirVersion}"
+    "KDIR=${kernel.dev}/lib/modules/${kernel.modDirVersion}"
+  ];
+
+  installPhase = ''
+    install asus-ec-sensors.ko -Dm444 -t ${placeholder "out"}/lib/modules/${kernel.modDirVersion}/kernel/drivers/hwmon
+  '';
+
+  meta = with lib; {
+    description = "Linux HWMON sensors driver for ASUS motherboards to read sensor data from the embedded controller";
+    homepage = "https://github.com/zeule/asus-ec-sensors";
+    license = licenses.gpl2;
+    platforms = [ "x86_64-linux" ];
+    maintainers = with maintainers; [ nickhu ];
+    broken = kernel.kernelOlder "5.11";
+  };
+}
diff --git a/nixpkgs/pkgs/os-specific/linux/asus-wmi-sensors/default.nix b/nixpkgs/pkgs/os-specific/linux/asus-wmi-sensors/default.nix
new file mode 100644
index 000000000000..3098cbb72538
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/asus-wmi-sensors/default.nix
@@ -0,0 +1,37 @@
+{ lib, stdenv, fetchFromGitHub, kernel }:
+
+stdenv.mkDerivation rec {
+  name = "asus-wmi-sensors-${version}-${kernel.version}";
+  version = "unstable-2019-11-07";
+
+  # The original was deleted from github, but this seems to be an active fork
+  src = fetchFromGitHub {
+    owner = "electrified";
+    repo = "asus-wmi-sensors";
+    rev = "8daafd45d1b860cf5b17eee1c94d93feb04164a9";
+    sha256 = "0kc0xlrsmf783ln5bqyj6qxzmrhdxdfdd2b9ygf2lbl2153i04vc";
+  };
+
+  hardeningDisable = [ "pic" ];
+
+  nativeBuildInputs = kernel.moduleBuildDependencies;
+
+  preConfigure = ''
+    sed -i 's|depmod|#depmod|' Makefile
+  '';
+
+  makeFlags = [
+    "TARGET=${kernel.modDirVersion}"
+    "KERNEL_MODULES=${kernel.dev}/lib/modules/${kernel.modDirVersion}"
+    "MODDESTDIR=${placeholder "out"}/lib/modules/${kernel.modDirVersion}/kernel/drivers/hwmon"
+  ];
+
+  meta = with lib; {
+    description = "Linux HWMON (lmsensors) sensors driver for various ASUS Ryzen and Threadripper motherboards";
+    homepage = "https://github.com/electrified/asus-wmi-sensors";
+    license = licenses.gpl2;
+    platforms = [ "x86_64-linux" "i686-linux" ];
+    maintainers = with maintainers; [ Frostman ];
+    broken = versionOlder kernel.version "4.12";
+  };
+}
diff --git a/nixpkgs/pkgs/os-specific/linux/atop/atop.service.patch b/nixpkgs/pkgs/os-specific/linux/atop/atop.service.patch
new file mode 100644
index 000000000000..3ef59e60cbc0
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/atop/atop.service.patch
@@ -0,0 +1,10 @@
+--- a/atop.service
++++ b/atop.service
+@@ -9,5 +9,6 @@
+ Environment=LOGPATH=/var/log/atop
+-EnvironmentFile=/etc/default/atop
++EnvironmentFile=-/etc/default/atop
+ ExecStartPre=/bin/sh -c 'test -n "$LOGINTERVAL" -a "$LOGINTERVAL" -eq "$LOGINTERVAL"'
+ ExecStartPre=/bin/sh -c 'test -n "$LOGGENERATIONS" -a "$LOGGENERATIONS" -eq "$LOGGENERATIONS"'
++ExecStartPre=/bin/sh -c 'mkdir -p "${LOGPATH}"'
+ ExecStart=/bin/sh -c 'exec @out@/bin/atop ${LOGOPTS} -w "${LOGPATH}/atop_$(date +%%Y%%m%%d)" ${LOGINTERVAL}'
diff --git a/nixpkgs/pkgs/os-specific/linux/atop/atopacct.service.patch b/nixpkgs/pkgs/os-specific/linux/atop/atopacct.service.patch
new file mode 100644
index 000000000000..9f2cd8f2e9ca
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/atop/atopacct.service.patch
@@ -0,0 +1,7 @@
+--- a/atopacct.service
++++ b/atopacct.service
+@@ -9,3 +9,3 @@
+ Type=forking
+-PIDFile=/var/run/atopacctd.pid
++PIDFile=/run/atopacctd.pid
+ ExecStart=@out@/bin/atopacctd
diff --git a/nixpkgs/pkgs/os-specific/linux/atop/default.nix b/nixpkgs/pkgs/os-specific/linux/atop/default.nix
new file mode 100644
index 000000000000..808d1bc42376
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/atop/default.nix
@@ -0,0 +1,95 @@
+{ lib
+, stdenv
+, fetchurl
+, zlib
+, ncurses
+, findutils
+, systemd
+, python3
+# makes the package unfree via pynvml
+, withAtopgpu ? false
+}:
+
+stdenv.mkDerivation rec {
+  pname = "atop";
+  version = "2.8.1";
+
+  src = fetchurl {
+    url = "https://www.atoptool.nl/download/atop-${version}.tar.gz";
+    sha256 = "sha256-lwBYoZt5w0RPlx+FRXKg5jiR3C1fcDf/g3VwhUzg2h4=";
+  };
+
+  nativeBuildInputs = lib.optionals withAtopgpu [
+    python3.pkgs.wrapPython
+  ];
+
+  buildInputs = [
+    zlib
+    ncurses
+  ] ++ lib.optionals withAtopgpu [
+    python3
+  ];
+
+  pythonPath = lib.optionals withAtopgpu [
+    python3.pkgs.pynvml
+  ];
+
+  makeFlags = [
+    "DESTDIR=$(out)"
+    "BINPATH=/bin"
+    "SBINPATH=/bin"
+    "MAN1PATH=/share/man/man1"
+    "MAN5PATH=/share/man/man5"
+    "MAN8PATH=/share/man/man8"
+    "SYSDPATH=/lib/systemd/system"
+    "PMPATHD=/lib/systemd/system-sleep"
+  ];
+
+  patches = [
+    # Fix paths in atop.service, atop-rotate.service, atopgpu.service, atopacct.service,
+    # and atop-pm.sh
+    ./fix-paths.patch
+    # Don't fail on missing /etc/default/atop, make sure /var/log/atop exists pre-start
+    ./atop.service.patch
+    # Specify PIDFile in /run, not /var/run to silence systemd warning
+    ./atopacct.service.patch
+  ];
+
+  preConfigure = ''
+    for f in *.{sh,service}; do
+      findutils=${findutils} systemd=${systemd} substituteAllInPlace "$f"
+    done
+
+    substituteInPlace Makefile --replace 'chown' 'true'
+    substituteInPlace Makefile --replace 'chmod 04711' 'chmod 0711'
+  '';
+
+  preInstall = ''
+    mkdir -p $out/bin
+  '';
+
+  postInstall = ''
+    # Remove extra files we don't need
+    rm -r $out/{var,etc} $out/bin/atop{sar,}-${version}
+  '' + (if withAtopgpu then ''
+    wrapPythonPrograms
+  '' else ''
+    rm $out/lib/systemd/system/atopgpu.service $out/bin/atopgpud $out/share/man/man8/atopgpud.8
+  '');
+
+  meta = with lib; {
+    platforms = platforms.linux;
+    maintainers = with maintainers; [ raskin ];
+    description = "Console system performance monitor";
+    longDescription = ''
+      Atop is an ASCII full-screen performance monitor that is capable of reporting the activity of
+      all processes (even if processes have finished during the interval), daily logging of system
+      and process activity for long-term analysis, highlighting overloaded system resources by using
+      colors, etc. At regular intervals, it shows system-level activity related to the CPU, memory,
+      swap, disks and network layers, and for every active process it shows the CPU utilization,
+      memory growth, disk utilization, priority, username, state, and exit code.
+    '';
+    license = licenses.gpl2Plus;
+    downloadPage = "http://atoptool.nl/downloadatop.php";
+  };
+}
diff --git a/nixpkgs/pkgs/os-specific/linux/atop/fix-paths.patch b/nixpkgs/pkgs/os-specific/linux/atop/fix-paths.patch
new file mode 100644
index 000000000000..e6cd631d3c11
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/atop/fix-paths.patch
@@ -0,0 +1,48 @@
+--- a/atop.service
++++ b/atop.service
+@@ -12,4 +12,4 @@
+ ExecStartPre=/bin/sh -c 'test -n "$LOGGENERATIONS" -a "$LOGGENERATIONS" -eq "$LOGGENERATIONS"'
+-ExecStart=/bin/sh -c 'exec /usr/bin/atop ${LOGOPTS} -w "${LOGPATH}/atop_$(date +%%Y%%m%%d)" ${LOGINTERVAL}'
+-ExecStartPost=/usr/bin/find "${LOGPATH}" -name "atop_*" -mtime +${LOGGENERATIONS} -exec rm -v {} \;
++ExecStart=/bin/sh -c 'exec @out@/bin/atop ${LOGOPTS} -w "${LOGPATH}/atop_$(date +%%Y%%m%%d)" ${LOGINTERVAL}'
++ExecStartPost=@findutils@/bin/find "${LOGPATH}" -name "atop_*" -mtime +${LOGGENERATIONS} -exec rm -v {} \;
+ KillSignal=SIGUSR2
+
+--- a/atop-rotate.service
++++ b/atop-rotate.service
+@@ -4,3 +4,3 @@
+ [Service]
+ Type=oneshot
+-ExecStart=/usr/bin/systemctl try-restart atop.service
++ExecStart=@systemd@/bin/systemctl try-restart atop.service
+
+--- a/atopgpu.service
++++ b/atopgpu.service
+@@ -6,5 +6,5 @@
+
+ [Service]
+-ExecStart=/usr/sbin/atopgpud
++ExecStart=@out@/bin/atopgpud
+ Type=oneshot
+ RemainAfterExit=yes
+
+--- a/atopacct.service
++++ b/atopacct.service
+@@ -10,3 +10,3 @@
+ PIDFile=/var/run/atopacctd.pid
+-ExecStart=/usr/sbin/atopacctd
++ExecStart=@out@/bin/atopacctd
+
+--- a/atop-pm.sh
++++ b/atop-pm.sh
+@@ -2,8 +2,8 @@
+
+ case "$1" in
+-	pre)	/usr/bin/systemctl stop atop
++	pre)	@systemd@/bin/systemctl stop atop
+ 		exit 0
+ 		;;
+-	post)	/usr/bin/systemctl start atop
++	post)	@systemd@/bin/systemctl start atop
+ 		exit 0
+ 		;;
diff --git a/nixpkgs/pkgs/os-specific/linux/audit/default.nix b/nixpkgs/pkgs/os-specific/linux/audit/default.nix
new file mode 100644
index 000000000000..1e941a13767e
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/audit/default.nix
@@ -0,0 +1,73 @@
+{ lib
+, stdenv
+, fetchurl
+, fetchpatch
+, autoreconfHook
+, bash
+, buildPackages
+, libtool
+, linuxHeaders
+, python3
+, swig
+
+# Enabling python support while cross compiling would be possible, but the
+# configure script tries executing python to gather info instead of relying on
+# python3-config exclusively
+, enablePython ? stdenv.hostPlatform == stdenv.buildPlatform,
+}:
+
+stdenv.mkDerivation (finalAttrs: {
+  pname = "audit";
+  version = "3.1.2";
+
+  src = fetchurl {
+    url = "https://people.redhat.com/sgrubb/audit/audit-${finalAttrs.version}.tar.gz";
+    hash = "sha256-wLF5LR8KiMbxgocQUJy7mHBZ/GhxLJdmnKkOrhA9KH0=";
+  };
+
+  postPatch = ''
+    substituteInPlace bindings/swig/src/auditswig.i \
+      --replace "/usr/include/linux/audit.h" \
+                "${linuxHeaders}/include/linux/audit.h"
+  '';
+
+  outputs = [ "bin" "dev" "out" "man" ];
+
+  strictDeps = true;
+
+  depsBuildBuild = [
+    buildPackages.stdenv.cc
+  ];
+
+  nativeBuildInputs = [
+    autoreconfHook
+  ]
+  ++ lib.optionals enablePython [
+    python3
+    swig
+  ];
+
+  buildInputs = [
+    bash
+  ];
+
+  configureFlags = [
+    # z/OS plugin is not useful on Linux, and pulls in an extra openldap
+    # dependency otherwise
+    "--disable-zos-remote"
+    "--with-arm"
+    "--with-aarch64"
+    (if enablePython then "--with-python" else "--without-python")
+  ];
+
+  enableParallelBuilding = true;
+
+  meta = {
+    homepage = "https://people.redhat.com/sgrubb/audit/";
+    description = "Audit Library";
+    changelog = "https://github.com/linux-audit/audit-userspace/releases/tag/v${finalAttrs.version}";
+    license = lib.licenses.gpl2Plus;
+    maintainers = with lib.maintainers; [ AndersonTorres ];
+    platforms = lib.platforms.linux;
+  };
+})
diff --git a/nixpkgs/pkgs/os-specific/linux/autofs/default.nix b/nixpkgs/pkgs/os-specific/linux/autofs/default.nix
new file mode 100644
index 000000000000..48d12abcf2f5
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/autofs/default.nix
@@ -0,0 +1,60 @@
+{ lib, stdenv, fetchurl, flex, bison, linuxHeaders, libtirpc, mount, umount, nfs-utils, e2fsprogs
+, libxml2, libkrb5, kmod, openldap, sssd, cyrus_sasl, openssl, rpcsvc-proto
+, fetchpatch
+}:
+
+stdenv.mkDerivation rec {
+  version = "5.1.6";
+  pname = "autofs";
+
+  src = fetchurl {
+    url = "mirror://kernel/linux/daemons/autofs/v5/autofs-${version}.tar.xz";
+    sha256 = "1vya21mb4izj3khcr3flibv7xc15vvx2v0rjfk5yd31qnzcy7pnx";
+  };
+
+  patches = [
+    # glibc 2.34 compat
+    (fetchpatch {
+      url = "https://src.fedoraproject.org/rpms/autofs/raw/cc745af5e42396d540d5b3b92fae486e232bf6bd/f/autofs-5.1.7-use-default-stack-size-for-threads.patch";
+      sha256 = "sha256-6ETDFbW7EhHR03xFWF+6OJBgn9NX3WW3bGhTNGodaOc=";
+      excludes = [ "CHANGELOG" ];
+    })
+  ];
+
+  preConfigure = ''
+    configureFlags="--enable-force-shutdown --enable-ignore-busy --with-path=$PATH"
+    export sssldir="${sssd}/lib/sssd/modules"
+    export HAVE_SSS_AUTOFS=1
+
+    export MOUNT=${mount}/bin/mount
+    export MOUNT_NFS=${nfs-utils}/bin/mount.nfs
+    export UMOUNT=${umount}/bin/umount
+    export MODPROBE=${kmod}/bin/modprobe
+    export E2FSCK=${e2fsprogs}/bin/fsck.ext2
+    export E3FSCK=${e2fsprogs}/bin/fsck.ext3
+    export E4FSCK=${e2fsprogs}/bin/fsck.ext4
+
+    unset STRIP # Makefile.rules defines a usable STRIP only without the env var.
+  '';
+
+  # configure script is not finding the right path
+  env.NIX_CFLAGS_COMPILE = toString [ "-I${libtirpc.dev}/include/tirpc" ];
+
+  installPhase = ''
+    make install SUBDIRS="lib daemon modules man" # all but samples
+    #make install SUBDIRS="samples" # impure!
+  '';
+
+  buildInputs = [ linuxHeaders libtirpc libxml2 libkrb5 kmod openldap sssd
+                  openssl cyrus_sasl rpcsvc-proto ];
+
+  nativeBuildInputs = [ flex bison ];
+
+  meta = {
+    description = "Kernel-based automounter";
+    homepage = "https://www.kernel.org/pub/linux/daemons/autofs/";
+    license = lib.licenses.gpl2Plus;
+    executables = [ "automount" ];
+    platforms = lib.platforms.linux;
+  };
+}
diff --git a/nixpkgs/pkgs/os-specific/linux/autosuspend/default.nix b/nixpkgs/pkgs/os-specific/linux/autosuspend/default.nix
new file mode 100644
index 000000000000..fc2b2f0c4e38
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/autosuspend/default.nix
@@ -0,0 +1,79 @@
+{ lib
+, fetchFromGitHub
+, python3
+}:
+
+let
+  python = python3.override {
+    packageOverrides = self: super: {
+      # autosuspend is incompatible with tzlocal v5
+      # See https://github.com/regebro/tzlocal#api-change
+      tzlocal = super.tzlocal.overridePythonAttrs (prev: {
+        src = prev.src.override {
+          version = "4.3.1";
+          hash = "sha256-7jLvjCCAPBmpbtNmrd09SnKe9jCctcc1mgzC7ut/pGo=";
+        };
+      });
+    };
+  };
+in
+python.pkgs.buildPythonApplication rec {
+  pname = "autosuspend";
+  version = "6.0.0";
+
+  disabled = python3.pythonOlder "3.8";
+
+  src = fetchFromGitHub {
+    owner = "languitar";
+    repo = pname;
+    rev = "refs/tags/v${version}";
+    hash = "sha256-gS8NNks4GaIGl7cEqWSP53I4/tIV4LypkmZ5vNOjspY=";
+  };
+
+  postPatch = ''
+    substituteInPlace setup.cfg \
+      --replace '--cov-config=setup.cfg' ""
+  '';
+
+  propagatedBuildInputs = with python.pkgs; [
+    dbus-python
+    icalendar
+    jsonpath-ng
+    lxml
+    mpd2
+    portalocker
+    psutil
+    python-dateutil
+    pytz
+    requests
+    requests-file
+    tzlocal
+  ];
+
+  nativeCheckInputs = with python.pkgs; [
+    freezegun
+    pytest-datadir
+    pytest-httpserver
+    pytest-mock
+    pytestCheckHook
+    python-dbusmock
+  ];
+
+  # Disable tests that need root
+  disabledTests = [
+    "test_smoke"
+    "test_multiple_sessions"
+  ];
+
+  doCheck = true;
+
+  meta = with lib; {
+    description = "A daemon to automatically suspend and wake up a system";
+    homepage = "https://autosuspend.readthedocs.io";
+    changelog = "https://github.com/languitar/autosuspend/releases/tag/v${version}";
+    license = licenses.gpl2Only;
+    maintainers = with maintainers; [ bzizou anthonyroussel ];
+    mainProgram = "autosuspend";
+    platforms = platforms.linux;
+  };
+}
diff --git a/nixpkgs/pkgs/os-specific/linux/ax99100/default.nix b/nixpkgs/pkgs/os-specific/linux/ax99100/default.nix
new file mode 100644
index 000000000000..761800cfd7ba
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/ax99100/default.nix
@@ -0,0 +1,53 @@
+{ kernel, stdenv, kmod, lib, fetchzip, dos2unix }:
+
+stdenv.mkDerivation {
+  pname = "ax99100";
+  version = "1.8.0";
+
+  nativeBuildInputs = [ dos2unix kmod ] ++ kernel.moduleBuildDependencies;
+
+  src = fetchzip {
+    url = "https://www.asix.com.tw/en/support/download/file/1229";
+    sha256 = "1rbp1m01qr6b3nbr72vpbw89pjh8mddc60im78z2yjd951xkbcjh";
+    extension = "tar.bz2";
+  };
+
+  prePatch = ''
+    # The sources come with Windows file endings and that makes
+    # applying patches hard without first fixing the line endings.
+    dos2unix *.c *.h
+  '';
+
+  # The patches are adapted from: https://aur.archlinux.org/packages/asix-ax99100
+  #
+  # We included them here instead of fetching them, because of line
+  # ending issues that are easier to fix manually. Also the
+  # set_termios patch needs to be applied for 6.1 not for 6.0.
+  patches = [
+    ./kernel-5.18-pci_free_consistent-pci_alloc_consistent.patch
+    ./kernel-6.1-set_termios-const-ktermios.patch
+  ] ++ lib.optionals (lib.versionAtLeast kernel.version "6.2") [
+    ./kernel-6.2-fix-pointer-type.patch
+    ./kernel-6.4-fix-define-semaphore.patch
+  ];
+
+  patchFlags = [ "-p0" ];
+
+  makeFlags = [ "KDIR='${kernel.dev}/lib/modules/${kernel.modDirVersion}/build'" ];
+
+  installPhase = ''
+    mkdir -p $out/lib/modules/${kernel.modDirVersion}/kernel/drivers/tty/serial
+    cp ax99100.ko $out/lib/modules/${kernel.modDirVersion}/kernel/drivers/tty/serial
+  '';
+
+  meta = {
+    description = "ASIX AX99100 Serial and Parallel Port driver";
+    homepage = "https://www.asix.com.tw/en/product/Interface/PCIe_Bridge/AX99100";
+    # According to the source code in the tarball, the license is gpl2.
+    license = lib.licenses.gpl2;
+    platforms = lib.platforms.linux;
+
+    # Older Linux versions need more patches to work.
+    broken = lib.versionOlder kernel.version "5.4.0";
+  };
+}
diff --git a/nixpkgs/pkgs/os-specific/linux/ax99100/kernel-5.18-pci_free_consistent-pci_alloc_consistent.patch b/nixpkgs/pkgs/os-specific/linux/ax99100/kernel-5.18-pci_free_consistent-pci_alloc_consistent.patch
new file mode 100644
index 000000000000..05ec0cfad222
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/ax99100/kernel-5.18-pci_free_consistent-pci_alloc_consistent.patch
@@ -0,0 +1,14 @@
+diff -pNaru5 a/ax99100_sp.h b/ax99100_sp.h
+--- ax99100_sp.h	2022-06-07 16:55:26.621034945 -0400
++++ ax99100_sp.h	2022-06-07 16:58:32.488989767 -0400
+@@ -255,5 +255,10 @@ struct custom_eeprom {
+ #define _INLINE_
+ #endif
+ 
+ #define DEFAULT99100_BAUD 115200
+ #endif
++
++/* #if LINUX_VERSION_CODE >= KERNEL_VERSION(5,18,0) */
++#define pci_alloc_consistent(hwdev,size,dma_handle) dma_alloc_coherent(&hwdev->dev, size, dma_handle, GFP_ATOMIC)
++#define pci_free_consistent(hwdev,size,vaddr,dma_handle) dma_free_coherent(&hwdev->dev, size, vaddr, dma_handle)
++/* #endif */
diff --git a/nixpkgs/pkgs/os-specific/linux/ax99100/kernel-6.1-set_termios-const-ktermios.patch b/nixpkgs/pkgs/os-specific/linux/ax99100/kernel-6.1-set_termios-const-ktermios.patch
new file mode 100644
index 000000000000..8d75ad454cfe
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/ax99100/kernel-6.1-set_termios-const-ktermios.patch
@@ -0,0 +1,18 @@
+diff -pNaru5 a/ax99100_sp.c b/ax99100_sp.c
+--- ax99100_sp.c	2023-01-02 23:44:46.707423858 -0500
++++ ax99100_sp.c	2023-01-02 23:44:27.171293092 -0500
+@@ -1915,11 +1915,13 @@ static unsigned int serial99100_get_divi
+ 	DEBUG("In %s quot=%u----baud=%u-----------------------------END\n",__FUNCTION__,quot,baud);
+ 	return quot;	
+ }
+ 
+ //This is a port ops function to set the terminal settings.
+-#if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,20)
++#if LINUX_VERSION_CODE >= KERNEL_VERSION(6,1,0)
++static void serial99100_set_termios(struct uart_port *port, struct ktermios *termios, const struct ktermios *old)
++#elif LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,20)
+ static void serial99100_set_termios(struct uart_port *port, struct ktermios *termios, struct ktermios *old)
+ #else
+ static void serial99100_set_termios(struct uart_port *port, struct termios *termios, struct termios *old)
+ #endif
+ {
diff --git a/nixpkgs/pkgs/os-specific/linux/ax99100/kernel-6.2-fix-pointer-type.patch b/nixpkgs/pkgs/os-specific/linux/ax99100/kernel-6.2-fix-pointer-type.patch
new file mode 100644
index 000000000000..39071f2f4798
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/ax99100/kernel-6.2-fix-pointer-type.patch
@@ -0,0 +1,11 @@
+--- ax99100_spi.c
++++ ax99100_spi.c
+@@ -76,7 +76,7 @@ int spi_suspend_count;
+ static unsigned int spi_major = 241;
+ static unsigned int spi_min_count = 0;
+ /* device Class */
+-static char *ax_devnode(struct device *dev, umode_t *mode)
++static char *ax_devnode(const struct device *dev, umode_t *mode)
+ {
+ 	return kasprintf(GFP_KERNEL, "%s", dev_name(dev));
+ }
diff --git a/nixpkgs/pkgs/os-specific/linux/ax99100/kernel-6.4-fix-define-semaphore.patch b/nixpkgs/pkgs/os-specific/linux/ax99100/kernel-6.4-fix-define-semaphore.patch
new file mode 100644
index 000000000000..434bb559e177
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/ax99100/kernel-6.4-fix-define-semaphore.patch
@@ -0,0 +1,14 @@
+--- ax99100_sp.c
++++ ax99100_sp.c
+@@ -2670,8 +2670,10 @@ static void serial99100_dma_tx_tasklet (unsigned long param)
+ 
+ #if LINUX_VERSION_CODE < KERNEL_VERSION(2,6,37)
+ static DECLARE_MUTEX(serial99100_sem);
+-#else
++#elif LINUX_VERSION_CODE < KERNEL_VERSION(6,4,0)
+ static DEFINE_SEMAPHORE(serial99100_sem);
++#else
++static DEFINE_SEMAPHORE(serial99100_sem, 1);
+ #endif
+ 
+ static struct uart_driver starex_serial_driver = {
diff --git a/nixpkgs/pkgs/os-specific/linux/batman-adv/alfred.nix b/nixpkgs/pkgs/os-specific/linux/batman-adv/alfred.nix
new file mode 100644
index 000000000000..ae7d784591d2
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/batman-adv/alfred.nix
@@ -0,0 +1,28 @@
+{ lib, stdenv, fetchurl, pkg-config, gpsd, libcap, libnl }:
+
+let cfg = import ./version.nix; in
+
+stdenv.mkDerivation rec {
+  pname = "alfred";
+  inherit (cfg) version;
+
+  src = fetchurl {
+    url = "https://downloads.open-mesh.org/batman/releases/batman-adv-${version}/${pname}-${version}.tar.gz";
+    sha256 = cfg.sha256.${pname};
+  };
+
+  nativeBuildInputs = [ pkg-config ];
+  buildInputs = [ gpsd libcap libnl ];
+
+  preBuild = ''
+    makeFlags="PREFIX=$out"
+  '';
+
+  meta = {
+    homepage = "https://www.open-mesh.org/projects/batman-adv/wiki/Wiki";
+    description = "B.A.T.M.A.N. routing protocol in a linux kernel module for layer 2, information distribution tool";
+    license = lib.licenses.gpl2;
+    maintainers = with lib.maintainers; [ fpletz ];
+    platforms = with lib.platforms; linux;
+  };
+}
diff --git a/nixpkgs/pkgs/os-specific/linux/batman-adv/batctl.nix b/nixpkgs/pkgs/os-specific/linux/batman-adv/batctl.nix
new file mode 100644
index 000000000000..b01f48a242a6
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/batman-adv/batctl.nix
@@ -0,0 +1,28 @@
+{ lib, stdenv, fetchurl, pkg-config, libnl }:
+
+let cfg = import ./version.nix; in
+
+stdenv.mkDerivation rec {
+  pname = "batctl";
+  inherit (cfg) version;
+
+  src = fetchurl {
+    url = "https://downloads.open-mesh.org/batman/releases/batman-adv-${version}/${pname}-${version}.tar.gz";
+    sha256 = cfg.sha256.${pname};
+  };
+
+  nativeBuildInputs = [ pkg-config ];
+  buildInputs = [ libnl ];
+
+  preBuild = ''
+    makeFlags="PREFIX=$out"
+  '';
+
+  meta = {
+    homepage = "https://www.open-mesh.org/projects/batman-adv/wiki/Wiki";
+    description = "B.A.T.M.A.N. routing protocol in a linux kernel module for layer 2, control tool";
+    license = lib.licenses.gpl2;
+    maintainers = with lib.maintainers; [ fpletz ];
+    platforms = with lib.platforms; linux;
+  };
+}
diff --git a/nixpkgs/pkgs/os-specific/linux/batman-adv/default.nix b/nixpkgs/pkgs/os-specific/linux/batman-adv/default.nix
new file mode 100644
index 000000000000..3d22720b9625
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/batman-adv/default.nix
@@ -0,0 +1,38 @@
+{ lib
+, stdenv
+, fetchurl
+, fetchpatch
+, kernel
+}:
+
+let cfg = import ./version.nix; in
+
+stdenv.mkDerivation rec {
+  pname = "batman-adv";
+  version = "${cfg.version}-${kernel.version}";
+
+  src = fetchurl {
+    url = "http://downloads.open-mesh.org/batman/releases/${pname}-${cfg.version}/${pname}-${cfg.version}.tar.gz";
+    sha256 = cfg.sha256.${pname};
+  };
+
+  nativeBuildInputs = kernel.moduleBuildDependencies;
+  makeFlags = kernel.makeFlags ++ [
+    "KERNELPATH=${kernel.dev}/lib/modules/${kernel.modDirVersion}/build"
+  ];
+
+  hardeningDisable = [ "pic" ];
+
+  preBuild = ''
+    sed -i -e "s,INSTALL_MOD_DIR=,INSTALL_MOD_PATH=$out INSTALL_MOD_DIR=," \
+      -e /depmod/d Makefile
+  '';
+
+  meta = {
+    homepage = "https://www.open-mesh.org/projects/batman-adv/wiki/Wiki";
+    description = "B.A.T.M.A.N. routing protocol in a linux kernel module for layer 2";
+    license = lib.licenses.gpl2;
+    maintainers = with lib.maintainers; [ fpletz hexa ];
+    platforms = with lib.platforms; linux;
+  };
+}
diff --git a/nixpkgs/pkgs/os-specific/linux/batman-adv/version.nix b/nixpkgs/pkgs/os-specific/linux/batman-adv/version.nix
new file mode 100644
index 000000000000..53a255fc2157
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/batman-adv/version.nix
@@ -0,0 +1,9 @@
+{
+  version = "2023.2";
+
+  sha256 = {
+    batman-adv = "sha256-OQfc1X4sW/2dQHE5YLlAK/HaT4DFm1/wN3ifu7vY+iU=";
+    alfred = "sha256-qSBgKFZPieW/t3FK4piDoWEPYr4+YcCW4f6zYgBxjg4=";
+    batctl = "sha256-cLX5MfpjYyVpe9829tE0oDxJBvTBfLdlCjxxSQFDbsg=";
+  };
+}
diff --git a/nixpkgs/pkgs/os-specific/linux/bbswitch/default.nix b/nixpkgs/pkgs/os-specific/linux/bbswitch/default.nix
new file mode 100644
index 000000000000..8312d64acddc
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/bbswitch/default.nix
@@ -0,0 +1,64 @@
+{ lib, stdenv, fetchFromGitHub, fetchpatch, kernel, runtimeShell }:
+
+let
+  baseName = "bbswitch";
+  version = "unstable-2021-11-29";
+  name = "${baseName}-${version}-${kernel.version}";
+
+in
+
+stdenv.mkDerivation {
+  inherit name;
+
+  src = fetchFromGitHub {
+    owner = "Bumblebee-Project";
+    repo = "bbswitch";
+    # https://github.com/Bumblebee-Project/bbswitch/tree/develop
+    rev = "23891174a80ea79c7720bcc7048a5c2bfcde5cd9";
+    hash = "sha256-50v1Jxem5kaI1dHOKmgBbPLxI82QeYxiaRHhrHpWRzU=";
+  };
+
+  patches = [
+    (fetchpatch {
+      url = "https://raw.githubusercontent.com/archlinux/svntogit-community/0bd986055ba52887b81048de5c61e618eec06eb0/trunk/0003-kernel-5.18.patch";
+      sha256 = "sha256-va62/bR1qyBBMPg0lUwCH7slGG0XijxVCsFa4FCoHEQ=";
+    })
+  ];
+
+  nativeBuildInputs = kernel.moduleBuildDependencies;
+
+  hardeningDisable = [ "pic" ];
+
+  preBuild = ''
+    substituteInPlace Makefile \
+      --replace "/lib/modules" "${kernel.dev}/lib/modules"
+  '';
+
+  makeFlags = kernel.makeFlags;
+
+  installPhase = ''
+    mkdir -p $out/lib/modules/${kernel.modDirVersion}/misc
+    cp bbswitch.ko $out/lib/modules/${kernel.modDirVersion}/misc
+
+    mkdir -p $out/bin
+    tee $out/bin/discrete_vga_poweroff << EOF
+    #!${runtimeShell}
+
+    echo -n OFF > /proc/acpi/bbswitch
+    EOF
+    tee $out/bin/discrete_vga_poweron << EOF
+    #!${runtimeShell}
+
+    echo -n ON > /proc/acpi/bbswitch
+    EOF
+    chmod +x $out/bin/discrete_vga_poweroff $out/bin/discrete_vga_poweron
+  '';
+
+  meta = with lib; {
+    description = "A module for powering off hybrid GPUs";
+    platforms = [ "x86_64-linux" "i686-linux" ];
+    homepage = "https://github.com/Bumblebee-Project/bbswitch";
+    maintainers = with maintainers; [ abbradar ];
+    license = licenses.gpl2Plus;
+  };
+}
diff --git a/nixpkgs/pkgs/os-specific/linux/bcc/absolute-ausyscall.patch b/nixpkgs/pkgs/os-specific/linux/bcc/absolute-ausyscall.patch
new file mode 100644
index 000000000000..7480e9c5d97b
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/bcc/absolute-ausyscall.patch
@@ -0,0 +1,43 @@
+From 01e793163231c5085afced37471df32b94a313f5 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?J=C3=B6rg=20Thalheim?= <joerg@thalheim.io>
+Date: Thu, 30 Dec 2021 06:34:41 +0100
+Subject: [PATCH] absolute ausyscall
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Signed-off-by: Jörg Thalheim <joerg@thalheim.io>
+---
+ libbpf-tools/syscall_helpers.c | 2 +-
+ src/python/bcc/syscall.py      | 2 +-
+ 2 files changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/libbpf-tools/syscall_helpers.c b/libbpf-tools/syscall_helpers.c
+index e114a08f..62adea78 100644
+--- a/libbpf-tools/syscall_helpers.c
++++ b/libbpf-tools/syscall_helpers.c
+@@ -47,7 +47,7 @@ void init_syscall_names(void)
+ 	int err;
+ 	FILE *f;
+ 
+-	f = popen("ausyscall --dump 2>/dev/null", "r");
++	f = popen("@ausyscall@ --dump 2>/dev/null", "r");
+ 	if (!f) {
+ 		warn("popen: ausyscall --dump: %s\n", strerror(errno));
+ 		return;
+diff --git a/src/python/bcc/syscall.py b/src/python/bcc/syscall.py
+index 1346b4e8..e7e29a11 100644
+--- a/src/python/bcc/syscall.py
++++ b/src/python/bcc/syscall.py
+@@ -376,7 +376,7 @@ def _parse_syscall(line):
+ try:
+     # Skip the first line, which is a header. The rest of the lines are simply
+     # SYSCALL_NUM\tSYSCALL_NAME pairs.
+-    out = subprocess.check_output(['ausyscall', '--dump'], stderr=subprocess.STDOUT)
++    out = subprocess.check_output(['@ausyscall@', '--dump'], stderr=subprocess.STDOUT)
+     # remove the first line of expected output
+     out = out.split(b'\n',1)[1]
+     syscalls = dict(map(_parse_syscall, out.strip().split(b'\n')))
+-- 
+2.34.0
+
diff --git a/nixpkgs/pkgs/os-specific/linux/bcc/default.nix b/nixpkgs/pkgs/os-specific/linux/bcc/default.nix
new file mode 100644
index 000000000000..acdaa6796d65
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/bcc/default.nix
@@ -0,0 +1,122 @@
+{ audit
+, bash
+, bison
+, cmake
+, elfutils
+, fetchFromGitHub
+, flex
+, iperf
+, lib
+, libbpf
+, llvmPackages
+, luajit
+, makeWrapper
+, netperf
+, nixosTests
+, python3
+, stdenv
+, zip
+}:
+
+python3.pkgs.buildPythonApplication rec {
+  pname = "bcc";
+  version = "0.28.0";
+
+  disabled = !stdenv.isLinux;
+
+  src = fetchFromGitHub {
+    owner = "iovisor";
+    repo = "bcc";
+    rev = "v${version}";
+    sha256 = "sha256-+ecSaVroDC2bWbio4JsuwEvHQdCMpxLt7hIkeREMJs8=";
+  };
+  format = "other";
+
+  buildInputs = with llvmPackages; [
+    llvm llvm.dev libclang
+    elfutils luajit netperf iperf
+    flex bash libbpf
+  ];
+
+  patches = [
+    # This is needed until we fix
+    # https://github.com/NixOS/nixpkgs/issues/40427
+    ./fix-deadlock-detector-import.patch
+  ];
+
+  propagatedBuildInputs = [ python3.pkgs.netaddr ];
+  nativeBuildInputs = [
+    bison
+    cmake
+    flex
+    llvmPackages.llvm.dev
+    makeWrapper
+    python3.pkgs.setuptools
+    zip
+  ];
+
+  cmakeFlags = [
+    "-DBCC_KERNEL_MODULES_DIR=/run/booted-system/kernel-modules/lib/modules"
+    "-DREVISION=${version}"
+    "-DENABLE_USDT=ON"
+    "-DENABLE_CPP_API=ON"
+    "-DCMAKE_USE_LIBBPF_PACKAGE=ON"
+    "-DENABLE_LIBDEBUGINFOD=OFF"
+  ];
+
+  # to replace this executable path:
+  # https://github.com/iovisor/bcc/blob/master/src/python/bcc/syscall.py#L384
+  ausyscall = "${audit}/bin/ausyscall";
+
+  postPatch = ''
+    substituteAll ${./libbcc-path.patch} ./libbcc-path.patch
+    patch -p1 < libbcc-path.patch
+
+    substituteAll ${./absolute-ausyscall.patch} ./absolute-ausyscall.patch
+    patch -p1 < absolute-ausyscall.patch
+
+    # https://github.com/iovisor/bcc/issues/3996
+    substituteInPlace src/cc/libbcc.pc.in \
+      --replace '$'{exec_prefix}/@CMAKE_INSTALL_LIBDIR@ @CMAKE_INSTALL_FULL_LIBDIR@
+  '';
+
+  preInstall = ''
+    # required for setuptool during install
+    export PYTHONPATH=$out/${python3.sitePackages}:$PYTHONPATH
+  '';
+  postInstall = ''
+    mkdir -p $out/bin $out/share
+    rm -r $out/share/bcc/tools/old
+    mv $out/share/bcc/tools/doc $out/share
+    mv $out/share/bcc/man $out/share/
+
+    find $out/share/bcc/tools -type f -executable -print0 | \
+    while IFS= read -r -d ''$'\0' f; do
+      bin=$out/bin/$(basename $f)
+      if [ ! -e $bin ]; then
+        ln -s $f $bin
+      fi
+      substituteInPlace "$f" \
+        --replace '$(dirname $0)/lib' "$out/share/bcc/tools/lib"
+    done
+
+    sed -i -e "s!lib=.*!lib=$out/bin!" $out/bin/{java,ruby,node,python}gc
+  '';
+
+  postFixup = ''
+    wrapPythonProgramsIn "$out/share/bcc/tools" "$out $pythonPath"
+  '';
+
+  outputs = [ "out" "man" ];
+
+  passthru.tests = {
+    bpf = nixosTests.bpf;
+  };
+
+  meta = with lib; {
+    description = "Dynamic Tracing Tools for Linux";
+    homepage    = "https://iovisor.github.io/bcc/";
+    license     = licenses.asl20;
+    maintainers = with maintainers; [ ragge mic92 thoughtpolice martinetd ];
+  };
+}
diff --git a/nixpkgs/pkgs/os-specific/linux/bcc/fix-deadlock-detector-import.patch b/nixpkgs/pkgs/os-specific/linux/bcc/fix-deadlock-detector-import.patch
new file mode 100644
index 000000000000..1c422635f4fe
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/bcc/fix-deadlock-detector-import.patch
@@ -0,0 +1,14 @@
+--- source.org/tools/deadlock.py	1980-01-02 00:00:00.000000000 +0000
++++ source/tools/deadlock.py	2018-05-29 13:57:11.807126673 +0100
+@@ -44,9 +44,8 @@
+ #
+ # 01-Feb-2017   Kenny Yu   Created this.
+ 
+-from __future__ import (
+-    absolute_import, division, unicode_literals, print_function
+-)
++from __future__ import absolute_import, division, unicode_literals, print_function
++
+ from bcc import BPF
+ from collections import defaultdict
+ import argparse
diff --git a/nixpkgs/pkgs/os-specific/linux/bcc/libbcc-path.patch b/nixpkgs/pkgs/os-specific/linux/bcc/libbcc-path.patch
new file mode 100644
index 000000000000..187bb3aadd00
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/bcc/libbcc-path.patch
@@ -0,0 +1,11 @@
+--- source.org/src/python/bcc/libbcc.py	2018-05-13 08:35:06.850522883 +0100
++++ source/src/python/bcc/libbcc.py	2018-05-13 08:36:24.602733151 +0100
+@@ -14,7 +14,7 @@
+ 
+ import ctypes as ct
+ 
+-lib = ct.CDLL("libbcc.so.0", use_errno=True)
++lib = ct.CDLL("@out@/lib/libbcc.so.0", use_errno=True)
+ 
+ # keep in sync with bpf_common.h
+ lib.bpf_module_create_b.restype = ct.c_void_p
diff --git a/nixpkgs/pkgs/os-specific/linux/beefi/default.nix b/nixpkgs/pkgs/os-specific/linux/beefi/default.nix
new file mode 100644
index 000000000000..959a43faea91
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/beefi/default.nix
@@ -0,0 +1,44 @@
+{ stdenv
+, lib
+, fetchFromGitHub
+, installShellFiles
+, binutils-unwrapped
+, systemd }:
+
+stdenv.mkDerivation rec {
+  pname = "beefi";
+  version = "0.1.1";
+
+  src = fetchFromGitHub {
+    owner = "jfeick";
+    repo = "beefi";
+    rev = version;
+    sha256 = "1180avalbw414q1gnfqdgc9zg3k9y0401kw9qvcn51qph81d04v5";
+  };
+
+  nativeBuildInputs = [ installShellFiles ];
+
+  buildInputs = [
+    binutils-unwrapped
+    systemd
+  ];
+
+  patchPhase = ''
+    substituteInPlace beefi \
+      --replace objcopy ${binutils-unwrapped}/bin/objcopy \
+      --replace /usr/lib/systemd ${systemd}/lib/systemd
+  '';
+
+  installPhase = ''
+    install -Dm755 beefi $out/bin/beefi
+    installManPage beefi.1
+  '';
+
+  meta = with lib; {
+    description = "A small script to create bootable EFISTUB kernel images";
+    license = licenses.gpl3;
+    platforms = platforms.linux;
+    maintainers = with maintainers; [ tu-maurice ];
+    homepage = "https://github.com/jfeick/beefi";
+  };
+}
diff --git a/nixpkgs/pkgs/os-specific/linux/below/default.nix b/nixpkgs/pkgs/os-specific/linux/below/default.nix
new file mode 100644
index 000000000000..0a91fd585906
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/below/default.nix
@@ -0,0 +1,48 @@
+{ lib
+, stdenv
+, fetchFromGitHub
+, rustPlatform
+, clang
+, pkg-config
+, elfutils
+, rustfmt
+, zlib
+}:
+
+rustPlatform.buildRustPackage rec {
+  pname = "below";
+  version = "0.6.3";
+
+  src = fetchFromGitHub {
+    owner = "facebookincubator";
+    repo = "below";
+    rev = "v${version}";
+    sha256 = "sha256-d5a/M2XEw2E2iydopzedqZ/XfQU7KQyTC5NrPTeeNLg=";
+  };
+
+  cargoSha256 = "sha256-EoRCmEe9SAySZCm+QhaR4ngik4Arnm4SZjgDM5fSRmk=";
+
+  prePatch = ''sed -i "s,ExecStart=.*/bin,ExecStart=$out/bin," etc/below.service'';
+  postInstall = ''
+    install -d $out/lib/systemd/system
+    install -t $out/lib/systemd/system etc/below.service
+  '';
+
+  # bpf code compilation
+  hardeningDisable = [ "stackprotector" ];
+
+  nativeBuildInputs = [ clang pkg-config rustfmt ];
+  buildInputs = [ elfutils zlib ];
+
+  # needs /sys/fs/cgroup
+  doCheck = false;
+
+  meta = with lib; {
+    platforms = platforms.linux;
+    maintainers = with maintainers; [ globin ];
+    description = "A time traveling resource monitor for modern Linux systems";
+    license = licenses.asl20;
+    homepage = "https://github.com/facebookincubator/below";
+    mainProgram = "below";
+  };
+}
diff --git a/nixpkgs/pkgs/os-specific/linux/bionic-prebuilt/default.nix b/nixpkgs/pkgs/os-specific/linux/bionic-prebuilt/default.nix
new file mode 100644
index 000000000000..da5011e67373
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/bionic-prebuilt/default.nix
@@ -0,0 +1,148 @@
+{ stdenv, stdenvNoCC, lib, fetchzip, pkgs
+, enableStatic ? stdenv.hostPlatform.isStatic
+, enableShared ? !stdenv.hostPlatform.isStatic
+}:
+let
+
+  choosePlatform =
+    let pname = stdenv.targetPlatform.parsed.cpu.name; in
+    pset: pset.${pname} or (throw "bionic-prebuilt: unsupported platform ${pname}");
+
+  prebuilt_crt = choosePlatform {
+    aarch64 = fetchzip {
+      url =  "https://android.googlesource.com/platform/prebuilts/gcc/linux-x86/aarch64/aarch64-linux-android-4.9/+archive/98dce673ad97a9640c5d90bbb1c718e75c21e071/lib/gcc/aarch64-linux-android/4.9.x.tar.gz";
+      sha256 = "sha256-LLD2OJi78sNN5NulOsJZl7Ei4F1EUYItGG6eUsKWULc=";
+      stripRoot = false;
+    };
+    x86_64 = fetchzip {
+      url = "https://android.googlesource.com/platform/prebuilts/gcc/linux-x86/x86/x86_64-linux-android-4.9/+archive/7e8507d2a2d4df3bced561b894576de70f065be4/lib/gcc/x86_64-linux-android/4.9.x.tar.gz";
+      sha256 = "sha256-y7CFLF76pTlj+oYev9taBnL2nlT3+Tx8c6wmicWmKEw=";
+      stripRoot = false;
+    };
+  };
+
+  prebuilt_libs = choosePlatform {
+    aarch64 = fetchzip {
+      url = "https://android.googlesource.com/platform/prebuilts/ndk/+archive/f2c77d8ba8a7f5c2d91771e31164f29be0b8ff98/platform/platforms/android-30/arch-arm64/usr/lib.tar.gz";
+      sha256 = "sha256-TZBV7+D1QvKOCEi+VNGT5SStkgj0xRbyWoLH65zSrjw=";
+      stripRoot = false;
+    };
+    x86_64 = fetchzip {
+      url = "https://android.googlesource.com/platform/prebuilts/ndk/+archive/f2c77d8ba8a7f5c2d91771e31164f29be0b8ff98/platform/platforms/android-30/arch-x86_64/usr/lib64.tar.gz";
+      sha256 = "sha256-n2EuOKy3RGKmEYofNlm+vDDBuiQRuAJEJT6wq6NEJQs=";
+      stripRoot = false;
+    };
+  };
+
+  prebuilt_ndk_crt = choosePlatform {
+    aarch64 = fetchzip {
+      url = "https://android.googlesource.com/toolchain/prebuilts/ndk/r23/+archive/6c5fa4c0d3999b9ee932f6acbd430eb2f31f3151/toolchains/llvm/prebuilt/linux-x86_64/sysroot/usr/lib/aarch64-linux-android/30.tar.gz";
+      sha256 = "sha256-KHw+cCwAwlm+5Nwp1o8WONqdi4BBDhFaVVr+7GxQ5uE=";
+      stripRoot = false;
+    };
+    x86_64 = fetchzip {
+      url = "https://android.googlesource.com/toolchain/prebuilts/ndk/r23/+archive/6c5fa4c0d3999b9ee932f6acbd430eb2f31f3151/toolchains/llvm/prebuilt/linux-x86_64/sysroot/usr/lib/x86_64-linux-android/30.tar.gz";
+      sha256 = "sha256-XEd7L3cBzn+1pKfji40V92G/uZhHSMMuZcRZaiKkLnk=";
+      stripRoot = false;
+    };
+  };
+
+  ndk_support_headers = fetchzip {
+    url ="https://android.googlesource.com/platform/prebuilts/clang/host/linux-x86/+archive/0e7f808fa26cce046f444c9616d9167dafbfb272/clang-r416183b/include/c++/v1/support.tar.gz";
+    sha256 = "sha256-NBv7Pk1CEaz8ns9moleEERr3x/rFmVmG33LgFSeO6fY=";
+    stripRoot = false;
+  };
+
+  kernelHeaders = pkgs.makeLinuxHeaders {
+    version = "android-common-11-5.4";
+    src = fetchzip {
+      url = "https://android.googlesource.com/kernel/common/+archive/48ffcbf0b9e7f0280bfb8c32c68da0aaf0fdfef6.tar.gz";
+      sha256 = "1y7cmlmcr5vdqydd9n785s139yc4aylc3zhqa59xsylmkaf5habk";
+      stripRoot = false;
+    };
+  };
+
+in
+stdenvNoCC.mkDerivation rec {
+  pname = "bionic-prebuilt";
+  version = "ndk-release-r23";
+  name = "${stdenv.targetPlatform.parsed.cpu.name}-${pname}-${version}";
+
+  src = fetchzip {
+    url = "https://android.googlesource.com/platform/bionic/+archive/00e8ce1142d8823b0d2fc8a98b40119b0f1f02cd.tar.gz";
+    sha256 = "10z5mp4w0acvjvgxv7wlqa7m70hcyarmjdlfxbd9rwzf4mrsr8d1";
+    stripRoot = false;
+  };
+
+  NIX_DONT_SET_RPATH = true;
+
+  dontConfigure = true;
+  dontBuild = true;
+
+  patches = [
+    ./ndk-version.patch
+  ];
+
+  postPatch = ''
+    substituteInPlace libc/include/sys/cdefs.h --replace \
+      "__has_builtin(__builtin_umul_overflow)" "1"
+    substituteInPlace libc/include/bits/ioctl.h --replace \
+      "!defined(BIONIC_IOCTL_NO_SIGNEDNESS_OVERLOAD)" "0"
+  '';
+
+  installPhase= ''
+    # copy the bionic headers
+    mkdir -p $out/include/support $out/include/android
+    cp -vr libc/include/* $out/include
+    # copy the kernel headers
+    cp -vr ${kernelHeaders}/include/*  $out/include/
+
+    chmod -R +w $out/include/linux
+
+    # fix a bunch of kernel headers so that things can actually be found
+    sed -i 's,struct epoll_event {,#include <bits/epoll_event.h>\nstruct Xepoll_event {,' $out/include/linux/eventpoll.h
+    sed -i 's,struct in_addr {,typedef unsigned int in_addr_t;\nstruct in_addr {,' $out/include/linux/in.h
+    sed -i 's,struct udphdr {,struct Xudphdr {,' $out/include/linux/udp.h
+    sed -i 's,union semun {,union Xsemun {,' $out/include/linux/sem.h
+    sed -i 's,struct __kernel_sockaddr_storage,#define sockaddr_storage __kernel_sockaddr_storage\nstruct __kernel_sockaddr_storage,' $out/include/linux/socket.h
+    sed -i 's,#ifndef __UAPI_DEF_.*$,#if 1,' $out/include/linux/libc-compat.h
+    substituteInPlace $out/include/linux/in.h --replace "__be32		imr_" "struct in_addr		imr_"
+    substituteInPlace $out/include/linux/in.h --replace "__be32		imsf_" "struct in_addr		imsf_"
+    substituteInPlace $out/include/linux/sysctl.h --replace "__unused" "_unused"
+
+    # what could possibly live in <linux/compiler.h>
+    touch $out/include/linux/compiler.h
+
+    # copy the support headers
+    cp -vr ${ndk_support_headers}* $out/include/support/
+
+    mkdir $out/lib
+    cp -v ${prebuilt_crt.out}/*.o $out/lib/
+    cp -v ${prebuilt_crt.out}/libgcc.a $out/lib/
+    cp -v ${prebuilt_ndk_crt.out}/*.o $out/lib/
+  '' + lib.optionalString enableShared ''
+    for i in libc.so libm.so libdl.so liblog.so; do
+      cp -v ${prebuilt_libs.out}/$i $out/lib/
+    done
+  '' + lib.optionalString enableStatic ''
+    # no liblog.a; while it's also part of the base libraries,
+    # it's only available as shared object in the prebuilts.
+    for i in libc.a libm.a libdl.a; do
+      cp -v ${prebuilt_ndk_crt.out}/$i $out/lib/
+    done
+  '' + ''
+    mkdir -p $dev/include
+    cp -v $out/include/*.h $dev/include/
+  '';
+
+  outputs = [ "out" "dev" ];
+  passthru.linuxHeaders = kernelHeaders;
+
+  meta = with lib; {
+    description = "The Android libc implementation";
+    homepage    = "https://android.googlesource.com/platform/bionic/";
+    license     = licenses.mit;
+    platforms   = platforms.linux;
+    maintainers = with maintainers; [ s1341 ];
+  };
+}
diff --git a/nixpkgs/pkgs/os-specific/linux/bionic-prebuilt/ndk-version.patch b/nixpkgs/pkgs/os-specific/linux/bionic-prebuilt/ndk-version.patch
new file mode 100644
index 000000000000..a6842ed479ff
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/bionic-prebuilt/ndk-version.patch
@@ -0,0 +1,42 @@
+--- a/libc/include/android/ndk-version.h	2021-04-01 16:08:03.109183965 +0300
++++ b/libc/include/android/ndk-version.h	2021-04-01 16:07:19.811424641 +0300
+@@ -0,0 +1,39 @@
++#pragma once
++
++/**
++ * Set to 1 if this is an NDK, unset otherwise. See
++ * https://android.googlesource.com/platform/bionic/+/master/docs/defines.md.
++ */
++#define __ANDROID_NDK__ 1
++
++/**
++ * Major version of this NDK.
++ *
++ * For example: 16 for r16.
++ */
++#define __NDK_MAJOR__ 22
++
++/**
++ * Minor version of this NDK.
++ *
++ * For example: 0 for r16 and 1 for r16b.
++ */
++#define __NDK_MINOR__ 0
++
++/**
++ * Set to 0 if this is a release build, or 1 for beta 1,
++ * 2 for beta 2, and so on.
++ */
++#define __NDK_BETA__ 0
++
++/**
++ * Build number for this NDK.
++ *
++ * For a local development build of the NDK, this is -1.
++ */
++#define __NDK_BUILD__ 7026061
++
++/**
++ * Set to 1 if this is a canary build, 0 if not.
++ */
++#define __NDK_CANARY__ 0
diff --git a/nixpkgs/pkgs/os-specific/linux/blktrace/default.nix b/nixpkgs/pkgs/os-specific/linux/blktrace/default.nix
new file mode 100644
index 000000000000..d1b2376e7bd2
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/blktrace/default.nix
@@ -0,0 +1,27 @@
+{ lib, stdenv, fetchurl, libaio }:
+
+stdenv.mkDerivation rec {
+  pname = "blktrace";
+  version = "1.3.0";
+
+  # Official source
+  # "https://git.kernel.org/pub/scm/linux/kernel/git/axboe/blktrace.git"
+  src = fetchurl {
+    url = "https://brick.kernel.dk/snaps/blktrace-${version}.tar.bz2";
+    sha256 = "sha256-1t7aA4Yt4r0bG5+6cpu7hi2bynleaqf3yoa2VoEacNY=";
+  };
+
+  buildInputs = [ libaio ];
+
+  makeFlags = [
+    "prefix=${placeholder "out"}"
+    "CC:=$(CC)"
+  ];
+
+  meta = with lib; {
+    description = "Block layer IO tracing mechanism";
+    maintainers = with maintainers; [ nickcao ];
+    license = licenses.gpl2Plus;
+    platforms = platforms.linux;
+  };
+}
diff --git a/nixpkgs/pkgs/os-specific/linux/bluez/default.nix b/nixpkgs/pkgs/os-specific/linux/bluez/default.nix
new file mode 100644
index 000000000000..c6c7d9d0f509
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/bluez/default.nix
@@ -0,0 +1,152 @@
+{ stdenv
+, lib
+, fetchurl
+, fetchpatch
+, alsa-lib
+, dbus
+, ell
+, glib
+, json_c
+, libical
+, docutils
+, pkg-config
+, python3
+, readline
+, systemdMinimal
+, udev
+, withExperimental ? false
+}: let
+  pythonPath = with python3.pkgs; [
+    dbus-python
+    pygobject3
+    recursivePthLoader
+  ];
+in stdenv.mkDerivation rec {
+  pname = "bluez";
+  version = "5.70";
+
+  src = fetchurl {
+    url = "mirror://kernel/linux/bluetooth/${pname}-${version}.tar.xz";
+    sha256 = "sha256-N+Ny6RaVXhRMuIL4iOS+QImPEK47fCE93N1V7pwAkng=";
+  };
+
+  patches = [
+    # replace use of a non-standard symbol to fix build with musl libc (pkgsMusl.bluez)
+    (fetchpatch {
+      url = "https://git.alpinelinux.org/aports/plain/main/bluez/max-input.patch?id=32b31b484cb13009bd8081c4106e4cf064ec2f1f";
+      sha256 = "sha256-SczbXtsxBkCO+izH8XOBcrJEO2f7MdtYVT3+2fCV8wU=";
+    })
+  ];
+
+  buildInputs = [
+    alsa-lib
+    dbus
+    ell
+    glib
+    json_c
+    libical
+    python3
+    readline
+    udev
+  ];
+
+  nativeBuildInputs = [
+    docutils
+    pkg-config
+    python3.pkgs.wrapPython
+  ];
+
+  outputs = [ "out" "dev" "test" ];
+
+  postPatch = ''
+    substituteInPlace tools/hid2hci.rules \
+      --replace /sbin/udevadm ${systemdMinimal}/bin/udevadm \
+      --replace "hid2hci " "$out/lib/udev/hid2hci "
+    # Disable some tests:
+    # - test-mesh-crypto depends on the following kernel settings:
+    #   CONFIG_CRYPTO_[USER|USER_API|USER_API_AEAD|USER_API_HASH|AES|CCM|AEAD|CMAC]
+    if [[ ! -f unit/test-mesh-crypto.c ]]; then echo "unit/test-mesh-crypto.c no longer exists"; false; fi
+    echo 'int main() { return 77; }' > unit/test-mesh-crypto.c
+  '';
+
+  configureFlags = [
+    "--localstatedir=/var"
+    "--enable-library"
+    "--enable-cups"
+    "--enable-pie"
+    "--enable-external-ell"
+    "--with-dbusconfdir=${placeholder "out"}/share"
+    "--with-dbussystembusdir=${placeholder "out"}/share/dbus-1/system-services"
+    "--with-dbussessionbusdir=${placeholder "out"}/share/dbus-1/services"
+    "--with-systemdsystemunitdir=${placeholder "out"}/etc/systemd/system"
+    "--with-systemduserunitdir=${placeholder "out"}/etc/systemd/user"
+    "--with-udevdir=${placeholder "out"}/lib/udev"
+    "--enable-health"
+    "--enable-mesh"
+    "--enable-midi"
+    "--enable-nfc"
+    "--enable-sixaxis"
+    "--enable-btpclient"
+    "--enable-hid2hci"
+    "--enable-logger"
+
+    # To provide ciptool, sdptool, and rfcomm (unmaintained)
+    # superseded by new D-Bus APIs
+    "--enable-deprecated"
+  ] ++ lib.optional withExperimental "--enable-experimental";
+
+
+  # Work around `make install' trying to create /var/lib/bluetooth.
+  installFlags = [ "statedir=$(TMPDIR)/var/lib/bluetooth" ];
+
+  makeFlags = [ "rulesdir=${placeholder "out"}/lib/udev/rules.d" ];
+
+  doCheck = stdenv.hostPlatform.isx86_64;
+
+  postInstall = ''
+    mkdir -p $test/{bin,test}
+    cp -a test $test
+    pushd $test/test
+    for a in \
+            simple-agent \
+            test-adapter \
+            test-device \
+            test-thermometer \
+            list-devices \
+            monitor-bluetooth \
+            ; do
+      ln -s ../test/$a $test/bin/bluez-$a
+    done
+    popd
+    wrapPythonProgramsIn $test/test "$test/test ${toString pythonPath}"
+  '' + ''
+    # for bluez4 compatibility for NixOS
+    mkdir $out/sbin
+    ln -s ../libexec/bluetooth/bluetoothd $out/sbin/bluetoothd
+    ln -s ../libexec/bluetooth/obexd $out/sbin/obexd
+
+    # Add extra configuration
+    mkdir $out/etc/bluetooth
+    ln -s /etc/bluetooth/main.conf $out/etc/bluetooth/main.conf
+
+    # https://github.com/NixOS/nixpkgs/issues/204418
+    ln -s /etc/bluetooth/input.conf $out/etc/bluetooth/input.conf
+    ln -s /etc/bluetooth/network.conf $out/etc/bluetooth/network.conf
+
+    # Add missing tools, ref https://git.archlinux.org/svntogit/packages.git/tree/trunk/PKGBUILD?h=packages/bluez
+    for files in `find tools/ -type f -perm -755`; do
+      filename=$(basename $files)
+      install -Dm755 tools/$filename $out/bin/$filename
+    done
+    install -Dm755 attrib/gatttool $out/bin/gatttool
+  '';
+
+  enableParallelBuilding = true;
+
+  meta = with lib; {
+    description = "Bluetooth support for Linux";
+    homepage = "http://www.bluez.org/";
+    license = with licenses; [ gpl2 lgpl21 ];
+    platforms = platforms.linux;
+  };
+}
diff --git a/nixpkgs/pkgs/os-specific/linux/bolt/0001-skip-mkdir.patch b/nixpkgs/pkgs/os-specific/linux/bolt/0001-skip-mkdir.patch
new file mode 100644
index 000000000000..0853bcea9167
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/bolt/0001-skip-mkdir.patch
@@ -0,0 +1,12 @@
+diff --git a/scripts/meson-install.sh b/scripts/meson-install.sh
+index 859ae81..05a1c58 100644
+--- a/scripts/meson-install.sh
++++ b/scripts/meson-install.sh
+@@ -7,5 +7,5 @@ fi
+ 
+ BOLT_DBDIR=$1
+ 
+-echo "Creating database dir: ${BOLT_DBDIR}"
+-mkdir -p "${DESTDIR}/${BOLT_DBDIR}"
++# echo "Creating database dir: ${BOLT_DBDIR}"
++# mkdir -p "${DESTDIR}/${BOLT_DBDIR}"
diff --git a/nixpkgs/pkgs/os-specific/linux/bolt/default.nix b/nixpkgs/pkgs/os-specific/linux/bolt/default.nix
new file mode 100644
index 000000000000..df618cbff5a1
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/bolt/default.nix
@@ -0,0 +1,101 @@
+{ stdenv
+, lib
+, meson
+, ninja
+, pkg-config
+, fetchFromGitLab
+, fetchpatch
+, python3
+, umockdev
+, gobject-introspection
+, dbus
+, asciidoc
+, libxml2
+, libxslt
+, docbook_xml_dtd_45
+, docbook-xsl-nons
+, glib
+, systemd
+, polkit
+}:
+
+stdenv.mkDerivation rec {
+  pname = "bolt";
+  version = "0.9.6";
+
+  src = fetchFromGitLab {
+    domain = "gitlab.freedesktop.org";
+    owner = "bolt";
+    repo = "bolt";
+    rev = version;
+    sha256 = "sha256-sJBY/pXUX5InLynsvAmapW54UF/WGn9eDlluWXjhubQ=";
+  };
+
+  patches = [
+    # meson install tries to create /var/lib/boltd
+    ./0001-skip-mkdir.patch
+
+    # Test does not work on ZFS with atime disabled.
+    # Upstream issue: https://gitlab.freedesktop.org/bolt/bolt/-/issues/167
+    (fetchpatch {
+      url = "https://gitlab.freedesktop.org/bolt/bolt/-/commit/c2f1d5c40ad71b20507e02faa11037b395fac2f8.diff";
+      revert = true;
+      sha256 = "6w7ll65W/CydrWAVi/qgzhrQeDv1PWWShulLxoglF+I=";
+    })
+  ];
+
+  depsBuildBuild = [
+    pkg-config
+  ];
+
+  nativeBuildInputs = [
+    asciidoc
+    docbook_xml_dtd_45
+    docbook-xsl-nons
+    libxml2
+    libxslt
+    meson
+    ninja
+    pkg-config
+    glib
+  ] ++ lib.optional (!doCheck) python3;
+
+  buildInputs = [
+    polkit
+    systemd
+  ];
+
+  # https://gitlab.freedesktop.org/bolt/bolt/-/issues/181
+  doCheck = false;
+
+  preCheck = ''
+    export LD_LIBRARY_PATH=${umockdev.out}/lib/
+  '';
+
+  nativeCheckInputs = [
+    dbus
+    gobject-introspection
+    umockdev
+    (python3.pythonOnBuildForHost.withPackages
+      (p: [ p.pygobject3 p.dbus-python p.python-dbusmock ]))
+  ];
+
+  postPatch = ''
+    patchShebangs scripts tests
+  '';
+
+  mesonFlags = [
+    "-Dlocalstatedir=/var"
+  ];
+
+  PKG_CONFIG_SYSTEMD_SYSTEMDSYSTEMUNITDIR = "${placeholder "out"}/lib/systemd/system";
+  PKG_CONFIG_UDEV_UDEVDIR = "${placeholder "out"}/lib/udev";
+
+  meta = with lib; {
+    description = "Thunderbolt 3 device management daemon";
+    homepage = "https://gitlab.freedesktop.org/bolt/bolt";
+    license = licenses.lgpl21Plus;
+    maintainers = with maintainers; [ callahad ];
+    platforms = platforms.linux;
+  };
+}
diff --git a/nixpkgs/pkgs/os-specific/linux/bpfmon/default.nix b/nixpkgs/pkgs/os-specific/linux/bpfmon/default.nix
new file mode 100644
index 000000000000..f0815376c2a0
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/bpfmon/default.nix
@@ -0,0 +1,36 @@
+{ lib
+, stdenv
+, fetchFromGitHub
+, libpcap
+, yascreen
+}:
+
+stdenv.mkDerivation rec {
+  pname = "bpfmon";
+  version = "2.52";
+
+  src = fetchFromGitHub {
+    owner = "bbonev";
+    repo = "bpfmon";
+    rev = "refs/tags/v${version}";
+    hash = "sha256-W7OnrC+FCxMd4YbYiybjIvO0LT7Hr1/0Y3BQwItaTBs=";
+  };
+
+  buildInputs = [
+    libpcap
+    yascreen
+  ];
+
+  makeFlags = [
+    "PREFIX=$(out)"
+  ];
+
+  meta = with lib; {
+    description = "BPF based visual packet rate monitor";
+    homepage = "https://github.com/bbonev/bpfmon";
+    changelog = "https://github.com/bbonev/bpfmon/releases/tag/v${version}";
+    maintainers = with maintainers; [ arezvov ];
+    license = licenses.gpl2Plus;
+    platforms = platforms.linux;
+  };
+}
diff --git a/nixpkgs/pkgs/os-specific/linux/bpftools/default.nix b/nixpkgs/pkgs/os-specific/linux/bpftools/default.nix
new file mode 100644
index 000000000000..a23c4eb7b9e6
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/bpftools/default.nix
@@ -0,0 +1,51 @@
+{ lib, stdenv, linuxHeaders
+, libopcodes, libopcodes_2_38
+, libbfd, libbfd_2_38
+, elfutils, readline
+, zlib
+, python3, bison, flex
+}:
+
+stdenv.mkDerivation rec {
+  pname = "bpftools";
+
+  inherit (linuxHeaders) version src;
+
+  separateDebugInfo = true;
+
+  patches = [
+    # fix unknown type name '__vector128' on ppc64le
+    ./include-asm-types-for-ppc64le.patch
+  ];
+
+  nativeBuildInputs = [ python3 bison flex ];
+  buildInputs = (if (lib.versionAtLeast version "5.20")
+                 then [ libopcodes libbfd ]
+                 else [ libopcodes_2_38 libbfd_2_38 ])
+    ++ [ elfutils zlib readline ];
+
+  preConfigure = ''
+    patchShebangs scripts/bpf_doc.py
+
+    cd tools/bpf
+    substituteInPlace ./bpftool/Makefile \
+      --replace '/usr/local' "$out" \
+      --replace '/usr'       "$out" \
+      --replace '/sbin'      '/bin'
+  '';
+
+  buildFlags = [ "bpftool" "bpf_asm" "bpf_dbg" ];
+
+  installPhase = ''
+    make -C bpftool install
+    install -Dm755 -t $out/bin bpf_asm
+    install -Dm755 -t $out/bin bpf_dbg
+  '';
+
+  meta = with lib; {
+    description = "Debugging/program analysis tools for the eBPF subsystem";
+    license     = [ licenses.gpl2 licenses.bsd2 ];
+    platforms   = platforms.linux;
+    maintainers = with maintainers; [ thoughtpolice ];
+  };
+}
diff --git a/nixpkgs/pkgs/os-specific/linux/bpftools/include-asm-types-for-ppc64le.patch b/nixpkgs/pkgs/os-specific/linux/bpftools/include-asm-types-for-ppc64le.patch
new file mode 100644
index 000000000000..47c8f8077a5a
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/bpftools/include-asm-types-for-ppc64le.patch
@@ -0,0 +1,13 @@
+diff --git a/tools/include/uapi/linux/types.h b/tools/include/uapi/linux/types.h
+index 91fa51a9c31d..bfbd9b47277f 100644
+--- a/tools/include/uapi/linux/types.h
++++ b/tools/include/uapi/linux/types.h
+@@ -2,7 +2,7 @@
+ #ifndef _UAPI_LINUX_TYPES_H
+ #define _UAPI_LINUX_TYPES_H
+ 
+-#include <asm-generic/int-ll64.h>
++#include <asm/types.h>
+ 
+ /* copied from linux:include/uapi/linux/types.h */
+ #define __bitwise
diff --git a/nixpkgs/pkgs/os-specific/linux/bpftrace/default.nix b/nixpkgs/pkgs/os-specific/linux/bpftrace/default.nix
new file mode 100644
index 000000000000..ecb34c373b74
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/bpftrace/default.nix
@@ -0,0 +1,71 @@
+{ lib, stdenv, fetchFromGitHub, fetchpatch
+, llvmPackages, elfutils, bcc
+, libbpf, libbfd, libopcodes
+, cereal, asciidoctor
+, cmake, pkg-config, flex, bison
+, util-linux
+, nixosTests
+}:
+
+stdenv.mkDerivation rec {
+  pname = "bpftrace";
+  version = "0.19.1";
+
+  src = fetchFromGitHub {
+    owner = "iovisor";
+    repo  = "bpftrace";
+    rev   = "v${version}";
+    hash  = "sha256-JyMogqyntSm2IDXzsOIjcUkf2YwG2oXKpqPpdx/eMNI=";
+  };
+
+
+  buildInputs = with llvmPackages; [
+    llvm libclang
+    elfutils bcc
+    libbpf libbfd libopcodes
+    cereal asciidoctor
+  ];
+
+  nativeBuildInputs = [
+    cmake pkg-config flex bison
+    llvmPackages.llvm.dev
+    util-linux
+  ];
+
+  # tests aren't built, due to gtest shenanigans. see:
+  #
+  #     https://github.com/iovisor/bpftrace/issues/161#issuecomment-453606728
+  #     https://github.com/iovisor/bpftrace/pull/363
+  #
+  cmakeFlags = [
+    "-DBUILD_TESTING=FALSE"
+    "-DLIBBCC_INCLUDE_DIRS=${bcc}/include"
+    "-DINSTALL_TOOL_DOCS=OFF"
+    "-DUSE_SYSTEM_BPF_BCC=ON"
+  ];
+
+
+  # Pull BPF scripts into $PATH (next to their bcc program equivalents), but do
+  # not move them to keep `${pkgs.bpftrace}/share/bpftrace/tools/...` working.
+  postInstall = ''
+    ln -sr $out/share/bpftrace/tools/*.bt $out/bin/
+    # do not use /usr/bin/env for shipped tools
+    # If someone can get patchShebangs to work here please fix.
+    sed -i -e "1s:#!/usr/bin/env bpftrace:#!$out/bin/bpftrace:" $out/share/bpftrace/tools/*.bt
+  '';
+
+  outputs = [ "out" "man" ];
+
+  passthru.tests = {
+    bpf = nixosTests.bpf;
+  };
+
+  meta = with lib; {
+    description = "High-level tracing language for Linux eBPF";
+    homepage    = "https://github.com/iovisor/bpftrace";
+    changelog   = "https://github.com/iovisor/bpftrace/releases/tag/v${version}";
+    mainProgram = "bpftrace";
+    license     = licenses.asl20;
+    maintainers = with maintainers; [ rvl thoughtpolice martinetd mfrw ];
+  };
+}
diff --git a/nixpkgs/pkgs/os-specific/linux/bpftune/default.nix b/nixpkgs/pkgs/os-specific/linux/bpftune/default.nix
new file mode 100644
index 000000000000..c2fd9d3f6a5e
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/bpftune/default.nix
@@ -0,0 +1,77 @@
+{ lib
+, stdenv
+, fetchFromGitHub
+, clang
+, bpftools
+, docutils
+, libbpf
+, libcap
+, libnl
+, nixosTests
+}:
+
+stdenv.mkDerivation rec {
+  pname = "bpftune";
+  version = "unstable-2023-09-11";
+
+  src = fetchFromGitHub {
+    owner = "oracle";
+    repo = "bpftune";
+    rev = "22926812a555eac910eac0699100bac0f8776f1b";
+    hash = "sha256-BflJc5lYWYFIo9LzKfb34F4V1qOI8ywVjnzOLz605DI=";
+  };
+
+  postPatch = ''
+    # otherwise shrink rpath would drop $out/lib from rpath
+    substituteInPlace src/Makefile \
+      --replace /lib64   /lib \
+      --replace /sbin    /bin \
+      --replace ldconfig true
+    substituteInPlace src/bpftune.service \
+      --replace /usr/sbin/bpftune "$out/bin/bpftune"
+    substituteInPlace include/bpftune/libbpftune.h \
+      --replace /usr/lib64/bpftune/       "$out/lib/bpftune/" \
+      --replace /usr/local/lib64/bpftune/ "$out/lib/bpftune/"
+    substituteInPlace src/libbpftune.c \
+      --replace /lib/modules /run/booted-system/kernel-modules/lib/modules
+
+    substituteInPlace src/Makefile sample_tuner/Makefile \
+      --replace 'BPF_INCLUDE := /usr/include' 'BPF_INCLUDE := ${lib.getDev libbpf}/include' \
+  '';
+
+  nativeBuildInputs = [
+    clang
+    bpftools
+    docutils # rst2man
+  ];
+
+  buildInputs = [
+    libbpf
+    libcap
+    libnl
+  ];
+
+  makeFlags = [
+    "prefix=${placeholder "out"}"
+    "confprefix=${placeholder "out"}/etc"
+    "BPFTUNE_VERSION=${version}"
+    "NL_INCLUDE=${lib.getDev libnl}/include/libnl3"
+  ];
+
+  hardeningDisable = [
+    "stackprotector"
+  ];
+
+  passthru.tests = {
+    inherit (nixosTests) bpftune;
+  };
+
+  enableParallelBuilding = true;
+
+  meta = with lib; {
+    description = "BPF-based auto-tuning of Linux system parameters";
+    homepage = "https://github.com/oracle-samples/bpftune";
+    license = licenses.gpl2Only;
+    maintainers = with maintainers; [ nickcao ];
+  };
+}
diff --git a/nixpkgs/pkgs/os-specific/linux/bridge-utils/autoconf-ar.patch b/nixpkgs/pkgs/os-specific/linux/bridge-utils/autoconf-ar.patch
new file mode 100644
index 000000000000..21b089179ce1
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/bridge-utils/autoconf-ar.patch
@@ -0,0 +1,21 @@
+--- a/configure.ac
++++ b/configure.ac
+@@ -9,6 +9,7 @@ dnl Checks for programs.
+ AC_PROG_CC
+ AC_PROG_INSTALL
+ AC_PROG_RANLIB
++AC_CHECK_TOOL([AR], [ar])
+ 
+ dnl Checks for header files.
+ AC_HEADER_STDC
+--- a/libbridge/Makefile.in
++++ b/libbridge/Makefile.in
+@@ -1,7 +1,7 @@
+ 
+ KERNEL_HEADERS=-I@KERNEL_HEADERS@
+ 
+-AR=ar
++AR=@AR@
+ RANLIB=@RANLIB@
+ 
+ CC=@CC@
diff --git a/nixpkgs/pkgs/os-specific/linux/bridge-utils/default.nix b/nixpkgs/pkgs/os-specific/linux/bridge-utils/default.nix
new file mode 100644
index 000000000000..a03cb12727ce
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/bridge-utils/default.nix
@@ -0,0 +1,30 @@
+{ lib, stdenv, fetchurl, autoreconfHook, fetchpatch }:
+
+stdenv.mkDerivation rec {
+  pname = "bridge-utils";
+  version = "1.7.1";
+
+  src = fetchurl {
+    url = "https://kernel.org/pub/linux/utils/net/bridge-utils/bridge-utils-${version}.tar.xz";
+    sha256 = "sha256-ph2L5PGhQFxgyO841UTwwYwFszubB+W0sxAzU2Fl5g4=";
+  };
+
+  patches = [
+    ./autoconf-ar.patch
+
+    (fetchpatch {
+      name = "musl-includes.patch";
+      url = "https://git.alpinelinux.org/aports/plain/main/bridge-utils/fix-PATH_MAX-on-ppc64le.patch?id=12c9046eee3a0a35665dc4e280c1f5ae2af5845d";
+      sha256 = "sha256-uY1tgJhcm1DFctg9scmC8e+mgowgz4f/oF0+k+x+jqw=";
+    })
+  ];
+
+  nativeBuildInputs = [ autoreconfHook ];
+
+  meta = {
+    description = "An userspace tool to configure linux bridges (deprecated in favour or iproute2).";
+    homepage = "https://wiki.linuxfoundation.org/networking/bridge";
+    license = lib.licenses.gpl2Plus;
+    platforms = lib.platforms.linux;
+  };
+}
diff --git a/nixpkgs/pkgs/os-specific/linux/brillo/default.nix b/nixpkgs/pkgs/os-specific/linux/brillo/default.nix
new file mode 100644
index 000000000000..237b6db65b02
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/brillo/default.nix
@@ -0,0 +1,35 @@
+{ lib, stdenv, fetchFromGitLab , go-md2man, coreutils, substituteAll }:
+
+stdenv.mkDerivation rec {
+  pname = "brillo";
+  version = "1.4.12";
+
+  src = fetchFromGitLab {
+    owner= "cameronnemo";
+    repo= "brillo";
+    rev= "v${version}";
+    sha256 = "sha256-dKGNioWGVAFuB4kySO+QGTnstyAD0bt4/6FBVwuRxJo=";
+  };
+
+  patches = [
+    (substituteAll {
+      src = ./udev-rule.patch;
+      inherit coreutils;
+    })
+  ];
+
+  nativeBuildInputs = [ go-md2man ];
+
+  makeFlags = [ "PREFIX=$(out)" "AADIR=$(out)/etc/apparmor.d" ];
+
+  installTargets = [ "install-dist" ];
+
+  meta = with lib; {
+    description = "Backlight and Keyboard LED control tool";
+    homepage = "https://gitlab.com/cameronnemo/brillo";
+    mainProgram = "brillo";
+    license = [ licenses.gpl3 licenses.bsd0 ];
+    platforms = platforms.linux;
+    maintainers = [ maintainers.alexarice ];
+  };
+}
diff --git a/nixpkgs/pkgs/os-specific/linux/brillo/udev-rule.patch b/nixpkgs/pkgs/os-specific/linux/brillo/udev-rule.patch
new file mode 100644
index 000000000000..7b1cf4840675
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/brillo/udev-rule.patch
@@ -0,0 +1,13 @@
+diff --git a/contrib/udev.in b/contrib/udev.in
+index 0625952..a6c940e 100644
+--- a/contrib/udev.in
++++ b/contrib/udev.in
+@@ -1,4 +1,4 @@
+-ACTION=="add", SUBSYSTEM=="backlight", RUN+="/bin/chgrp @group@ /sys/class/backlight/%k/brightness"
+-ACTION=="add", SUBSYSTEM=="backlight", RUN+="/bin/chmod g+w /sys/class/backlight/%k/brightness"
+-ACTION=="add", SUBSYSTEM=="leds", RUN+="/bin/chgrp @group@ /sys/class/leds/%k/brightness"
+-ACTION=="add", SUBSYSTEM=="leds", RUN+="/bin/chmod g+w /sys/class/leds/%k/brightness"
++ACTION=="add", SUBSYSTEM=="backlight", RUN+="@coreutils@/bin/chgrp @group@ /sys/class/backlight/%k/brightness"
++ACTION=="add", SUBSYSTEM=="backlight", RUN+="@coreutils@/bin/chmod g+w /sys/class/backlight/%k/brightness"
++ACTION=="add", SUBSYSTEM=="leds", RUN+="@coreutils@/bin/chgrp @group@ /sys/class/leds/%k/brightness"
++ACTION=="add", SUBSYSTEM=="leds", RUN+="@coreutils@/bin/chmod g+w /sys/class/leds/%k/brightness"
diff --git a/nixpkgs/pkgs/os-specific/linux/broadcom-sta/default.nix b/nixpkgs/pkgs/os-specific/linux/broadcom-sta/default.nix
new file mode 100644
index 000000000000..6b7d8b912fa2
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/broadcom-sta/default.nix
@@ -0,0 +1,78 @@
+{ lib, stdenv, fetchurl, kernel }:
+
+let
+  version = "6.30.223.271";
+  hashes = {
+    i686-linux   = "1kaqa2dw3nb8k23ffvx46g8jj3wdhz8xa6jp1v3wb35cjfr712sg";
+    x86_64-linux = "1gj485qqr190idilacpxwgqyw21il03zph2rddizgj7fbd6pfyaz";
+  };
+
+  arch = lib.optionalString (stdenv.hostPlatform.system == "x86_64-linux") "_64";
+  tarballVersion = lib.replaceStrings ["."] ["_"] version;
+  tarball = "hybrid-v35${arch}-nodebug-pcoem-${tarballVersion}.tar.gz";
+in
+stdenv.mkDerivation {
+  name = "broadcom-sta-${version}-${kernel.version}";
+
+  src = fetchurl {
+    url = "https://docs.broadcom.com/docs-and-downloads/docs/linux_sta/${tarball}";
+    sha256 = hashes.${stdenv.hostPlatform.system} or (throw "Unsupported system: ${stdenv.hostPlatform.system}");
+  };
+
+  hardeningDisable = [ "pic" ];
+
+  nativeBuildInputs = kernel.moduleBuildDependencies;
+
+  patches = [
+    ./i686-build-failure.patch
+    ./license.patch
+    ./linux-4.7.patch
+    # source: https://git.archlinux.org/svntogit/community.git/tree/trunk/004-linux48.patch?h=packages/broadcom-wl-dkms
+    ./linux-4.8.patch
+    # source: https://aur.archlinux.org/cgit/aur.git/tree/linux411.patch?h=broadcom-wl
+    ./linux-4.11.patch
+    # source: https://aur.archlinux.org/cgit/aur.git/tree/linux412.patch?h=broadcom-wl
+    ./linux-4.12.patch
+    ./linux-4.15.patch
+    ./linux-5.1.patch
+    # source: https://salsa.debian.org/Herrie82-guest/broadcom-sta/-/commit/247307926e5540ad574a17c062c8da76990d056f
+    ./linux-5.6.patch
+    # source: https://gist.github.com/joanbm/5c640ac074d27fd1d82c74a5b67a1290
+    ./linux-5.9.patch
+    # source: https://github.com/archlinux/svntogit-community/blob/33b4bd2b9e30679b03f5d7aa2741911d914dcf94/trunk/012-linux517.patch
+    ./linux-5.17.patch
+    # source: https://github.com/archlinux/svntogit-community/blob/2e1fd240f9ce06f500feeaa3e4a9675e65e6b967/trunk/013-linux518.patch
+    ./linux-5.18.patch
+    # source: https://gist.github.com/joanbm/207210d74637870c01ef5a3c262a597d
+    ./linux-6.0.patch
+    # source: https://gist.github.com/joanbm/94323ea99eff1e1d1c51241b5b651549
+    ./linux-6.1.patch
+    ./pedantic-fix.patch
+    ./null-pointer-fix.patch
+    ./gcc.patch
+  ];
+
+  makeFlags = [ "KBASE=${kernel.dev}/lib/modules/${kernel.modDirVersion}" ];
+
+  unpackPhase = ''
+    sourceRoot=broadcom-sta
+    mkdir "$sourceRoot"
+    tar xvf "$src" -C "$sourceRoot"
+  '';
+
+  installPhase = ''
+    binDir="$out/lib/modules/${kernel.modDirVersion}/kernel/net/wireless/"
+    docDir="$out/share/doc/broadcom-sta/"
+    mkdir -p "$binDir" "$docDir"
+    cp wl.ko "$binDir"
+    cp lib/LICENSE.txt "$docDir"
+  '';
+
+  meta = {
+    description = "Kernel module driver for some Broadcom's wireless cards";
+    homepage = "http://www.broadcom.com/support/802.11/linux_sta.php";
+    license = lib.licenses.unfreeRedistributable;
+    maintainers = with lib.maintainers; [ ];
+    platforms = lib.platforms.linux;
+  };
+}
diff --git a/nixpkgs/pkgs/os-specific/linux/broadcom-sta/gcc.patch b/nixpkgs/pkgs/os-specific/linux/broadcom-sta/gcc.patch
new file mode 100644
index 000000000000..f93e3f1d3a3f
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/broadcom-sta/gcc.patch
@@ -0,0 +1,11 @@
+--- a/Makefile	2014-06-26 10:42:08.000000000 +0000
++++ b/Makefile	2014-07-17 22:44:01.662297228 +0000
+@@ -126,6 +126,8 @@
+ EXTRA_CFLAGS       += -I$(src)/src/shared/bcmwifi/include
+ #EXTRA_CFLAGS       += -DBCMDBG_ASSERT -DBCMDBG_ERR
+ 
++EXTRA_CFLAGS       += -Wno-date-time
++
+ EXTRA_LDFLAGS      := $(src)/lib/wlc_hybrid.o_shipped
+ 
+ KBASE              ?= /lib/modules/`uname -r`
diff --git a/nixpkgs/pkgs/os-specific/linux/broadcom-sta/i686-build-failure.patch b/nixpkgs/pkgs/os-specific/linux/broadcom-sta/i686-build-failure.patch
new file mode 100644
index 000000000000..9bb093ca49c5
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/broadcom-sta/i686-build-failure.patch
@@ -0,0 +1,18 @@
+https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit?id=fe47ae6e1a5005b2e82f7eab57b5c3820453293a
+https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit?id=4ea1636b04dbd66536fa387bae2eea463efc705b
+
+diff -ru a/src/shared/linux_osl.c b/src/shared/linux_osl.c
+--- a/src/shared/linux_osl.c	2015-09-19 01:47:15.000000000 +0300
++++ b/src/shared/linux_osl.c	2015-11-21 15:20:30.585902518 +0200
+@@ -932,7 +932,11 @@
+ 	uint cycles;
+ 
+ #if defined(__i386__)
++#if LINUX_VERSION_CODE >= KERNEL_VERSION(4, 3, 0)
++	cycles = (u32)rdtsc();
++#else
+ 	rdtscl(cycles);
++#endif
+ #else
+ 	cycles = 0;
+ #endif 
diff --git a/nixpkgs/pkgs/os-specific/linux/broadcom-sta/license.patch b/nixpkgs/pkgs/os-specific/linux/broadcom-sta/license.patch
new file mode 100644
index 000000000000..aebb46365195
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/broadcom-sta/license.patch
@@ -0,0 +1,13 @@
+diff -Naur hybrid-portsrc-x86_32-v5_10_91_9.orig/src/wl/sys/wl_linux.c hybrid-portsrc-x86_32-v5_10_91_9/src/wl/sys/wl_linux.c
+--- hybrid-portsrc-x86_32-v5_10_91_9.orig/src/wl/sys/wl_linux.c	2009-04-23 02:48:59.000000000 +0900
++++ hybrid-portsrc-x86_32-v5_10_91_9/src/wl/sys/wl_linux.c	2009-05-08 00:48:20.000000000 +0900
+@@ -171,6 +171,8 @@
+ static void wl_free_if(wl_info_t *wl, wl_if_t *wlif);
+ static void wl_get_driver_info(struct net_device *dev, struct ethtool_drvinfo *info);
+ 
++MODULE_LICENSE("MIXED/Proprietary");
++
+ #if defined(WL_CONFIG_RFKILL)
+ #include <linux/rfkill.h>
+ static int wl_init_rfkill(wl_info_t *wl);
+
diff --git a/nixpkgs/pkgs/os-specific/linux/broadcom-sta/linux-4.11.patch b/nixpkgs/pkgs/os-specific/linux/broadcom-sta/linux-4.11.patch
new file mode 100644
index 000000000000..a779f8c84cfd
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/broadcom-sta/linux-4.11.patch
@@ -0,0 +1,52 @@
+diff --git a/src/wl/sys/wl_cfg80211_hybrid.c b/src/wl/sys/wl_cfg80211_hybrid.c
+index a9671e2..da36405 100644
+--- a/src/wl/sys/wl_cfg80211_hybrid.c
++++ b/src/wl/sys/wl_cfg80211_hybrid.c
+@@ -30,6 +30,9 @@
+ #include <linux/kthread.h>
+ #include <linux/netdevice.h>
+ #include <linux/ieee80211.h>
++#if LINUX_VERSION_CODE >= KERNEL_VERSION(4, 11, 0)
++#include <linux/sched/signal.h>
++#endif
+ #include <net/cfg80211.h>
+ #include <linux/nl80211.h>
+ #include <net/rtnetlink.h>
+diff --git a/src/wl/sys/wl_linux.c b/src/wl/sys/wl_linux.c
+index 489c9f5..f8278ad 100644
+--- a/src/wl/sys/wl_linux.c
++++ b/src/wl/sys/wl_linux.c
+@@ -117,6 +117,9 @@ int wl_found = 0;
+ 
+ typedef struct priv_link {
+ 	wl_if_t *wlif;
++#if LINUX_VERSION_CODE >= KERNEL_VERSION(4, 11, 0)
++	unsigned long last_rx;
++#endif
+ } priv_link_t;
+ 
+ #define WL_DEV_IF(dev)          ((wl_if_t*)((priv_link_t*)DEV_PRIV(dev))->wlif)
+@@ -2450,6 +2453,9 @@ wl_monitor(wl_info_t *wl, wl_rxsts_t *rxsts, void *p)
+ {
+ 	struct sk_buff *oskb = (struct sk_buff *)p;
+ 	struct sk_buff *skb;
++#if LINUX_VERSION_CODE >= KERNEL_VERSION(4, 11, 0)
++	priv_link_t *priv_link;
++#endif
+ 	uchar *pdata;
+ 	uint len;
+ 
+@@ -2916,7 +2922,13 @@ wl_monitor(wl_info_t *wl, wl_rxsts_t *rxsts, void *p)
+ 	if (skb == NULL) return;
+ 
+ 	skb->dev = wl->monitor_dev;
++#if LINUX_VERSION_CODE >= KERNEL_VERSION(4, 11, 0)
++	priv_link = MALLOC(wl->osh, sizeof(priv_link_t));
++	priv_link = netdev_priv(skb->dev);
++	priv_link->last_rx = jiffies;
++#else
+ 	skb->dev->last_rx = jiffies;
++#endif
+ #if LINUX_VERSION_CODE >= KERNEL_VERSION(2, 6, 22)
+ 	skb_reset_mac_header(skb);
+ #else
diff --git a/nixpkgs/pkgs/os-specific/linux/broadcom-sta/linux-4.12.patch b/nixpkgs/pkgs/os-specific/linux/broadcom-sta/linux-4.12.patch
new file mode 100644
index 000000000000..8abc73db4db1
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/broadcom-sta/linux-4.12.patch
@@ -0,0 +1,68 @@
+diff --git a/src/wl/sys/wl_cfg80211_hybrid.c b/src/wl/sys/wl_cfg80211_hybrid.c
+index da36405..d3741eb 100644
+--- a/src/wl/sys/wl_cfg80211_hybrid.c
++++ b/src/wl/sys/wl_cfg80211_hybrid.c
+@@ -53,7 +53,11 @@ u32 wl_dbg_level = WL_DBG_ERR;
+ #endif
+ 
+ static s32 wl_cfg80211_change_iface(struct wiphy *wiphy, struct net_device *ndev,
++#if LINUX_VERSION_CODE >= KERNEL_VERSION(4, 12, 0)
++           enum nl80211_iftype type, struct vif_params *params);
++#else
+            enum nl80211_iftype type, u32 *flags, struct vif_params *params);
++#endif
+ #if LINUX_VERSION_CODE >= KERNEL_VERSION(3, 6, 0)
+ static s32
+ wl_cfg80211_scan(struct wiphy *wiphy,
+@@ -466,7 +470,11 @@ wl_dev_ioctl(struct net_device *dev, u32 cmd, void *arg, u32 len)
+ 
+ static s32
+ wl_cfg80211_change_iface(struct wiphy *wiphy, struct net_device *ndev,
++#if LINUX_VERSION_CODE >= KERNEL_VERSION(4, 12, 0)
++                         enum nl80211_iftype type,
++#else
+                          enum nl80211_iftype type, u32 *flags,
++#endif
+    struct vif_params *params)
+ {
+ 	struct wl_cfg80211_priv *wl = wiphy_to_wl(wiphy);
+@@ -2361,6 +2369,20 @@ wl_bss_roaming_done(struct wl_cfg80211_priv *wl, struct net_device *ndev,
+                     const wl_event_msg_t *e, void *data)
+ {
+ 	struct wl_cfg80211_connect_info *conn_info = wl_to_conn(wl);
++#if LINUX_VERSION_CODE >= KERNEL_VERSION(4, 12, 0)
++	struct cfg80211_bss *bss;
++	struct wlc_ssid *ssid;
++	ssid = &wl->profile->ssid;
++	bss = cfg80211_get_bss(wl_to_wiphy(wl), NULL, (s8 *)&wl->bssid,
++	ssid->SSID, ssid->SSID_len, WLAN_CAPABILITY_ESS, WLAN_CAPABILITY_ESS);
++	struct cfg80211_roam_info roam_info = {
++		.bss = bss,
++		.req_ie = conn_info->req_ie,
++		.req_ie_len = conn_info->req_ie_len,
++		.resp_ie = conn_info->resp_ie,
++		.resp_ie_len = conn_info->resp_ie_len,
++	};
++#endif
+ 	s32 err = 0;
+ 
+ 	wl_get_assoc_ies(wl);
+@@ -2368,12 +2390,17 @@ wl_bss_roaming_done(struct wl_cfg80211_priv *wl, struct net_device *ndev,
+ 	memcpy(&wl->bssid, &e->addr, ETHER_ADDR_LEN);
+ 	wl_update_bss_info(wl);
+ 	cfg80211_roamed(ndev,
++#if LINUX_VERSION_CODE >= KERNEL_VERSION(4, 12, 0)
++			&roam_info,
++#else
+ #if LINUX_VERSION_CODE > KERNEL_VERSION(2, 6, 39)
+ 			&wl->conf->channel,	 
+ #endif
+ 			(u8 *)&wl->bssid,
+ 			conn_info->req_ie, conn_info->req_ie_len,
+-			conn_info->resp_ie, conn_info->resp_ie_len, GFP_KERNEL);
++			conn_info->resp_ie, conn_info->resp_ie_len,
++#endif
++			GFP_KERNEL);
+ 	WL_DBG(("Report roaming result\n"));
+ 
+ 	set_bit(WL_STATUS_CONNECTED, &wl->status);
diff --git a/nixpkgs/pkgs/os-specific/linux/broadcom-sta/linux-4.15.patch b/nixpkgs/pkgs/os-specific/linux/broadcom-sta/linux-4.15.patch
new file mode 100644
index 000000000000..523fa291d525
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/broadcom-sta/linux-4.15.patch
@@ -0,0 +1,47 @@
+See: https://lkml.org/lkml/2017/11/25/90
+
+diff -urNZ a/src/wl/sys/wl_linux.c b/src/wl/sys/wl_linux.c
+--- a/src/wl/sys/wl_linux.c	2015-09-18 22:47:30.000000000 +0000
++++ b/src/wl/sys/wl_linux.c	2018-01-31 22:52:10.859856221 +0000
+@@ -93,7 +93,11 @@
+
+ #include <wlc_wowl.h>
+
++#if LINUX_VERSION_CODE >= KERNEL_VERSION(4, 15, 0)
++static void wl_timer(struct timer_list *tl);
++#else
+ static void wl_timer(ulong data);
++#endif
+ static void _wl_timer(wl_timer_t *t);
+ static struct net_device *wl_alloc_linux_if(wl_if_t *wlif);
+
+@@ -2298,9 +2302,15 @@
+ }
+
+ static void
++#if LINUX_VERSION_CODE >= KERNEL_VERSION(4, 15, 0)
++wl_timer(struct timer_list *tl)
++{
++	wl_timer_t *t = from_timer(t, tl, timer);
++#else
+ wl_timer(ulong data)
+ {
+ 	wl_timer_t *t = (wl_timer_t *)data;
++#endif
+
+ 	if (!WL_ALL_PASSIVE_ENAB(t->wl))
+ 		_wl_timer(t);
+@@ -2352,9 +2362,13 @@
+
+ 	bzero(t, sizeof(wl_timer_t));
+
++#if LINUX_VERSION_CODE >= KERNEL_VERSION(4, 15, 0)
++	timer_setup(&t->timer, wl_timer, 0);
++#else
+ 	init_timer(&t->timer);
+ 	t->timer.data = (ulong) t;
+ 	t->timer.function = wl_timer;
++#endif
+ 	t->wl = wl;
+ 	t->fn = fn;
+ 	t->arg = arg;
diff --git a/nixpkgs/pkgs/os-specific/linux/broadcom-sta/linux-4.7.patch b/nixpkgs/pkgs/os-specific/linux/broadcom-sta/linux-4.7.patch
new file mode 100644
index 000000000000..44222b3324bf
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/broadcom-sta/linux-4.7.patch
@@ -0,0 +1,109 @@
+Since Linux 4.7, the enum ieee80211_band is no longer used
+
+This shall cause no problem's since both enums ieee80211_band
+and nl80211_band were added in the same commit:
+https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit?id=13ae75b103e07304a34ab40c9136e9f53e06475c
+
+This patch refactors the references of IEEE80211_BAND_* to NL80211_BAND_*
+
+Reference:
+https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit?id=57fbcce37be7c1d2622b56587c10ade00e96afa3
+
+--- a/src/wl/sys/wl_cfg80211_hybrid.c	2016-06-13 11:57:36.159340297 -0500
++++ b/src/wl/sys/wl_cfg80211_hybrid.c	2016-06-13 11:58:18.442323435 -0500
+@@ -236,7 +236,7 @@
+ #endif				
+ 
+ #define CHAN2G(_channel, _freq, _flags) {			\
+-	.band			= IEEE80211_BAND_2GHZ,		\
++	.band			= NL80211_BAND_2GHZ,		\
+ 	.center_freq		= (_freq),			\
+ 	.hw_value		= (_channel),			\
+ 	.flags			= (_flags),			\
+@@ -245,7 +245,7 @@
+ }
+ 
+ #define CHAN5G(_channel, _flags) {				\
+-	.band			= IEEE80211_BAND_5GHZ,		\
++	.band			= NL80211_BAND_5GHZ,		\
+ 	.center_freq		= 5000 + (5 * (_channel)),	\
+ 	.hw_value		= (_channel),			\
+ 	.flags			= (_flags),			\
+@@ -379,7 +379,7 @@
+ };
+ 
+ static struct ieee80211_supported_band __wl_band_2ghz = {
+-	.band = IEEE80211_BAND_2GHZ,
++	.band = NL80211_BAND_2GHZ,
+ 	.channels = __wl_2ghz_channels,
+ 	.n_channels = ARRAY_SIZE(__wl_2ghz_channels),
+ 	.bitrates = wl_g_rates,
+@@ -387,7 +387,7 @@
+ };
+ 
+ static struct ieee80211_supported_band __wl_band_5ghz_a = {
+-	.band = IEEE80211_BAND_5GHZ,
++	.band = NL80211_BAND_5GHZ,
+ 	.channels = __wl_5ghz_a_channels,
+ 	.n_channels = ARRAY_SIZE(__wl_5ghz_a_channels),
+ 	.bitrates = wl_a_rates,
+@@ -395,7 +395,7 @@
+ };
+ 
+ static struct ieee80211_supported_band __wl_band_5ghz_n = {
+-	.band = IEEE80211_BAND_5GHZ,
++	.band = NL80211_BAND_5GHZ,
+ 	.channels = __wl_5ghz_n_channels,
+ 	.n_channels = ARRAY_SIZE(__wl_5ghz_n_channels),
+ 	.bitrates = wl_a_rates,
+@@ -1876,8 +1876,8 @@
+ 	wdev->wiphy->max_num_pmkids = WL_NUM_PMKIDS_MAX;
+ #endif
+ 	wdev->wiphy->interface_modes = BIT(NL80211_IFTYPE_STATION) | BIT(NL80211_IFTYPE_ADHOC);
+-	wdev->wiphy->bands[IEEE80211_BAND_2GHZ] = &__wl_band_2ghz;
+-	wdev->wiphy->bands[IEEE80211_BAND_5GHZ] = &__wl_band_5ghz_a; 
++	wdev->wiphy->bands[NL80211_BAND_2GHZ] = &__wl_band_2ghz;
++	wdev->wiphy->bands[NL80211_BAND_5GHZ] = &__wl_band_5ghz_a; 
+ 	wdev->wiphy->signal_type = CFG80211_SIGNAL_TYPE_MBM;
+ 	wdev->wiphy->cipher_suites = __wl_cipher_suites;
+ 	wdev->wiphy->n_cipher_suites = ARRAY_SIZE(__wl_cipher_suites);
+@@ -2000,7 +2000,7 @@
+ #if LINUX_VERSION_CODE >= KERNEL_VERSION(2, 6, 39)
+ 	freq = ieee80211_channel_to_frequency(notif_bss_info->channel,
+ 		(notif_bss_info->channel <= CH_MAX_2G_CHANNEL) ?
+-		IEEE80211_BAND_2GHZ : IEEE80211_BAND_5GHZ);
++		NL80211_BAND_2GHZ : NL80211_BAND_5GHZ);
+ #else
+ 	freq = ieee80211_channel_to_frequency(notif_bss_info->channel);
+ #endif
+@@ -2116,7 +2116,7 @@
+ 				return err;
+ 			}
+ 			chan = wf_chspec_ctlchan(chanspec);
+-			band = (chan <= CH_MAX_2G_CHANNEL) ? IEEE80211_BAND_2GHZ : IEEE80211_BAND_5GHZ;
++			band = (chan <= CH_MAX_2G_CHANNEL) ? NL80211_BAND_2GHZ : NL80211_BAND_5GHZ;
+ 			freq = ieee80211_channel_to_frequency(chan, band);
+ 			channel = ieee80211_get_channel(wiphy, freq);
+ 			cfg80211_ibss_joined(ndev, (u8 *)&wl->bssid, channel, GFP_KERNEL);
+@@ -2250,10 +2250,10 @@
+ 		join_params->params.chanspec_list[0] =
+ 		    ieee80211_frequency_to_channel(chan->center_freq);
+ 
+-		if (chan->band == IEEE80211_BAND_2GHZ) {
++		if (chan->band == NL80211_BAND_2GHZ) {
+ 			chanspec |= WL_CHANSPEC_BAND_2G;
+ 		}
+-		else if (chan->band == IEEE80211_BAND_5GHZ) {
++		else if (chan->band == NL80211_BAND_5GHZ) {
+ 			chanspec |= WL_CHANSPEC_BAND_5G;
+ 		}
+ 		else {
+@@ -2885,7 +2885,7 @@
+ 
+ 	if (phy == 'n' || phy == 'a' || phy == 'v') {
+ 		wiphy = wl_to_wiphy(wl);
+-		wiphy->bands[IEEE80211_BAND_5GHZ] = &__wl_band_5ghz_n;
++		wiphy->bands[NL80211_BAND_5GHZ] = &__wl_band_5ghz_n;
+ 	}
+ 
+ 	return err;
diff --git a/nixpkgs/pkgs/os-specific/linux/broadcom-sta/linux-4.8.patch b/nixpkgs/pkgs/os-specific/linux/broadcom-sta/linux-4.8.patch
new file mode 100644
index 000000000000..20e8a9ae49d2
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/broadcom-sta/linux-4.8.patch
@@ -0,0 +1,64 @@
+From d3f93542326a06d920c6eb89b703384290d37b8b Mon Sep 17 00:00:00 2001
+From: Alberto Milone <alberto.milone@canonical.com>
+Date: Fri, 2 Sep 2016 17:35:34 +0200
+Subject: [PATCH 1/1] Add support for Linux 4.8
+
+Orginal author: Krzysztof Kolasa
+---
+ src/wl/sys/wl_cfg80211_hybrid.c | 22 ++++++++++++++++++++++
+ 1 file changed, 22 insertions(+)
+
+diff --git a/src/wl/sys/wl_cfg80211_hybrid.c b/src/wl/sys/wl_cfg80211_hybrid.c
+index 2fc71fe..ec5e472 100644
+--- a/src/wl/sys/wl_cfg80211_hybrid.c
++++ b/src/wl/sys/wl_cfg80211_hybrid.c
+@@ -2388,8 +2388,16 @@ wl_bss_connect_done(struct wl_cfg80211_priv *wl, struct net_device *ndev,
+ 	s32 err = 0;
+ 
+ 	if (wl->scan_request) {
++#if LINUX_VERSION_CODE >= KERNEL_VERSION(4, 8, 0)
++		struct cfg80211_scan_info info = {
++			.aborted = true,
++		};
++		WL_DBG(("%s: Aborting scan\n", __FUNCTION__));
++		cfg80211_scan_done(wl->scan_request, &info);
++#else
+ 		WL_DBG(("%s: Aborting scan\n", __FUNCTION__));
+ 		cfg80211_scan_done(wl->scan_request, true);     
++#endif
+ 		wl->scan_request = NULL;
+ 	}
+ 
+@@ -2490,7 +2498,14 @@ wl_notify_scan_status(struct wl_cfg80211_priv *wl, struct net_device *ndev,
+ 
+ scan_done_out:
+ 	if (wl->scan_request) {
++#if LINUX_VERSION_CODE >= KERNEL_VERSION(4, 8, 0)
++		struct cfg80211_scan_info info = {
++			.aborted = false,
++		};
++		cfg80211_scan_done(wl->scan_request, &info);
++#else
+ 		cfg80211_scan_done(wl->scan_request, false);
++#endif
+ 		wl->scan_request = NULL;
+ 	}
+ 	rtnl_unlock();
+@@ -2909,7 +2924,14 @@ s32 wl_cfg80211_down(struct net_device *ndev)
+ 	s32 err = 0;
+ 
+ 	if (wl->scan_request) {
++#if LINUX_VERSION_CODE >= KERNEL_VERSION(4, 8, 0)
++		struct cfg80211_scan_info info = {
++			.aborted = true,
++		};
++		cfg80211_scan_done(wl->scan_request, &info);
++#else
+ 		cfg80211_scan_done(wl->scan_request, true);	
++#endif
+ 		wl->scan_request = NULL;
+ 	}
+ 
+-- 
+2.7.4
+
diff --git a/nixpkgs/pkgs/os-specific/linux/broadcom-sta/linux-5.1.patch b/nixpkgs/pkgs/os-specific/linux/broadcom-sta/linux-5.1.patch
new file mode 100644
index 000000000000..8f04a737cab8
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/broadcom-sta/linux-5.1.patch
@@ -0,0 +1,32 @@
+commit bcb06af629a36eb84f9a35ac599ec7e51e2d39fb
+Author: georgewhewell <georgerw@gmail.com>
+Date:   Sat May 18 21:22:37 2019 +0100
+
+    find src -type f -name \'*.c\' -exec sed -i "s/get_ds()/KERNEL_DS/g" {} \;
+
+diff --git a/src/wl/sys/wl_cfg80211_hybrid.c b/src/wl/sys/wl_cfg80211_hybrid.c
+index 7b606e0..51c81bc 100644
+--- a/src/wl/sys/wl_cfg80211_hybrid.c
++++ b/src/wl/sys/wl_cfg80211_hybrid.c
+@@ -450,7 +450,7 @@ wl_dev_ioctl(struct net_device *dev, u32 cmd, void *arg, u32 len)
+ 	ifr.ifr_data = (caddr_t)&ioc;
+ 
+ 	fs = get_fs();
+-	set_fs(get_ds());
++	set_fs(KERNEL_DS);
+ #if defined(WL_USE_NETDEV_OPS)
+ 	err = dev->netdev_ops->ndo_do_ioctl(dev, &ifr, SIOCDEVPRIVATE);
+ #else
+diff --git a/src/wl/sys/wl_iw.c b/src/wl/sys/wl_iw.c
+index c4c610b..9c3c74e 100644
+--- a/src/wl/sys/wl_iw.c
++++ b/src/wl/sys/wl_iw.c
+@@ -117,7 +117,7 @@ dev_wlc_ioctl(
+ 	ifr.ifr_data = (caddr_t) &ioc;
+ 
+ 	fs = get_fs();
+-	set_fs(get_ds());
++	set_fs(KERNEL_DS);
+ #if defined(WL_USE_NETDEV_OPS)
+ 	ret = dev->netdev_ops->ndo_do_ioctl(dev, &ifr, SIOCDEVPRIVATE);
+ #else
diff --git a/nixpkgs/pkgs/os-specific/linux/broadcom-sta/linux-5.17.patch b/nixpkgs/pkgs/os-specific/linux/broadcom-sta/linux-5.17.patch
new file mode 100644
index 000000000000..6f23316691c8
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/broadcom-sta/linux-5.17.patch
@@ -0,0 +1,80 @@
+From 31b7849092c43805c7fbaf7518b99874aa1b310c Mon Sep 17 00:00:00 2001
+From: Joan Bruguera <joanbrugueram@gmail.com>
+Date: Wed, 12 Jan 2022 20:49:20 +0100
+Subject: [PATCH] Tentative fix for broadcom-wl 6.30.223.271 driver for Linux 5.17-rc1
+
+Set netdev->dev_addr through dev_addr_mod + PDE_DATA fix
+
+Since Linux 5.17 netdev->dev_addr is const and must be changed through
+dev_addr_mod, otherwise a warning is logged in dmesg and bad things may happen.
+
+NB: The #if is not wrong, dev_addr_mod is defined since Linux 5.15-rc1
+
+Plus a trivial fix for PDE_DATA.
+
+Applies on top of all the patches applied to broadcom-wl-dkms 6.30.223.271-28 on Arch Linux.
+
+See also: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=adeef3e32146a8d2a73c399dc6f5d76a449131b1
+          https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=359745d78351c6f5442435f81549f0207ece28aa
+---
+ src/wl/sys/wl_linux.c | 16 +++++++++++++---
+ 1 file changed, 13 insertions(+), 3 deletions(-)
+
+diff --git a/src/wl/sys/wl_linux.c b/src/wl/sys/wl_linux.c
+index e491df7..e4614fb 100644
+--- a/src/wl/sys/wl_linux.c
++++ b/src/wl/sys/wl_linux.c
+@@ -93,6 +93,10 @@ struct iw_statistics *wl_get_wireless_stats(struct net_device *dev);
+ 
+ #include <wlc_wowl.h>
+ 
++#if (LINUX_VERSION_CODE >= KERNEL_VERSION(5, 17, 0))
++#define PDE_DATA pde_data
++#endif
++
+ #if LINUX_VERSION_CODE >= KERNEL_VERSION(4, 15, 0)
+ static void wl_timer(struct timer_list *tl);
+ #else
+@@ -490,6 +494,12 @@ wl_if_setup(struct net_device *dev)
+ #endif
+ }
+ 
++#if LINUX_VERSION_CODE < KERNEL_VERSION(5, 15, 0)
++static inline void eth_hw_addr_set(struct net_device *dev, const void *addr) {
++	memcpy(dev->dev_addr, addr, ETHER_ADDR_LEN);
++}
++#endif
++
+ static wl_info_t *
+ wl_attach(uint16 vendor, uint16 device, ulong regs,
+ 	uint bustype, void *btparam, uint irq, uchar* bar1_addr, uint32 bar1_size)
+@@ -634,7 +644,7 @@ wl_attach(uint16 vendor, uint16 device, ulong regs,
+ 			WL_ERROR(("wl%d: Error setting MAC ADDRESS\n", unit));
+ 	}
+ #endif 
+-	bcopy(&wl->pub->cur_etheraddr, dev->dev_addr, ETHER_ADDR_LEN);
++	eth_hw_addr_set(dev, wl->pub->cur_etheraddr.octet);
+ 
+ 	online_cpus = 1;
+ 
+@@ -1835,7 +1845,7 @@ wl_set_mac_address(struct net_device *dev, void *addr)
+ 
+ 	WL_LOCK(wl);
+ 
+-	bcopy(sa->sa_data, dev->dev_addr, ETHER_ADDR_LEN);
++	eth_hw_addr_set(dev, sa->sa_data);
+ 	err = wlc_iovar_op(wl->wlc, "cur_etheraddr", NULL, 0, sa->sa_data, ETHER_ADDR_LEN,
+ 		IOV_SET, (WL_DEV_IF(dev))->wlcif);
+ 	WL_UNLOCK(wl);
+@@ -3010,7 +3020,7 @@ _wl_add_monitor_if(wl_task_t *task)
+ 	else
+ 		dev->type = ARPHRD_IEEE80211_RADIOTAP;
+ 
+-	bcopy(wl->dev->dev_addr, dev->dev_addr, ETHER_ADDR_LEN);
++	eth_hw_addr_set(dev, wl->dev->dev_addr);
+ 
+ #if defined(WL_USE_NETDEV_OPS)
+ 	dev->netdev_ops = &wl_netdev_monitor_ops;
+-- 
+2.35.1
+
diff --git a/nixpkgs/pkgs/os-specific/linux/broadcom-sta/linux-5.18.patch b/nixpkgs/pkgs/os-specific/linux/broadcom-sta/linux-5.18.patch
new file mode 100644
index 000000000000..d837429a6899
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/broadcom-sta/linux-5.18.patch
@@ -0,0 +1,71 @@
+diff -u -r a/src/shared/linux_osl.c b/src/shared/linux_osl.c
+--- a/src/shared/linux_osl.c	2022-05-24 20:51:15.662604980 +0000
++++ b/src/shared/linux_osl.c	2022-05-24 21:13:38.264472425 +0000
+@@ -599,6 +599,8 @@
+ 	va = kmalloc(size, GFP_ATOMIC | __GFP_ZERO);
+ 	if (va)
+ 		*pap = (ulong)__virt_to_phys(va);
++#elif LINUX_VERSION_CODE >= KERNEL_VERSION(5, 18, 0)
++	va = dma_alloc_coherent(&((struct pci_dev *)osh->pdev)->dev, size, (dma_addr_t*)pap, GFP_ATOMIC);
+ #else
+ 	va = pci_alloc_consistent(osh->pdev, size, (dma_addr_t*)pap);
+ #endif
+@@ -612,6 +614,8 @@
+ 
+ #ifdef __ARM_ARCH_7A__
+ 	kfree(va);
++#elif LINUX_VERSION_CODE >= KERNEL_VERSION(5, 18, 0)
++	dma_free_coherent(&((struct pci_dev *)osh->pdev)->dev, size, va, (dma_addr_t)pa);
+ #else
+ 	pci_free_consistent(osh->pdev, size, va, (dma_addr_t)pa);
+ #endif
+@@ -623,7 +627,11 @@
+ 	int dir;
+ 
+ 	ASSERT((osh && (osh->magic == OS_HANDLE_MAGIC)));
++#if LINUX_VERSION_CODE >= KERNEL_VERSION(5, 18, 0)
++	dir = (direction == DMA_TX)? DMA_TO_DEVICE: DMA_FROM_DEVICE;
++#else
+ 	dir = (direction == DMA_TX)? PCI_DMA_TODEVICE: PCI_DMA_FROMDEVICE;
++#endif
+ 
+ #if defined(__ARM_ARCH_7A__) && defined(BCMDMASGLISTOSL)
+ 	if (dmah != NULL) {
+@@ -641,7 +649,11 @@
+ 				ASSERT(totsegs + nsegs <= MAX_DMA_SEGS);
+ 				sg->page_link = 0;
+ 				sg_set_buf(sg, PKTDATA(osh, skb), PKTLEN(osh, skb));
++#if LINUX_VERSION_CODE >= KERNEL_VERSION(5, 18, 0)
++				dma_map_single(&((struct pci_dev *)osh->pdev)->dev, PKTDATA(osh, skb), PKTLEN(osh, skb), dir);
++#else
+ 				pci_map_single(osh->pdev, PKTDATA(osh, skb), PKTLEN(osh, skb), dir);
++#endif
+ 			}
+ 			totsegs += nsegs;
+ 			totlen += PKTLEN(osh, skb);
+@@ -656,7 +668,11 @@
+ 	}
+ #endif 
+ 
++#if LINUX_VERSION_CODE >= KERNEL_VERSION(5, 18, 0)
++	return (dma_map_single(&((struct pci_dev *)osh->pdev)->dev, va, size, dir));
++#else
+ 	return (pci_map_single(osh->pdev, va, size, dir));
++#endif
+ }
+ 
+ void BCMFASTPATH
+@@ -665,8 +681,13 @@
+ 	int dir;
+ 
+ 	ASSERT((osh && (osh->magic == OS_HANDLE_MAGIC)));
++#if LINUX_VERSION_CODE >= KERNEL_VERSION(5, 18, 0)
++	dir = (direction == DMA_TX)? DMA_TO_DEVICE: DMA_FROM_DEVICE;
++	dma_unmap_single(&((struct pci_dev *)osh->pdev)->dev, (uint32)pa, size, dir);
++#else
+ 	dir = (direction == DMA_TX)? PCI_DMA_TODEVICE: PCI_DMA_FROMDEVICE;
+ 	pci_unmap_single(osh->pdev, (uint32)pa, size, dir);
++#endif
+ }
+ 
+ #if defined(BCMDBG_ASSERT)
diff --git a/nixpkgs/pkgs/os-specific/linux/broadcom-sta/linux-5.6.patch b/nixpkgs/pkgs/os-specific/linux/broadcom-sta/linux-5.6.patch
new file mode 100644
index 000000000000..df5af79f77c6
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/broadcom-sta/linux-5.6.patch
@@ -0,0 +1,87 @@
+From dd057e40a167f4febb1a7c77dd32b7d36056952c Mon Sep 17 00:00:00 2001
+From: Herman van Hazendonk <github.com@herrie.org>
+Date: Tue, 31 Mar 2020 17:09:55 +0200
+Subject: [PATCH] Add fixes for 5.6 kernel
+
+Use ioremap instead of ioremap_nocache and proc_ops instead of file_operations on Linux kernel 5.6 and above.
+
+Signed-off-by: Herman van Hazendonk <github.com@herrie.org>
+---
+ src/shared/linux_osl.c |  6 +++++-
+ src/wl/sys/wl_linux.c  | 21 ++++++++++++++++++++-
+ 2 files changed, 25 insertions(+), 2 deletions(-)
+
+diff --git a/src/shared/linux_osl.c b/src/shared/linux_osl.c
+index 6157d18..dcfc075 100644
+--- a/src/shared/linux_osl.c
++++ b/src/shared/linux_osl.c
+@@ -942,7 +942,11 @@ osl_getcycles(void)
+ void *
+ osl_reg_map(uint32 pa, uint size)
+ {
+-	return (ioremap_nocache((unsigned long)pa, (unsigned long)size));
++	#if LINUX_VERSION_CODE >= KERNEL_VERSION(5, 6, 0)
++		return (ioremap((unsigned long)pa, (unsigned long)size));
++	#else
++		return (ioremap_nocache((unsigned long)pa, (unsigned long)size));
++	#endif /* LINUX_VERSION_CODE >= KERNEL_VERSION(5, 6, 0) */
+ }
+ 
+ void
+diff --git a/src/wl/sys/wl_linux.c b/src/wl/sys/wl_linux.c
+index 0d05100..6d9dd0d 100644
+--- a/src/wl/sys/wl_linux.c
++++ b/src/wl/sys/wl_linux.c
+@@ -582,10 +582,17 @@ wl_attach(uint16 vendor, uint16 device, ulong regs,
+ 	}
+ 	wl->bcm_bustype = bustype;
+ 
++	#if LINUX_VERSION_CODE >= KERNEL_VERSION(5, 6, 0)
++	if ((wl->regsva = ioremap(dev->base_addr, PCI_BAR0_WINSZ)) == NULL) {
++		WL_ERROR(("wl%d: ioremap() failed\n", unit));
++		goto fail;
++	}
++	#else 
+ 	if ((wl->regsva = ioremap_nocache(dev->base_addr, PCI_BAR0_WINSZ)) == NULL) {
+ 		WL_ERROR(("wl%d: ioremap() failed\n", unit));
+ 		goto fail;
+ 	}
++	#endif /* LINUX_VERSION_CODE >= KERNEL_VERSION(5, 6, 0) */
+ 
+ 	wl->bar1_addr = bar1_addr;
+ 	wl->bar1_size = bar1_size;
+@@ -772,8 +779,13 @@ wl_pci_probe(struct pci_dev *pdev, const struct pci_device_id *ent)
+ 	if ((val & 0x0000ff00) != 0)
+ 		pci_write_config_dword(pdev, 0x40, val & 0xffff00ff);
+ 		bar1_size = pci_resource_len(pdev, 2);
++		#if LINUX_VERSION_CODE >= KERNEL_VERSION(5, 6, 0)
++		bar1_addr = (uchar *)ioremap(pci_resource_start(pdev, 2),
++			bar1_size);
++		#else
+ 		bar1_addr = (uchar *)ioremap_nocache(pci_resource_start(pdev, 2),
+ 			bar1_size);
++		#endif /* LINUX_VERSION_CODE >= KERNEL_VERSION(5, 6, 0) */
+ 	wl = wl_attach(pdev->vendor, pdev->device, pci_resource_start(pdev, 0), PCI_BUS, pdev,
+ 		pdev->irq, bar1_addr, bar1_size);
+ 
+@@ -3335,12 +3347,19 @@ wl_proc_write(struct file *filp, const char __user *buff, size_t length, loff_t
+ }
+ 
+ #if LINUX_VERSION_CODE >= KERNEL_VERSION(3, 10, 0)
++#if LINUX_VERSION_CODE >= KERNEL_VERSION(5, 6, 0)
++static const struct proc_ops wl_fops = {
++	.proc_read	= wl_proc_read,
++	.proc_write	= wl_proc_write,
++};
++#else
+ static const struct file_operations wl_fops = {
+ 	.owner	= THIS_MODULE,
+ 	.read	= wl_proc_read,
+ 	.write	= wl_proc_write,
+ };
+-#endif
++#endif /* LINUX_VERSION_CODE >= KERNEL_VERSION(5, 6, 0) */
++#endif /* LINUX_VERSION_CODE >= KERNEL_VERSION(3, 10, 0) */
+ 
+ static int
+ wl_reg_proc_entry(wl_info_t *wl)
diff --git a/nixpkgs/pkgs/os-specific/linux/broadcom-sta/linux-5.9.patch b/nixpkgs/pkgs/os-specific/linux/broadcom-sta/linux-5.9.patch
new file mode 100644
index 000000000000..2a4e6fa89cc3
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/broadcom-sta/linux-5.9.patch
@@ -0,0 +1,184 @@
+diff --git a/src/wl/sys/wl_cfg80211_hybrid.c b/src/wl/sys/wl_cfg80211_hybrid.c
+index 4b3298f..c45ad48 100644
+--- a/src/wl/sys/wl_cfg80211_hybrid.c
++++ b/src/wl/sys/wl_cfg80211_hybrid.c
+@@ -41,6 +41,7 @@
+ #include <wlioctl.h>
+ #include <proto/802.11.h>
+ #include <wl_cfg80211_hybrid.h>
++#include <wl_linux.h>
+ 
+ #define EVENT_TYPE(e) dtoh32((e)->event_type)
+ #define EVENT_FLAGS(e) dtoh16((e)->flags)
+@@ -442,30 +443,7 @@ static void key_endian_to_host(struct wl_wsec_key *key)
+ static s32
+ wl_dev_ioctl(struct net_device *dev, u32 cmd, void *arg, u32 len)
+ {
+-	struct ifreq ifr;
+-	struct wl_ioctl ioc;
+-	mm_segment_t fs;
+-	s32 err = 0;
+-
+-	BUG_ON(len < sizeof(int));
+-
+-	memset(&ioc, 0, sizeof(ioc));
+-	ioc.cmd = cmd;
+-	ioc.buf = arg;
+-	ioc.len = len;
+-	strcpy(ifr.ifr_name, dev->name);
+-	ifr.ifr_data = (caddr_t)&ioc;
+-
+-	fs = get_fs();
+-	set_fs(KERNEL_DS);
+-#if defined(WL_USE_NETDEV_OPS)
+-	err = dev->netdev_ops->ndo_do_ioctl(dev, &ifr, SIOCDEVPRIVATE);
+-#else
+-	err = dev->do_ioctl(dev, &ifr, SIOCDEVPRIVATE);
+-#endif
+-	set_fs(fs);
+-
+-	return err;
++	return wlc_ioctl_internal(dev, cmd, arg, len);
+ }
+ 
+ static s32
+diff --git a/src/wl/sys/wl_iw.c b/src/wl/sys/wl_iw.c
+index 9c3c74e..e346b15 100644
+--- a/src/wl/sys/wl_iw.c
++++ b/src/wl/sys/wl_iw.c
+@@ -37,6 +37,7 @@ typedef const struct si_pub	si_t;
+ 
+ #include <wl_dbg.h>
+ #include <wl_iw.h>
++#include <wl_linux.h>
+ 
+ extern bool wl_iw_conn_status_str(uint32 event_type, uint32 status,
+ 	uint32 reason, char* stringBuf, uint buflen);
+@@ -103,29 +104,7 @@ dev_wlc_ioctl(
+ 	int len
+ )
+ {
+-	struct ifreq ifr;
+-	wl_ioctl_t ioc;
+-	mm_segment_t fs;
+-	int ret;
+-
+-	memset(&ioc, 0, sizeof(ioc));
+-	ioc.cmd = cmd;
+-	ioc.buf = arg;
+-	ioc.len = len;
+-
+-	strcpy(ifr.ifr_name, dev->name);
+-	ifr.ifr_data = (caddr_t) &ioc;
+-
+-	fs = get_fs();
+-	set_fs(KERNEL_DS);
+-#if defined(WL_USE_NETDEV_OPS)
+-	ret = dev->netdev_ops->ndo_do_ioctl(dev, &ifr, SIOCDEVPRIVATE);
+-#else
+-	ret = dev->do_ioctl(dev, &ifr, SIOCDEVPRIVATE);
+-#endif
+-	set_fs(fs);
+-
+-	return ret;
++	return wlc_ioctl_internal(dev, cmd, arg, len);
+ }
+ 
+ static int
+diff --git a/src/wl/sys/wl_linux.c b/src/wl/sys/wl_linux.c
+index c990c70..5bb9480 100644
+--- a/src/wl/sys/wl_linux.c
++++ b/src/wl/sys/wl_linux.c
+@@ -1664,10 +1664,7 @@ wl_ioctl(struct net_device *dev, struct ifreq *ifr, int cmd)
+ 		goto done2;
+ 	}
+ 
+-	if (segment_eq(get_fs(), KERNEL_DS))
+-		buf = ioc.buf;
+-
+-	else if (ioc.buf) {
++	if (ioc.buf) {
+ 		if (!(buf = (void *) MALLOC(wl->osh, MAX(ioc.len, WLC_IOCTL_MAXLEN)))) {
+ 			bcmerror = BCME_NORESOURCE;
+ 			goto done2;
+@@ -1688,7 +1685,7 @@ wl_ioctl(struct net_device *dev, struct ifreq *ifr, int cmd)
+ 	WL_UNLOCK(wl);
+ 
+ done1:
+-	if (ioc.buf && (ioc.buf != buf)) {
++	if (ioc.buf) {
+ 		if (copy_to_user(ioc.buf, buf, ioc.len))
+ 			bcmerror = BCME_BADADDR;
+ 		MFREE(wl->osh, buf, MAX(ioc.len, WLC_IOCTL_MAXLEN));
+@@ -1701,6 +1698,39 @@ done2:
+ 	return (OSL_ERROR(bcmerror));
+ }
+ 
++int
++wlc_ioctl_internal(struct net_device *dev, int cmd, void *buf, int len)
++{
++	wl_info_t *wl;
++	wl_if_t *wlif;
++	int bcmerror;
++
++	if (!dev)
++		return -ENETDOWN;
++
++	wl = WL_INFO(dev);
++	wlif = WL_DEV_IF(dev);
++	if (wlif == NULL || wl == NULL || wl->dev == NULL)
++		return -ENETDOWN;
++
++	bcmerror = 0;
++
++	WL_TRACE(("wl%d: wlc_ioctl_internal: cmd 0x%x\n", wl->pub->unit, cmd));
++
++	WL_LOCK(wl);
++	if (!capable(CAP_NET_ADMIN)) {
++		bcmerror = BCME_EPERM;
++	} else {
++		bcmerror = wlc_ioctl(wl->wlc, cmd, buf, len, wlif->wlcif);
++	}
++	WL_UNLOCK(wl);
++
++	ASSERT(VALID_BCMERROR(bcmerror));
++	if (bcmerror != 0)
++		wl->pub->bcmerror = bcmerror;
++	return (OSL_ERROR(bcmerror));
++}
++
+ static struct net_device_stats*
+ wl_get_stats(struct net_device *dev)
+ {
+diff --git a/src/wl/sys/wl_linux.h b/src/wl/sys/wl_linux.h
+index 5b1048e..c8c1f41 100644
+--- a/src/wl/sys/wl_linux.h
++++ b/src/wl/sys/wl_linux.h
+@@ -22,6 +22,7 @@
+ #define _wl_linux_h_
+ 
+ #include <wlc_types.h>
++#include <wlc_pub.h>
+ 
+ typedef struct wl_timer {
+ 	struct timer_list 	timer;
+@@ -187,6 +188,7 @@ extern irqreturn_t wl_isr(int irq, void *dev_id, struct pt_regs *ptregs);
+ extern int __devinit wl_pci_probe(struct pci_dev *pdev, const struct pci_device_id *ent);
+ extern void wl_free(wl_info_t *wl);
+ extern int  wl_ioctl(struct net_device *dev, struct ifreq *ifr, int cmd);
++extern int wlc_ioctl_internal(struct net_device *dev, int cmd, void *buf, int len);
+ extern struct net_device * wl_netdev_get(wl_info_t *wl);
+ 
+ #endif 
+diff --git a/src/wl/sys/wlc_pub.h b/src/wl/sys/wlc_pub.h
+index 53a98b8..2b5a029 100644
+--- a/src/wl/sys/wlc_pub.h
++++ b/src/wl/sys/wlc_pub.h
+@@ -24,6 +24,7 @@
+ 
+ #include <wlc_types.h>
+ #include <wlc_utils.h>
++#include <siutils.h>
+ #include "proto/802.11.h"
+ #include "proto/bcmevent.h"
+ 
diff --git a/nixpkgs/pkgs/os-specific/linux/broadcom-sta/linux-6.0.patch b/nixpkgs/pkgs/os-specific/linux/broadcom-sta/linux-6.0.patch
new file mode 100644
index 000000000000..dcb5515264d3
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/broadcom-sta/linux-6.0.patch
@@ -0,0 +1,30 @@
+From dbee29df729e543a89b3f95c1436e982eb0047c1 Mon Sep 17 00:00:00 2001
+From: Joan Bruguera <joanbrugueram@gmail.com>
+Date: Thu, 30 Jun 2022 02:15:35 +0200
+Subject: [PATCH] Tentative patch for broadcom-wl 6.30.223.271 driver for Linux 6.0-rc1
+
+Applies on top of all the patches applied to broadcom-wl-dkms 6.30.223.271-33 on Arch Linux.
+---
+ src/wl/sys/wl_cfg80211_hybrid.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/src/wl/sys/wl_cfg80211_hybrid.c b/src/wl/sys/wl_cfg80211_hybrid.c
+index d815b33..7faa735 100644
+--- a/src/wl/sys/wl_cfg80211_hybrid.c
++++ b/src/wl/sys/wl_cfg80211_hybrid.c
+@@ -2381,7 +2381,12 @@ wl_bss_roaming_done(struct wl_cfg80211_priv *wl, struct net_device *ndev,
+ 	bss = cfg80211_get_bss(wl_to_wiphy(wl), NULL, (s8 *)&wl->bssid,
+ 	ssid->SSID, ssid->SSID_len, WLAN_CAPABILITY_ESS, WLAN_CAPABILITY_ESS);
+ 	struct cfg80211_roam_info roam_info = {
++// Rel. commit "cfg80211: Indicate MLO connection info in connect and roam callbacks" (Veerendranath Jakkam, Wed Jun 8)
++#if LINUX_VERSION_CODE < KERNEL_VERSION(6, 0, 0)
+ 		.bss = bss,
++#else
++		.links[0].bss = bss,
++#endif
+ 		.req_ie = conn_info->req_ie,
+ 		.req_ie_len = conn_info->req_ie_len,
+ 		.resp_ie = conn_info->resp_ie,
+-- 
+2.37.0
+
diff --git a/nixpkgs/pkgs/os-specific/linux/broadcom-sta/linux-6.1.patch b/nixpkgs/pkgs/os-specific/linux/broadcom-sta/linux-6.1.patch
new file mode 100644
index 000000000000..5ececd487d74
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/broadcom-sta/linux-6.1.patch
@@ -0,0 +1,83 @@
+From a63a5f70e5cf05f6bce4cda2e0dd67462e1d76a5 Mon Sep 17 00:00:00 2001
+From: Joan Bruguera <joanbrugueram@gmail.com>
+Date: Mon, 29 Aug 2022 00:06:53 +0200
+Subject: [PATCH] Tentative patch for broadcom-wl 6.30.223.271 driver for Linux 6.1-rc1
+
+Applies on top of all the patches applied to broadcom-wl-dkms 6.30.223.271-35 on Arch Linux
+---
+ src/wl/sys/wl_cfg80211_hybrid.c | 21 +++++++++++++--------
+ 1 file changed, 13 insertions(+), 8 deletions(-)
+
+diff --git a/src/wl/sys/wl_cfg80211_hybrid.c b/src/wl/sys/wl_cfg80211_hybrid.c
+index 4fef22a..50d1e34 100644
+--- a/src/wl/sys/wl_cfg80211_hybrid.c
++++ b/src/wl/sys/wl_cfg80211_hybrid.c
+@@ -105,20 +105,25 @@ static s32 wl_cfg80211_get_tx_power(struct wiphy *wiphy, struct wireless_dev *wd
+ static s32 wl_cfg80211_get_tx_power(struct wiphy *wiphy, s32 *dbm);
+ #endif
+ 
++#if LINUX_VERSION_CODE >= KERNEL_VERSION(6, 1, 0)
++#define MAYBE_INT_LINK_ID int link_id,
++#else
++#define MAYBE_INT_LINK_ID
++#endif
+ #if LINUX_VERSION_CODE >= KERNEL_VERSION(2, 6, 38)
+ static s32 wl_cfg80211_config_default_key(struct wiphy *wiphy,
+-           struct net_device *dev, u8 key_idx, bool unicast, bool multicast);
++           struct net_device *dev, MAYBE_INT_LINK_ID u8 key_idx, bool unicast, bool multicast);
+ #else
+ static s32 wl_cfg80211_config_default_key(struct wiphy *wiphy,
+            struct net_device *dev, u8 key_idx);
+ #endif
+ #if LINUX_VERSION_CODE >= KERNEL_VERSION(2, 6, 37)
+ static s32 wl_cfg80211_add_key(struct wiphy *wiphy, struct net_device *dev,
+-           u8 key_idx, bool pairwise, const u8 *mac_addr, struct key_params *params);
++           MAYBE_INT_LINK_ID u8 key_idx, bool pairwise, const u8 *mac_addr, struct key_params *params);
+ static s32 wl_cfg80211_del_key(struct wiphy *wiphy, struct net_device *dev,
+-           u8 key_idx, bool pairwise, const u8 *mac_addr);
++           MAYBE_INT_LINK_ID u8 key_idx, bool pairwise, const u8 *mac_addr);
+ static s32 wl_cfg80211_get_key(struct wiphy *wiphy, struct net_device *dev,
+-           u8 key_idx, bool pairwise, const u8 *mac_addr,
++           MAYBE_INT_LINK_ID u8 key_idx, bool pairwise, const u8 *mac_addr,
+            void *cookie, void (*callback) (void *cookie, struct key_params *params));
+ #else
+ static s32 wl_cfg80211_add_key(struct wiphy *wiphy, struct net_device *dev,
+@@ -1165,7 +1170,7 @@ static s32 wl_cfg80211_get_tx_power(struct wiphy *wiphy, s32 *dbm)
+ #if LINUX_VERSION_CODE >= KERNEL_VERSION(2, 6, 38)
+ static s32
+ wl_cfg80211_config_default_key(struct wiphy *wiphy,
+-	struct net_device *dev, u8 key_idx, bool unicast, bool multicast)
++	struct net_device *dev, MAYBE_INT_LINK_ID u8 key_idx, bool unicast, bool multicast)
+ #else
+ static s32
+ wl_cfg80211_config_default_key(struct wiphy *wiphy,
+@@ -1190,7 +1195,7 @@ wl_cfg80211_config_default_key(struct wiphy *wiphy,
+ #if LINUX_VERSION_CODE >= KERNEL_VERSION(2, 6, 37)
+ static s32
+ wl_cfg80211_add_key(struct wiphy *wiphy, struct net_device *dev,
+-                    u8 key_idx, bool pairwise, const u8 *mac_addr, struct key_params *params)
++                    MAYBE_INT_LINK_ID u8 key_idx, bool pairwise, const u8 *mac_addr, struct key_params *params)
+ #else
+ static s32
+ wl_cfg80211_add_key(struct wiphy *wiphy, struct net_device *dev,
+@@ -1311,7 +1316,7 @@ wl_cfg80211_add_key(struct wiphy *wiphy, struct net_device *dev,
+ #if LINUX_VERSION_CODE >= KERNEL_VERSION(2, 6, 37)
+ static s32
+ wl_cfg80211_del_key(struct wiphy *wiphy, struct net_device *dev,
+-                    u8 key_idx, bool pairwise, const u8 *mac_addr)
++                    MAYBE_INT_LINK_ID u8 key_idx, bool pairwise, const u8 *mac_addr)
+ #else
+ static s32
+ wl_cfg80211_del_key(struct wiphy *wiphy, struct net_device *dev,
+@@ -1354,7 +1359,7 @@ wl_cfg80211_del_key(struct wiphy *wiphy, struct net_device *dev,
+ #if LINUX_VERSION_CODE >= KERNEL_VERSION(2, 6, 37)
+ static s32
+ wl_cfg80211_get_key(struct wiphy *wiphy, struct net_device *dev,
+-                    u8 key_idx, bool pairwise, const u8 *mac_addr, void *cookie,
++                    MAYBE_INT_LINK_ID u8 key_idx, bool pairwise, const u8 *mac_addr, void *cookie,
+                     void (*callback) (void *cookie, struct key_params * params))
+ #else
+ static s32
+-- 
+2.37.2
+
diff --git a/nixpkgs/pkgs/os-specific/linux/broadcom-sta/null-pointer-fix.patch b/nixpkgs/pkgs/os-specific/linux/broadcom-sta/null-pointer-fix.patch
new file mode 100644
index 000000000000..763797294307
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/broadcom-sta/null-pointer-fix.patch
@@ -0,0 +1,13 @@
+diff -urN a/src/wl/sys/wl_linux.c b/src/wl/sys/wl_linux.c
+--- a/src/wl/sys/wl_linux.c	2015-01-06 12:33:42.981659618 +0100
++++ b/src/wl/sys/wl_linux.c	2015-01-06 12:34:05.647395418 +0100
+@@ -2157,8 +2157,8 @@
+ 	wlif = WL_DEV_IF(dev);
+ 	wl = WL_INFO(dev);
+ 
++	skb->prev = NULL;
+ 	if (WL_ALL_PASSIVE_ENAB(wl) || (WL_RTR() && WL_CONFIG_SMP())) {
+-		skb->prev = NULL;
+ 
+ 		TXQ_LOCK(wl);
+ 
diff --git a/nixpkgs/pkgs/os-specific/linux/broadcom-sta/pedantic-fix.patch b/nixpkgs/pkgs/os-specific/linux/broadcom-sta/pedantic-fix.patch
new file mode 100644
index 000000000000..3d190b9d1f82
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/broadcom-sta/pedantic-fix.patch
@@ -0,0 +1,99 @@
+diff --git a/src/shared/linux_osl.c b/src/shared/linux_osl.c
+index 711b771..5a2636a 100644
+--- a/src/shared/linux_osl.c
++++ b/src/shared/linux_osl.c
+@@ -1105,7 +1105,7 @@ osl_os_get_image_block(char *buf, int len, void *image)
+ 	if (!image)
+ 		return 0;
+ 
+-	rdlen = kernel_read(fp, fp->f_pos, buf, len);
++	rdlen = kernel_read(fp, (void *)fp->f_pos, (size_t)len, (loff_t *)buf);
+ 	if (rdlen > 0)
+ 		fp->f_pos += rdlen;
+ 
+diff --git a/src/wl/sys/wl_cfg80211_hybrid.c b/src/wl/sys/wl_cfg80211_hybrid.c
+index 2b3c290..093dce6 100644
+--- a/src/wl/sys/wl_cfg80211_hybrid.c
++++ b/src/wl/sys/wl_cfg80211_hybrid.c
+@@ -790,6 +790,7 @@ wl_set_auth_type(struct net_device *dev, struct cfg80211_connect_params *sme)
+ 		break;
+ 	case NL80211_AUTHTYPE_NETWORK_EAP:
+ 		WL_DBG(("network eap\n"));
++		break;
+ 	default:
+ 		val = 2;
+ 		WL_ERR(("invalid auth type (%d)\n", sme->auth_type));
+@@ -2347,26 +2348,24 @@ wl_bss_roaming_done(struct wl_cfg80211_priv *wl, struct net_device *ndev,
+                     const wl_event_msg_t *e, void *data)
+ {
+ 	struct wl_cfg80211_connect_info *conn_info = wl_to_conn(wl);
++	s32 err = 0;
+ #if LINUX_VERSION_CODE >= KERNEL_VERSION(4, 12, 0)
+ 	struct cfg80211_bss *bss;
+ 	struct wlc_ssid *ssid;
++	struct cfg80211_roam_info roam_info;
+ 	ssid = &wl->profile->ssid;
+ 	bss = cfg80211_get_bss(wl_to_wiphy(wl), NULL, (s8 *)&wl->bssid,
+ 	ssid->SSID, ssid->SSID_len, WLAN_CAPABILITY_ESS, WLAN_CAPABILITY_ESS);
+-	struct cfg80211_roam_info roam_info = {
+ // Rel. commit "cfg80211: Indicate MLO connection info in connect and roam callbacks" (Veerendranath Jakkam, Wed Jun 8)
+ #if LINUX_VERSION_CODE < KERNEL_VERSION(6, 0, 0)
+-		.bss = bss,
++	roam_info.bss = bss;
+ #else
+-		.links[0].bss = bss,
++	roam_info.links[0].bss = bss;
+ #endif
+-		.req_ie = conn_info->req_ie,
+-		.req_ie_len = conn_info->req_ie_len,
+-		.resp_ie = conn_info->resp_ie,
+-		.resp_ie_len = conn_info->resp_ie_len,
+-	};
++	roam_info.req_ie = conn_info->req_ie;
++	roam_info.req_ie_len = conn_info->req_ie_len;
++	roam_info.resp_ie = conn_info->resp_ie;
+ #endif
+-	s32 err = 0;
+ 
+ 	wl_get_assoc_ies(wl);
+ 	memcpy(wl->profile->bssid, &e->addr, ETHER_ADDR_LEN);
+diff --git a/src/wl/sys/wl_iw.h b/src/wl/sys/wl_iw.h
+index 3ab084f..471d11f 100644
+--- a/src/wl/sys/wl_iw.h
++++ b/src/wl/sys/wl_iw.h
+@@ -70,7 +70,6 @@ struct cntry_locales_custom {
+ #define	WL_IW_RSSI_EXCELLENT	-57	
+ #define	WL_IW_RSSI_INVALID	 0	
+ #define MAX_WX_STRING 80
+-#define isprint(c) bcm_isprint(c)
+ #define WL_IW_SET_ACTIVE_SCAN	(SIOCIWFIRSTPRIV+1)
+ #define WL_IW_GET_RSSI			(SIOCIWFIRSTPRIV+3)
+ #define WL_IW_SET_PASSIVE_SCAN	(SIOCIWFIRSTPRIV+5)
+diff --git a/src/wl/sys/wl_linux.c b/src/wl/sys/wl_linux.c
+index d13fb98..97ae2a6 100644
+--- a/src/wl/sys/wl_linux.c
++++ b/src/wl/sys/wl_linux.c
+@@ -797,14 +797,15 @@ wl_pci_probe(struct pci_dev *pdev, const struct pci_device_id *ent)
+ 	pci_read_config_dword(pdev, 0x40, &val);
+ 	if ((val & 0x0000ff00) != 0)
+ 		pci_write_config_dword(pdev, 0x40, val & 0xffff00ff);
+-		bar1_size = pci_resource_len(pdev, 2);
+-		#if LINUX_VERSION_CODE >= KERNEL_VERSION(5, 6, 0)
+-		bar1_addr = (uchar *)ioremap(pci_resource_start(pdev, 2),
+-			bar1_size);
+-		#else
+-		bar1_addr = (uchar *)ioremap_nocache(pci_resource_start(pdev, 2),
+-			bar1_size);
+-		#endif /* LINUX_VERSION_CODE >= KERNEL_VERSION(5, 6, 0) */
++
++	bar1_size = pci_resource_len(pdev, 2);
++	#if LINUX_VERSION_CODE >= KERNEL_VERSION(5, 6, 0)
++	bar1_addr = (uchar *)ioremap(pci_resource_start(pdev, 2),
++		bar1_size);
++	#else
++	bar1_addr = (uchar *)ioremap_nocache(pci_resource_start(pdev, 2),
++		bar1_size);
++	#endif /* LINUX_VERSION_CODE >= KERNEL_VERSION(5, 6, 0) */
+ 	wl = wl_attach(pdev->vendor, pdev->device, pci_resource_start(pdev, 0), PCI_BUS, pdev,
+ 		pdev->irq, bar1_addr, bar1_size);
+ 
diff --git a/nixpkgs/pkgs/os-specific/linux/btfs/default.nix b/nixpkgs/pkgs/os-specific/linux/btfs/default.nix
new file mode 100644
index 000000000000..342272f42861
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/btfs/default.nix
@@ -0,0 +1,27 @@
+{ lib, stdenv, fetchFromGitHub, autoreconfHook, pkg-config
+, python3, boost, fuse, libtorrent-rasterbar, curl }:
+
+stdenv.mkDerivation rec {
+  pname = "btfs";
+  version = "2.24";
+
+  src = fetchFromGitHub {
+    owner  = "johang";
+    repo   = pname;
+    rev    = "v${version}";
+    sha256 = "sha256-fkS0U/MqFRQNi+n7NE4e1cnNICvfST2IQ9FMoJUyj6w=";
+  };
+
+  nativeBuildInputs = [ autoreconfHook pkg-config ];
+  buildInputs = [
+    boost fuse libtorrent-rasterbar curl python3
+  ];
+
+  meta = with lib; {
+    description = "A bittorrent filesystem based on FUSE";
+    homepage    = "https://github.com/johang/btfs";
+    license     = licenses.gpl3;
+    maintainers = with maintainers; [ rnhmjoj ];
+    platforms   = platforms.unix;
+  };
+}
diff --git a/nixpkgs/pkgs/os-specific/linux/busybox/busybox-in-store.patch b/nixpkgs/pkgs/os-specific/linux/busybox/busybox-in-store.patch
new file mode 100644
index 000000000000..2d356b66b3ae
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/busybox/busybox-in-store.patch
@@ -0,0 +1,23 @@
+Allow BusyBox to be invoked as "<something>-busybox". This is
+necessary when it's run from the Nix store as <hash>-busybox during
+stdenv bootstrap.
+--- a/libbb/appletlib.c
++++ b/libbb/appletlib.c
+@@ -947,7 +947,7 @@ void FAST_FUNC run_applet_no_and_exit(int applet_no, const char *name, char **ar
+ static NORETURN void run_applet_and_exit(const char *name, char **argv)
+ {
+ #  if ENABLE_BUSYBOX
+-	if (is_prefixed_with(name, "busybox"))
++	if (strstr(name, "busybox") != 0)
+ 		exit(busybox_main(/*unused:*/ 0, argv));
+ #  endif
+ #  if NUM_APPLETS > 0
+@@ -1045,7 +1045,7 @@ int main(int argc UNUSED_PARAM, char **argv)
+
+ 	lbb_prepare("busybox" IF_FEATURE_INDIVIDUAL(, argv));
+ # if !ENABLE_BUSYBOX
+-	if (argv[1] && is_prefixed_with(bb_basename(argv[0]), "busybox"))
++	if (argv[1] && strstr(bb_basename(argv[0]), "busybox") != 0)
+ 		argv++;
+ # endif
+ 	applet_name = argv[0];
diff --git a/nixpkgs/pkgs/os-specific/linux/busybox/clang-cross.patch b/nixpkgs/pkgs/os-specific/linux/busybox/clang-cross.patch
new file mode 100644
index 000000000000..b2d696bfd73f
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/busybox/clang-cross.patch
@@ -0,0 +1,37 @@
+diff --git a/Makefile b/Makefile
+index 6fedcffba..3385836c4 100644
+--- a/Makefile
++++ b/Makefile
+@@ -271,8 +271,8 @@ export quiet Q KBUILD_VERBOSE
+ # Look for make include files relative to root of kernel src
+ MAKEFLAGS += --include-dir=$(srctree)
+ 
+-HOSTCC  	= gcc
+-HOSTCXX  	= g++
++HOSTCC		= cc
++HOSTCXX	= c++
+ HOSTCFLAGS	:=
+ HOSTCXXFLAGS	:=
+ # We need some generic definitions
+@@ -289,7 +289,7 @@ MAKEFLAGS += -rR
+ # Make variables (CC, etc...)
+ 
+ AS		= $(CROSS_COMPILE)as
+-CC		= $(CROSS_COMPILE)gcc
++CC		= $(CROSS_COMPILE)cc
+ LD		= $(CC) -nostdlib
+ CPP		= $(CC) -E
+ AR		= $(CROSS_COMPILE)ar
+diff --git a/scripts/Makefile.IMA b/scripts/Makefile.IMA
+index f155108d7..185257064 100644
+--- a/scripts/Makefile.IMA
++++ b/scripts/Makefile.IMA
+@@ -39,7 +39,7 @@ ifndef HOSTCC
+ HOSTCC = cc
+ endif
+ AS              = $(CROSS_COMPILE)as
+-CC              = $(CROSS_COMPILE)gcc
++CC              = $(CROSS_COMPILE)cc
+ LD              = $(CC) -nostdlib
+ CPP             = $(CC) -E
+ AR              = $(CROSS_COMPILE)ar
diff --git a/nixpkgs/pkgs/os-specific/linux/busybox/default.nix b/nixpkgs/pkgs/os-specific/linux/busybox/default.nix
new file mode 100644
index 000000000000..c72be801aeea
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/busybox/default.nix
@@ -0,0 +1,170 @@
+{ stdenv, lib, buildPackages, fetchurl, fetchFromGitLab
+, enableStatic ? stdenv.hostPlatform.isStatic
+, enableMinimal ? false
+, enableAppletSymlinks ? true
+# Allow forcing musl without switching stdenv itself, e.g. for our bootstrapping:
+# nix build -f pkgs/top-level/release.nix stdenvBootstrapTools.x86_64-linux.dist
+, useMusl ? stdenv.hostPlatform.libc == "musl", musl
+, extraConfig ? ""
+}:
+
+assert stdenv.hostPlatform.libc == "musl" -> useMusl;
+
+let
+  configParser = ''
+    function parseconfig {
+        while read LINE; do
+            NAME=`echo "$LINE" | cut -d \  -f 1`
+            OPTION=`echo "$LINE" | cut -d \  -f 2`
+
+            if ! [[ "$NAME" =~ ^CONFIG_ ]]; then continue; fi
+
+            echo "parseconfig: removing $NAME"
+            sed -i /$NAME'\(=\| \)'/d .config
+
+            echo "parseconfig: setting $NAME=$OPTION"
+            echo "$NAME=$OPTION" >> .config
+        done
+    }
+  '';
+
+  libcConfig = lib.optionalString useMusl ''
+    CONFIG_FEATURE_UTMP n
+    CONFIG_FEATURE_WTMP n
+  '';
+
+  # The debian version lags behind the upstream version and also contains
+  # a debian-specific suffix. We only fetch the debian repository to get the
+  # default.script
+  debianVersion = "1.30.1-6";
+  debianSource = fetchFromGitLab {
+    domain = "salsa.debian.org";
+    owner = "installer-team";
+    repo = "busybox";
+    rev = "debian/1%${debianVersion}";
+    sha256 = "sha256-6r0RXtmqGXtJbvLSD1Ma1xpqR8oXL2bBKaUE/cSENL8=";
+  };
+  debianDispatcherScript = "${debianSource}/debian/tree/udhcpc/etc/udhcpc/default.script";
+  outDispatchPath = "$out/default.script";
+in
+
+stdenv.mkDerivation rec {
+  pname = "busybox";
+  version = "1.36.1";
+
+  # Note to whoever is updating busybox: please verify that:
+  # nix-build pkgs/stdenv/linux/make-bootstrap-tools.nix -A test
+  # still builds after the update.
+  src = fetchurl {
+    url = "https://busybox.net/downloads/${pname}-${version}.tar.bz2";
+    sha256 = "sha256-uMwkyVdNgJ5yecO+NJeVxdXOtv3xnKcJ+AzeUOR94xQ=";
+  };
+
+  hardeningDisable = [ "format" "pie" ]
+    ++ lib.optionals enableStatic [ "fortify" ];
+
+  patches = [
+    ./busybox-in-store.patch
+    (fetchurl {
+      name = "CVE-2022-28391.patch";
+      url = "https://git.alpinelinux.org/aports/plain/main/busybox/0001-libbb-sockaddr2str-ensure-only-printable-characters-.patch?id=ed92963eb55bbc8d938097b9ccb3e221a94653f4";
+      sha256 = "sha256-yviw1GV+t9tbHbY7YNxEqPi7xEreiXVqbeRyf8c6Awo=";
+    })
+    (fetchurl {
+      name = "CVE-2022-28391.patch";
+      url = "https://git.alpinelinux.org/aports/plain/main/busybox/0002-nslookup-sanitize-all-printed-strings-with-printable.patch?id=ed92963eb55bbc8d938097b9ccb3e221a94653f4";
+      sha256 = "sha256-vl1wPbsHtXY9naajjnTicQ7Uj3N+EQ8pRNnrdsiow+w=";
+    })
+  ] ++ lib.optional (stdenv.hostPlatform != stdenv.buildPlatform) ./clang-cross.patch;
+
+  separateDebugInfo = true;
+
+  postPatch = "patchShebangs .";
+
+  configurePhase = ''
+    export KCONFIG_NOTIMESTAMP=1
+    make ${if enableMinimal then "allnoconfig" else "defconfig"}
+
+    ${configParser}
+
+    cat << EOF | parseconfig
+
+    CONFIG_PREFIX "$out"
+    CONFIG_INSTALL_NO_USR y
+
+    CONFIG_LFS y
+
+    # More features for modprobe.
+    ${lib.optionalString (!enableMinimal) ''
+      CONFIG_FEATURE_MODPROBE_BLACKLIST y
+      CONFIG_FEATURE_MODUTILS_ALIAS y
+      CONFIG_FEATURE_MODUTILS_SYMBOLS y
+      CONFIG_MODPROBE_SMALL n
+    ''}
+
+    ${lib.optionalString enableStatic ''
+      CONFIG_STATIC y
+    ''}
+
+    ${lib.optionalString (!enableAppletSymlinks) ''
+      CONFIG_INSTALL_APPLET_DONT y
+      CONFIG_INSTALL_APPLET_SYMLINKS n
+    ''}
+
+    # Use the external mount.cifs program.
+    CONFIG_FEATURE_MOUNT_CIFS n
+    CONFIG_FEATURE_MOUNT_HELPERS y
+
+    # Set paths for console fonts.
+    CONFIG_DEFAULT_SETFONT_DIR "/etc/kbd"
+
+    # Bump from 4KB, much faster I/O
+    CONFIG_FEATURE_COPYBUF_KB 64
+
+    # Set the path for the udhcpc script
+    CONFIG_UDHCPC_DEFAULT_SCRIPT "${outDispatchPath}"
+
+    ${extraConfig}
+    CONFIG_CROSS_COMPILER_PREFIX "${stdenv.cc.targetPrefix}"
+    ${libcConfig}
+    EOF
+
+    make oldconfig
+
+    runHook postConfigure
+  '';
+
+  postConfigure = lib.optionalString (useMusl && stdenv.hostPlatform.libc != "musl") ''
+    makeFlagsArray+=("CC=${stdenv.cc.targetPrefix}cc -isystem ${musl.dev}/include -B${musl}/lib -L${musl}/lib")
+  '';
+
+  makeFlags = [ "SKIP_STRIP=y" ];
+
+  postInstall = ''
+    sed -e '
+    1 a busybox() { '$out'/bin/busybox "$@"; }\
+    logger() { '$out'/bin/logger "$@"; }\
+    ' ${debianDispatcherScript} > ${outDispatchPath}
+    chmod 555 ${outDispatchPath}
+    HOST_PATH=$out/bin patchShebangs --host ${outDispatchPath}
+  '';
+
+  strictDeps = true;
+
+  depsBuildBuild = [ buildPackages.stdenv.cc ];
+
+  buildInputs = lib.optionals (enableStatic && !useMusl && stdenv.cc.libc ? static) [ stdenv.cc.libc stdenv.cc.libc.static ];
+
+  enableParallelBuilding = true;
+
+  doCheck = false; # tries to access the net
+
+  meta = with lib; {
+    description = "Tiny versions of common UNIX utilities in a single small executable";
+    homepage = "https://busybox.net/";
+    license = licenses.gpl2Only;
+    maintainers = with maintainers; [ TethysSvensson qyliss ];
+    platforms = platforms.linux;
+    priority = 10;
+  };
+}
diff --git a/nixpkgs/pkgs/os-specific/linux/busybox/sandbox-shell.nix b/nixpkgs/pkgs/os-specific/linux/busybox/sandbox-shell.nix
new file mode 100644
index 000000000000..fa70e5f91d80
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/busybox/sandbox-shell.nix
@@ -0,0 +1,26 @@
+{ busybox}:
+
+# Minimal shell for use as basic /bin/sh in sandbox builds
+busybox.override {
+  enableStatic = true;
+  enableMinimal = true;
+  extraConfig = ''
+    CONFIG_FEATURE_FANCY_ECHO y
+    CONFIG_FEATURE_SH_MATH y
+    CONFIG_FEATURE_SH_MATH_64 y
+    CONFIG_FEATURE_TEST_64 y
+
+    CONFIG_ASH y
+    CONFIG_ASH_OPTIMIZE_FOR_SIZE y
+
+    CONFIG_ASH_ALIAS y
+    CONFIG_ASH_BASH_COMPAT y
+    CONFIG_ASH_CMDCMD y
+    CONFIG_ASH_ECHO y
+    CONFIG_ASH_GETOPTS y
+    CONFIG_ASH_INTERNAL_GLOB y
+    CONFIG_ASH_JOB_CONTROL y
+    CONFIG_ASH_PRINTF y
+    CONFIG_ASH_TEST y
+  '';
+}
diff --git a/nixpkgs/pkgs/os-specific/linux/cachefilesd/default.nix b/nixpkgs/pkgs/os-specific/linux/cachefilesd/default.nix
new file mode 100644
index 000000000000..6c52eb4a7f60
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/cachefilesd/default.nix
@@ -0,0 +1,25 @@
+{ lib, stdenv, fetchurl }:
+
+stdenv.mkDerivation rec {
+  pname = "cachefilesd";
+  version = "0.10.10";
+
+  src = fetchurl {
+    url = "https://people.redhat.com/dhowells/fscache/${pname}-${version}.tar.bz2";
+    sha256 = "00hsw4cdlm13wijlygp8f0aq6gxdp0skbxs9r2vh5ggs3s2hj0qd";
+  };
+
+  installFlags = [
+    "ETCDIR=$(out)/etc"
+    "SBINDIR=$(out)/sbin"
+    "MANDIR=$(out)/share/man"
+  ];
+
+  meta = with lib; {
+    description = "Local network file caching management daemon";
+    homepage = "https://people.redhat.com/dhowells/fscache/";
+    license = licenses.gpl2Plus;
+    platforms = platforms.linux;
+    maintainers = with maintainers; [ abbradar ];
+  };
+}
diff --git a/nixpkgs/pkgs/os-specific/linux/can-isotp/default.nix b/nixpkgs/pkgs/os-specific/linux/can-isotp/default.nix
new file mode 100644
index 000000000000..7c20b74e54cb
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/can-isotp/default.nix
@@ -0,0 +1,34 @@
+{ lib, stdenv, kernel, fetchFromGitHub }:
+
+stdenv.mkDerivation {
+  pname = "can-isotp";
+  version = "20200910";
+
+  hardeningDisable = [ "pic" ];
+
+  src = fetchFromGitHub {
+    owner = "hartkopp";
+    repo = "can-isotp";
+    rev = "21a3a59e2bfad246782896841e7af042382fcae7";
+    sha256 = "1laax93czalclg7cy9iq1r7hfh9jigh7igj06y9lski75ap2vhfq";
+  };
+
+  makeFlags = kernel.makeFlags ++ [
+    "KERNELDIR=${kernel.dev}/lib/modules/${kernel.modDirVersion}/build"
+    "INSTALL_MOD_PATH=${placeholder "out"}"
+  ];
+
+  buildFlags = [ "modules" ];
+  installTargets = [ "modules_install" ];
+
+  nativeBuildInputs = kernel.moduleBuildDependencies;
+
+  meta = with lib; {
+    broken = kernel.kernelAtLeast "5.16";
+    description = "Kernel module for ISO-TP (ISO 15765-2)";
+    homepage = "https://github.com/hartkopp/can-isotp";
+    license = licenses.gpl2;
+    platforms = platforms.linux;
+    maintainers = [ maintainers.evck ];
+  };
+}
diff --git a/nixpkgs/pkgs/os-specific/linux/can-utils/default.nix b/nixpkgs/pkgs/os-specific/linux/can-utils/default.nix
new file mode 100644
index 000000000000..6d5b7e0d6506
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/can-utils/default.nix
@@ -0,0 +1,23 @@
+{ lib, stdenv, fetchFromGitHub }:
+
+stdenv.mkDerivation rec {
+  pname = "can-utils";
+  version = "2023.03";
+
+  src = fetchFromGitHub {
+    owner = "linux-can";
+    repo = "can-utils";
+    rev = "v${version}";
+    hash = "sha256-FaopviBJOmO0lXoJcdKNdtsoaJ8JrFEJGyO1aNBv+Pg=";
+  };
+
+  makeFlags = [ "PREFIX=$(out)" ];
+
+  meta = with lib; {
+    description = "CAN userspace utilities and tools (for use with Linux SocketCAN)";
+    homepage = "https://github.com/linux-can/can-utils";
+    license = licenses.gpl2Plus;
+    platforms = platforms.linux;
+    maintainers = with maintainers; [ bjornfor Luflosi ];
+  };
+}
diff --git a/nixpkgs/pkgs/os-specific/linux/cannelloni/default.nix b/nixpkgs/pkgs/os-specific/linux/cannelloni/default.nix
new file mode 100644
index 000000000000..0a27c53eefc8
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/cannelloni/default.nix
@@ -0,0 +1,30 @@
+{ lib, stdenv, fetchFromGitHub, cmake, lksctp-tools, sctpSupport ? true }:
+
+stdenv.mkDerivation (finalAttrs: {
+  pname = "cannelloni";
+  version = "1.1.0";
+  src = fetchFromGitHub {
+    owner = "mguentner";
+    repo = "cannelloni";
+    rev = "v${finalAttrs.version}";
+    hash = "sha256-pAXHo9NCXMFKYcIJogytBiPkQE0nK6chU5TKiDNCKA8=";
+  };
+
+  nativeBuildInputs = [
+    cmake
+  ];
+
+  buildInputs = lib.optionals sctpSupport [ lksctp-tools ];
+
+  cmakeFlags = [
+    "-DSCTP_SUPPORT=${lib.boolToString sctpSupport}"
+  ];
+
+  meta = with lib; {
+    description = "A SocketCAN over Ethernet tunnel";
+    homepage = "https://github.com/mguentner/cannelloni";
+    platforms = platforms.linux;
+    license = licenses.gpl2Only;
+    maintainers = [ maintainers.samw ];
+  };
+})
diff --git a/nixpkgs/pkgs/os-specific/linux/catfs/Cargo.lock b/nixpkgs/pkgs/os-specific/linux/catfs/Cargo.lock
new file mode 100644
index 000000000000..d79e0a9e168d
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/catfs/Cargo.lock
@@ -0,0 +1,651 @@
+# This file is automatically @generated by Cargo.
+# It is not intended for manual editing.
+version = 3
+
+[[package]]
+name = "addr2line"
+version = "0.13.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "1b6a2d3371669ab3ca9797670853d61402b03d0b4b9ebf33d677dfa720203072"
+dependencies = [
+ "gimli",
+]
+
+[[package]]
+name = "adler"
+version = "0.2.3"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "ee2a4ec343196209d6594e19543ae87a39f96d5534d7174822a3ad825dd6ed7e"
+
+[[package]]
+name = "aho-corasick"
+version = "0.6.10"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "81ce3d38065e618af2d7b77e10c5ad9a069859b4be3c2250f674af3840d9c8a5"
+dependencies = [
+ "memchr",
+]
+
+[[package]]
+name = "ansi_term"
+version = "0.11.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "ee49baf6cb617b853aa8d93bf420db2383fab46d314482ca2803b40d5fde979b"
+dependencies = [
+ "winapi",
+]
+
+[[package]]
+name = "atty"
+version = "0.2.14"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "d9b39be18770d11421cdb1b9947a45dd3f37e93092cbf377614828a319d5fee8"
+dependencies = [
+ "hermit-abi",
+ "libc",
+ "winapi",
+]
+
+[[package]]
+name = "autocfg"
+version = "1.0.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "cdb031dd78e28731d87d56cc8ffef4a8f36ca26c38fe2de700543e627f8a464a"
+
+[[package]]
+name = "backtrace"
+version = "0.3.51"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "ec1931848a574faa8f7c71a12ea00453ff5effbb5f51afe7f77d7a48cace6ac1"
+dependencies = [
+ "addr2line",
+ "cfg-if",
+ "libc",
+ "miniz_oxide",
+ "object",
+ "rustc-demangle",
+]
+
+[[package]]
+name = "bit-set"
+version = "0.4.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "d9bf6104718e80d7b26a68fdbacff3481cfc05df670821affc7e9cbc1884400c"
+dependencies = [
+ "bit-vec",
+]
+
+[[package]]
+name = "bit-vec"
+version = "0.4.4"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "02b4ff8b16e6076c3e14220b39fbc1fabb6737522281a388998046859400895f"
+
+[[package]]
+name = "bitflags"
+version = "1.2.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "cf1de2fe8c75bc145a2f577add951f8134889b4795d47466a54a5c846d691693"
+
+[[package]]
+name = "block-buffer"
+version = "0.2.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "1339a1042f5d9f295737ad4d9a6ab6bf81c84a933dba110b9200cd6d1448b814"
+dependencies = [
+ "byte-tools",
+ "generic-array",
+]
+
+[[package]]
+name = "byte-tools"
+version = "0.2.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "560c32574a12a89ecd91f5e742165893f86e3ab98d21f8ea548658eb9eef5f40"
+
+[[package]]
+name = "catfs"
+version = "0.9.0"
+dependencies = [
+ "backtrace",
+ "chan-signal",
+ "clap",
+ "daemonize",
+ "env_logger",
+ "fd",
+ "fuse",
+ "generic-array",
+ "itertools",
+ "libc",
+ "log 0.3.9",
+ "rand 0.3.23",
+ "sha2",
+ "syslog",
+ "threadpool",
+ "time",
+ "twox-hash",
+ "xattr",
+]
+
+[[package]]
+name = "cfg-if"
+version = "0.1.10"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "4785bdd1c96b2a846b2bd7cc02e86b6b3dbf14e7e53446c4f54c92a361040822"
+
+[[package]]
+name = "chan"
+version = "0.1.23"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "d14956a3dae065ffaa0d92ece848ab4ced88d32361e7fdfbfd653a5c454a1ed8"
+dependencies = [
+ "rand 0.3.23",
+]
+
+[[package]]
+name = "chan-signal"
+version = "0.2.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "0f3bb6c3bc387004ad914f0c5b7f33ace8bf7604bbec35f228b1a017f52cd3a0"
+dependencies = [
+ "bit-set",
+ "chan",
+ "lazy_static 0.2.11",
+ "libc",
+]
+
+[[package]]
+name = "clap"
+version = "2.33.3"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "37e58ac78573c40708d45522f0d80fa2f01cc4f9b4e2bf749807255454312002"
+dependencies = [
+ "ansi_term",
+ "atty",
+ "bitflags",
+ "strsim",
+ "textwrap",
+ "unicode-width",
+ "vec_map",
+]
+
+[[package]]
+name = "daemonize"
+version = "0.2.3"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "0239832c1b4ca406d5ec73728cf4c7336d25cf85dd32db9e047e9e706ee0e935"
+dependencies = [
+ "libc",
+]
+
+[[package]]
+name = "digest"
+version = "0.6.2"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "e5b29bf156f3f4b3c4f610a25ff69370616ae6e0657d416de22645483e72af0a"
+dependencies = [
+ "generic-array",
+]
+
+[[package]]
+name = "either"
+version = "1.6.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "e78d4f1cc4ae33bbfc157ed5d5a5ef3bc29227303d595861deb238fcec4e9457"
+
+[[package]]
+name = "env_logger"
+version = "0.4.3"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "3ddf21e73e016298f5cb37d6ef8e8da8e39f91f9ec8b0df44b7deb16a9f8cd5b"
+dependencies = [
+ "log 0.3.9",
+ "regex",
+]
+
+[[package]]
+name = "fake-simd"
+version = "0.1.2"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "e88a8acf291dafb59c2d96e8f59828f3838bb1a70398823ade51a84de6a6deed"
+
+[[package]]
+name = "fd"
+version = "0.2.3"
+source = "git+https://github.com/stemjail/fd-rs.git?rev=3bc3e3587f8904cce8bf29163a2021c2f5906557#3bc3e3587f8904cce8bf29163a2021c2f5906557"
+dependencies = [
+ "libc",
+]
+
+[[package]]
+name = "fuchsia-cprng"
+version = "0.1.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "a06f77d526c1a601b7c4cdd98f54b5eaabffc14d5f2f0296febdc7f357c6d3ba"
+
+[[package]]
+name = "fuse"
+version = "0.3.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "80e57070510966bfef93662a81cb8aa2b1c7db0964354fa9921434f04b9e8660"
+dependencies = [
+ "libc",
+ "log 0.3.9",
+ "pkg-config",
+ "thread-scoped",
+ "time",
+]
+
+[[package]]
+name = "generic-array"
+version = "0.8.3"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "fceb69994e330afed50c93524be68c42fa898c2d9fd4ee8da03bd7363acd26f2"
+dependencies = [
+ "nodrop",
+ "typenum",
+]
+
+[[package]]
+name = "getrandom"
+version = "0.1.15"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "fc587bc0ec293155d5bfa6b9891ec18a1e330c234f896ea47fbada4cadbe47e6"
+dependencies = [
+ "cfg-if",
+ "libc",
+ "wasi 0.9.0+wasi-snapshot-preview1",
+]
+
+[[package]]
+name = "gimli"
+version = "0.22.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "aaf91faf136cb47367fa430cd46e37a788775e7fa104f8b4bcb3861dc389b724"
+
+[[package]]
+name = "hermit-abi"
+version = "0.1.16"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "4c30f6d0bc6b00693347368a67d41b58f2fb851215ff1da49e90fe2c5c667151"
+dependencies = [
+ "libc",
+]
+
+[[package]]
+name = "itertools"
+version = "0.6.5"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "d3f2be4da1690a039e9ae5fd575f706a63ad5a2120f161b1d653c9da3930dd21"
+dependencies = [
+ "either",
+]
+
+[[package]]
+name = "lazy_static"
+version = "0.2.11"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "76f033c7ad61445c5b347c7382dd1237847eb1bce590fe50365dcb33d546be73"
+
+[[package]]
+name = "lazy_static"
+version = "1.4.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "e2abad23fbc42b3700f2f279844dc832adb2b2eb069b2df918f455c4e18cc646"
+
+[[package]]
+name = "libc"
+version = "0.2.78"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "aa7087f49d294270db4e1928fc110c976cd4b9e5a16348e0a1df09afa99e6c98"
+
+[[package]]
+name = "log"
+version = "0.3.9"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "e19e8d5c34a3e0e2223db8e060f9e8264aeeb5c5fc64a4ee9965c062211c024b"
+dependencies = [
+ "log 0.4.11",
+]
+
+[[package]]
+name = "log"
+version = "0.4.11"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "4fabed175da42fed1fa0746b0ea71f412aa9d35e76e95e59b192c64b9dc2bf8b"
+dependencies = [
+ "cfg-if",
+]
+
+[[package]]
+name = "memchr"
+version = "2.3.3"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "3728d817d99e5ac407411fa471ff9800a778d88a24685968b36824eaf4bee400"
+
+[[package]]
+name = "miniz_oxide"
+version = "0.4.2"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "c60c0dfe32c10b43a144bad8fc83538c52f58302c92300ea7ec7bf7b38d5a7b9"
+dependencies = [
+ "adler",
+ "autocfg",
+]
+
+[[package]]
+name = "nodrop"
+version = "0.1.14"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "72ef4a56884ca558e5ddb05a1d1e7e1bfd9a68d9ed024c21704cc98872dae1bb"
+
+[[package]]
+name = "num_cpus"
+version = "1.13.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "05499f3756671c15885fee9034446956fff3f243d6077b91e5767df161f766b3"
+dependencies = [
+ "hermit-abi",
+ "libc",
+]
+
+[[package]]
+name = "object"
+version = "0.20.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "1ab52be62400ca80aa00285d25253d7f7c437b7375c4de678f5405d3afe82ca5"
+
+[[package]]
+name = "pkg-config"
+version = "0.3.18"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "d36492546b6af1463394d46f0c834346f31548646f6ba10849802c9c9a27ac33"
+
+[[package]]
+name = "ppv-lite86"
+version = "0.2.9"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "c36fa947111f5c62a733b652544dd0016a43ce89619538a8ef92724a6f501a20"
+
+[[package]]
+name = "rand"
+version = "0.3.23"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "64ac302d8f83c0c1974bf758f6b041c6c8ada916fbb44a609158ca8b064cc76c"
+dependencies = [
+ "libc",
+ "rand 0.4.6",
+]
+
+[[package]]
+name = "rand"
+version = "0.4.6"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "552840b97013b1a26992c11eac34bdd778e464601a4c2054b5f0bff7c6761293"
+dependencies = [
+ "fuchsia-cprng",
+ "libc",
+ "rand_core 0.3.1",
+ "rdrand",
+ "winapi",
+]
+
+[[package]]
+name = "rand"
+version = "0.7.3"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "6a6b1679d49b24bbfe0c803429aa1874472f50d9b363131f0e89fc356b544d03"
+dependencies = [
+ "getrandom",
+ "libc",
+ "rand_chacha",
+ "rand_core 0.5.1",
+ "rand_hc",
+]
+
+[[package]]
+name = "rand_chacha"
+version = "0.2.2"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "f4c8ed856279c9737206bf725bf36935d8666ead7aa69b52be55af369d193402"
+dependencies = [
+ "ppv-lite86",
+ "rand_core 0.5.1",
+]
+
+[[package]]
+name = "rand_core"
+version = "0.3.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "7a6fdeb83b075e8266dcc8762c22776f6877a63111121f5f8c7411e5be7eed4b"
+dependencies = [
+ "rand_core 0.4.2",
+]
+
+[[package]]
+name = "rand_core"
+version = "0.4.2"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "9c33a3c44ca05fa6f1807d8e6743f3824e8509beca625669633be0acbdf509dc"
+
+[[package]]
+name = "rand_core"
+version = "0.5.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "90bde5296fc891b0cef12a6d03ddccc162ce7b2aff54160af9338f8d40df6d19"
+dependencies = [
+ "getrandom",
+]
+
+[[package]]
+name = "rand_hc"
+version = "0.2.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "ca3129af7b92a17112d59ad498c6f81eaf463253766b90396d39ea7a39d6613c"
+dependencies = [
+ "rand_core 0.5.1",
+]
+
+[[package]]
+name = "rdrand"
+version = "0.4.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "678054eb77286b51581ba43620cc911abf02758c91f93f479767aed0f90458b2"
+dependencies = [
+ "rand_core 0.3.1",
+]
+
+[[package]]
+name = "regex"
+version = "0.2.11"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "9329abc99e39129fcceabd24cf5d85b4671ef7c29c50e972bc5afe32438ec384"
+dependencies = [
+ "aho-corasick",
+ "memchr",
+ "regex-syntax",
+ "thread_local",
+ "utf8-ranges",
+]
+
+[[package]]
+name = "regex-syntax"
+version = "0.5.6"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "7d707a4fa2637f2dca2ef9fd02225ec7661fe01a53623c1e6515b6916511f7a7"
+dependencies = [
+ "ucd-util",
+]
+
+[[package]]
+name = "rustc-demangle"
+version = "0.1.16"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "4c691c0e608126e00913e33f0ccf3727d5fc84573623b8d65b2df340b5201783"
+
+[[package]]
+name = "sha2"
+version = "0.6.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "7d963c78ce367df26d7ea8b8cc655c651b42e8a1e584e869c1e17dae3ccb116a"
+dependencies = [
+ "block-buffer",
+ "byte-tools",
+ "digest",
+ "fake-simd",
+ "generic-array",
+]
+
+[[package]]
+name = "strsim"
+version = "0.8.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "8ea5119cdb4c55b55d432abb513a0429384878c15dde60cc77b1c99de1a95a6a"
+
+[[package]]
+name = "syslog"
+version = "3.3.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "bbc9b0acde4f7c05fdc1cfb05239b8a53a66815dd86c67fee5aa9bfac5b4ed42"
+dependencies = [
+ "libc",
+ "log 0.3.9",
+ "time",
+ "unix_socket",
+]
+
+[[package]]
+name = "textwrap"
+version = "0.11.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "d326610f408c7a4eb6f51c37c330e496b08506c9457c9d34287ecc38809fb060"
+dependencies = [
+ "unicode-width",
+]
+
+[[package]]
+name = "thread-scoped"
+version = "1.0.2"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "bcbb6aa301e5d3b0b5ef639c9a9c7e2f1c944f177b460c04dc24c69b1fa2bd99"
+
+[[package]]
+name = "thread_local"
+version = "0.3.6"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "c6b53e329000edc2b34dbe8545fd20e55a333362d0a321909685a19bd28c3f1b"
+dependencies = [
+ "lazy_static 1.4.0",
+]
+
+[[package]]
+name = "threadpool"
+version = "1.8.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "d050e60b33d41c19108b32cea32164033a9013fe3b46cbd4457559bfbf77afaa"
+dependencies = [
+ "num_cpus",
+]
+
+[[package]]
+name = "time"
+version = "0.1.44"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "6db9e6914ab8b1ae1c260a4ae7a49b6c5611b40328a735b21862567685e73255"
+dependencies = [
+ "libc",
+ "wasi 0.10.0+wasi-snapshot-preview1",
+ "winapi",
+]
+
+[[package]]
+name = "twox-hash"
+version = "1.5.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "3bfd5b7557925ce778ff9b9ef90e3ade34c524b5ff10e239c69a42d546d2af56"
+dependencies = [
+ "rand 0.7.3",
+]
+
+[[package]]
+name = "typenum"
+version = "1.12.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "373c8a200f9e67a0c95e62a4f52fbf80c23b4381c05a17845531982fa99e6b33"
+
+[[package]]
+name = "ucd-util"
+version = "0.1.8"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "c85f514e095d348c279b1e5cd76795082cf15bd59b93207832abe0b1d8fed236"
+
+[[package]]
+name = "unicode-width"
+version = "0.1.8"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "9337591893a19b88d8d87f2cec1e73fad5cdfd10e5a6f349f498ad6ea2ffb1e3"
+
+[[package]]
+name = "unix_socket"
+version = "0.5.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "6aa2700417c405c38f5e6902d699345241c28c0b7ade4abaad71e35a87eb1564"
+dependencies = [
+ "cfg-if",
+ "libc",
+]
+
+[[package]]
+name = "utf8-ranges"
+version = "1.0.4"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "b4ae116fef2b7fea257ed6440d3cfcff7f190865f170cdad00bb6465bf18ecba"
+
+[[package]]
+name = "vec_map"
+version = "0.8.2"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "f1bddf1187be692e79c5ffeab891132dfb0f236ed36a43c7ed39f1165ee20191"
+
+[[package]]
+name = "wasi"
+version = "0.9.0+wasi-snapshot-preview1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "cccddf32554fecc6acb585f82a32a72e28b48f8c4c1883ddfeeeaa96f7d8e519"
+
+[[package]]
+name = "wasi"
+version = "0.10.0+wasi-snapshot-preview1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "1a143597ca7c7793eff794def352d41792a93c481eb1042423ff7ff72ba2c31f"
+
+[[package]]
+name = "winapi"
+version = "0.3.9"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "5c839a674fcd7a98952e593242ea400abe93992746761e38641405d28b00f419"
+dependencies = [
+ "winapi-i686-pc-windows-gnu",
+ "winapi-x86_64-pc-windows-gnu",
+]
+
+[[package]]
+name = "winapi-i686-pc-windows-gnu"
+version = "0.4.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "ac3b87c63620426dd9b991e5ce0329eff545bccbbb34f3be09ff6fb6ab51b7b6"
+
+[[package]]
+name = "winapi-x86_64-pc-windows-gnu"
+version = "0.4.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "712e227841d057c1ee1cd2fb22fa7e5a5461ae8e48fa2ca79ec42cfc1931183f"
+
+[[package]]
+name = "xattr"
+version = "0.2.2"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "244c3741f4240ef46274860397c7c74e50eb23624996930e484c16679633a54c"
+dependencies = [
+ "libc",
+]
diff --git a/nixpkgs/pkgs/os-specific/linux/catfs/default.nix b/nixpkgs/pkgs/os-specific/linux/catfs/default.nix
new file mode 100644
index 000000000000..fb4d21820755
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/catfs/default.nix
@@ -0,0 +1,49 @@
+{ lib, rustPlatform, fetchFromGitHub
+, fetchpatch
+, fuse
+, pkg-config
+}:
+
+rustPlatform.buildRustPackage rec {
+  pname = "catfs";
+  version = "0.9.0";
+
+  src = fetchFromGitHub {
+    owner = "kahing";
+    repo = pname;
+    rev = "v${version}";
+    hash = "sha256-OvmtU2jpewP5EqPwEFAf67t8UCI1WuzUO2QQj4cH1Ak=";
+  };
+
+  patches = [
+    # monitor https://github.com/kahing/catfs/issues/71
+    ./fix-for-rust-1.65.diff
+  ];
+
+  cargoLock = {
+    lockFile = ./Cargo.lock;
+    outputHashes = {
+      "fd-0.2.3" = "sha256-Xps5s30urCZ8FZYce41nOZGUAk7eRyvObUS/mMx6Tfg=";
+    };
+  };
+
+  nativeBuildInputs = [ pkg-config ];
+
+  buildInputs = [ fuse ];
+
+  # require fuse module to be active to run tests
+  # instead, run command
+  doCheck = false;
+  doInstallCheck = true;
+  installCheckPhase = ''
+    $out/bin/catfs --help > /dev/null
+  '';
+
+  meta = with lib; {
+    description = "Caching filesystem written in Rust";
+    homepage = "https://github.com/kahing/catfs";
+    license = licenses.asl20;
+    platforms = platforms.linux;
+    maintainers = with maintainers; [ jonringer ];
+  };
+}
diff --git a/nixpkgs/pkgs/os-specific/linux/catfs/fix-for-rust-1.65.diff b/nixpkgs/pkgs/os-specific/linux/catfs/fix-for-rust-1.65.diff
new file mode 100644
index 000000000000..4208c362ebcd
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/catfs/fix-for-rust-1.65.diff
@@ -0,0 +1,13 @@
+diff --git a/src/catfs/file.rs b/src/catfs/file.rs
+index 6e781eb..92fdd80 100644
+--- a/src/catfs/file.rs
++++ b/src/catfs/file.rs
+@@ -569,7 +569,7 @@ impl Handle {
+         path: &dyn AsRef<Path>,
+         create: bool,
+     ) -> error::Result<()> {
+-        let _ = self.page_in_res.0.lock().unwrap();
++        drop(self.page_in_res.0.lock().unwrap());
+ 
+         let mut buf = [0u8; 0];
+         let mut flags = rlibc::O_RDWR;
diff --git a/nixpkgs/pkgs/os-specific/linux/cfs-zen-tweaks/default.nix b/nixpkgs/pkgs/os-specific/linux/cfs-zen-tweaks/default.nix
new file mode 100644
index 000000000000..ef5dfe8e2e06
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/cfs-zen-tweaks/default.nix
@@ -0,0 +1,38 @@
+{ lib
+, stdenv
+, fetchFromGitHub
+, cmake
+, makeWrapper
+, gawk
+}:
+
+stdenv.mkDerivation rec {
+  pname = "cfs-zen-tweaks";
+  version = "1.2.0";
+
+  src = fetchFromGitHub {
+    owner = "igo95862";
+    repo = "cfs-zen-tweaks";
+    rev = version;
+    sha256 = "HRR2tdjNmWyrpbcMlihSdb/7g/tHma3YyXogQpRCVyo=";
+  };
+
+  preConfigure = ''
+    substituteInPlace set-cfs-zen-tweaks.bash \
+      --replace '$(gawk' '$(${gawk}/bin/gawk'
+  '';
+
+  preFixup = ''
+    chmod +x $out/lib/cfs-zen-tweaks/set-cfs-zen-tweaks.bash
+  '';
+
+  nativeBuildInputs = [ cmake ];
+
+  meta = with lib; {
+    description = "Tweak Linux CPU scheduler for desktop responsiveness";
+    homepage = "https://github.com/igo95862/cfs-zen-tweaks";
+    license = licenses.gpl2Only;
+    platforms = platforms.linux;
+    maintainers = with maintainers; [ mkg20001 ];
+  };
+}
diff --git a/nixpkgs/pkgs/os-specific/linux/ch9344/default.nix b/nixpkgs/pkgs/os-specific/linux/ch9344/default.nix
new file mode 100644
index 000000000000..e7da864b90c1
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/ch9344/default.nix
@@ -0,0 +1,51 @@
+{ stdenv, lib, fetchzip, kernel }:
+
+stdenv.mkDerivation rec {
+  pname = "ch9344";
+  version = "1.9";
+
+  src = fetchzip {
+    name = "CH9344SER_LINUX.zip";
+    url = "https://www.wch.cn/downloads/file/386.html#CH9344SER_LINUX.zip";
+    hash = "sha256-g55ftAfjKKlUFzGhI1a/O7Eqbz6rkGf1vWuEJjBZxBE=";
+  };
+
+  patches = lib.optionals (lib.versionAtLeast kernel.modDirVersion "6.1") [
+    # https://github.com/torvalds/linux/commit/a8c11c1520347be74b02312d10ef686b01b525f1
+    ./fix-incompatible-pointer-types.patch
+  ] ++ lib.optionals (lib.versionAtLeast kernel.modDirVersion "6.3") [
+    # https://github.com/torvalds/linux/commit/5d420399073770134d2b03e004b2c0201c7fa26f
+    ./fix-incompatible-pointer-types_6_3.patch
+  ];
+
+  sourceRoot = "${src.name}/driver";
+  hardeningDisable = [ "pic" ];
+  nativeBuildInputs = kernel.moduleBuildDependencies;
+
+  preBuild = ''
+    substituteInPlace Makefile --replace "KERNELDIR :=" "KERNELDIR ?="
+  '';
+
+  makeFlags = [
+    "KERNELDIR=${kernel.dev}/lib/modules/${kernel.modDirVersion}/build"
+  ];
+
+  installPhase = ''
+    runHook preInstall
+    install -D ch9344.ko $out/lib/modules/${kernel.modDirVersion}/usb/serial/ch9344.ko
+    runHook postInstall
+  '';
+
+  meta = with lib; {
+    homepage = "https://www.wch-ic.com/";
+    downloadPage = "https://www.wch.cn/downloads/CH9344SER_LINUX_ZIP.html";
+    description = "WCH CH9344/CH348 UART driver";
+    longDescription = ''
+      A kernel module for WinChipHead CH9344/CH348 USB To Multi Serial Ports controller.
+    '';
+    # Archive contains no license.
+    license = licenses.unfree;
+    platforms = platforms.linux;
+    maintainers = with maintainers; [ MakiseKurisu ];
+  };
+}
diff --git a/nixpkgs/pkgs/os-specific/linux/ch9344/fix-incompatible-pointer-types.patch b/nixpkgs/pkgs/os-specific/linux/ch9344/fix-incompatible-pointer-types.patch
new file mode 100644
index 000000000000..31088538733e
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/ch9344/fix-incompatible-pointer-types.patch
@@ -0,0 +1,22 @@
+diff --git a/ch9344.c b/ch9344.c
+index 1e37293..a16af82 100644
+--- a/ch9344.c
++++ b/ch9344.c
+@@ -79,7 +79,7 @@ static DEFINE_IDR(ch9344_minors);
+ static DEFINE_MUTEX(ch9344_minors_lock);
+ 
+ static void ch9344_tty_set_termios(struct tty_struct *tty,
+-                                   struct ktermios *termios_old);
++                                   const struct ktermios *termios_old);
+ 
+ static int ch9344_get_portnum(int index);
+ 
+@@ -1597,7 +1597,7 @@ u8 cal_recv_tmt(__le32 bd)
+ }
+ 
+ static void ch9344_tty_set_termios(struct tty_struct *tty,
+-                                   struct ktermios *termios_old)
++                                   const struct ktermios *termios_old)
+ {
+     struct ch9344 *ch9344 = tty->driver_data;
+     struct ktermios *termios = &tty->termios;
diff --git a/nixpkgs/pkgs/os-specific/linux/ch9344/fix-incompatible-pointer-types_6_3.patch b/nixpkgs/pkgs/os-specific/linux/ch9344/fix-incompatible-pointer-types_6_3.patch
new file mode 100644
index 000000000000..b4cf265daac9
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/ch9344/fix-incompatible-pointer-types_6_3.patch
@@ -0,0 +1,13 @@
+diff --git a/ch9344.c b/ch9344.c
+index a16af82..8922ed9 100644
+--- a/ch9344.c
++++ b/ch9344.c
+@@ -774,7 +774,7 @@ static inline void *tty_get_portdata(struct ch9344_ttyport *port)
+     return (port->portdata);
+ }
+ 
+-static void ch9344_port_dtr_rts(struct tty_port *port, int raise)
++static void ch9344_port_dtr_rts(struct tty_port *port, bool raise)
+ {
+     struct ch9344_ttyport *ttyport = container_of(port, struct ch9344_ttyport, port);
+     struct ch9344 *ch9344 = tty_get_portdata(ttyport);
diff --git a/nixpkgs/pkgs/os-specific/linux/checkpolicy/default.nix b/nixpkgs/pkgs/os-specific/linux/checkpolicy/default.nix
new file mode 100644
index 000000000000..5b08739667d5
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/checkpolicy/default.nix
@@ -0,0 +1,24 @@
+{ lib, stdenv, fetchurl, bison, flex, libsepol }:
+
+stdenv.mkDerivation rec {
+  pname = "checkpolicy";
+  version = "3.5";
+  inherit (libsepol) se_url;
+
+  src = fetchurl {
+    url = "${se_url}/${version}/checkpolicy-${version}.tar.gz";
+    sha256 = "sha256-eqSKsiIqC5iBER1tf3DDAU09kziCfZ4C3xBaaMDfXbw=";
+  };
+
+  nativeBuildInputs = [ bison flex ];
+  buildInputs = [ libsepol ];
+
+  makeFlags = [
+    "PREFIX=$(out)"
+    "LIBSEPOLA=${lib.getLib libsepol}/lib/libsepol.a"
+  ];
+
+  meta = removeAttrs libsepol.meta ["outputsToInstall"] // {
+    description = "SELinux policy compiler";
+  };
+}
diff --git a/nixpkgs/pkgs/os-specific/linux/checksec/0001-attempt-to-modprobe-config-before-checking-kernel.patch b/nixpkgs/pkgs/os-specific/linux/checksec/0001-attempt-to-modprobe-config-before-checking-kernel.patch
new file mode 100644
index 000000000000..2aabbc4d4c80
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/checksec/0001-attempt-to-modprobe-config-before-checking-kernel.patch
@@ -0,0 +1,24 @@
+From 5cfb08effd21d9278e3eb8901c85112a331c3181 Mon Sep 17 00:00:00 2001
+From: Austin Seipp <aseipp@pobox.com>
+Date: Tue, 26 Oct 2021 09:23:07 +0000
+Subject: [PATCH] attempt to 'modprobe config' before checking kernel
+
+---
+ checksec | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/checksec b/checksec
+index 5536250..895073b 100755
+--- a/checksec
++++ b/checksec
+@@ -1059,6 +1059,7 @@ kernelcheck() {
+   echo_message "  options that harden the kernel itself against attack.\n\n" '' '' ''
+   echo_message "  Kernel config:\n" '' '' '{ "kernel": '
+
++  modprobe configs 2> /dev/null
+   if [[ ! "${1}" == "" ]]; then
+     kconfig="cat ${1}"
+     echo_message "  Warning: The config ${1} on disk may not represent running kernel config!\n\n" "${1}" "<kernel config=\"${1}\"" "{ \"KernelConfig\":\"${1}\""
+-- 
+2.33.0
+
diff --git a/nixpkgs/pkgs/os-specific/linux/checksec/default.nix b/nixpkgs/pkgs/os-specific/linux/checksec/default.nix
new file mode 100644
index 000000000000..1bdd4cf5f677
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/checksec/default.nix
@@ -0,0 +1,59 @@
+{ lib
+, stdenv
+, fetchFromGitHub
+, makeWrapper
+, file
+, findutils
+, binutils-unwrapped
+, glibc
+, coreutils
+, sysctl
+, openssl
+}:
+
+stdenv.mkDerivation rec {
+  pname = "checksec";
+  version = "2.6.0";
+
+  src = fetchFromGitHub {
+    owner = "slimm609";
+    repo = "checksec.sh";
+    rev = version;
+    hash = "sha256-BWtchWXukIDSLJkFX8M/NZBvfi7vUE2j4yFfS0KEZDo=";
+  };
+
+  patches = [
+    ./0001-attempt-to-modprobe-config-before-checking-kernel.patch
+  ];
+
+  nativeBuildInputs = [
+    makeWrapper
+  ];
+
+  installPhase =
+    let
+      path = lib.makeBinPath [
+        findutils
+        file
+        binutils-unwrapped
+        sysctl
+        openssl
+      ];
+    in
+    ''
+      mkdir -p $out/bin
+      install checksec $out/bin
+      substituteInPlace $out/bin/checksec --replace /lib/libc.so.6 ${glibc.out}/lib/libc.so.6
+      substituteInPlace $out/bin/checksec --replace "/usr/bin/id -" "${coreutils}/bin/id -"
+      wrapProgram $out/bin/checksec \
+        --prefix PATH : ${path}
+    '';
+
+  meta = with lib; {
+    description = "Tool for checking security bits on executables";
+    homepage = "https://www.trapkit.de/tools/checksec/";
+    license = licenses.bsd3;
+    platforms = platforms.linux;
+    maintainers = with maintainers; [ thoughtpolice globin ];
+  };
+}
diff --git a/nixpkgs/pkgs/os-specific/linux/chromium-xorg-conf/default.nix b/nixpkgs/pkgs/os-specific/linux/chromium-xorg-conf/default.nix
new file mode 100644
index 000000000000..d9608650ed9d
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/chromium-xorg-conf/default.nix
@@ -0,0 +1,8 @@
+{ fetchFromGitiles }:
+
+fetchFromGitiles {
+  name = "chromium-xorg-conf";
+  url = "https://chromium.googlesource.com/chromiumos/platform/xorg-conf";
+  rev = "26fb9d57e195c7e467616b35b17e2b5d279c1514";
+  sha256 = "0643y3l3hjk4mv4lm3h9z56h990q6k11hcr10lcqppgsii0d3zcf";
+}
diff --git a/nixpkgs/pkgs/os-specific/linux/cifs-utils/default.nix b/nixpkgs/pkgs/os-specific/linux/cifs-utils/default.nix
new file mode 100644
index 000000000000..cae7901386d1
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/cifs-utils/default.nix
@@ -0,0 +1,29 @@
+{ stdenv, lib, fetchurl, autoreconfHook, docutils, pkg-config
+, libkrb5, keyutils, pam, talloc, python3 }:
+
+stdenv.mkDerivation rec {
+  pname = "cifs-utils";
+  version = "7.0";
+
+  src = fetchurl {
+    url = "mirror://samba/pub/linux-cifs/cifs-utils/${pname}-${version}.tar.bz2";
+    sha256 = "sha256-De+quFvT6kb/xFq0H7DQrVTQWuLPqn5QPehtTxK8gWE=";
+  };
+
+  nativeBuildInputs = [ autoreconfHook docutils pkg-config ];
+
+  buildInputs = [ libkrb5 keyutils pam talloc python3 ];
+
+  configureFlags = [ "ROOTSBINDIR=$(out)/sbin" ] ++ lib.optionals (stdenv.hostPlatform != stdenv.buildPlatform) [
+    # AC_FUNC_MALLOC is broken on cross builds.
+    "ac_cv_func_malloc_0_nonnull=yes"
+    "ac_cv_func_realloc_0_nonnull=yes"
+  ];
+
+  meta = with lib; {
+    homepage = "https://wiki.samba.org/index.php/LinuxCIFS_utils";
+    description = "Tools for managing Linux CIFS client filesystems";
+    platforms = platforms.linux;
+    license = licenses.lgpl3;
+  };
+}
diff --git a/nixpkgs/pkgs/os-specific/linux/compsize/default.nix b/nixpkgs/pkgs/os-specific/linux/compsize/default.nix
new file mode 100644
index 000000000000..9d0dbeffaee3
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/compsize/default.nix
@@ -0,0 +1,31 @@
+{ lib, stdenv, fetchFromGitHub, btrfs-progs }:
+
+stdenv.mkDerivation rec {
+  pname = "compsize";
+  version = "1.5";
+
+  src = fetchFromGitHub {
+    owner = "kilobyte";
+    repo = pname;
+    rev = "v${version}";
+    sha256 = "sha256-OX41ChtHX36lVRL7O2gH21Dfw6GPPEClD+yafR/PFm8=";
+  };
+
+  buildInputs = [ btrfs-progs ];
+
+  installFlags = [
+    "PREFIX=${placeholder "out"}"
+  ];
+
+  preInstall = ''
+    mkdir -p $out/share/man/man8
+  '';
+
+  meta = with lib; {
+    description = "btrfs: Find compression type/ratio on a file or set of files";
+    homepage = "https://github.com/kilobyte/compsize";
+    license = licenses.gpl2Plus;
+    maintainers = with maintainers; [ CrazedProgrammer ];
+    platforms = platforms.linux;
+  };
+}
diff --git a/nixpkgs/pkgs/os-specific/linux/conky/default.nix b/nixpkgs/pkgs/os-specific/linux/conky/default.nix
new file mode 100644
index 000000000000..ab55839c3408
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/conky/default.nix
@@ -0,0 +1,148 @@
+{ config, lib, stdenv, fetchFromGitHub, pkg-config, cmake
+
+# dependencies
+, glib, libXinerama, catch2
+
+# optional features without extra dependencies
+, mpdSupport          ? true
+, ibmSupport          ? true # IBM/Lenovo notebooks
+
+# optional features with extra dependencies
+
+# ouch, this is ugly, but this gives the man page
+, docsSupport         ? true, docbook2x, libxslt ? null
+                            , man ? null, less ? null
+                            , docbook_xsl ? null , docbook_xml_dtd_44 ? null
+
+, ncursesSupport      ? true      , ncurses       ? null
+, x11Support          ? true      , freetype, xorg
+, xdamageSupport      ? x11Support, libXdamage    ? null
+, doubleBufferSupport ? x11Support
+, imlib2Support       ? x11Support, imlib2        ? null
+
+, luaSupport          ? true      , lua           ? null
+, luaImlib2Support    ? luaSupport && imlib2Support
+, luaCairoSupport     ? luaSupport && x11Support, cairo ? null
+, toluapp ? null
+
+, wirelessSupport     ? true      , wirelesstools ? null
+, nvidiaSupport       ? false     , libXNVCtrl ? null
+, pulseSupport        ? config.pulseaudio or false, libpulseaudio ? null
+
+, curlSupport         ? true      , curl ? null
+, rssSupport          ? curlSupport
+, weatherMetarSupport ? curlSupport
+, weatherXoapSupport  ? curlSupport
+, journalSupport      ? true, systemd ? null
+, libxml2 ? null
+}:
+
+assert docsSupport         -> docbook2x != null && libxslt != null
+                           && man != null && less != null
+                           && docbook_xsl != null && docbook_xml_dtd_44 != null;
+
+assert ncursesSupport      -> ncurses != null;
+
+assert xdamageSupport      -> x11Support && libXdamage != null;
+assert imlib2Support       -> x11Support && imlib2     != null;
+assert luaSupport          -> lua != null;
+assert luaImlib2Support    -> luaSupport && imlib2Support
+                                         && toluapp != null;
+assert luaCairoSupport     -> luaSupport && toluapp != null
+                                         && cairo   != null;
+assert luaCairoSupport || luaImlib2Support
+                           -> lua.luaversion == "5.4";
+
+assert wirelessSupport     -> wirelesstools != null;
+assert nvidiaSupport       -> libXNVCtrl != null;
+assert pulseSupport        -> libpulseaudio != null;
+
+assert curlSupport         -> curl != null;
+assert rssSupport          -> curlSupport && libxml2 != null;
+assert weatherMetarSupport -> curlSupport;
+assert weatherXoapSupport  -> curlSupport && libxml2 != null;
+assert journalSupport      -> systemd != null;
+
+with lib;
+
+stdenv.mkDerivation rec {
+  pname = "conky";
+  version = "1.19.6";
+
+  src = fetchFromGitHub {
+    owner = "brndnmtthws";
+    repo = "conky";
+    rev = "v${version}";
+    hash = "sha256-L8YSbdk+qQl17L4IRajFD/AEWRXb2w7xH9sM9qPGrQo=";
+  };
+
+  postPatch = ''
+    sed -i -e '/include.*CheckIncludeFile)/i include(CheckIncludeFiles)' \
+      cmake/ConkyPlatformChecks.cmake
+  '' + optionalString docsSupport ''
+    substituteInPlace cmake/Conky.cmake --replace "# set(RELEASE true)" "set(RELEASE true)"
+
+    cp ${catch2}/include/catch2/catch.hpp tests/catch2/catch.hpp
+  '';
+
+  env = {
+    # For some reason -Werror is on by default, causing the project to fail compilation.
+    NIX_CFLAGS_COMPILE = "-Wno-error";
+    NIX_LDFLAGS = "-lgcc_s";
+  };
+
+  nativeBuildInputs = [ cmake pkg-config ];
+  buildInputs = [ glib libXinerama ]
+    ++ optionals docsSupport        [ docbook2x docbook_xsl docbook_xml_dtd_44 libxslt man less ]
+    ++ optional  ncursesSupport     ncurses
+    ++ optionals x11Support         [ freetype xorg.libICE xorg.libX11 xorg.libXext xorg.libXft xorg.libSM ]
+    ++ optional  xdamageSupport     libXdamage
+    ++ optional  imlib2Support      imlib2
+    ++ optional  luaSupport         lua
+    ++ optionals luaImlib2Support   [ toluapp imlib2 ]
+    ++ optionals luaCairoSupport    [ toluapp cairo ]
+    ++ optional  wirelessSupport    wirelesstools
+    ++ optional  curlSupport        curl
+    ++ optional  rssSupport         libxml2
+    ++ optional  weatherXoapSupport libxml2
+    ++ optional  nvidiaSupport      libXNVCtrl
+    ++ optional  pulseSupport       libpulseaudio
+    ++ optional  journalSupport     systemd
+    ;
+
+  cmakeFlags = []
+    ++ optional docsSupport         "-DMAINTAINER_MODE=ON"
+    ++ optional curlSupport         "-DBUILD_CURL=ON"
+    ++ optional (!ibmSupport)       "-DBUILD_IBM=OFF"
+    ++ optional imlib2Support       "-DBUILD_IMLIB2=ON"
+    ++ optional luaCairoSupport     "-DBUILD_LUA_CAIRO=ON"
+    ++ optional luaImlib2Support    "-DBUILD_LUA_IMLIB2=ON"
+    ++ optional (!mpdSupport)       "-DBUILD_MPD=OFF"
+    ++ optional (!ncursesSupport)   "-DBUILD_NCURSES=OFF"
+    ++ optional rssSupport          "-DBUILD_RSS=ON"
+    ++ optional (!x11Support)       "-DBUILD_X11=OFF"
+    ++ optional xdamageSupport      "-DBUILD_XDAMAGE=ON"
+    ++ optional doubleBufferSupport "-DBUILD_XDBE=ON"
+    ++ optional weatherMetarSupport "-DBUILD_WEATHER_METAR=ON"
+    ++ optional weatherXoapSupport  "-DBUILD_WEATHER_XOAP=ON"
+    ++ optional wirelessSupport     "-DBUILD_WLAN=ON"
+    ++ optional nvidiaSupport       "-DBUILD_NVIDIA=ON"
+    ++ optional pulseSupport        "-DBUILD_PULSEAUDIO=ON"
+    ++ optional journalSupport      "-DBUILD_JOURNAL=ON"
+    ;
+
+  # `make -f src/CMakeFiles/conky.dir/build.make src/CMakeFiles/conky.dir/conky.cc.o`:
+  # src/conky.cc:137:23: fatal error: defconfig.h: No such file or directory
+  enableParallelBuilding = false;
+
+  doCheck = true;
+
+  meta = with lib; {
+    homepage = "https://conky.cc";
+    changelog = "https://github.com/brndnmtthws/conky/releases/tag/v${version}";
+    description = "Advanced, highly configurable system monitor based on torsmo";
+    maintainers = [ maintainers.guibert ];
+    license = licenses.gpl3Plus;
+    platforms = platforms.linux;
+  };
+}
diff --git a/nixpkgs/pkgs/os-specific/linux/conntrack-tools/default.nix b/nixpkgs/pkgs/os-specific/linux/conntrack-tools/default.nix
new file mode 100644
index 000000000000..42741fae5b6c
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/conntrack-tools/default.nix
@@ -0,0 +1,35 @@
+{ fetchurl, lib, stdenv, flex, bison, pkg-config, libmnl, libnfnetlink
+, libnetfilter_conntrack, libnetfilter_queue, libnetfilter_cttimeout
+, libnetfilter_cthelper, libtirpc
+, systemdSupport ? true, systemd
+}:
+
+stdenv.mkDerivation rec {
+  pname = "conntrack-tools";
+  version = "1.4.8";
+
+  src = fetchurl {
+    url = "https://www.netfilter.org/projects/conntrack-tools/files/${pname}-${version}.tar.xz";
+    hash = "sha256-BnZ39MX2VkgZ547TqdSomAk16pJz86uyKkIOowq13tY=";
+  };
+
+  buildInputs = [
+    libmnl libnfnetlink libnetfilter_conntrack libnetfilter_queue
+    libnetfilter_cttimeout libnetfilter_cthelper libtirpc
+  ] ++ lib.optionals systemdSupport [
+    systemd
+  ];
+  nativeBuildInputs = [ flex bison pkg-config ];
+
+  configureFlags = [
+    (lib.enableFeature systemdSupport "systemd")
+  ];
+
+  meta = with lib; {
+    homepage = "http://conntrack-tools.netfilter.org/";
+    description = "Connection tracking userspace tools";
+    platforms = platforms.linux;
+    license = licenses.gpl2Plus;
+    maintainers = with maintainers; [ fpletz ];
+  };
+}
diff --git a/nixpkgs/pkgs/os-specific/linux/consoletools/default.nix b/nixpkgs/pkgs/os-specific/linux/consoletools/default.nix
new file mode 100644
index 000000000000..61ddd5203cdc
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/consoletools/default.nix
@@ -0,0 +1,38 @@
+{ lib, stdenv, fetchurl, pkg-config, SDL, SDL2 }:
+
+stdenv.mkDerivation rec {
+  pname = "linuxconsoletools";
+  version = "1.8.1";
+
+  src = fetchurl {
+    url = "mirror://sourceforge/linuxconsole/${pname}-${version}.tar.bz2";
+    sha256 = "sha256-TaKXRceCt9sY9fN8Sed78WMSHdN2Hi/HY2+gy/NcJFY=";
+  };
+
+  nativeBuildInputs = [ pkg-config ];
+  buildInputs = [ SDL SDL2 ];
+
+  makeFlags = [ "DESTDIR=$(out)"];
+
+  installFlags = [ "PREFIX=\"\"" ];
+
+  meta = with lib; {
+    homepage = "https://sourceforge.net/projects/linuxconsole/";
+    description = "A set of tools for joysticks and serial peripherals";
+    license = licenses.gpl2Plus;
+    platforms = platforms.linux;
+    maintainers = with maintainers; [ pSub ebzzry ];
+
+    longDescription = ''
+      The included tools are:
+
+      ffcfstress(1)  - force-feedback stress test
+      ffmvforce(1)   - force-feedback orientation test
+      ffset(1)       - force-feedback configuration tool
+      fftest(1)      - general force-feedback test
+      jstest(1)      - joystick test
+      jscal(1)       - joystick calibration tool
+      inputattach(1) - connects legacy serial devices to the input layer
+    '';
+  };
+}
diff --git a/nixpkgs/pkgs/os-specific/linux/conspy/default.nix b/nixpkgs/pkgs/os-specific/linux/conspy/default.nix
new file mode 100644
index 000000000000..00e97855e261
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/conspy/default.nix
@@ -0,0 +1,32 @@
+{ lib, stdenv, fetchurl, autoconf, automake, ncurses }:
+
+stdenv.mkDerivation rec {
+  pname = "conspy";
+  version = "1.16";
+
+  src = fetchurl {
+    url = "mirror://sourceforge/project/conspy/conspy-${version}-1/conspy-${version}.tar.gz";
+    sha256 = "02andak806vd04bgjlr0y0d2ddx7cazyf8nvca80vlh8x94gcppf";
+    curlOpts = " -A application/octet-stream ";
+  };
+
+  nativeBuildInputs = [ autoconf automake ];
+  buildInputs = [
+    ncurses
+  ];
+
+  preConfigure = ''
+    touch NEWS
+    echo "EPL 1.0" > COPYING
+    aclocal
+    automake --add-missing
+    autoconf
+  '';
+
+  meta = with lib; {
+    description = "Linux text console viewer";
+    license = licenses.epl10;
+    maintainers = with maintainers; [ raskin ];
+    platforms = platforms.linux;
+  };
+}
diff --git a/nixpkgs/pkgs/os-specific/linux/cpufrequtils/default.nix b/nixpkgs/pkgs/os-specific/linux/cpufrequtils/default.nix
new file mode 100644
index 000000000000..f62d8463714e
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/cpufrequtils/default.nix
@@ -0,0 +1,32 @@
+{ lib, stdenv, fetchurl, libtool, gettext }:
+
+stdenv.mkDerivation rec {
+  pname = "cpufrequtils";
+  version = "008";
+
+  src = fetchurl {
+    url = "http://ftp.be.debian.org/pub/linux/utils/kernel/cpufreq/cpufrequtils-${version}.tar.gz";
+    hash = "sha256-AFOgcYPQaUg70GJhS8YcuAgMV32mHN9+ExsGThoa8Yg=";
+  };
+
+  patches = [
+    # I am not 100% sure that this is ok, but it breaks repeatable builds.
+    ./remove-pot-creation-date.patch
+  ];
+
+  patchPhase = ''
+    sed -e "s@= /usr/bin/@= @g" \
+      -e "s@/usr/@$out/@" \
+      -i Makefile
+  '';
+
+  buildInputs = [ stdenv.cc.libc.linuxHeaders libtool gettext ];
+
+  meta = with lib; {
+    description = "Tools to display or change the CPU governor settings";
+    homepage = "http://ftp.be.debian.org/pub/linux/utils/kernel/cpufreq/cpufrequtils.html";
+    license = licenses.gpl2Only;
+    platforms = [ "x86_64-linux" ];
+    mainProgram = "cpufreq-set";
+  };
+}
diff --git a/nixpkgs/pkgs/os-specific/linux/cpufrequtils/remove-pot-creation-date.patch b/nixpkgs/pkgs/os-specific/linux/cpufrequtils/remove-pot-creation-date.patch
new file mode 100644
index 000000000000..0116ed9eab0c
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/cpufrequtils/remove-pot-creation-date.patch
@@ -0,0 +1,24 @@
+diff -u cpufrequtils-008/Makefile cpufrequtils-008.new/Makefile
+--- cpufrequtils-008/Makefile	2012-05-06 01:17:18.000000000 +0200
++++ cpufrequtils-008.new/Makefile	2013-08-16 20:52:29.961086536 +0200
+@@ -205,7 +205,8 @@
+ 	@xgettext --default-domain=$(PACKAGE) --add-comments \
+ 		--keyword=_ --keyword=N_ $(UTIL_SRC) && \
+ 	test -f $(PACKAGE).po && \
+-	mv -f $(PACKAGE).po po/$(PACKAGE).pot
++	mv -f $(PACKAGE).po po/$(PACKAGE).pot && \
++        sed -i -e'/POT-Creation/d' po/*.pot
+ 
+ update-gmo: po/$(PACKAGE).pot
+ 	 @for HLANG in $(LANGUAGES); do \
+@@ -217,6 +218,7 @@
+ 			echo "msgmerge for $$HLANG failed!"; \
+ 			rm -f po/$$HLANG.new.po; \
+ 		fi; \
++		sed -i -e'/POT-Creation/d' po/*.po; \
+ 		msgfmt --statistics -o po/$$HLANG.gmo po/$$HLANG.po; \
+ 	done;
+ 
+Common subdirectories: cpufrequtils-008/man and cpufrequtils-008.new/man
+Common subdirectories: cpufrequtils-008/po and cpufrequtils-008.new/po
+Common subdirectories: cpufrequtils-008/utils and cpufrequtils-008.new/utils
diff --git a/nixpkgs/pkgs/os-specific/linux/cpuid/default.nix b/nixpkgs/pkgs/os-specific/linux/cpuid/default.nix
new file mode 100644
index 000000000000..396baa4b98c1
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/cpuid/default.nix
@@ -0,0 +1,55 @@
+{ lib
+, stdenv
+, fetchurl
+, perl
+}:
+
+stdenv.mkDerivation rec {
+  pname = "cpuid";
+  version = "20230614";
+
+  src = fetchurl {
+    url = "http://etallen.com/cpuid/${pname}-${version}.src.tar.gz";
+    sha256 = "sha256-scgwRe/CYHYwd1HgZi1YAnf1+b+JzwJyMaeBIAPDpOg=";
+  };
+
+  # For pod2man during the build process.
+  nativeBuildInputs = [
+    perl
+  ];
+
+  # As runtime dependency for cpuinfo2cpuid.
+  buildInputs = [
+    perl
+  ];
+
+  # The Makefile hardcodes $(BUILDROOT)/usr as installation
+  # destination. Just nuke all mentions of /usr to get the right
+  # installation location.
+  patchPhase = ''
+    sed -i -e 's,/usr/,/,' Makefile
+  '';
+
+  installPhase = ''
+    make install BUILDROOT=$out
+
+    if [ ! -x $out/bin/cpuid ]; then
+      echo Failed to properly patch Makefile.
+      exit 1
+    fi
+  '';
+
+  meta = with lib; {
+    description = "Linux tool to dump x86 CPUID information about the CPU";
+    longDescription = ''
+      cpuid dumps detailed information about the CPU(s) gathered from the CPUID
+      instruction, and also determines the exact model of CPU(s). It supports
+      Intel, AMD, VIA, Hygon, and Zhaoxin CPUs, as well as older Transmeta,
+      Cyrix, UMC, NexGen, Rise, and SiS CPUs.
+    '';
+    homepage = "http://etallen.com/cpuid.html";
+    license = licenses.gpl2Plus;
+    maintainers = with maintainers; [ blitz ];
+    platforms = [ "i686-linux" "x86_64-linux" ];
+  };
+}
diff --git a/nixpkgs/pkgs/os-specific/linux/cpupower-gui/default.nix b/nixpkgs/pkgs/os-specific/linux/cpupower-gui/default.nix
new file mode 100644
index 000000000000..1f57bc9428f0
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/cpupower-gui/default.nix
@@ -0,0 +1,103 @@
+{ lib
+, stdenv
+, fetchFromGitHub
+, fetchpatch
+, buildPythonApplication
+, appstream-glib
+, dbus-python
+, desktop-file-utils
+, gettext
+, glib
+, gobject-introspection
+, gtk3
+, hicolor-icon-theme
+, libappindicator
+, libhandy
+, meson
+, ninja
+, pkg-config
+, pygobject3
+, pyxdg
+, systemd
+, wrapGAppsHook
+}:
+
+buildPythonApplication rec {
+  pname = "cpupower-gui";
+  version = "1.0.0";
+
+  # This packages doesn't have a setup.py
+  format = "other";
+
+  src = fetchFromGitHub {
+    owner = "vagnum08";
+    repo = pname;
+    rev = "v${version}";
+    sha256 = "05lvpi3wgyi741sd8lgcslj8i7yi3wz7jwl7ca3y539y50hwrdas";
+  };
+
+  patches = [
+    # Fix build with 0.61, can be removed on next update
+    # https://hydra.nixos.org/build/171052557/nixlog/1
+    (fetchpatch {
+      url = "https://github.com/vagnum08/cpupower-gui/commit/97f8ac02fe33e412b59d3f3968c16a217753e74b.patch";
+      sha256 = "XYnpm03kq8JLMjAT73BMCJWlzz40IAuHESm715VV6G0=";
+    })
+  ];
+
+  nativeBuildInputs = [
+    appstream-glib
+    desktop-file-utils # needed for update-desktop-database
+    gettext
+    glib # needed for glib-compile-schemas
+    gobject-introspection # need for gtk namespace to be available
+    hicolor-icon-theme # needed for postinstall script
+    meson
+    ninja
+    pkg-config
+    wrapGAppsHook
+
+    # Python packages
+    dbus-python
+    libappindicator
+    pygobject3
+    pyxdg
+  ];
+
+  buildInputs = [
+    glib
+    gtk3
+    libhandy
+  ];
+
+  propagatedBuildInputs = [
+    dbus-python
+    libappindicator
+    pygobject3
+    pyxdg
+  ];
+
+  mesonFlags = [
+    "-Dsystemddir=${placeholder "out"}/lib/systemd"
+  ];
+
+  preConfigure = ''
+    patchShebangs build-aux/meson/postinstall.py
+  '';
+
+  strictDeps = false;
+  dontWrapGApps = true;
+
+  makeWrapperArgs = [ "\${gappsWrapperArgs[@]}" ];
+
+  postFixup = ''
+    wrapPythonProgramsIn $out/lib "$out $propagatedBuildInputs"
+  '';
+
+  meta = with lib; {
+    description = "Change the frequency limits of your cpu and its governor";
+    homepage = "https://github.com/vagnum08/cpupower-gui/";
+    license = licenses.gpl3Plus;
+    maintainers = with maintainers; [ unode ];
+  };
+}
diff --git a/nixpkgs/pkgs/os-specific/linux/cpupower/default.nix b/nixpkgs/pkgs/os-specific/linux/cpupower/default.nix
new file mode 100644
index 000000000000..13e2fc78b821
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/cpupower/default.nix
@@ -0,0 +1,44 @@
+{ lib, stdenv, buildPackages, kernel, pciutils, gettext }:
+
+stdenv.mkDerivation {
+  pname = "cpupower";
+  inherit (kernel) version src patches;
+
+  nativeBuildInputs = [ gettext ];
+  buildInputs = [ pciutils ];
+
+  postPatch = ''
+    cd tools/power/cpupower
+    sed -i 's,/bin/true,${buildPackages.coreutils}/bin/true,' Makefile
+    sed -i 's,/bin/pwd,${buildPackages.coreutils}/bin/pwd,' Makefile
+    sed -i 's,/usr/bin/install,${buildPackages.coreutils}/bin/install,' Makefile
+  '';
+
+  makeFlags = [
+    "CROSS=${stdenv.cc.targetPrefix}"
+    "CC=${stdenv.cc.targetPrefix}cc"
+    "LD=${stdenv.cc.targetPrefix}cc"
+  ];
+
+  installFlags = lib.mapAttrsToList
+    (n: v: "${n}dir=${placeholder "out"}/${v}") {
+    bin = "bin";
+    sbin = "sbin";
+    man = "share/man";
+    include = "include";
+    lib = "lib";
+    locale = "share/locale";
+    doc = "share/doc/cpupower";
+    conf = "etc";
+    bash_completion_ = "share/bash-completion/completions";
+  };
+
+  enableParallelBuilding = true;
+
+  meta = with lib; {
+    description = "Tool to examine and tune power saving features";
+    homepage = "https://www.kernel.org/";
+    license = licenses.gpl2;
+    platforms = platforms.linux;
+  };
+}
diff --git a/nixpkgs/pkgs/os-specific/linux/cpuset/default.nix b/nixpkgs/pkgs/os-specific/linux/cpuset/default.nix
new file mode 100644
index 000000000000..bb7a953c1195
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/cpuset/default.nix
@@ -0,0 +1,45 @@
+{ lib
+, fetchFromGitHub
+, fetchpatch
+, pythonPackages
+}:
+
+pythonPackages.buildPythonApplication rec {
+  pname = "cpuset";
+  version = "1.6";
+
+  propagatedBuildInputs = with pythonPackages; [
+    configparser
+    future
+  ];
+
+  # https://github.com/lpechacek/cpuset/pull/36
+  patches = [
+    (fetchpatch {
+      url = "https://github.com/MawKKe/cpuset/commit/a4b6b275d0a43d2794ab9e82922d3431aeea9903.patch";
+      sha256 = "1mi1xrql81iczl67s4dk2rm9r1mk36qhsa19wn7zgryf95krsix2";
+    })
+  ];
+
+  makeFlags = [ "prefix=$(out)" ];
+
+  src = fetchFromGitHub {
+    owner = "lpechacek";
+    repo = "cpuset";
+    rev = "v${version}";
+    sha256 = "0ig0ml2zd5542d0989872vmy7cs3qg7nxwa93k42bdkm50amhar4";
+  };
+
+  checkPhase = ''
+    cd t
+    make
+  '';
+
+  meta = with lib; {
+    description = "Python application that forms a wrapper around the standard Linux filesystem calls to make using the cpusets facilities in the Linux kernel easier";
+    homepage    = "https://github.com/lpechacek/cpuset";
+    license     = licenses.gpl2;
+    maintainers = with maintainers; [ thiagokokada wykurz ];
+    mainProgram = "cset";
+  };
+}
diff --git a/nixpkgs/pkgs/os-specific/linux/cpustat/default.nix b/nixpkgs/pkgs/os-specific/linux/cpustat/default.nix
new file mode 100644
index 000000000000..e5bbd388081e
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/cpustat/default.nix
@@ -0,0 +1,29 @@
+{ stdenv, lib, fetchFromGitHub, ncurses }:
+
+stdenv.mkDerivation rec {
+  pname = "cpustat";
+  version = "0.02.19";
+
+  src = fetchFromGitHub {
+    owner = "ColinIanKing";
+    repo = pname;
+    rev = "V${version}";
+    hash = "sha256-MujdgA+rFLrRc/N9yN7udnarA1TCzX//95hoXTUHG8Q=";
+  };
+
+  buildInputs = [ ncurses ];
+
+  installFlags = [
+    "BINDIR=${placeholder "out"}/bin"
+    "MANDIR=${placeholder "out"}/share/man/man8"
+    "BASHDIR=${placeholder "out"}/share/bash-completion/completions"
+  ];
+
+  meta = with lib; {
+    description = "CPU usage monitoring tool";
+    homepage = "https://github.com/ColinIanKing/cpustat";
+    license = licenses.gpl2;
+    platforms = platforms.linux;
+    maintainers = with maintainers; [ dtzWill ];
+  };
+}
diff --git a/nixpkgs/pkgs/os-specific/linux/cramfsprogs/default.nix b/nixpkgs/pkgs/os-specific/linux/cramfsprogs/default.nix
new file mode 100644
index 000000000000..59fbfed1b728
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/cramfsprogs/default.nix
@@ -0,0 +1,36 @@
+{ lib, stdenv
+, fetchurl
+, zlib
+}:
+
+stdenv.mkDerivation rec {
+  pname = "cramfsprogs";
+  version = "1.1";
+
+  src = fetchurl {
+    url = "mirror://debian/pool/main/c/cramfs/cramfs_${version}.orig.tar.gz";
+    sha256 = "0s13sabykbkbp0pcw8clxddwzxckyq7ywm2ial343ip7qjiaqg0k";
+  };
+
+  # CramFs is unmaintained upstream: https://tracker.debian.org/pkg/cramfs.
+  # So patch the "missing include" bug ourselves.
+  patches = [ ./include-sysmacros.patch ];
+
+  makeFlags = [
+    "CC=${stdenv.cc.targetPrefix}cc"
+  ];
+
+  installPhase = ''
+    install --target $out/bin -D cramfsck mkcramfs
+  '';
+
+  buildInputs = [ zlib ];
+
+  meta = with lib; {
+    description = "Tools to create, check, and extract content of CramFs images";
+    homepage = "https://packages.debian.org/jessie/cramfsprogs";
+    license = licenses.gpl2;
+    maintainers = with maintainers; [ pamplemousse ];
+    platforms = platforms.linux;
+  };
+}
diff --git a/nixpkgs/pkgs/os-specific/linux/cramfsprogs/include-sysmacros.patch b/nixpkgs/pkgs/os-specific/linux/cramfsprogs/include-sysmacros.patch
new file mode 100644
index 000000000000..7c115a66ac90
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/cramfsprogs/include-sysmacros.patch
@@ -0,0 +1,12 @@
+diff --git a/mkcramfs.c b/mkcramfs.c
+index a2ef018959d..bec83c112d1 100644
+--- a/mkcramfs.c
++++ b/mkcramfs.c
+@@ -22,6 +22,7 @@
+  * If you change the disk format of cramfs, please update fs/cramfs/README.
+  */
+ 
++#include <sys/sysmacros.h>
+ #include <sys/types.h>
+ #include <stdio.h>
+ #include <sys/stat.h>
diff --git a/nixpkgs/pkgs/os-specific/linux/cramfsswap/default.nix b/nixpkgs/pkgs/os-specific/linux/cramfsswap/default.nix
new file mode 100644
index 000000000000..f79921186388
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/cramfsswap/default.nix
@@ -0,0 +1,31 @@
+{lib, stdenv, fetchurl, zlib}:
+
+stdenv.mkDerivation rec {
+  pname = "cramfsswap";
+  version = "1.4.2";
+
+  src = fetchurl {
+    url = "mirror://debian/pool/main/c/cramfsswap/${pname}_${version}.tar.xz";
+    sha256 = "10mj45zx71inaa3l1d81g64f7yn1xcprvq4v4yzpdwbxqmqaikw1";
+  };
+  #  https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=996964
+  patches = [ ./parallel-make.patch ];
+
+  # Needed for cross-compilation
+  postPatch = ''
+    substituteInPlace Makefile --replace 'strip ' '$(STRIP) '
+  '';
+
+  buildInputs = [zlib];
+
+  installPhase = ''
+    install --target $out/bin -D cramfsswap
+  '';
+
+  meta = with lib; {
+    description = "Swap endianess of a cram filesystem (cramfs)";
+    homepage = "https://packages.debian.org/sid/utils/cramfsswap";
+    license = licenses.gpl2Only;
+    platforms = platforms.linux;
+  };
+}
diff --git a/nixpkgs/pkgs/os-specific/linux/cramfsswap/parallel-make.patch b/nixpkgs/pkgs/os-specific/linux/cramfsswap/parallel-make.patch
new file mode 100644
index 000000000000..280c5286b79a
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/cramfsswap/parallel-make.patch
@@ -0,0 +1,14 @@
+Fix parallel build failure bya dding the dependency.
+
+https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=996964
+--- a/Makefile
++++ b/Makefile
+@@ -6,7 +6,7 @@ debian: cramfsswap
+ cramfsswap: cramfsswap.c
+ 	$(CC) -Wall -g -O $(CPPFLAGS) $(CFLAGS) $(LDFLAGS) -o cramfsswap cramfsswap.c -lz
+ 
+-strip:
++strip: cramfsswap
+ 	strip cramfsswap
+ 
+ install: cramfsswap
diff --git a/nixpkgs/pkgs/os-specific/linux/crda/default.nix b/nixpkgs/pkgs/os-specific/linux/crda/default.nix
new file mode 100644
index 000000000000..ffed5fc36a78
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/crda/default.nix
@@ -0,0 +1,78 @@
+{ lib, stdenv, fetchurl, fetchpatch, libgcrypt, libnl, pkg-config, python3Packages, wireless-regdb }:
+
+stdenv.mkDerivation rec {
+  pname = "crda";
+  version = "4.14";
+
+  src = fetchurl {
+    url = "https://git.kernel.org/pub/scm/linux/kernel/git/mcgrof/crda.git/snapshot/crda-${version}.tar.gz";
+    sha256 = "sha256-Wo81u4snR09Gaw511FG6kXQz2KqxiJZ4pk2cTnKouMI=";
+  };
+
+  patches = [
+    # Fix python 3 build: except ImportError, e: SyntaxError: invalid syntax
+    (fetchpatch {
+      url = "https://raw.githubusercontent.com/archlinux/svntogit-packages/d234fddf451fab0f4fc412e2769f54e11f10d7d8/trunk/crda-4.14-python-3.patch";
+      sha256 = "sha256-KEezEKrfizq9k4ZiE2mf3Nl4JiBayhXeVnFl7wYh28Y=";
+    })
+
+    (fetchpatch {
+      url = "https://raw.githubusercontent.com/archlinux/svntogit-packages/d48ec843222b0d74c85bce86fa6f087c7dfdf952/trunk/0001-Makefile-Link-libreg.so-against-the-crypto-library.patch";
+      sha256 = "sha256-j93oydi209f22OF8aXZ/NczuUOnlhkdSeYvy2WRRvm0=";
+    })
+  ];
+
+  strictDeps = true;
+
+  nativeBuildInputs = [
+    pkg-config
+    python3Packages.m2crypto # only used for a build time script
+  ];
+
+  buildInputs = [
+    libgcrypt
+    libnl
+  ];
+
+  postPatch = ''
+    patchShebangs utils/
+    substituteInPlace Makefile \
+      --replace 'gzip' 'gzip -n' \
+      --replace ldconfig true \
+      --replace pkg-config $PKG_CONFIG
+    sed -i crda.c \
+      -e "/\/usr\/.*\/regulatory.bin/d" \
+      -e "s|/lib/crda|${wireless-regdb}/lib/crda|g"
+  '';
+
+  makeFlags = [
+    "PREFIX=$(out)"
+    "SBINDIR=$(out)/bin/"
+    "UDEV_RULE_DIR=$(out)/lib/udev/rules.d/"
+    "REG_BIN=${wireless-regdb}/lib/crda/regulatory.bin"
+  ];
+
+  buildFlags = [ "all_noverify" ];
+  enableParallelBuilding = true;
+
+  doCheck = true;
+  checkTarget = "verify";
+
+  meta = with lib; {
+    description = "Linux wireless Central Regulatory Domain Agent";
+    longDescription = ''
+      CRDA acts as the udev helper for communication between the kernel and
+      userspace for regulatory compliance. It relies on nl80211 for communication.
+
+      CRDA is intended to be run only through udev communication from the kernel.
+      To use it under NixOS, add
+
+        services.udev.packages = [ pkgs.crda ];
+
+      to the system configuration.
+    '';
+    homepage = "https://wireless.wiki.kernel.org/en/developers/regulatory/crda";
+    license = licenses.free; # "copyleft-next 0.3.0", as yet without a web site
+    platforms = platforms.linux;
+  };
+}
diff --git a/nixpkgs/pkgs/os-specific/linux/criu/default.nix b/nixpkgs/pkgs/os-specific/linux/criu/default.nix
new file mode 100644
index 000000000000..7940ce060e4d
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/criu/default.nix
@@ -0,0 +1,122 @@
+{ stdenv, lib, fetchFromGitHub, fetchpatch, protobuf, protobufc, asciidoc, iptables
+, xmlto, docbook_xsl, libpaper, libnl, libcap, libnet, pkg-config, iproute2, gzip
+, which, python3, makeWrapper, docbook_xml_dtd_45, perl, nftables, libbsd, gnutar
+, buildPackages
+}:
+
+stdenv.mkDerivation rec {
+  pname = "criu";
+  version = "3.17.1";
+
+  src = fetchFromGitHub {
+    owner = "checkpoint-restore";
+    repo = pname;
+    rev = "v${version}";
+    hash = "sha256-0B0cdX5bemy4glF9iWjrQIXIqilyYcCcAN9x4Jjrwzk=";
+  };
+
+  patches = [
+    # Fixes redefinition of rseq headers
+    (fetchpatch {
+      url = "https://github.com/checkpoint-restore/criu/commit/1e6e826ffb7ac05f33fa123051c2fc2ddf0f68ea.patch";
+      hash = "sha256-LJjk0jQ5v5wqeprvBMpxhjLXn7v+lSPldEGgazGUM44=";
+    })
+
+    # compat fixes for glibc-2.36
+    (fetchpatch {
+      url = "https://github.com/checkpoint-restore/criu/commit/8cd5fccd6cf3d03afb5abe463134d31f54d42258.patch";
+      sha256 = "sha256-b65DdLmyIuZik0dNRuWJKUPcDFA6CKq0bi4Vd26zgS4=";
+    })
+    (fetchpatch {
+      url = "https://github.com/checkpoint-restore/criu/commit/517c0947050e63aac72f63a3bf373d76264723b9.patch";
+      sha256 = "sha256-MPZ6oILVoZ7BQEZFjUlp3RuMC7iKTKXAtrUDFqbN4T8=";
+    })
+  ];
+
+  enableParallelBuilding = true;
+  depsBuildBuild = [ protobufc buildPackages.stdenv.cc ];
+  nativeBuildInputs = [
+    pkg-config
+    asciidoc
+    xmlto
+    libpaper
+    docbook_xsl
+    which
+    makeWrapper
+    docbook_xml_dtd_45
+    python3
+    python3.pkgs.wrapPython
+    perl
+  ];
+  buildInputs = [
+    protobuf
+    libnl
+    libcap
+    libnet
+    nftables
+    libbsd
+  ];
+  propagatedBuildInputs = [
+    protobufc
+  ] ++ (with python3.pkgs; [
+    python
+    python3.pkgs.protobuf
+  ]);
+
+  postPatch = ''
+    substituteInPlace ./Documentation/Makefile \
+      --replace "2>/dev/null" "" \
+      --replace "-m custom.xsl" "-m custom.xsl --skip-validation -x ${docbook_xsl}/xml/xsl/docbook/manpages/docbook.xsl"
+    substituteInPlace ./Makefile --replace "head-name := \$(shell git tag -l v\$(CRIU_VERSION))" "head-name = ${version}.0"
+    ln -sf ${protobuf}/include/google/protobuf/descriptor.proto ./images/google/protobuf/descriptor.proto
+  '';
+
+  makeFlags = let
+    # criu's Makefile infrastructure expects to be passed a target architecture
+    # which neither matches the config-tuple's first part, nor the
+    # targetPlatform.linuxArch attribute. Thus we take the latter and map it
+    # onto the expected string:
+    linuxArchMapping = {
+      "x86_64" = "x86";
+      "arm" = "arm";
+      "arm64" = "aarch64";
+      "powerpc" = "ppc64";
+      "s390" = "s390";
+      "mips" = "mips";
+    };
+  in [
+    "PREFIX=$(out)"
+    "ASCIIDOC=${buildPackages.asciidoc}/bin/asciidoc"
+    "XMLTO=${buildPackages.xmlto}/bin/xmlto"
+  ] ++ (lib.optionals (stdenv.buildPlatform != stdenv.targetPlatform) [
+    "ARCH=${linuxArchMapping."${stdenv.targetPlatform.linuxArch}"}"
+    "CROSS_COMPILE=${stdenv.targetPlatform.config}-"
+  ]);
+
+  outputs = [ "out" "dev" "man" ];
+
+  preBuild = ''
+    # No idea why but configure scripts break otherwise.
+    export SHELL=""
+  '';
+
+  hardeningDisable = [ "stackprotector" "fortify" ];
+  # dropping fortify here as well as package uses it by default:
+  # command-line>:0:0: error: "_FORTIFY_SOURCE" redefined [-Werror]
+
+  postFixup = ''
+    wrapProgram $out/bin/criu \
+      --set-default CR_IPTABLES ${iptables}/bin/iptables \
+      --set-default CR_IP_TOOL ${iproute2}/bin/ip \
+      --prefix PATH : ${lib.makeBinPath [ gnutar gzip ]}
+    wrapPythonPrograms
+  '';
+
+  meta = with lib; {
+    description = "Userspace checkpoint/restore for Linux";
+    homepage    = "https://criu.org";
+    license     = licenses.gpl2;
+    platforms   = [ "x86_64-linux" "aarch64-linux" "armv7l-linux" ];
+    maintainers = [ maintainers.thoughtpolice ];
+  };
+}
diff --git a/nixpkgs/pkgs/os-specific/linux/cryptodev/default.nix b/nixpkgs/pkgs/os-specific/linux/cryptodev/default.nix
new file mode 100644
index 000000000000..296e4b79b3e0
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/cryptodev/default.nix
@@ -0,0 +1,30 @@
+{ fetchFromGitHub, lib, stdenv, kernel ? false }:
+
+stdenv.mkDerivation rec {
+  pname = "cryptodev-linux-1.13";
+  name = "${pname}-${kernel.version}";
+
+  src = fetchFromGitHub {
+    owner = "cryptodev-linux";
+    repo = "cryptodev-linux";
+    rev = pname;
+    hash = "sha256-EzTPoKYa+XWOAa/Dk7ru02JmlymHeXVX7RMmEoJ1OT0=";
+  };
+
+  nativeBuildInputs = kernel.moduleBuildDependencies;
+  hardeningDisable = [ "pic" ];
+
+  makeFlags = kernel.makeFlags ++ [
+    "KERNEL_DIR=${kernel.dev}/lib/modules/${kernel.modDirVersion}/build"
+    "INSTALL_MOD_PATH=$(out)"
+    "prefix=$(out)"
+  ];
+
+  meta = {
+    description = "Device that allows access to Linux kernel cryptographic drivers";
+    homepage = "http://cryptodev-linux.org/";
+    maintainers = with lib.maintainers; [ fortuneteller2k ];
+    license = lib.licenses.gpl2Plus;
+    platforms = lib.platforms.linux;
+  };
+}
diff --git a/nixpkgs/pkgs/os-specific/linux/cryptsetup/default.nix b/nixpkgs/pkgs/os-specific/linux/cryptsetup/default.nix
new file mode 100644
index 000000000000..fbff9a3363de
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/cryptsetup/default.nix
@@ -0,0 +1,88 @@
+{ lib, stdenv, fetchurl, lvm2, json_c, asciidoctor
+, openssl, libuuid, pkg-config, popt, nixosTests
+, libargon2, withInternalArgon2 ? false
+
+  # Programs enabled by default upstream are implicitly enabled unless
+  # manually set to false.
+, programs ? {}
+  # The release tarballs contain precomputed manpage files, so we don't need
+  # to run asciidoctor on the man sources. By avoiding asciidoctor, we make
+  # the bare NixOS build hash independent of changes to the ruby ecosystem,
+  # saving mass-rebuilds.
+, rebuildMan ? false
+}:
+
+stdenv.mkDerivation rec {
+  pname = "cryptsetup";
+  version = "2.6.1";
+
+  outputs = [ "bin" "out" "dev" "man" ];
+  separateDebugInfo = true;
+
+  src = fetchurl {
+    url = "mirror://kernel/linux/utils/cryptsetup/v${lib.versions.majorMinor version}/${pname}-${version}.tar.xz";
+    hash = "sha256-QQ3tZaEHKrnI5Brd7Te5cpwIf+9NLbArtO9SmtbaRpM=";
+  };
+
+  patches = [
+    # Allow reading tokens from a relative path, see #167994
+    ./relative-token-path.patch
+  ];
+
+  postPatch = ''
+    patchShebangs tests
+
+    # O_DIRECT is filesystem dependent and fails in a sandbox (on tmpfs)
+    # and on several filesystem types (btrfs, zfs) without sandboxing.
+    # Remove it, see discussion in #46151
+    substituteInPlace tests/unit-utils-io.c --replace "| O_DIRECT" ""
+  '';
+
+  NIX_LDFLAGS = lib.optionalString (stdenv.cc.isGNU && !stdenv.hostPlatform.isStatic) "-lgcc_s";
+
+  configureFlags = [
+    "--with-crypto_backend=openssl"
+    "--disable-ssh-token"
+  ] ++ lib.optionals (!rebuildMan) [
+    "--disable-asciidoc"
+  ] ++ lib.optionals (!withInternalArgon2) [
+    "--enable-libargon2"
+  ] ++ lib.optionals stdenv.hostPlatform.isStatic [
+    "--disable-external-tokens"
+    # We have to override this even though we're removing token
+    # support, because the path still gets included in the binary even
+    # though it isn't used.
+    "--with-luks2-external-tokens-path=/"
+  ] ++ (with lib; mapAttrsToList (flip enableFeature)) programs;
+
+  nativeBuildInputs = [ pkg-config ] ++ lib.optionals rebuildMan [ asciidoctor ];
+  buildInputs = [ lvm2 json_c openssl libuuid popt ] ++ lib.optional (!withInternalArgon2) libargon2;
+
+  # The test [7] header backup in compat-test fails with a mysterious
+  # "out of memory" error, even though tons of memory is available.
+  # Issue filed upstream: https://gitlab.com/cryptsetup/cryptsetup/-/issues/763
+  doCheck = !stdenv.hostPlatform.isMusl;
+
+  passthru = {
+    tests = {
+      nixos =
+        lib.optionalAttrs stdenv.hostPlatform.isLinux (
+          lib.recurseIntoAttrs (
+            lib.filterAttrs
+              (name: _value: lib.hasPrefix "luks" name)
+              nixosTests.installer
+          )
+        );
+    };
+  };
+
+  meta = {
+    homepage = "https://gitlab.com/cryptsetup/cryptsetup/";
+    description = "LUKS for dm-crypt";
+    changelog = "https://gitlab.com/cryptsetup/cryptsetup/-/raw/v${version}/docs/v${version}-ReleaseNotes";
+    license = lib.licenses.gpl2;
+    mainProgram = "cryptsetup";
+    maintainers = with lib.maintainers; [ raitobezarius ];
+    platforms = with lib.platforms; linux;
+  };
+}
diff --git a/nixpkgs/pkgs/os-specific/linux/cryptsetup/relative-token-path.patch b/nixpkgs/pkgs/os-specific/linux/cryptsetup/relative-token-path.patch
new file mode 100644
index 000000000000..dffd0ba3bb52
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/cryptsetup/relative-token-path.patch
@@ -0,0 +1,50 @@
+From 4f95ab1f8110a8ab9d7b0e192731ce467f6e5c26 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Janne=20He=C3=9F?= <janne@hess.ooo>
+Date: Sun, 4 Sep 2022 11:15:02 -0600
+Subject: [PATCH] Allow loading token handlers from the default search path
+
+Since [1] landed in cryptsetup, token handlers (libcryptsetup-token-*.so)
+are loaded from a fixed path defined at compile-time. This is
+problematic with NixOS since it introduces a dependency cycle
+between cryptsetup and systemd.
+
+This downstream patch [2] allows loading token plugins from the
+default library search path. This approach is not accepted upstream [3]
+due to security concerns, but the potential attack vectors require
+root access and they are sufficiently addressed:
+
+* cryptsetup could be used as a setuid binary (not used in NixOS).
+  In this case, LD_LIBRARY_PATH is ignored because of secure-execution
+  mode.
+* cryptsetup running as root could lead to a malicious token handler
+  being loaded through LD_LIBRARY_PATH. However, fixing the path
+  doesn't prevent the same malicious .so being loaded through LD_PRELOAD.
+
+[1] https://gitlab.com/cryptsetup/cryptsetup/-/commit/5b9e98f94178d3cd179d9f6e2a0a68c7d9eb6507
+[2] https://github.com/NixOS/nixpkgs/issues/167994#issuecomment-1094249369
+[3] https://gitlab.com/cryptsetup/cryptsetup/-/issues/733
+---
+ lib/luks2/luks2_token.c | 4 +---
+ 1 file changed, 1 insertion(+), 3 deletions(-)
+
+diff --git a/lib/luks2/luks2_token.c b/lib/luks2/luks2_token.c
+index 26467253..6f8329f0 100644
+--- a/lib/luks2/luks2_token.c
++++ b/lib/luks2/luks2_token.c
+@@ -151,12 +151,10 @@ crypt_token_load_external(struct crypt_device *cd, const char *name, struct cryp
+ 
+ 	token = &ret->u.v2;
+ 
+-	r = snprintf(buf, sizeof(buf), "%s/libcryptsetup-token-%s.so", crypt_token_external_path(), name);
++	r = snprintf(buf, sizeof(buf), "libcryptsetup-token-%s.so", name);
+ 	if (r < 0 || (size_t)r >= sizeof(buf))
+ 		return -EINVAL;
+ 
+-	assert(*buf == '/');
+-
+ 	log_dbg(cd, "Trying to load %s.", buf);
+ 
+ 	h = dlopen(buf, RTLD_LAZY);
+-- 
+2.37.2
+
diff --git a/nixpkgs/pkgs/os-specific/linux/cshatag/default.nix b/nixpkgs/pkgs/os-specific/linux/cshatag/default.nix
new file mode 100644
index 000000000000..84de0c5dd11d
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/cshatag/default.nix
@@ -0,0 +1,29 @@
+{ lib, buildGoModule, fetchFromGitHub }:
+
+buildGoModule rec {
+  pname = "cshatag";
+  version = "2.1.0";
+
+  src = fetchFromGitHub {
+    owner = "rfjakob";
+    repo = pname;
+    rev = "v${version}";
+    sha256 = "sha256-Ez8zGVX10A7xuggkh3n7w/qzda8f4t6EgSc9l6SPEZQ=";
+  };
+
+  vendorHash = "sha256-QTnwltsoyUbH4vob5go1KBrb9gwxaaPNW3S4sxVls3k=";
+
+  ldflags = [ "-s" "-w" ];
+
+  postInstall = ''
+    # Install man page
+    install -D -m755 -t $out/share/man/man1/ cshatag.1
+  '';
+
+  meta = with lib; {
+    description = "A tool to detect silent data corruption";
+    homepage = "https://github.com/rfjakob/cshatag";
+    license = licenses.mit;
+    platforms = platforms.linux;
+  };
+}
diff --git a/nixpkgs/pkgs/os-specific/linux/dbus-broker/default.nix b/nixpkgs/pkgs/os-specific/linux/dbus-broker/default.nix
new file mode 100644
index 000000000000..847f76a528ce
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/dbus-broker/default.nix
@@ -0,0 +1,96 @@
+{ lib
+, stdenv
+, fetchFromGitHub
+, docutils
+, meson
+, ninja
+, pkg-config
+, dbus
+, linuxHeaders
+, systemd
+}:
+
+let
+
+  dep = { pname, version, hash, rev ? "v${version}", buildInputs ? [ ] }:
+    stdenv.mkDerivation {
+      inherit pname version;
+      src = fetchFromGitHub {
+        owner = "c-util";
+        repo = pname;
+        inherit hash rev;
+      };
+      nativeBuildInputs = [ meson ninja pkg-config ];
+      inherit buildInputs;
+    };
+
+  # These libraries are not used outside of dbus-broker.
+  #
+  # If that changes, we can always break them out, but they are essentially
+  # part of the dbus-broker project, just in separate repositories.
+  c-dvar = dep { pname = "c-dvar"; version = "1.0.0"; hash = "sha256-P7y7gUHXQn2eyS6IcV7m7yGy4VGtQ2orgBkS7Y729ZY="; buildInputs = [ c-stdaux c-utf8 ]; };
+  c-ini = dep { pname = "c-ini"; version = "1.0.0"; hash = "sha256-VKxoGexMcquakMmiH5IJt0382TjkV1FLncTSyEqf4X0="; buildInputs = [ c-list c-rbtree c-stdaux c-utf8 ]; };
+  c-list = dep { pname = "c-list"; version = "3.1.0"; hash = "sha256-fp3EAqcbFCLaT2EstLSzwP2X13pi2EFpFAullhoCtpw="; };
+  c-rbtree = dep { pname = "c-rbtree"; version = "3.1.0"; hash = "sha256-ozVzL6FllAn8eHbso0RZc/+PGWwEp6r/R1MR+r4Bi/4="; buildInputs = [ c-stdaux ]; };
+  c-shquote = dep { pname = "c-shquote"; version = "1.0.0"; hash = "sha256-Ze1enX0VJ6Xi5e4EhWzaiHc7PnuaifrUP+JuJnauv5c="; buildInputs = [ c-stdaux ]; };
+  c-stdaux = dep { pname = "c-stdaux"; version = "1.4.0"; hash = "sha256-gEqXVBAUE0dHD03ina9QbEP26NU12cHKRpuD7GoPmDs="; };
+  c-utf8 = dep { pname = "c-utf8"; version = "1.0.0"; hash = "sha256-QEnjmfQ6kxJdsHfyRgXAlP+oGrKLYQ0m9r+D2L+pizI="; buildInputs = [ c-stdaux ]; };
+
+in
+
+stdenv.mkDerivation ( finalAttrs: {
+  pname = "dbus-broker";
+  version = "33";
+
+  src = fetchFromGitHub {
+    owner = "bus1";
+    repo = "dbus-broker";
+    rev = "v${finalAttrs.version}";
+    hash = "sha256-c5kEUB2k9CCuno9d4QOUUp1wbQfsvraGDLN6Yaa7T2w=";
+  };
+
+  patches = [ ./paths.patch ];
+
+  nativeBuildInputs = [ docutils meson ninja pkg-config ];
+
+  buildInputs = [
+    c-dvar
+    c-ini
+    c-list
+    c-rbtree
+    c-shquote
+    c-stdaux
+    c-utf8
+    dbus
+    linuxHeaders
+    systemd
+  ];
+
+  mesonFlags = [
+    # while we technically support 4.9 and 4.14, the NixOS module will throw an
+    # error when using a kernel that's too old
+    "-D=linux-4-17=true"
+    "-D=system-console-users=gdm,sddm,lightdm"
+  ];
+
+  PKG_CONFIG_SYSTEMD_SYSTEMDSYSTEMUNITDIR = "${placeholder "out"}/lib/systemd/system";
+  PKG_CONFIG_SYSTEMD_SYSTEMDUSERUNITDIR = "${placeholder "out"}/lib/systemd/user";
+  PKG_CONFIG_SYSTEMD_CATALOGDIR = "${placeholder "out"}/lib/systemd/catalog";
+
+  postInstall = ''
+    install -Dm444 $src/README.md $out/share/doc/dbus-broker/README
+
+    sed -i $out/lib/systemd/{system,user}/dbus-broker.service \
+      -e 's,^ExecReload.*busctl,ExecReload=${systemd}/bin/busctl,'
+  '';
+
+  doCheck = true;
+
+  meta = with lib; {
+    description = "Linux D-Bus Message Broker";
+    homepage = "https://github.com/bus1/dbus-broker/wiki";
+    license = licenses.asl20;
+    maintainers = with maintainers; [ peterhoeg ];
+    platforms = platforms.linux;
+  };
+} )
diff --git a/nixpkgs/pkgs/os-specific/linux/dbus-broker/paths.patch b/nixpkgs/pkgs/os-specific/linux/dbus-broker/paths.patch
new file mode 100644
index 000000000000..577270d30dce
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/dbus-broker/paths.patch
@@ -0,0 +1,27 @@
+diff --git a/src/launch/launcher.c b/src/launch/launcher.c
+index 5bf5cf5..06ce7f4 100644
+--- a/src/launch/launcher.c
++++ b/src/launch/launcher.c
+@@ -924,9 +924,7 @@ static int launcher_load_standard_session_services(Launcher *launcher, NSSCache
+ 
+ static int launcher_load_standard_system_services(Launcher *launcher, NSSCache *nss_cache) {
+         static const char *default_data_dirs[] = {
+-                "/usr/local/share",
+-                "/usr/share",
+-                "/lib",
++                "/run/current-system/sw/share",
+                 NULL,
+         };
+         const char *suffix = "dbus-1/system-services";
+@@ -1012,9 +1010,9 @@ static int launcher_parse_config(Launcher *launcher, ConfigRoot **rootp, NSSCach
+         if (launcher->configfile)
+                 configfile = launcher->configfile;
+         else if (launcher->user_scope)
+-                configfile = "/usr/share/dbus-1/session.conf";
++                configfile = "/etc/dbus-1/session.conf";
+         else
+-                configfile = "/usr/share/dbus-1/system.conf";
++                configfile = "/etc/dbus-1/system.conf";
+ 
+         config_parser_init(&parser);
+ 
diff --git a/nixpkgs/pkgs/os-specific/linux/dcgm/default.nix b/nixpkgs/pkgs/os-specific/linux/dcgm/default.nix
new file mode 100644
index 000000000000..f3ebdf1427eb
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/dcgm/default.nix
@@ -0,0 +1,139 @@
+{ lib
+, gcc11Stdenv
+, fetchFromGitHub
+, catch2
+, cmake
+, cudaPackages_10_2
+, cudaPackages_11_8
+, cudaPackages_12
+, fmt_9
+, git
+, jsoncpp
+, libevent
+, plog
+, python3
+, symlinkJoin
+, tclap_1_4
+, yaml-cpp
+}:
+let
+  # Flags copied from DCGM's libevent build script
+  libevent-nossl = libevent.override { sslSupport = false; };
+  libevent-nossl-static = libevent-nossl.overrideAttrs (super: {
+    CFLAGS = "-Wno-cast-function-type -Wno-implicit-fallthrough -fPIC";
+    CXXFLAGS = "-Wno-cast-function-type -Wno-implicit-fallthrough -fPIC";
+    configureFlags = super.configureFlags ++ [ "--disable-shared" "--with-pic" ];
+  });
+
+  jsoncpp-static = jsoncpp.override { enableStatic = true; };
+
+  # DCGM depends on 3 different versions of CUDA at the same time.
+  # The runtime closure, thankfully, is quite small because most things
+  # are statically linked.
+  cudaPackageSetByVersion = [
+    {
+      version = "10";
+      # Nixpkgs cudaPackages_10 doesn't have redist packages broken out.
+      pkgSet = [
+        cudaPackages_10_2.cudatoolkit
+        cudaPackages_10_2.cudatoolkit.lib
+      ];
+    }
+    {
+      version = "11";
+      pkgSet = getCudaPackages cudaPackages_11_8;
+    }
+    {
+      version = "12";
+      pkgSet = getCudaPackages cudaPackages_12;
+    }
+  ];
+
+  # Select needed redist packages from cudaPackages
+  # C.f. https://github.com/NVIDIA/DCGM/blob/7e1012302679e4bb7496483b32dcffb56e528c92/dcgmbuild/scripts/0080_cuda.sh#L24-L39
+  getCudaPackages = p: with p; [
+    cuda_cccl
+    cuda_cudart
+    cuda_nvcc
+    cuda_nvml_dev
+    libcublas
+    libcufft
+    libcurand
+  ];
+
+  # Builds CMake code to add CUDA paths for include and lib.
+  mkAppendCudaPaths = { version, pkgSet }:
+    let
+      # The DCGM CMake assumes that the folder containing cuda.h contains all headers, so we must
+      # combine everything together for headers to work.
+      # It would be more convenient to use symlinkJoin on *just* the include subdirectories
+      # of each package, but not all of them have an include directory and making that work
+      # is more effort than it's worth for this temporary, build-time package.
+      combined = symlinkJoin {
+        name = "cuda-combined-${version}";
+        paths = pkgSet;
+      };
+      # The combined package above breaks the build for some reason so we just configure
+      # each package's library path.
+      libs = lib.concatMapStringsSep " " (x: ''"${x}/lib"'') pkgSet;
+    in ''
+      list(APPEND Cuda${version}_INCLUDE_PATHS "${combined}/include")
+      list(APPEND Cuda${version}_LIB_PATHS ${libs})
+    '';
+
+# gcc11 is required by DCGM's very particular build system
+# C.f. https://github.com/NVIDIA/DCGM/blob/7e1012302679e4bb7496483b32dcffb56e528c92/dcgmbuild/build.sh#L22
+in gcc11Stdenv.mkDerivation rec {
+  pname = "dcgm";
+  version = "3.2.5"; # N.B: If you change this, be sure prometheus-dcgm-exporter supports this version.
+
+  src = fetchFromGitHub {
+    owner = "NVIDIA";
+    repo = "DCGM";
+    rev = "refs/tags/v${version}";
+    hash = "sha256-iMyYOr3dSpdRV2S/TlB/tEOAWYhK09373ZRbd5vzogQ=";
+  };
+
+  # Add our paths to the CUDA paths so FindCuda.cmake can find them.
+  EXTRA_CUDA_PATHS = lib.concatMapStringsSep "\n" mkAppendCudaPaths cudaPackageSetByVersion;
+  prePatch = ''
+    echo "$EXTRA_CUDA_PATHS"$'\n'"$(cat cmake/FindCuda.cmake)" > cmake/FindCuda.cmake
+  '';
+
+  hardeningDisable = [ "all" ];
+
+  strictDeps = true;
+
+  nativeBuildInputs = [
+    # autoAddOpenGLRunpathHook does not actually depend on or incur any dependency
+    # of cudaPackages. It merely adds an impure, non-Nix PATH to the RPATHs of
+    # executables that need to use cuda at runtime.
+    cudaPackages_12.autoAddOpenGLRunpathHook
+
+    cmake
+    git
+    python3
+  ];
+
+  buildInputs = [
+    plog.dev # header-only
+    tclap_1_4 # header-only
+
+    catch2
+    fmt_9
+    jsoncpp-static
+    libevent-nossl-static
+    yaml-cpp
+  ];
+
+  disallowedReferences = lib.concatMap (x: x.pkgSet) cudaPackageSetByVersion;
+
+  meta = with lib; {
+    description = "Data Center GPU Manager (DCGM) is a daemon that allows users to monitor NVIDIA data-center GPUs.";
+    homepage = "https://developer.nvidia.com/dcgm";
+    license = licenses.asl20;
+    maintainers = teams.deshaw.members;
+    mainProgram = "dcgmi";
+    platforms = platforms.linux;
+  };
+}
diff --git a/nixpkgs/pkgs/os-specific/linux/ddcci/default.nix b/nixpkgs/pkgs/os-specific/linux/ddcci/default.nix
new file mode 100644
index 000000000000..ce435b3874f3
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/ddcci/default.nix
@@ -0,0 +1,43 @@
+{ lib, stdenv, fetchFromGitLab, kernel }:
+
+stdenv.mkDerivation rec {
+  pname = "ddcci-driver";
+  version = "0.4.4";
+  name = "${pname}-${kernel.version}-${version}";
+
+  src = fetchFromGitLab {
+    owner = "${pname}-linux";
+    repo = "${pname}-linux";
+    rev = "v${version}";
+    hash = "sha256-4pCfXJcteWwU6cK8OOSph4XlhKTk289QqLxsSWY7cac=";
+  };
+
+  hardeningDisable = [ "pic" ];
+
+  nativeBuildInputs = kernel.moduleBuildDependencies;
+
+  prePatch = ''
+    substituteInPlace ./ddcci/Makefile \
+      --replace '"$(src)"' '$(PWD)' \
+      --replace depmod \#
+    substituteInPlace ./ddcci-backlight/Makefile \
+      --replace '"$(src)"' '$(PWD)' \
+      --replace depmod \#
+  '';
+
+  makeFlags = kernel.makeFlags ++ [
+    "KDIR=${kernel.dev}/lib/modules/${kernel.modDirVersion}/build"
+    "KVER=${kernel.modDirVersion}"
+    "KERNEL_MODLIB=$(out)/lib/modules/${kernel.modDirVersion}"
+    "INCLUDEDIR=$(out)/include"
+  ];
+
+  meta = with lib; {
+    description = "Kernel module driver for DDC/CI monitors";
+    homepage = "https://gitlab.com/ddcci-driver-linux/ddcci-driver-linux";
+    license = licenses.gpl2Plus;
+    maintainers = with maintainers; [ ];
+    platforms = platforms.linux;
+    broken = kernel.kernelOlder "5.1";
+  };
+}
diff --git a/nixpkgs/pkgs/os-specific/linux/dddvb/default.nix b/nixpkgs/pkgs/os-specific/linux/dddvb/default.nix
new file mode 100644
index 000000000000..809010be2a72
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/dddvb/default.nix
@@ -0,0 +1,49 @@
+{ lib
+, stdenv
+, fetchFromGitHub
+, fetchpatch
+, kernel
+}:
+
+stdenv.mkDerivation rec {
+  pname = "dddvb";
+  version = "0.9.38-pre.6";
+
+  src = fetchFromGitHub {
+    owner = "DigitalDevices";
+    repo = "dddvb";
+    rev = "refs/tags/${version}";
+    hash = "sha256-bt/vMnqRWDDChZ6R4JbCr77cz3nlSPkx6siC9KLSEqs=";
+  };
+
+  patches = [
+    (fetchpatch {
+      # pci_*_dma_mask no longer exists in 5.18
+      url = "https://github.com/DigitalDevices/dddvb/commit/871821d6a0be147313bb52570591ce3853b3d370.patch";
+      hash = "sha256-wY05HrsduvsIdp/KpS9NWfL3hR9IvGjuNCDljFn7dd0=";
+    })
+  ];
+
+  postPatch = ''
+    sed -i '/depmod/d' Makefile
+  '';
+
+  nativeBuildInputs = kernel.moduleBuildDependencies;
+
+  makeFlags = [
+    "KDIR=${kernel.dev}/lib/modules/${kernel.modDirVersion}/build"
+  ];
+
+  INSTALL_MOD_PATH = placeholder "out";
+
+  enableParallelBuilding = true;
+
+  meta = with lib; {
+    homepage = "https://github.com/DigitalDevices/dddvb";
+    description = "ddbridge linux driver";
+    license = licenses.gpl2Only;
+    maintainers = with maintainers; [ hexa ];
+    platforms = platforms.linux;
+    broken = lib.versionAtLeast kernel.version "6.2";
+  };
+}
diff --git a/nixpkgs/pkgs/os-specific/linux/decklink/default.nix b/nixpkgs/pkgs/os-specific/linux/decklink/default.nix
new file mode 100644
index 000000000000..63bfe4a63af2
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/decklink/default.nix
@@ -0,0 +1,52 @@
+{ stdenv
+, lib
+, blackmagic-desktop-video
+, kernel
+}:
+
+stdenv.mkDerivation rec {
+  pname = "decklink";
+
+  # the download is a horrible curl mess. we reuse it between the kernel module
+  # and desktop service, since the version of the two have to match anyways.
+  # See pkgs/tools/video/blackmagic-desktop-video/default.nix for more.
+  inherit (blackmagic-desktop-video) src version;
+
+  KERNELDIR = "${kernel.dev}/lib/modules/${kernel.modDirVersion}/build";
+  INSTALL_MOD_PATH = placeholder "out";
+
+  nativeBuildInputs =  kernel.moduleBuildDependencies;
+
+  postUnpack = ''
+    tar xf Blackmagic_Desktop_Video_Linux_${lib.versions.majorMinor version}/other/${stdenv.hostPlatform.uname.processor}/desktopvideo-${version}-${stdenv.hostPlatform.uname.processor}.tar.gz
+    moduleRoot=$NIX_BUILD_TOP/desktopvideo-${version}-${stdenv.hostPlatform.uname.processor}/usr/src
+  '';
+
+
+  buildPhase = ''
+    runHook preBuild
+
+    make -C $moduleRoot/blackmagic-${version} -j$NIX_BUILD_CORES
+    make -C $moduleRoot/blackmagic-io-${version} -j$NIX_BUILD_CORES
+
+    runHook postBuild
+  '';
+
+  installPhase = ''
+    runHook preInstall
+
+    make -C $KERNELDIR M=$moduleRoot/blackmagic-${version} modules_install
+    make -C $KERNELDIR M=$moduleRoot/blackmagic-io-${version} modules_install
+
+    runHook postInstall
+  '';
+
+  meta = with lib; {
+    homepage = "https://www.blackmagicdesign.com/support/family/capture-and-playback";
+    maintainers = [ maintainers.hexchen ];
+    license = licenses.unfree;
+    description = "Kernel module for the Blackmagic Design Decklink cards";
+    sourceProvenance = with lib.sourceTypes; [ binaryFirmware ];
+    platforms = platforms.linux;
+  };
+}
diff --git a/nixpkgs/pkgs/os-specific/linux/device-tree/default.nix b/nixpkgs/pkgs/os-specific/linux/device-tree/default.nix
new file mode 100644
index 000000000000..1a50d799b4b1
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/device-tree/default.nix
@@ -0,0 +1,66 @@
+{ lib, stdenv, stdenvNoCC, dtc }:
+
+with lib; {
+  # Compile single Device Tree overlay source
+  # file (.dts) into its compiled variant (.dtb)
+  compileDTS = ({
+    name,
+    dtsFile,
+    includePaths ? [],
+    extraPreprocessorFlags ? []
+  }: stdenv.mkDerivation {
+    inherit name;
+
+    nativeBuildInputs = [ dtc ];
+
+    buildCommand =
+      let
+        includeFlagsStr = lib.concatMapStringsSep " " (includePath: "-I${includePath}") includePaths;
+        extraPreprocessorFlagsStr = lib.concatStringsSep " " extraPreprocessorFlags;
+      in
+      ''
+        $CC -E -nostdinc ${includeFlagsStr} -undef -D__DTS__ -x assembler-with-cpp ${extraPreprocessorFlagsStr} ${dtsFile} | \
+        dtc -I dts -O dtb -@ -o $out
+      '';
+  });
+
+  applyOverlays = (base: overlays': stdenvNoCC.mkDerivation {
+    name = "device-tree-overlays";
+    nativeBuildInputs = [ dtc ];
+    buildCommand = let
+      overlays = toList overlays';
+    in ''
+      mkdir -p $out
+      cd "${base}"
+      find . -type f -name '*.dtb' -print0 \
+        | xargs -0 cp -v --no-preserve=mode --target-directory "$out" --parents
+
+      for dtb in $(find "$out" -type f -name '*.dtb'); do
+        dtbCompat=$(fdtget -t s "$dtb" / compatible 2>/dev/null || true)
+        # skip files without `compatible` string
+        test -z "$dtbCompat" && continue
+
+        ${flip (concatMapStringsSep "\n") overlays (o: ''
+        overlayCompat="$(fdtget -t s "${o.dtboFile}" / compatible)"
+
+        # skip incompatible and non-matching overlays
+        if [[ ! "$dtbCompat" =~ "$overlayCompat" ]]; then
+          echo "Skipping overlay ${o.name}: incompatible with $(basename "$dtb")"
+        elif ${if (o.filter == null) then "false" else ''
+          [[ "''${dtb//${o.filter}/}" ==  "$dtb" ]]
+        ''}
+        then
+          echo "Skipping overlay ${o.name}: filter does not match $(basename "$dtb")"
+        else
+          echo -n "Applying overlay ${o.name} to $(basename "$dtb")... "
+          mv "$dtb"{,.in}
+          fdtoverlay -o "$dtb" -i "$dtb.in" "${o.dtboFile}"
+          echo "ok"
+          rm "$dtb.in"
+        fi
+        '')}
+
+      done
+    '';
+  });
+}
diff --git a/nixpkgs/pkgs/os-specific/linux/device-tree/raspberrypi.nix b/nixpkgs/pkgs/os-specific/linux/device-tree/raspberrypi.nix
new file mode 100644
index 000000000000..d9ccb70f1f03
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/device-tree/raspberrypi.nix
@@ -0,0 +1,38 @@
+{ lib, stdenvNoCC, raspberrypifw }:
+
+stdenvNoCC.mkDerivation {
+  pname = "raspberrypi-dtbs";
+  version = raspberrypifw.version;
+  nativeBuildInputs = [ raspberrypifw ];
+
+  # Rename DTBs so u-boot finds them, like linux-rpi.nix
+  buildCommand = ''
+    mkdir -p $out/broadcom/
+    cd $out/broadcom/
+
+    cp ${raspberrypifw}/share/raspberrypi/boot/bcm*.dtb .
+
+    cp bcm2708-rpi-zero-w.dtb bcm2835-rpi-zero-w.dtb
+    cp bcm2708-rpi-b.dtb bcm2835-rpi-a.dtb
+    cp bcm2708-rpi-b.dtb bcm2835-rpi-b.dtb
+    cp bcm2708-rpi-b.dtb bcm2835-rpi-b-rev2.dtb
+    cp bcm2708-rpi-b-plus.dtb bcm2835-rpi-a-plus
+    cp bcm2708-rpi-b-plus.dtb bcm2835-rpi-b-plus
+    cp bcm2708-rpi-b-plus.dtb bcm2835-rpi-zero.dtb
+    cp bcm2708-rpi-cm.dtb bcm2835-rpi-cm.dtb
+    cp bcm2709-rpi-2-b.dtb bcm2836-rpi-2-b.dtb
+    cp bcm2710-rpi-3-b.dtb bcm2837-rpi-3-b.dtb
+    cp bcm2710-rpi-3-b-plus.dtb bcm2837-rpi-3-b-plus.dtb
+    cp bcm2710-rpi-cm3.dtb bcm2837-rpi-cm3.dtb
+    cp bcm2711-rpi-4-b.dtb bcm2838-rpi-4-b.dtb
+  '';
+
+  passthru = {
+    # Compatible overlays that may be used
+    overlays = "${raspberrypifw}/share/raspberrypi/boot/overlays";
+  };
+  meta = with lib; {
+    inherit (raspberrypifw.meta) homepage license;
+    description = "DTBs for the Raspberry Pi";
+  };
+}
diff --git a/nixpkgs/pkgs/os-specific/linux/devmem2/default.nix b/nixpkgs/pkgs/os-specific/linux/devmem2/default.nix
new file mode 100644
index 000000000000..fbf47204b3e6
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/devmem2/default.nix
@@ -0,0 +1,29 @@
+{ lib, stdenv, fetchurl }:
+
+stdenv.mkDerivation {
+  pname = "devmem2";
+  version = "unstable-2004-08-05";
+
+  src = fetchurl {
+    urls = [
+      "http://lartmaker.nl/lartware/port/devmem2.c"
+      "https://raw.githubusercontent.com/hackndev/tools/7ed212230f8fbb1da3424a15ee88de3279bf96ec/devmem2.c"
+    ];
+    sha256 = "14f1k7v6i1yaxg4xcaaf5i4aqn0yabba857zjnbg9wiymy82qf7c";
+  };
+
+  hardeningDisable = [ "format" ];  # fix compile error
+
+  buildCommand = ''
+    $CC "$src" -o devmem2
+    install -D devmem2 "$out/bin/devmem2"
+  '';
+
+  meta = with lib; {
+    description = "Simple program to read/write from/to any location in memory";
+    homepage = "http://lartmaker.nl/lartware/port/";
+    license = licenses.gpl2Plus;
+    platforms = platforms.linux;
+    maintainers = with maintainers; [ bjornfor ];
+  };
+}
diff --git a/nixpkgs/pkgs/os-specific/linux/digimend/default.nix b/nixpkgs/pkgs/os-specific/linux/digimend/default.nix
new file mode 100644
index 000000000000..11756dcbe85c
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/digimend/default.nix
@@ -0,0 +1,45 @@
+{ lib, stdenv, fetchFromGitHub, kernel }:
+
+stdenv.mkDerivation rec {
+  pname = "digimend";
+  version = "unstable-2023-05-03";
+
+  src = fetchFromGitHub {
+    owner = "digimend";
+    repo = "digimend-kernel-drivers";
+    rev = "eca6e1b701bffb80a293234a485ebf6b4bc85562";
+    hash = "sha256-0mjIUgHvbNcVQVzU3xzaloe5R41a4eknDhdhruJH+6c=";
+  };
+
+  postPatch = ''
+    sed 's/udevadm /true /' -i Makefile
+    sed 's/depmod /true /' -i Makefile
+  '';
+
+  # Fix build on Linux kernel >= 5.18
+  env.NIX_CFLAGS_COMPILE = toString [ "-Wno-error=implicit-fallthrough" ];
+
+  nativeBuildInputs = kernel.moduleBuildDependencies;
+
+  postInstall = ''
+    # Remove module reload hack.
+    # The hid-rebind unloads and then reloads the hid-* module to ensure that
+    # the extra/ module is loaded.
+    rm -r $out/lib/udev
+  '';
+
+  makeFlags = kernel.makeFlags ++ [
+    "KVERSION=${kernel.modDirVersion}"
+    "KDIR=${kernel.dev}/lib/modules/${kernel.modDirVersion}/build"
+    "DESTDIR=${placeholder "out"}"
+    "INSTALL_MOD_PATH=${placeholder "out"}"
+  ];
+
+  meta = with lib; {
+    description = "DIGImend graphics tablet drivers for the Linux kernel";
+    homepage = "https://digimend.github.io/";
+    license = licenses.gpl2;
+    maintainers = with maintainers; [ gebner ];
+    platforms = platforms.linux;
+  };
+}
diff --git a/nixpkgs/pkgs/os-specific/linux/directvnc/default.nix b/nixpkgs/pkgs/os-specific/linux/directvnc/default.nix
new file mode 100644
index 000000000000..78ccb6772571
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/directvnc/default.nix
@@ -0,0 +1,36 @@
+{ lib, stdenv, fetchFromGitHub, fetchpatch, autoreconfHook, pkg-config, directfb, zlib, libjpeg, xorgproto }:
+
+stdenv.mkDerivation {
+  pname = "directvnc";
+  version = "0.7.7.2015-04-16";
+
+  src = fetchFromGitHub {
+    owner = "drinkmilk";
+    repo = "directvnc";
+    rev = "d336f586c5865da68873960092b7b5fbc9f8617a";
+    sha256 = "16x7mr7x728qw7nbi6rqhrwsy73zsbpiz8pbgfzfl2aqhfdiz88b";
+  };
+
+  patches = [
+    # Pull fix pending upstream inclusion for -fno-common toolchain
+    # support:
+    #   https://github.com/drinkmilk/directvnc/pull/7
+    (fetchpatch {
+      name = "fno-common.patch";
+      url = "https://github.com/drinkmilk/directvnc/commit/e9c23d049bcf31d0097348d44391fe5fd9aad12b.patch";
+      sha256 = "1dnzr0dnx20w80r73j4a9n6mhbazjzlr5ps9xjj898924cg140zx";
+    })
+  ];
+
+  nativeBuildInputs = [ autoreconfHook pkg-config ];
+
+  buildInputs = [ directfb zlib libjpeg xorgproto ];
+
+  meta = with lib; {
+    description = "DirectFB VNC client";
+    homepage = "http://drinkmilk.github.io/directvnc/";
+    license = licenses.gpl2;
+    maintainers = [ maintainers.raskin ];
+    platforms = platforms.linux;
+  };
+}
diff --git a/nixpkgs/pkgs/os-specific/linux/disk-indicator/default.nix b/nixpkgs/pkgs/os-specific/linux/disk-indicator/default.nix
new file mode 100644
index 000000000000..f5c7f3bc774e
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/disk-indicator/default.nix
@@ -0,0 +1,51 @@
+{ lib, stdenv, fetchFromGitHub, libX11 }:
+
+stdenv.mkDerivation {
+  pname = "disk-indicator";
+  version = "unstable-2018-12-18";
+
+  src = fetchFromGitHub {
+    owner = "MeanEYE";
+    repo = "Disk-Indicator";
+    rev = "ec2d2f6833f038f07a72d15e2d52625c23e10b12";
+    sha256 = "sha256-cRqgIxF6H1WyJs5hhaAXVdWAlv6t22BZLp3p/qRlCSM=";
+  };
+
+  buildInputs = [ libX11 ];
+
+  postPatch = ''
+    # avoid -Werror
+    substituteInPlace Makefile --replace "-Werror" ""
+    # avoid host-specific options
+    substituteInPlace Makefile --replace "-march=native" ""
+  '';
+
+  postConfigure = ''
+    patchShebangs ./configure.sh
+    ./configure.sh --all
+  '';
+
+  makeFlags = [
+    "COMPILER=${stdenv.cc.targetPrefix}cc"
+  ];
+
+  installPhase = ''
+    runHook preInstall
+
+    mkdir -p "$out/bin"
+    cp ./disk_indicator "$out/bin/"
+
+    runHook postInstall
+  '';
+
+  meta = {
+    homepage = "https://github.com/MeanEYE/Disk-Indicator";
+    description = "A program that will turn a LED into a hard disk indicator";
+    longDescription = ''
+      Small program for Linux that will turn your Scroll, Caps or Num Lock LED
+      or LED on your ThinkPad laptop into a hard disk activity indicator.
+    '';
+    license = lib.licenses.gpl3;
+    platforms = lib.platforms.linux;
+  };
+}
diff --git a/nixpkgs/pkgs/os-specific/linux/displaylink/99-displaylink.rules b/nixpkgs/pkgs/os-specific/linux/displaylink/99-displaylink.rules
new file mode 100644
index 000000000000..ceeb658a415a
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/displaylink/99-displaylink.rules
@@ -0,0 +1 @@
+ACTION=="add", SUBSYSTEM=="usb", DRIVERS=="usb", ATTRS{idVendor}=="17e9", ATTR{bInterfaceClass}=="ff", ATTR{bInterfaceProtocol}=="03", TAG+="systemd", ENV{SYSTEMD_WANTS}="dlm.service"
diff --git a/nixpkgs/pkgs/os-specific/linux/displaylink/default.nix b/nixpkgs/pkgs/os-specific/linux/displaylink/default.nix
new file mode 100644
index 000000000000..e71062e8ac47
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/displaylink/default.nix
@@ -0,0 +1,87 @@
+{ stdenv
+, lib
+, unzip
+, util-linux
+, libusb1
+, evdi
+, systemd
+, makeWrapper
+, requireFile
+, substituteAll
+, nixosTests
+}:
+
+let
+  bins =
+    if stdenv.hostPlatform.system == "x86_64-linux" then "x64-ubuntu-1604"
+    else if stdenv.hostPlatform.system == "i686-linux" then "x86-ubuntu-1604"
+    else if stdenv.hostPlatform.system == "aarch64-linux" then "aarch64-linux-gnu"
+    else throw "Unsupported architecture";
+  libPath = lib.makeLibraryPath [ stdenv.cc.cc util-linux libusb1 evdi ];
+
+in
+stdenv.mkDerivation rec {
+  pname = "displaylink";
+  version = "5.8.0-63.33";
+
+  src = requireFile rec {
+    name = "displaylink-580.zip";
+    sha256 = "05m8vm6i9pc9pmvar021lw3ls60inlmq92nling0vj28skm55i92";
+    message = ''
+      In order to install the DisplayLink drivers, you must first
+      comply with DisplayLink's EULA and download the binaries and
+      sources from here:
+
+      https://www.synaptics.com/products/displaylink-graphics/downloads/ubuntu-5.8
+
+      Once you have downloaded the file, please use the following
+      commands and re-run the installation:
+
+      mv \$PWD/"DisplayLink USB Graphics Software for Ubuntu5.8-EXE.zip" \$PWD/${name}
+      nix-prefetch-url file://\$PWD/${name}
+    '';
+  };
+
+  nativeBuildInputs = [ unzip makeWrapper ];
+
+  unpackPhase = ''
+    unzip $src
+    chmod +x displaylink-driver-${version}.run
+    ./displaylink-driver-${version}.run --target . --noexec --nodiskspace
+  '';
+
+  installPhase = ''
+    install -Dt $out/lib/displaylink *.spkg
+    install -Dm755 ${bins}/DisplayLinkManager $out/bin/DisplayLinkManager
+    mkdir -p $out/lib/udev/rules.d $out/share
+    cp ${./99-displaylink.rules} $out/lib/udev/rules.d/99-displaylink.rules
+    patchelf \
+      --set-interpreter $(cat ${stdenv.cc}/nix-support/dynamic-linker) \
+      --set-rpath ${libPath} \
+      $out/bin/DisplayLinkManager
+    wrapProgram $out/bin/DisplayLinkManager \
+      --chdir "$out/lib/displaylink"
+
+    # We introduce a dependency on the source file so that it need not be redownloaded everytime
+    echo $src >> "$out/share/workspace_dependencies.pin"
+  '';
+
+  dontStrip = true;
+  dontPatchELF = true;
+
+  passthru = {
+    tests = {
+      inherit (nixosTests) displaylink;
+    };
+  };
+
+  meta = with lib; {
+    description = "DisplayLink DL-5xxx, DL-41xx and DL-3x00 Driver for Linux";
+    homepage = "https://www.displaylink.com/";
+    license = licenses.unfree;
+    maintainers = with maintainers; [ abbradar ];
+    platforms = [ "x86_64-linux" "i686-linux" "aarch64-linux" ];
+    hydraPlatforms = [];
+    sourceProvenance = with sourceTypes; [ binaryNativeCode ];
+  };
+}
diff --git a/nixpkgs/pkgs/os-specific/linux/dmidecode/default.nix b/nixpkgs/pkgs/os-specific/linux/dmidecode/default.nix
new file mode 100644
index 000000000000..f09dec758f74
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/dmidecode/default.nix
@@ -0,0 +1,24 @@
+{ lib, stdenv, fetchurl }:
+
+stdenv.mkDerivation rec {
+  pname = "dmidecode";
+  version = "3.5";
+
+  src = fetchurl {
+    url = "mirror://savannah/dmidecode/dmidecode-${version}.tar.xz";
+    sha256 = "sha256-eddnNe6OJRluKnIpZM+Wg/WglYFQNTeISyVrATicwHM=";
+  };
+
+  makeFlags = [
+    "prefix=$(out)"
+    "CC=${stdenv.cc.targetPrefix}cc"
+  ];
+
+  meta = with lib; {
+    homepage = "https://www.nongnu.org/dmidecode/";
+    description = "A tool that reads information about your system's hardware from the BIOS according to the SMBIOS/DMI standard";
+    license = licenses.gpl2Plus;
+    platforms = platforms.linux;
+    maintainers = with maintainers; [ delroth ];
+  };
+}
diff --git a/nixpkgs/pkgs/os-specific/linux/dmraid/default.nix b/nixpkgs/pkgs/os-specific/linux/dmraid/default.nix
new file mode 100644
index 000000000000..fa26f38941b9
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/dmraid/default.nix
@@ -0,0 +1,55 @@
+{ lib, stdenv, fetchurl, fetchpatch, lvm2 }:
+
+stdenv.mkDerivation rec {
+  pname = "dmraid";
+  version = "1.0.0.rc16";
+
+  src = fetchurl {
+    url = "https://people.redhat.com/~heinzm/sw/dmraid/src/old/dmraid-${version}.tar.bz2";
+    sha256 = "0m92971gyqp61darxbiri6a48jz3wq3gkp8r2k39320z0i6w8jgq";
+  };
+
+  patches = [ ./hardening-format.patch ]
+    ++ lib.optionals stdenv.hostPlatform.isMusl [
+      (fetchpatch {
+        url = "https://raw.githubusercontent.com/void-linux/void-packages/fceed4b8e96b3c1da07babf6f67b6ed1588a28b2/srcpkgs/dmraid/patches/006-musl-libc.patch";
+        sha256 = "1j8xda0fpz8lxjxnqdidy7qb866qrzwpbca56yjdg6vf4x21hx6w";
+        stripLen = 2;
+        extraPrefix = "1.0.0.rc16/";
+      })
+      (fetchpatch {
+        url = "https://raw.githubusercontent.com/void-linux/void-packages/fceed4b8e96b3c1da07babf6f67b6ed1588a28b2/srcpkgs/dmraid/patches/007-fix-loff_t-musl.patch";
+        sha256 = "0msnq39qnzg3b1pdksnz1dgqwa3ak03g41pqh0lw3h7w5rjc016k";
+        stripLen = 2;
+        extraPrefix = "1.0.0.rc16/";
+      })
+    ];
+
+  postPatch = ''
+    sed -i 's/\[\[[^]]*\]\]/[ "''$''${n##*.}" = "so" ]/' */lib/Makefile.in
+  '' + lib.optionalString stdenv.hostPlatform.isMusl ''
+    NIX_CFLAGS_COMPILE+=" -D_GNU_SOURCE"
+  '';
+
+  preConfigure = "cd */";
+
+  buildInputs = [ lvm2 ];
+
+  # Hand-written Makefile does not have full dependencies to survive
+  # parallel build:
+  #   tools/dmraid.c:12:10: fatal error: dmraid/dmraid.h: No such file
+  enableParallelBuilding = false;
+
+  meta = {
+    description = "Old-style RAID configuration utility";
+    longDescription = ''
+      Old RAID configuration utility (still under development, though).
+      It is fully compatible with modern kernels and mdadm recognizes
+      its volumes. May be needed for rescuing an older system or nuking
+      the metadata when reformatting.
+    '';
+    maintainers = [ lib.maintainers.raskin ];
+    platforms = lib.platforms.linux;
+    license = lib.licenses.gpl2Plus;
+  };
+}
diff --git a/nixpkgs/pkgs/os-specific/linux/dmraid/hardening-format.patch b/nixpkgs/pkgs/os-specific/linux/dmraid/hardening-format.patch
new file mode 100644
index 000000000000..f91a7fb18aa0
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/dmraid/hardening-format.patch
@@ -0,0 +1,18 @@
+--- a/1.0.0.rc16/lib/events/libdmraid-events-isw.c	2016-01-29 05:16:57.455425454 +0000
++++ b/1.0.0.rc16/lib/events/libdmraid-events-isw.c	2016-01-29 05:17:55.520564013 +0000
+@@ -838,13 +838,13 @@
+ 
+ 	sz = _log_all_devs(log_type, rs, NULL, 0);
+ 	if (!sz) {
+-		syslog(LOG_ERR, msg[0]);
++		syslog(LOG_ERR, "%s", msg[0]);
+ 		return;
+ 	}
+ 
+ 	str = dm_malloc(++sz);
+ 	if (!str) {
+-		syslog(LOG_ERR, msg[1]);
++		syslog(LOG_ERR, "%s", msg[1]);
+ 		return;
+ 	}
+ 
diff --git a/nixpkgs/pkgs/os-specific/linux/dmtcp/default.nix b/nixpkgs/pkgs/os-specific/linux/dmtcp/default.nix
new file mode 100644
index 000000000000..6315d361ed68
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/dmtcp/default.nix
@@ -0,0 +1,48 @@
+{ lib, stdenv, fetchFromGitHub, bash, perl, python3 }:
+
+stdenv.mkDerivation rec {
+  pname = "dmtcp";
+  version = "unstable-2022-02-28";
+
+  src = fetchFromGitHub {
+    owner = pname;
+    repo = pname;
+    rev = "133687764c6742906006a1d247e3b83cd860fa1d";
+    hash = "sha256-9Vr8IhoeATCfyt7Lp7kYe/7e87mFX9KMNGTqxJgIztE=";
+  };
+
+  dontDisableStatic = true;
+
+  patches = [ ./ld-linux-so-buffer-size.patch ];
+
+  postPatch = ''
+    patchShebangs .
+
+    substituteInPlace configure \
+      --replace '#define ELF_INTERPRETER "$interp"' \
+                "#define ELF_INTERPRETER \"$(cat $NIX_CC/nix-support/dynamic-linker)\""
+    substituteInPlace src/restartscript.cpp \
+      --replace /bin/bash ${stdenv.shell}
+    substituteInPlace util/dmtcp_restart_wrapper.sh \
+      --replace /bin/bash ${stdenv.shell}
+    substituteInPlace test/autotest.py \
+      --replace /bin/bash ${bash}/bin/bash \
+      --replace /usr/bin/perl ${perl}/bin/perl \
+      --replace /usr/bin/python ${python3.interpreter} \
+      --replace "os.environ['USER']" "\"nixbld1\"" \
+      --replace "os.getenv('USER')" "\"nixbld1\""
+  '';
+
+  meta = with lib; {
+    description = "Distributed MultiThreaded Checkpointing";
+    longDescription = ''
+      DMTCP (Distributed MultiThreaded Checkpointing) is a tool to
+      transparently checkpointing the state of an arbitrary group of
+      programs spread across many machines and connected by sockets. It does
+      not modify the user's program or the operating system.
+    '';
+    homepage = "http://dmtcp.sourceforge.net/";
+    license = licenses.lgpl3Plus; # most files seem this or LGPL-2.1+
+    platforms = intersectLists platforms.linux platforms.x86; # broken on ARM and Darwin
+  };
+}
diff --git a/nixpkgs/pkgs/os-specific/linux/dmtcp/ld-linux-so-buffer-size.patch b/nixpkgs/pkgs/os-specific/linux/dmtcp/ld-linux-so-buffer-size.patch
new file mode 100644
index 000000000000..118e52b8e626
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/dmtcp/ld-linux-so-buffer-size.patch
@@ -0,0 +1,13 @@
+diff --git a/src/util_exec.cpp b/src/util_exec.cpp
+index 0e8a13c1..0cc99c1e 100644
+--- a/src/util_exec.cpp
++++ b/src/util_exec.cpp
+@@ -300,7 +300,7 @@ Util::elfType(const char *pathname, bool *isElf, bool *is32bitElf)
+ static string
+ ld_linux_so_path(int version, bool is32bitElf = false)
+ {
+-  char buf[80];
++  char buf[128];
+ 
+ #if (defined(__x86_64__) || defined(__aarch64__)) && !defined(CONFIG_M32)
+   if (is32bitElf) {
diff --git a/nixpkgs/pkgs/os-specific/linux/dpdk-kmods/default.nix b/nixpkgs/pkgs/os-specific/linux/dpdk-kmods/default.nix
new file mode 100644
index 000000000000..a3e4f6663860
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/dpdk-kmods/default.nix
@@ -0,0 +1,43 @@
+{ lib, stdenv, fetchzip, fetchpatch, kernel }:
+
+stdenv.mkDerivation rec {
+  pname = "dpdk-kmods";
+  version = "2022-08-29";
+
+  src = fetchzip {
+    url = "https://git.dpdk.org/dpdk-kmods/snapshot/dpdk-kmods-4a589f7bed00fc7009c93d430bd214ac7ad2bb6b.tar.xz";
+    sha256 = "sha256-l9asJuw2nl63I1BxK6udy2pNunRiMJxyoXeg9V5+WgI=";
+  };
+
+  patches = [
+    (fetchpatch {
+      url = "https://git.launchpad.net/ubuntu/+source/dpdk-kmods/plain/debian/patches/0001-support-linux-5.18.patch?id=9d628c02c169d8190bc2cb6afd81e4d364c382cd";
+      sha256 = "sha256-j4kpx1DOnmf5lFxOhaVFNT7prEy1jrJERX2NFaybTPU=";
+    })
+  ];
+
+  hardeningDisable = [ "pic" ];
+
+  makeFlags = kernel.makeFlags ++ [
+    "INSTALL_MOD_PATH=${placeholder "out"}"
+  ];
+  KSRC = "${kernel.dev}/lib/modules/${kernel.modDirVersion}/build";
+
+  nativeBuildInputs = kernel.moduleBuildDependencies;
+
+  preBuild = "cd linux/igb_uio";
+
+  installPhase = ''
+    make -C ${KSRC} M=$(pwd) modules_install $makeFlags
+  '';
+
+  enableParallelBuilding = true;
+
+  meta = with lib; {
+    description = "Kernel modules for DPDK";
+    homepage = "https://git.dpdk.org/dpdk-kmods/";
+    license = licenses.gpl2Only;
+    maintainers = [ maintainers.mic92 ];
+    platforms = platforms.linux;
+  };
+}
diff --git a/nixpkgs/pkgs/os-specific/linux/dpdk/default.nix b/nixpkgs/pkgs/os-specific/linux/dpdk/default.nix
new file mode 100644
index 000000000000..c92f40e3935f
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/dpdk/default.nix
@@ -0,0 +1,101 @@
+{ stdenv, lib
+, kernel
+, fetchurl
+, pkg-config, meson, ninja, makeWrapper
+, libbsd, numactl, libbpf, zlib, libelf, jansson, openssl, libpcap, rdma-core
+, doxygen, python3, pciutils
+, withExamples ? []
+, shared ? false
+, machine ? (
+    if stdenv.isx86_64 then "nehalem"
+    else if stdenv.isAarch64 then "generic"
+    else null
+  )
+}:
+
+let
+  mod = kernel != null;
+  dpdkVersion = "23.07";
+in stdenv.mkDerivation {
+  pname = "dpdk";
+  version = "${dpdkVersion}" + lib.optionalString mod "-${kernel.version}";
+
+  src = fetchurl {
+    url = "https://fast.dpdk.org/rel/dpdk-${dpdkVersion}.tar.xz";
+    sha256 = "sha256-4IYU6K65KUB9c9cWmZKJpE70A0NSJx8JOX7vkysjs9Y=";
+  };
+
+  nativeBuildInputs = [
+    makeWrapper
+    doxygen
+    meson
+    ninja
+    pkg-config
+    python3
+    python3.pkgs.sphinx
+    python3.pkgs.pyelftools
+  ];
+  buildInputs = [
+    jansson
+    libbpf
+    libelf
+    libpcap
+    numactl
+    openssl.dev
+    zlib
+    python3
+  ] ++ lib.optionals mod kernel.moduleBuildDependencies;
+
+  propagatedBuildInputs = [
+    # Propagated to support current DPDK users in nixpkgs which statically link
+    # with the framework (e.g. odp-dpdk).
+    rdma-core
+    # Requested by pkg-config.
+    libbsd
+  ];
+
+  postPatch = ''
+    patchShebangs config/arm buildtools
+  '' + lib.optionalString mod ''
+    # kernel_install_dir is hardcoded to `/lib/modules`; patch that.
+    sed -i "s,kernel_install_dir *= *['\"].*,kernel_install_dir = '$kmod/lib/modules/${kernel.modDirVersion}'," kernel/linux/meson.build
+  '';
+
+  mesonFlags = [
+    "-Dtests=false"
+    "-Denable_docs=true"
+    "-Denable_kmods=${lib.boolToString mod}"
+  ]
+  # kni kernel driver is currently not compatble with 5.11
+  ++ lib.optional (mod && kernel.kernelOlder "5.11") "-Ddisable_drivers=kni"
+  ++ [(if shared then "-Ddefault_library=shared" else "-Ddefault_library=static")]
+  ++ lib.optional (machine != null) "-Dmachine=${machine}"
+  ++ lib.optional mod "-Dkernel_dir=${kernel.dev}/lib/modules/${kernel.modDirVersion}/build"
+  ++ lib.optional (withExamples != []) "-Dexamples=${builtins.concatStringsSep "," withExamples}";
+
+  postInstall = ''
+    # Remove Sphinx cache files. Not only are they not useful, but they also
+    # contain store paths causing spurious dependencies.
+    rm -rf $out/share/doc/dpdk/html/.doctrees
+
+    wrapProgram $out/bin/dpdk-devbind.py \
+      --prefix PATH : "${lib.makeBinPath [ pciutils ]}"
+  '' + lib.optionalString (withExamples != []) ''
+    mkdir -p $examples/bin
+    find examples -type f -executable -exec install {} $examples/bin \;
+  '';
+
+  outputs =
+    [ "out" "doc" ]
+    ++ lib.optional mod "kmod"
+    ++ lib.optional (withExamples != []) "examples";
+
+  meta = with lib; {
+    description = "Set of libraries and drivers for fast packet processing";
+    homepage = "http://dpdk.org/";
+    license = with licenses; [ lgpl21 gpl2 bsd2 ];
+    platforms =  platforms.linux;
+    maintainers = with maintainers; [ magenbluten orivej mic92 zhaofengli ];
+    broken = mod && kernel.isHardened;
+  };
+}
diff --git a/nixpkgs/pkgs/os-specific/linux/dracut/default.nix b/nixpkgs/pkgs/os-specific/linux/dracut/default.nix
new file mode 100644
index 000000000000..c6bf684f7fc8
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/dracut/default.nix
@@ -0,0 +1,114 @@
+{ stdenv
+, lib
+, fetchFromGitHub
+, gitUpdater
+, makeBinaryWrapper
+, pkg-config
+, asciidoc
+, libxslt
+, docbook_xsl
+, bash
+, kmod
+, binutils
+, bzip2
+, coreutils
+, cpio
+, findutils
+, gnugrep
+, gnused
+, gnutar
+, gzip
+, lz4
+, lzop
+, squashfsTools
+, util-linux
+, xz
+, zstd
+}:
+
+stdenv.mkDerivation rec {
+  pname = "dracut";
+  version = "059";
+
+  src = fetchFromGitHub {
+    owner = "dracutdevs";
+    repo = "dracut";
+    rev = version;
+    hash = "sha256-zSyC2SnSQkmS/mDpBXG2DtVVanRRI9COKQJqYZZCPJM=";
+  };
+
+  strictDeps = true;
+
+  buildInputs = [
+    bash
+    kmod
+  ];
+
+  nativeBuildInputs = [
+    makeBinaryWrapper
+    pkg-config
+    asciidoc
+    libxslt
+    docbook_xsl
+  ];
+
+  postPatch = ''
+    substituteInPlace dracut.sh \
+      --replace 'dracutbasedir="$dracutsysrootdir"/usr/lib/dracut' 'dracutbasedir="$dracutsysrootdir"'"$out/lib/dracut"
+    substituteInPlace lsinitrd.sh \
+      --replace 'dracutbasedir=/usr/lib/dracut' "dracutbasedir=$out/lib/dracut"
+
+    echo 'DRACUT_VERSION=${version}' >dracut-version.sh
+  '';
+
+  preConfigure = ''
+    patchShebangs ./configure
+  '';
+
+  postFixup = ''
+    wrapProgram $out/bin/dracut --prefix PATH : ${lib.makeBinPath [
+      coreutils
+      util-linux
+    ]} --suffix DRACUT_PATH : ${lib.makeBinPath [
+      bash
+      binutils
+      coreutils
+      findutils
+      gnugrep
+      gnused
+      gnutar
+      stdenv.cc.libc  # for ldd command
+      util-linux
+    ]}
+    wrapProgram $out/bin/dracut-catimages --set PATH ${lib.makeBinPath [
+      coreutils
+      cpio
+      findutils
+      gzip
+    ]}
+    wrapProgram $out/bin/lsinitrd --set PATH ${lib.makeBinPath [
+      binutils
+      bzip2
+      coreutils
+      cpio
+      gnused
+      gzip
+      lz4
+      lzop
+      squashfsTools
+      util-linux
+      xz
+      zstd
+    ]}
+  '';
+
+  passthru.updateScript = gitUpdater { };
+
+  meta = with lib; {
+    homepage = "https://github.com/dracutdevs/dracut/wiki";
+    description = "An event driven initramfs infrastructure";
+    license = licenses.gpl2Plus;
+    maintainers = with maintainers; [ lilyinstarlight ];
+    platforms = platforms.linux;
+  };
+}
diff --git a/nixpkgs/pkgs/os-specific/linux/drbd/default.nix b/nixpkgs/pkgs/os-specific/linux/drbd/default.nix
new file mode 100644
index 000000000000..0c5acd0ac064
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/drbd/default.nix
@@ -0,0 +1,128 @@
+{ lib
+, stdenv
+, docbook_xml_dtd_44
+, docbook_xml_dtd_45
+, docbook_xsl
+, asciidoctor
+, fetchurl
+, flex
+, kmod
+, libxslt
+, nixosTests
+, perl
+, systemd
+
+# drbd-utils are compiled twice, once with forOCF = true to extract
+# its OCF definitions for use in the ocf-resource-agents derivation,
+# then again with forOCF = false, where the ocf-resource-agents is
+# provided as the OCF_ROOT.
+, forOCF ? false
+, ocf-resource-agents
+}:
+
+stdenv.mkDerivation rec {
+  pname = "drbd";
+  version = "9.19.1";
+
+  src = fetchurl {
+    url = "https://pkg.linbit.com/downloads/drbd/utils/${pname}-utils-${version}.tar.gz";
+    sha256 = "1l99kcrb0j85wxxmrdihpx9bk1a4sdi7wlp5m1x5l24k8ck1m5cf";
+  };
+
+  nativeBuildInputs = [
+    flex
+    libxslt
+    docbook_xsl
+    asciidoctor
+  ];
+
+  buildInputs = [
+    perl
+    # perlPackages.Po4a used by ja documentation
+  ];
+
+  configureFlags = [
+    "--libdir=${placeholder "out"}/lib"
+    "--sbindir=${placeholder "out"}/bin"
+    "--localstatedir=/var"
+    "--sysconfdir=/etc"
+    "--without-distro"
+  ];
+
+  makeFlags = [
+    "SOURCE_DATE_EPOCH=1"
+    "WANT_DRBD_REPRODUCIBLE_BUILD=1"
+  ] ++ lib.optional (!forOCF) "OCF_ROOT=${ocf-resource-agents}/usr/lib/ocf}";
+
+  installFlags = [
+    "prefix="
+    "DESTDIR=${placeholder "out"}"
+    "localstatedir=/var"
+    "DRBD_LIB_DIR=/var/lib"
+    "INITDIR=/etc/init.d"
+    "udevrulesdir=/etc/udev/rules.d"
+    "sysconfdir=/etc"
+    "sbindir=/bin"
+    "datadir="
+    "LIBDIR=/lib/drbd"
+    "mandir=/share/man"
+  ];
+
+  postPatch = ''
+    patchShebangs .
+    substituteInPlace user/v84/drbdadm_usage_cnt.c \
+      --replace '"/lib/drbd");' \
+                '"${placeholder "out"}/lib/drbd");'
+    substituteInPlace user/v9/drbdsetup_linux.c \
+      --replace 'ret = system("/sbin/modprobe drbd");' \
+                'ret = system("${kmod}/bin/modprobe drbd");'
+    substituteInPlace user/v84/drbdsetup.c \
+      --replace 'system("/sbin/modprobe drbd")' \
+                'system("${kmod}/bin/modprobe drbd")'
+    substituteInPlace documentation/ra2refentry.xsl \
+      --replace "http://www.oasis-open.org/docbook/xml/4.4/docbookx.dtd" \
+                "${docbook_xml_dtd_44}/xml/dtd/docbook/docbookx.dtd"
+    function patch_docbook45() {
+      substituteInPlace $1 \
+        --replace "http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd" \
+                  "${docbook_xml_dtd_45}/xml/dtd/docbook/docbookx.dtd"
+    }
+    patch_docbook45 documentation/v9/drbd.conf.xml.in
+    patch_docbook45 documentation/v9/drbdsetup.xml.in
+    patch_docbook45 documentation/v84/drbdsetup.xml
+    patch_docbook45 documentation/v84/drbd.conf.xml
+    # The ja documentation is disabled because:
+    # make[1]: Entering directory '/build/drbd-utils-9.16.0/documentation/ja/v84'
+    # /nix/store/wyx2nn2pjcn50lc95c6qgsgm606rn0x2-perl5.32.1-po4a-0.62/bin/po4a-translate -f docbook -M utf-8 -L utf-8 -keep 0 -m ../../v84/drbdsetup.xml -p drbdsetup.xml.po -l drbdsetup.xml
+    # Use of uninitialized value $args[1] in sprintf at /nix/store/wyx2nn2pjcn50lc95c6qgsgm606rn0x2-perl5.32.1-po4a-0.62/lib/perl5/site_perl/Locale/Po4a/Common.pm line 134.
+    # Invalid po file drbdsetup.xml.po:
+    substituteInPlace Makefile.in \
+      --replace 'DOC_DIRS    := documentation/v9 documentation/ja/v9' \
+                'DOC_DIRS    := documentation/v9' \
+      --replace 'DOC_DIRS    += documentation/v84 documentation/ja/v84' \
+                'DOC_DIRS    += documentation/v84' \
+      --replace '$(MAKE) -C documentation/ja/v9 doc' \
+                "" \
+      --replace '$(MAKE) -C documentation/ja/v84 doc' \
+                ""
+    substituteInPlace user/v9/drbdtool_common.c \
+      --replace 'add_component_to_path("/lib/drbd");' \
+                'add_component_to_path("${placeholder "out"}/lib/drbd");'
+  '';
+
+  preConfigure = ''
+    export PATH=${systemd}/sbin:$PATH
+  '';
+
+  enableParallelBuilding = true;
+
+  passthru.tests.drbd = nixosTests.drbd;
+
+  meta = with lib; {
+    homepage = "https://linbit.com/drbd/";
+    description = "Distributed Replicated Block Device, a distributed storage system for Linux (userspace utilities)";
+    license = licenses.gpl2Plus;
+    platforms = platforms.linux;
+    maintainers = with maintainers; [ ryantm astro ];
+  };
+}
diff --git a/nixpkgs/pkgs/os-specific/linux/dropwatch/default.nix b/nixpkgs/pkgs/os-specific/linux/dropwatch/default.nix
new file mode 100644
index 000000000000..470b59018704
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/dropwatch/default.nix
@@ -0,0 +1,47 @@
+{ lib
+, stdenv
+, fetchFromGitHub
+, autoreconfHook
+, pkg-config
+, libbfd
+, libnl
+, libpcap
+, ncurses
+, readline
+, zlib
+}:
+
+stdenv.mkDerivation rec {
+  pname = "dropwatch";
+  version = "1.5.4";
+
+  src = fetchFromGitHub {
+    owner = "nhorman";
+    repo = pname;
+    rev = "v${version}";
+    sha256 = "sha256-TbhgcX5WzuigP5/Mj5JuK7O/UKcu70D7dcOcvo4fxeQ=";
+  };
+
+  nativeBuildInputs = [
+    autoreconfHook
+    pkg-config
+  ];
+  buildInputs = [
+    libbfd
+    libnl
+    libpcap
+    ncurses
+    readline
+    zlib
+  ];
+
+  enableParallelBuilding = true;
+
+  meta = with lib; {
+    description = "Linux kernel dropped packet monitor";
+    homepage = "https://github.com/nhorman/dropwatch";
+    license = licenses.gpl2Plus;
+    platforms = platforms.linux;
+    maintainers = with maintainers; [ c0bw3b ];
+  };
+}
diff --git a/nixpkgs/pkgs/os-specific/linux/dstat/default.nix b/nixpkgs/pkgs/os-specific/linux/dstat/default.nix
new file mode 100644
index 000000000000..d79f9f4c61bf
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/dstat/default.nix
@@ -0,0 +1,42 @@
+{ lib, fetchFromGitHub, fetchpatch, python3Packages }:
+
+python3Packages.buildPythonApplication rec {
+  pname = "dstat";
+  format = "other";
+  version = "0.7.4";
+
+  src = fetchFromGitHub {
+    owner = "dstat-real";
+    repo = "dstat";
+    rev = "v${version}";
+    sha256 = "1qnmkhqmjd1m3if05jj29dvr5hn6kayq9bkkkh881w472c0zhp8v";
+  };
+
+  propagatedBuildInputs = with python3Packages; [ six ];
+
+  patches = [
+    ./fix_pluginpath.patch
+    # this fixes another bug with python3
+    (fetchpatch {
+      url = "https://github.com/efexgee/dstat/commit/220a785321b13b6df92a536080aca6ef1cb644ad.patch";
+      sha256 = "08kcz3yxvl35m55y7g1pr73x3bjcqnv0qlswxqyq8cqxg9zd64cn";
+    })
+  ];
+
+  makeFlags = [ "prefix=$(out)" ];
+
+  # remove deprecation warnings
+  preFixup = ''
+    sed -i "s/import collections/import collections.abc/g" $out/share/dstat/dstat.py $out/bin/dstat
+    sed -i "s/collections.Sequence/collections.abc.Sequence/g" "$out"/bin/dstat
+  '';
+
+  meta = with lib; {
+    homepage = "http://dag.wieers.com/home-made/dstat/";
+    description = "Versatile resource statistics tool";
+    license = licenses.gpl2;
+    platforms = platforms.linux;
+    maintainers = with maintainers; [ ];
+    changelog = "https://github.com/dstat-real/dstat/blob/v${version}/ChangeLog";
+  };
+}
diff --git a/nixpkgs/pkgs/os-specific/linux/dstat/fix_pluginpath.patch b/nixpkgs/pkgs/os-specific/linux/dstat/fix_pluginpath.patch
new file mode 100644
index 000000000000..06d7793da47e
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/dstat/fix_pluginpath.patch
@@ -0,0 +1,15 @@
+diff --git a/dstat b/dstat
+index 3ac7087..c5f089d 100755
+--- a/dstat
++++ b/dstat
+@@ -66,9 +66,7 @@ if sys.version_info < (2, 3):
+ 
+ pluginpath = [
+     os.path.expanduser('~/.dstat/'),                                # home + /.dstat/
+-    os.path.abspath(os.path.dirname(sys.argv[0])) + '/plugins/',    # binary path + /plugins/
+-    '/usr/share/dstat/',
+-    '/usr/local/share/dstat/',
++    os.path.abspath(os.path.dirname(sys.argv[0])) + '/../share/dstat/', # binary path + /../share/dstat/
+ ]
+ 
+ class Options:
diff --git a/nixpkgs/pkgs/os-specific/linux/e1000e/default.nix b/nixpkgs/pkgs/os-specific/linux/e1000e/default.nix
new file mode 100644
index 000000000000..51bc6ada07de
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/e1000e/default.nix
@@ -0,0 +1,37 @@
+{ lib, stdenv, fetchurl, kernel }:
+
+assert lib.versionOlder kernel.version "4.10";
+
+stdenv.mkDerivation rec {
+  name = "e1000e-${version}-${kernel.version}";
+  version = "3.8.4";
+
+  src = fetchurl {
+    url = "mirror://sourceforge/e1000/e1000e-${version}.tar.gz";
+    sha256 = "1q8dbqh14c7r15q6k6iv5k0d6xpi74i71d5r54py60gr099m2ha4";
+  };
+
+  hardeningDisable = [ "pic" ];
+
+  configurePhase = ''
+    cd src
+    kernel_version=${kernel.modDirVersion}
+    substituteInPlace common.mk \
+      --replace "/lib/modules" "${kernel.dev}/lib/modules"
+    export makeFlags="BUILD_KERNEL=$kernel_version"
+  '';
+
+  installPhase = ''
+    install -v -D -m 644 e1000e.ko "$out/lib/modules/$kernel_version/kernel/drivers/net/e1000e/e1000e.ko"
+  '';
+
+  dontStrip = true;
+
+  enableParallelBuilding = true;
+
+  meta = {
+    description = "Linux kernel drivers for Intel Ethernet adapters and LOMs (LAN On Motherboard)";
+    homepage = "http://e1000.sf.net/";
+    license = lib.licenses.gpl2;
+  };
+}
diff --git a/nixpkgs/pkgs/os-specific/linux/earlyoom/default.nix b/nixpkgs/pkgs/os-specific/linux/earlyoom/default.nix
new file mode 100644
index 000000000000..ad7468bac0f5
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/earlyoom/default.nix
@@ -0,0 +1,37 @@
+{ lib, stdenv, fetchFromGitHub, pandoc, installShellFiles, withManpage ? false, nixosTests }:
+
+stdenv.mkDerivation rec {
+  pname = "earlyoom";
+  version = "1.7";
+
+  src = fetchFromGitHub {
+    owner = "rfjakob";
+    repo = "earlyoom";
+    rev = "v${version}";
+    sha256 = "sha256-8YcT1TTlAet7F1U9Ginda4IApNqkudegOXqm8rnRGfc=";
+  };
+
+  nativeBuildInputs = lib.optionals withManpage [ pandoc installShellFiles ];
+
+  patches = [ ./fix-dbus-path.patch ];
+
+  makeFlags = [ "VERSION=${version}" ];
+
+  installPhase = ''
+    install -D earlyoom $out/bin/earlyoom
+  '' + lib.optionalString withManpage ''
+    installManPage earlyoom.1
+  '';
+
+  passthru.tests = {
+    inherit (nixosTests) earlyoom;
+  };
+
+  meta = with lib; {
+    description = "Early OOM Daemon for Linux";
+    homepage = "https://github.com/rfjakob/earlyoom";
+    license = licenses.mit;
+    platforms = platforms.linux;
+    maintainers = with maintainers; [];
+  };
+}
diff --git a/nixpkgs/pkgs/os-specific/linux/earlyoom/fix-dbus-path.patch b/nixpkgs/pkgs/os-specific/linux/earlyoom/fix-dbus-path.patch
new file mode 100644
index 000000000000..e1c10cf82f96
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/earlyoom/fix-dbus-path.patch
@@ -0,0 +1,11 @@
+--- a/kill.c
++++ b/kill.c
+@@ -55,7 +55,7 @@ static void notify(const char* summary, const char* body)
+     }
+     // Complete command line looks like this:
+     // dbus-send --system / net.nuetzlich.SystemNotifications.Notify 'string:summary text' 'string:and body text'
+-    execl("/usr/bin/dbus-send", "dbus-send", "--system", "/", "net.nuetzlich.SystemNotifications.Notify",
++    execlp("dbus-send", "dbus-send", "--system", "/", "net.nuetzlich.SystemNotifications.Notify",
+         summary2, body2, NULL);
+     warn("notify: exec failed: %s\n", strerror(errno));
+     exit(1);
diff --git a/nixpkgs/pkgs/os-specific/linux/ebtables/default.nix b/nixpkgs/pkgs/os-specific/linux/ebtables/default.nix
new file mode 100644
index 000000000000..31a5dbd68f9d
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/ebtables/default.nix
@@ -0,0 +1,34 @@
+{ lib, stdenv, fetchurl }:
+
+stdenv.mkDerivation rec {
+  pname = "ebtables";
+  version = "2.0.11";
+
+  src = fetchurl {
+    url = "http://ftp.netfilter.org/pub/${pname}/${pname}-${version}.tar.gz";
+    sha256 = "0apxgmkhsk3vxn9q3libxn3dgrdljrxyy4mli2gk49m7hi3na7xp";
+  };
+
+  makeFlags = [
+    "LIBDIR=$(out)/lib" "BINDIR=$(out)/sbin" "MANDIR=$(out)/share/man"
+    "ETCDIR=$(out)/etc" "INITDIR=$(TMPDIR)" "SYSCONFIGDIR=$(out)/etc/sysconfig"
+    "LOCALSTATEDIR=/var"
+  ];
+
+  env.NIX_CFLAGS_COMPILE = "-Wno-error";
+
+  preInstall = "mkdir -p $out/etc/sysconfig";
+
+  postInstall = ''
+    ln -s $out/sbin/ebtables-legacy          $out/sbin/ebtables
+    ln -s $out/sbin/ebtables-legacy-restore  $out/sbin/ebtables-restore
+    ln -s $out/sbin/ebtables-legacy-save     $out/sbin/ebtables-save
+  '';
+
+  meta = with lib; {
+    description = "A filtering tool for Linux-based bridging firewalls";
+    homepage = "http://ebtables.sourceforge.net/";
+    license = licenses.gpl2;
+    platforms = platforms.linux;
+  };
+}
diff --git a/nixpkgs/pkgs/os-specific/linux/edac-utils/default.nix b/nixpkgs/pkgs/os-specific/linux/edac-utils/default.nix
new file mode 100644
index 000000000000..6171f8ed3073
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/edac-utils/default.nix
@@ -0,0 +1,38 @@
+{ lib, stdenv, fetchFromGitHub, perl, makeWrapper
+, sysfsutils, dmidecode, kmod }:
+
+stdenv.mkDerivation {
+  pname = "edac-utils";
+  version = "unstable-2015-01-07";
+
+  src = fetchFromGitHub {
+    owner = "grondo";
+    repo = "edac-utils";
+    rev = "f9aa96205f610de39a79ff43c7478b7ef02e3138";
+    sha256 = "1dmfqb15ffldl5zirbmwiqzpxbcc2ny9rpfvxcfvpmh5b69knvdg";
+  };
+
+  nativeBuildInputs = [ perl makeWrapper ];
+  buildInputs = [ sysfsutils ];
+
+  configureFlags = [
+    "--sysconfdir=/etc"
+    "--localstatedir=/var"
+  ];
+
+  installFlags = [
+    "sysconfdir=\${out}/etc"
+  ];
+
+  postInstall = ''
+    wrapProgram "$out/sbin/edac-ctl" \
+      --set PATH ${lib.makeBinPath [ dmidecode kmod ]}
+  '';
+
+  meta = with lib; {
+    homepage = "https://github.com/grondo/edac-utils";
+    description = "Handles the reporting of hardware-related memory errors";
+    license = licenses.gpl2;
+    platforms = platforms.linux;
+  };
+}
diff --git a/nixpkgs/pkgs/os-specific/linux/ell/default.nix b/nixpkgs/pkgs/os-specific/linux/ell/default.nix
new file mode 100644
index 000000000000..789a59f751f5
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/ell/default.nix
@@ -0,0 +1,55 @@
+{ lib, stdenv
+, fetchgit
+, autoreconfHook
+, pkg-config
+, dbus
+, sysctl
+, gitUpdater
+}:
+
+stdenv.mkDerivation rec {
+  pname = "ell";
+  version = "0.59";
+
+  outputs = [ "out" "dev" ];
+
+  src = fetchgit {
+    url = "https://git.kernel.org/pub/scm/libs/ell/ell.git";
+    rev = version;
+    hash = "sha256-uJcGYT+JSdz/XTyJb/VUyedmSKJW/4BbTM3fw3ebtIc=";
+  };
+
+  nativeBuildInputs = [
+    pkg-config
+    autoreconfHook
+  ];
+
+  nativeCheckInputs = [
+    dbus
+    # required as the sysctl test works on some machines
+    sysctl
+  ];
+
+  enableParallelBuilding = true;
+
+  # tests sporadically fail on musl
+  doCheck = !stdenv.hostPlatform.isMusl;
+
+  passthru = {
+    updateScript = gitUpdater {
+      url = "https://git.kernel.org/pub/scm/libs/ell/ell.git";
+    };
+  };
+
+  meta = with lib; {
+    homepage = "https://git.kernel.org/pub/scm/libs/ell/ell.git";
+    description = "Embedded Linux Library";
+    longDescription = ''
+      The Embedded Linux* Library (ELL) provides core, low-level functionality for system daemons. It typically has no dependencies other than the Linux kernel, C standard library, and libdl (for dynamic linking). While ELL is designed to be efficient and compact enough for use on embedded Linux platforms, it is not limited to resource-constrained systems.
+    '';
+    changelog = "https://git.kernel.org/pub/scm/libs/ell/ell.git/tree/ChangeLog?h=${version}";
+    license = licenses.lgpl21Plus;
+    platforms = platforms.linux;
+    maintainers = with maintainers; [ mic92 dtzWill amaxine ];
+  };
+}
diff --git a/nixpkgs/pkgs/os-specific/linux/ena/default.nix b/nixpkgs/pkgs/os-specific/linux/ena/default.nix
new file mode 100644
index 000000000000..b6ed869a71f5
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/ena/default.nix
@@ -0,0 +1,47 @@
+{ lib, stdenv, fetchFromGitHub, kernel }:
+
+stdenv.mkDerivation rec {
+  version = "2.8.9";
+  name = "ena-${version}-${kernel.version}";
+
+  src = fetchFromGitHub {
+    owner = "amzn";
+    repo = "amzn-drivers";
+    rev = "ena_linux_${version}";
+    hash = "sha256-9Csrq9wM7Q99qPj7+NlnQgP6KcciNHMbAAb+Wg7eYAU=";
+  };
+
+  hardeningDisable = [ "pic" ];
+
+  nativeBuildInputs = kernel.moduleBuildDependencies;
+  makeFlags = kernel.makeFlags;
+
+  # linux 3.12
+  env.NIX_CFLAGS_COMPILE = "-Wno-error=implicit-function-declaration";
+
+  configurePhase = ''
+    runHook preConfigure
+    cd kernel/linux/ena
+    export ENA_PHC_INCLUDE=1
+    substituteInPlace Makefile --replace '/lib/modules/$(BUILD_KERNEL)' ${kernel.dev}/lib/modules/${kernel.modDirVersion}
+    runHook postConfigure
+  '';
+
+  installPhase = ''
+    runHook preInstall
+    $STRIP -S ena.ko
+    dest=$out/lib/modules/${kernel.modDirVersion}/misc
+    mkdir -p $dest
+    cp ena.ko $dest/
+    xz $dest/ena.ko
+    runHook postInstall
+  '';
+
+  meta = with lib; {
+    description = "Amazon Elastic Network Adapter (ENA) driver for Linux";
+    homepage = "https://github.com/amzn/amzn-drivers";
+    license = licenses.gpl2Only;
+    maintainers = with maintainers; [ eelco sielicki ];
+    platforms = platforms.linux;
+  };
+}
diff --git a/nixpkgs/pkgs/os-specific/linux/error-inject/default.nix b/nixpkgs/pkgs/os-specific/linux/error-inject/default.nix
new file mode 100644
index 000000000000..f4a544172176
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/error-inject/default.nix
@@ -0,0 +1,68 @@
+{ lib, stdenv, fetchgit
+, bison, flex, rasdaemon
+}:
+
+{
+  edac-inject = rasdaemon.inject;
+
+  mce-inject = stdenv.mkDerivation rec {
+    pname = "mce-inject";
+    version = "4cbe46321b4a81365ff3aafafe63967264dbfec5";
+
+    src = fetchgit {
+      url = "https://git.kernel.org/pub/scm/utils/cpu/mce/mce-inject.git";
+      rev = version;
+      sha256 = "0gjapg2hrlxp8ssrnhvc19i3r1xpcnql7xv0zjgbv09zyha08g6z";
+    };
+
+    nativeBuildInputs = [ bison flex ];
+
+    makeFlags = [ "destdir=${placeholder "out"}" ];
+
+    postInstall = ''
+      mkdir $out/sbin
+      mv $out/usr/sbin/mce-inject $out/sbin/mce-inject
+
+      mkdir $out/test
+      cp test/* $out/test/.
+    '';
+
+    meta = with lib; {
+      description = "MCE error injection tool";
+      license = licenses.gpl2Only;
+      platforms = platforms.linux;
+      maintainers = [ maintainers.evils ];
+    };
+  };
+
+  aer-inject = stdenv.mkDerivation rec {
+    pname = "aer-inject";
+    version = "9bd5e2c7886fca72f139cd8402488a2235957d41";
+
+    src = fetchgit {
+      url = "https://git.kernel.org/pub/scm/linux/kernel/git/gong.chen/aer-inject.git";
+      rev = version;
+      sha256 = "0bh6mzpk2mr4xidkammmkfk21b4dbq793qjg25ryyxd1qv0c6cg4";
+    };
+
+    nativeBuildInputs = [ bison flex ];
+
+    # how is this necessary?
+    makeFlags = [ "DESTDIR=${placeholder "out"}" ];
+
+    postInstall = ''
+      mkdir $out/bin
+      mv $out/usr/local/aer-inject $out/bin/aer-inject
+
+      mkdir -p $out/examples
+      cp examples/* $out/examples/.
+    '';
+
+    meta = with lib; {
+      description = "PCIE AER error injection tool";
+      license = licenses.gpl2Only;
+      platforms = platforms.linux;
+      maintainers = [ maintainers.evils ];
+    };
+  };
+}
diff --git a/nixpkgs/pkgs/os-specific/linux/esdm/default.nix b/nixpkgs/pkgs/os-specific/linux/esdm/default.nix
new file mode 100644
index 000000000000..150e3b95b4f1
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/esdm/default.nix
@@ -0,0 +1,129 @@
+{ lib
+, stdenv
+, fetchFromGitHub
+, fetchpatch
+, protobufc
+, pkg-config
+, fuse3
+, meson
+, ninja
+, libselinux
+, jitterentropy
+, botan3
+, openssl
+, libkcapi
+
+# A more detailed explaination of the following meson build options can be found
+# in the source code of esdm.
+# A brief explanation is given.
+
+# general options
+, selinux ? false # enable selinux support
+, drngHashDrbg ? true  # set the default drng callback
+, drngChaCha20 ? false # set the default drng callback
+, ais2031 ? false # set the seeding strategy to be compliant with AIS 20/31
+, sp80090c ? false # set compliance with NIST SP800-90C
+, cryptoBackend ? "botan" # set backend for hash and drbg operations
+, linuxDevFiles ? true # enable linux /dev/random and /dev/urandom support
+, linuxGetRandom ? true # enable linux getrandom support
+, hashSha512 ? false # set the conditioning hash: SHA2-512
+, hashSha3_512 ? true # set the conditioning hash: SHA3-512
+, openSSLRandProvider ? true # build ESDM provider for OpenSSL 3.x
+, botanRng ? true # build ESDM class for Botan 3.x
+
+# client-related options (handle with care, consult source code and meson options)
+# leave as is if in doubt
+, connectTimeoutExponent ? 28 # (1 << EXPONENT nanoseconds)
+, rxTxTimeoutExponent ? 28 # (1 << EXPONENT nanoseconds)
+, reconnectAttempts ? 10 # how often to attempt unix socket connection before giving up
+
+# entropy sources
+, esJitterRng ? true # enable support for the entropy source: jitter rng (running in user space)
+, esJitterRngEntropyRate ? 256 # amount of entropy to account for jitter rng source
+, esJitterRngKernel ? true # enable support for the entropy source: jitter rng (running in kernel space)
+, esJitterRngKernelEntropyRate ? 256 # amount of entropy to account for kernel jitter rng source
+, esCPU ? true # enable support for the entropy source: cpu-based entropy
+, esCPUEntropyRate ? 8 # amount of entropy to account for cpu rng source
+, esKernel ? true # enable support for the entropy source: kernel-based entropy
+, esKernelEntropyRate ? 128 # amount of entropy to account for kernel-based source
+, esIRQ ? false # enable support for the entropy source: interrupt-based entropy
+, esIRQEntropyRate ? 256 # amount of entropy to account for interrupt-based source (only set irq XOR sched != 0)
+, esSched ? false # enable support for the entropy source: scheduler-based entropy
+, esSchedEntropyRate ? 0 # amount of entropy to account for interrupt-based source (only set irq XOR sched != 0)
+, esHwrand ? true # enable support for the entropy source: /dev/hwrng
+, esHwrandEntropyRate ? 128 # amount of entropy to account for /dev/hwrng-based sources
+}:
+
+assert drngHashDrbg != drngChaCha20;
+assert hashSha512 != hashSha3_512;
+assert cryptoBackend == "openssl" || cryptoBackend == "botan" || cryptoBackend == "builtin" "Unsupported ESDM crypto backend";
+
+stdenv.mkDerivation rec {
+  pname = "esdm";
+  version = "1.0.0";
+
+  src = fetchFromGitHub {
+    owner = "smuellerDD";
+    repo = "esdm";
+    rev = "v${version}";
+    sha256 = "sha256-q6TGL1agltV9CFfcA6hZszVwGIBBngs22ZqhQgc9FeM=";
+  };
+
+  nativeBuildInputs = [ meson pkg-config ninja ];
+  buildInputs = [ protobufc ]
+    ++ lib.optional (cryptoBackend == "botan" || botanRng) botan3
+    ++ lib.optional (cryptoBackend == "openssl" || openSSLRandProvider) openssl
+    ++ lib.optional selinux libselinux
+    ++ lib.optional esJitterRng jitterentropy
+    ++ lib.optional linuxDevFiles fuse3
+    ++ lib.optional esJitterRngKernel libkcapi;
+
+  mesonFlags = [
+    (lib.mesonBool "b_lto" false)
+    (lib.mesonBool "fips140" false)
+    (lib.mesonBool "ais2031" ais2031)
+    (lib.mesonBool "sp80090c" sp80090c)
+    (lib.mesonEnable "node" true) # multiple DRNGs
+    (lib.mesonOption "threading_max_threads" (toString 64))
+    (lib.mesonOption "crypto_backend" cryptoBackend)
+    (lib.mesonEnable "linux-devfiles" linuxDevFiles)
+    (lib.mesonEnable "linux-getrandom" linuxGetRandom)
+    (lib.mesonOption "client-connect-timeout-exponent" (toString connectTimeoutExponent))
+    (lib.mesonOption "client-rx-tx-timeout-exponent" (toString rxTxTimeoutExponent))
+    (lib.mesonOption "client-reconnect-attempts" (toString reconnectAttempts))
+    (lib.mesonEnable "es_jent" esJitterRng)
+    (lib.mesonOption "es_jent_entropy_rate" (toString esJitterRngEntropyRate))
+    (lib.mesonEnable "es_jent_kernel" esJitterRngKernel)
+    (lib.mesonOption "es_jent_kernel_entropy_rate" (toString esJitterRngKernelEntropyRate))
+    (lib.mesonEnable "es_cpu" esCPU)
+    (lib.mesonOption "es_cpu_entropy_rate" (toString esCPUEntropyRate))
+    (lib.mesonEnable "es_kernel" esKernel)
+    (lib.mesonOption "es_kernel_entropy_rate" (toString esKernelEntropyRate))
+    (lib.mesonEnable "es_irq" esIRQ)
+    (lib.mesonOption "es_irq_entropy_rate" (toString esIRQEntropyRate))
+    (lib.mesonEnable "es_sched" esSched)
+    (lib.mesonOption "es_sched_entropy_rate" (toString esSchedEntropyRate))
+    (lib.mesonEnable "es_hwrand" esHwrand)
+    (lib.mesonOption "es_hwrand_entropy_rate" (toString esHwrandEntropyRate))
+    (lib.mesonEnable "hash_sha512" hashSha512)
+    (lib.mesonEnable "hash_sha3_512" hashSha3_512)
+    (lib.mesonEnable "selinux" selinux)
+    (lib.mesonEnable "drng_hash_drbg" drngHashDrbg)
+    (lib.mesonEnable "drng_chacha20" drngChaCha20)
+    (lib.mesonEnable "openssl-rand-provider" openSSLRandProvider)
+    (lib.mesonEnable "botan-rng" botanRng)
+  ];
+
+  doCheck = true;
+
+  strictDeps = true;
+  mesonBuildType = "release";
+
+  meta = {
+    homepage = "https://www.chronox.de/esdm.html";
+    description = "Entropy Source and DRNG Manager in user space";
+    license = with lib.licenses; [ gpl2Only bsd3 ];
+    platforms = lib.platforms.linux;
+    maintainers = with lib.maintainers; [ orichter thillux ];
+  };
+}
diff --git a/nixpkgs/pkgs/os-specific/linux/ethq/default.nix b/nixpkgs/pkgs/os-specific/linux/ethq/default.nix
new file mode 100644
index 000000000000..f966e285471e
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/ethq/default.nix
@@ -0,0 +1,32 @@
+{ stdenv, lib, fetchFromGitHub, ncurses }:
+
+stdenv.mkDerivation rec {
+  pname = "ethq";
+  version = "0.6.2";
+
+  src = fetchFromGitHub {
+    owner = "isc-projects";
+    repo = "ethq";
+    rev = "refs/tags/v${builtins.replaceStrings ["."] ["_"] version}";
+    hash = "sha256-luvvNdH4kERAMy242kLCqlnGmfPjSjvoHa6J2J7BFi4=";
+  };
+
+  buildInputs = [ ncurses ];
+
+  installPhase = ''
+    runHook preInstall
+
+    mkdir -p $out/bin
+    install -m0755 ethq $out/bin/ethq
+
+    runHook postInstall
+  '';
+
+  meta = with lib; {
+    description = "Ethernet NIC Queue stats viewer";
+    homepage = "https://github.com/isc-projects/ethq";
+    license = licenses.mpl20;
+    platforms = platforms.linux;
+    maintainers = with maintainers; [ delroth ];
+  };
+}
diff --git a/nixpkgs/pkgs/os-specific/linux/evdi/default.nix b/nixpkgs/pkgs/os-specific/linux/evdi/default.nix
new file mode 100644
index 000000000000..bd34ac0db4d3
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/evdi/default.nix
@@ -0,0 +1,52 @@
+{ lib, stdenv, fetchFromGitHub, kernel, libdrm, python3 }:
+
+let
+  python3WithLibs = python3.withPackages (ps: with ps; [
+    pybind11
+  ]);
+in
+stdenv.mkDerivation rec {
+  pname = "evdi";
+  version = "1.14.1";
+
+  src = fetchFromGitHub {
+    owner = "DisplayLink";
+    repo = pname;
+    rev = "v${version}";
+    hash = "sha256-em3Y56saB7K3Wr31Y0boc38xGb57gdveN0Cstgy8y20=";
+  };
+
+  env.NIX_CFLAGS_COMPILE = toString [
+    "-Wno-error"
+    "-Wno-error=discarded-qualifiers" # for Linux 4.19 compatibility
+    "-Wno-error=sign-compare"
+  ];
+
+  nativeBuildInputs = kernel.moduleBuildDependencies;
+
+  buildInputs = [ kernel libdrm python3WithLibs ];
+
+  makeFlags = kernel.makeFlags ++ [
+    "KVER=${kernel.modDirVersion}"
+    "KDIR=${kernel.dev}/lib/modules/${kernel.modDirVersion}/build"
+  ];
+
+  hardeningDisable = [ "format" "pic" "fortify" ];
+
+  installPhase = ''
+    install -Dm755 module/evdi.ko $out/lib/modules/${kernel.modDirVersion}/kernel/drivers/gpu/drm/evdi/evdi.ko
+    install -Dm755 library/libevdi.so $out/lib/libevdi.so
+  '';
+
+  enableParallelBuilding = true;
+
+  meta = with lib; {
+    changelog = "https://github.com/DisplayLink/evdi/releases/tag/v${version}";
+    description = "Extensible Virtual Display Interface";
+    maintainers = with maintainers; [ ];
+    platforms = platforms.linux;
+    license = with licenses; [ lgpl21Only gpl2Only ];
+    homepage = "https://www.displaylink.com/";
+    broken = kernel.kernelOlder "4.19" || kernel.kernelAtLeast "6.6";
+  };
+}
diff --git a/nixpkgs/pkgs/os-specific/linux/eventstat/default.nix b/nixpkgs/pkgs/os-specific/linux/eventstat/default.nix
new file mode 100644
index 000000000000..2c139cd3c865
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/eventstat/default.nix
@@ -0,0 +1,28 @@
+{ stdenv, lib, fetchFromGitHub, ncurses }:
+
+stdenv.mkDerivation rec {
+  pname = "eventstat";
+  version = "0.05.01";
+
+  src = fetchFromGitHub {
+    owner = "ColinIanKing";
+    repo = pname;
+    rev = "V${version}";
+    hash = "sha256-raODDA1EKtZThFg0NV6EfrWj5mSQNaiekywfOfAvYXI=";
+  };
+
+  buildInputs = [ ncurses ];
+  installFlags = [
+    "BINDIR=${placeholder "out"}/bin"
+    "MANDIR=${placeholder "out"}/share/man/man8"
+    "BASHDIR=${placeholder "out"}/share/bash-completion/completions"
+  ];
+
+  meta = with lib; {
+    description = "Simple monitoring of system events";
+    homepage = "https://github.com/ColinIanKing/eventstat";
+    license = licenses.gpl2;
+    platforms = platforms.linux;
+    maintainers = with maintainers; [ ];
+  };
+}
diff --git a/nixpkgs/pkgs/os-specific/linux/exfat/default.nix b/nixpkgs/pkgs/os-specific/linux/exfat/default.nix
new file mode 100644
index 000000000000..3d2445df4980
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/exfat/default.nix
@@ -0,0 +1,37 @@
+{ stdenv, lib, fetchFromGitHub, fetchpatch, kernel }:
+
+stdenv.mkDerivation rec {
+  name = "exfat-nofuse-${version}-${kernel.version}";
+  version = "2020-04-15";
+
+  src = fetchFromGitHub {
+    owner = "barrybingo";
+    repo = "exfat-nofuse";
+    rev = "297a5739cd4a942a1d814d05a9cd9b542e7b8fc8";
+    sha256 = "14jahy7n6pr482fjfrlf9ck3f2rkr5ds0n5r85xdfsla37ria26d";
+  };
+
+  hardeningDisable = [ "pic" ];
+
+  nativeBuildInputs = kernel.moduleBuildDependencies;
+
+  makeFlags = [
+    "KDIR=${kernel.dev}/lib/modules/${kernel.modDirVersion}/build"
+    "ARCH=${stdenv.hostPlatform.linuxArch}"
+  ] ++ lib.optionals (stdenv.hostPlatform != stdenv.buildPlatform) [
+    "CROSS_COMPILE=${stdenv.cc.targetPrefix}"
+  ];
+
+  installPhase = ''
+    install -m644 -b -D exfat.ko $out/lib/modules/${kernel.modDirVersion}/kernel/fs/exfat/exfat.ko
+  '';
+
+  meta = {
+    description = "exfat kernel module";
+    inherit (src.meta) homepage;
+    license = lib.licenses.gpl2;
+    maintainers = with lib.maintainers; [ makefu ];
+    platforms = lib.platforms.linux;
+    broken = true;
+  };
+}
diff --git a/nixpkgs/pkgs/os-specific/linux/extrace/default.nix b/nixpkgs/pkgs/os-specific/linux/extrace/default.nix
new file mode 100644
index 000000000000..e4afe6f85039
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/extrace/default.nix
@@ -0,0 +1,28 @@
+{ lib, stdenv, fetchFromGitHub }:
+
+stdenv.mkDerivation rec {
+  pname = "extrace";
+  version = "0.9";
+
+  src = fetchFromGitHub {
+    owner = "leahneukirchen";
+    repo = "extrace";
+    rev = "v${version}";
+    hash = "sha256-Jy/Ac3NcqBkW0kHyypMAVUGAQ41qWM96BbLAym06ogM=";
+  };
+
+  makeFlags = [ "PREFIX=${placeholder "out"}" ];
+
+  postInstall = ''
+    install -dm755 "$out/share/licenses/extrace/"
+    install -m644 LICENSE "$out/share/licenses/extrace/LICENSE"
+  '';
+
+  meta = with lib; {
+    homepage = "https://github.com/leahneukirchen/extrace";
+    description = "Trace exec() calls system-wide";
+    license = with licenses; [ gpl2Plus bsd2 ];
+    platforms = platforms.linux;
+    maintainers = [ maintainers.leahneukirchen ];
+  };
+}
diff --git a/nixpkgs/pkgs/os-specific/linux/facetimehd/default.nix b/nixpkgs/pkgs/os-specific/linux/facetimehd/default.nix
new file mode 100644
index 000000000000..3bb656e8cb09
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/facetimehd/default.nix
@@ -0,0 +1,43 @@
+{ stdenv, lib, fetchFromGitHub, kernel }:
+
+stdenv.mkDerivation rec {
+  name = "facetimehd-${version}-${kernel.version}";
+  version = "0.5.18";
+
+  # Note: When updating this revision:
+  # 1. Also update pkgs/os-specific/linux/firmware/facetimehd-firmware/
+  # 2. Test the module and firmware change via:
+  #    a. Give some applications a try (Skype, Hangouts, Cheese, etc.)
+  #    b. Run: journalctl -f
+  #    c. Then close the lid
+  #    d. Then open the lid (and maybe press a key to wake it up)
+  #    e. see if the module loads back (apps using the camera won't
+  #       recover and will have to be restarted) and the camera
+  #       still works.
+  src = fetchFromGitHub {
+    owner = "patjak";
+    repo = "facetimehd";
+    rev = version;
+    sha256 = "sha256-UO8t2zrfdJlu4uzhhyWOuHIjJNVezIq3nUPGZeW/KJU=";
+  };
+
+  preConfigure = ''
+    export INSTALL_MOD_PATH="$out"
+  '';
+
+  hardeningDisable = [ "pic" ];
+
+  nativeBuildInputs = kernel.moduleBuildDependencies;
+
+  makeFlags = [
+    "KDIR=${kernel.dev}/lib/modules/${kernel.modDirVersion}/build"
+  ];
+
+  meta = with lib; {
+    homepage = "https://github.com/patjak/bcwc_pcie";
+    description = "Linux driver for the Facetime HD (Broadcom 1570) PCIe webcam";
+    license = licenses.gpl2;
+    maintainers = with maintainers; [ womfoo grahamc kraem ];
+    platforms = [ "i686-linux" "x86_64-linux" ];
+  };
+}
diff --git a/nixpkgs/pkgs/os-specific/linux/fan2go/default.nix b/nixpkgs/pkgs/os-specific/linux/fan2go/default.nix
new file mode 100644
index 000000000000..c7176183018a
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/fan2go/default.nix
@@ -0,0 +1,31 @@
+{ buildGoModule, fetchFromGitHub, lib, lm_sensors }:
+
+buildGoModule rec {
+  pname = "fan2go";
+  version = "0.8.1";
+
+  src = fetchFromGitHub {
+    owner = "markusressel";
+    repo = pname;
+    rev = version;
+    hash = "sha256-w2Qwu3ZmBkoA86xa7V6pnIBAbfG9mtkAHePkQjefRW8=";
+  };
+
+  vendorHash = "sha256-6OEdl7ie0dTjXrG//Fvcg4ZyTW/mhrUievDljY2zi/4=";
+
+  postConfigure = ''
+    substituteInPlace vendor/github.com/md14454/gosensors/gosensors.go \
+      --replace '"/etc/sensors3.conf"' '"${lm_sensors}/etc/sensors3.conf"'
+  '';
+
+  CGO_CFLAGS = "-I ${lm_sensors}/include";
+  CGO_LDFLAGS = "-L ${lm_sensors}/lib";
+
+  meta = with lib; {
+    description = "A simple daemon providing dynamic fan speed control based on temperature sensors";
+    homepage = "https://github.com/markusressel/fan2go";
+    license = licenses.agpl3Plus;
+    maintainers = with maintainers; [ mtoohey ];
+    platforms = platforms.linux;
+  };
+}
diff --git a/nixpkgs/pkgs/os-specific/linux/fanctl/default.nix b/nixpkgs/pkgs/os-specific/linux/fanctl/default.nix
new file mode 100644
index 000000000000..d8769b0f04de
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/fanctl/default.nix
@@ -0,0 +1,23 @@
+{ lib, fetchFromGitLab, rustPlatform }:
+
+rustPlatform.buildRustPackage rec {
+  version = "0.6.4";
+  pname = "fanctl";
+
+  src = fetchFromGitLab {
+    owner = "mcoffin";
+    repo = pname;
+    rev = "v${version}";
+    sha256 = "sha256-XmawybmqRJ9Lj6ii8TZBFwqdQZVp0pOLN4xiSLkU/bw=";
+  };
+
+  cargoSha256 = "sha256-tj00DXQEqC/8+3uzTMWcph+1fNTTVZLSJbV/5lLFkFs=";
+
+  meta = with lib; {
+    description = "Replacement for fancontrol with more fine-grained control interface in its config file";
+    homepage = "https://gitlab.com/mcoffin/fanctl";
+    license = licenses.gpl3Only;
+    maintainers = with maintainers; [ icewind1991 ];
+    platforms = platforms.linux;
+  };
+}
diff --git a/nixpkgs/pkgs/os-specific/linux/fanout/default.nix b/nixpkgs/pkgs/os-specific/linux/fanout/default.nix
new file mode 100644
index 000000000000..3352f59a05f7
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/fanout/default.nix
@@ -0,0 +1,37 @@
+{ lib, stdenv, fetchFromGitHub, kernel, kmod }:
+
+stdenv.mkDerivation rec {
+  pname = "fanout";
+  version = "unstable-2022-10-17-${kernel.version}";
+
+  src = fetchFromGitHub {
+    owner = "bob-linuxtoys";
+    repo = "fanout";
+    rev = "69b1cc69bf425d1a5f83b4e84d41272f1caa0144";
+    hash = "sha256-Q19c88KDFu0A6MejZgKYei9J2693EjRkKtR9hcRcHa0=";
+  };
+
+  preBuild = ''
+    substituteInPlace Makefile --replace "modules_install" "INSTALL_MOD_PATH=$out modules_install"
+  '';
+
+  patches = [
+    ./remove_auto_mknod.patch
+  ];
+
+  hardeningDisable = [ "format" "pic" ];
+
+  nativeBuildInputs = [ kmod ] ++ kernel.moduleBuildDependencies;
+
+  makeFlags = kernel.makeFlags ++ [
+    "KERNELDIR=${kernel.dev}/lib/modules/${kernel.modDirVersion}/build"
+  ];
+
+  meta = with lib; {
+    description = "Kernel-based publish-subscribe system";
+    homepage = "https://github.com/bob-linuxtoys/fanout";
+    license = licenses.gpl2Only;
+    maintainers = with maintainers; [ therishidesai ];
+    platforms = platforms.linux;
+  };
+}
diff --git a/nixpkgs/pkgs/os-specific/linux/fanout/remove_auto_mknod.patch b/nixpkgs/pkgs/os-specific/linux/fanout/remove_auto_mknod.patch
new file mode 100644
index 000000000000..1f62e2b4633b
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/fanout/remove_auto_mknod.patch
@@ -0,0 +1,13 @@
+diff --git a/fanout.c b/fanout.c
+index f5d2a55..87125f4 100644
+--- a/fanout.c
++++ b/fanout.c
+@@ -13,7 +13,7 @@
+ /* Comment out to forgo the creation of /dev entries
+  * The companion udev rules 'fanout.rules' sets the special file mode
+  */
+-#define DEV_MKNOD
++// #define DEV_MKNOD
+ 
+ #include <linux/kernel.h>
+ #include <linux/module.h>
diff --git a/nixpkgs/pkgs/os-specific/linux/fatrace/default.nix b/nixpkgs/pkgs/os-specific/linux/fatrace/default.nix
new file mode 100644
index 000000000000..487ad533668f
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/fatrace/default.nix
@@ -0,0 +1,40 @@
+{ lib, stdenv
+, fetchFromGitHub
+, python3
+, which
+}:
+
+stdenv.mkDerivation rec {
+  pname = "fatrace";
+  version = "0.17.0";
+
+  src = fetchFromGitHub {
+    owner = "martinpitt";
+    repo = pname;
+    rev = version;
+    sha256 = "sha256-MRHM+hyuRevK4L3u6dGw1S3O7w+BJBsprJVcSz6Q9xg=";
+  };
+
+  buildInputs = [ python3 which ];
+
+  postPatch = ''
+    substituteInPlace power-usage-report \
+      --replace "'which'" "'${which}/bin/which'"
+  '';
+
+  makeFlags = [ "PREFIX=$(out)" ];
+
+  meta = with lib; {
+    description = "Report system-wide file access events";
+    homepage = "https://github.com/martinpitt/fatrace";
+    license = licenses.gpl3Plus;
+    longDescription = ''
+      fatrace reports file access events from all running processes.
+      Its main purpose is to find processes which keep waking up the disk
+      unnecessarily and thus prevent some power saving.
+      Requires a Linux kernel with the FANOTIFY configuration option enabled.
+      Enabling X86_MSR is also recommended for power-usage-report on x86.
+    '';
+    platforms = platforms.linux;
+  };
+}
diff --git a/nixpkgs/pkgs/os-specific/linux/fbterm/default.nix b/nixpkgs/pkgs/os-specific/linux/fbterm/default.nix
new file mode 100644
index 000000000000..f762eca36beb
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/fbterm/default.nix
@@ -0,0 +1,104 @@
+{ stdenv
+, autoreconfHook
+, fetchFromGitLab
+, fetchpatch
+, fetchurl
+, fontconfig
+, freetype
+, gpm
+, lib
+, ncurses
+, pkg-config
+}:
+
+stdenv.mkDerivation rec {
+  version = "1.7-2";
+  pname = "fbterm";
+
+  src = fetchFromGitLab {
+    domain = "salsa.debian.org";
+    owner = "debian";
+    repo = pname;
+    rev = "debian/${version}";
+    hash = "sha256-vRUZgFpA1IkzkLzl7ImT+Yff5XqjFbUlkHmj/hd7XDE=";
+  };
+
+  nativeBuildInputs = [
+    autoreconfHook
+    pkg-config
+    ncurses
+  ];
+  buildInputs = [
+    gpm
+    freetype
+    fontconfig
+    ncurses
+  ];
+
+  makeFlags = [
+    "AR:=$(AR)"
+  ];
+
+  # preConfigure = ''
+  #   sed -e '/ifdef SYS_signalfd/atypedef long long loff_t;' -i src/fbterm.cpp
+  #   sed -e '/install-exec-hook:/,/^[^\t]/{d}; /.NOEXPORT/iinstall-exec-hook:\
+  #   ' -i src/Makefile.in
+  #   export HOME=$PWD;
+  #   export NIX_LDFLAGS="$NIX_LDFLAGS -lfreetype"
+  # '';
+
+  preInstall = ''
+    export HOME=$PWD
+  '';
+
+  postInstall =
+  let
+    fbtermrc = fetchurl {
+      url = "https://aur.archlinux.org/cgit/aur.git/plain/fbtermrc?h=fbterm";
+      hash = "sha256-zNIfi2ZjEGc5PLdOIirKGTXESb5Wm5XBAI1sfHa31LY=";
+    };
+  in
+  ''
+    mkdir -p "$out/share/terminfo"
+    tic -a -v2 -o"$out/share/terminfo" terminfo/fbterm
+
+    mkdir -p "$out/etc/fbterm"
+    cp "${fbtermrc}" "$out/etc/fbterm"
+  '';
+
+  # Patches from https://aur.archlinux.org/cgit/aur.git/tree/PKGBUILD?h=fbterm
+  patches = [
+    (fetchpatch {
+      url = "https://aur.archlinux.org/cgit/aur.git/plain/fbconfig.patch?h=fbterm";
+      hash = "sha256-skCdUqyMkkqxS1YUI7cofsfnNNo3SL/qe4WEIXlhm/s=";
+    })
+    (fetchpatch {
+      url = "https://aur.archlinux.org/cgit/aur.git/plain/color_palette.patch?h=fbterm";
+      hash = "sha256-SkWxzfapyBTtMpTXkiFHRAw8/uXw7cAWwg5Q3TqWlk8=";
+    })
+    (fetchpatch {
+      url = "https://aur.archlinux.org/cgit/aur.git/plain/fbterm.patch?h=fbterm";
+      hash = "sha256-XNHBTGQGeaQPip2XgcKlr123VDwils2pnyiGqkBGhzU=";
+    })
+    (fetchpatch {
+      url = "https://aur.archlinux.org/cgit/aur.git/plain/0001-Fix-build-with-gcc-6.patch?h=fbterm";
+      hash = "sha256-3d3zBvr5upICVVkd6tn63IhuB0sF67f62aKnf8KvOwg=";
+    })
+    (fetchpatch {
+      url = "https://aur.archlinux.org/cgit/aur.git/plain/fix_ftbfs_crosscompile.patch?h=fbterm";
+      hash = "sha256-jv/FSG6dHR0jKjPXQIfqsvpiT/XYzwv/VwuV+qUSovM=";
+    })
+    (fetchpatch {
+      url = "https://aur.archlinux.org/cgit/aur.git/plain/fix_ftbfs_epoll.patch?h=fbterm";
+      hash = "sha256-wkhfG0uY/5ZApcXTERkaKqz5IDpnilxUEcxull4645A=";
+    })
+  ];
+
+  meta = with lib; {
+    description = "Framebuffer terminal emulator";
+    homepage = "https://salsa.debian.org/debian/fbterm";
+    maintainers = with maintainers; [ lovesegfault raskin ];
+    license = licenses.gpl2;
+    platforms = platforms.linux;
+  };
+}
diff --git a/nixpkgs/pkgs/os-specific/linux/fbterm/select.patch b/nixpkgs/pkgs/os-specific/linux/fbterm/select.patch
new file mode 100644
index 000000000000..549674047a93
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/fbterm/select.patch
@@ -0,0 +1,12 @@
+diff --git a/src/fbio.cpp b/src/fbio.cpp
+index e5afc44..2485227 100644
+--- a/src/fbio.cpp
++++ b/src/fbio.cpp
+@@ -18,6 +18,7 @@
+  *
+  */
+ 
++#include <sys/select.h>
+ #include <unistd.h>
+ #include <fcntl.h>
+ #include "config.h"
diff --git a/nixpkgs/pkgs/os-specific/linux/ffado/default.nix b/nixpkgs/pkgs/os-specific/linux/ffado/default.nix
new file mode 100644
index 000000000000..3d44ad813a69
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/ffado/default.nix
@@ -0,0 +1,108 @@
+{ lib
+, mkDerivation
+, dbus
+, dbus_cplusplus
+, desktop-file-utils
+, fetchurl
+, glibmm
+, kernel
+, libavc1394
+, libconfig
+, libiec61883
+, libraw1394
+, libxmlxx3
+, pkg-config
+, python3
+, scons
+, which
+, wrapQtAppsHook
+}:
+
+let
+  inherit (python3.pkgs) pyqt5 dbus-python;
+  python = python3.withPackages (pkgs: with pkgs; [ pyqt5 dbus-python ]);
+in
+mkDerivation rec {
+  pname = "ffado";
+  version = "2.4.7";
+
+  src = fetchurl {
+    url = "http://www.ffado.org/files/libffado-${version}.tgz";
+    sha256 = "0vsn3y52g6f77lqh9qfkd7dslmb7bbgy46cv5idynx4frqscc23s";
+  };
+
+  prePatch = ''
+    substituteInPlace ./support/tools/ffado-diag.in \
+      --replace /lib/modules/ "/run/booted-system/kernel-modules/lib/modules/"
+  '';
+
+  patches = [
+    # fix installing metainfo file
+    ./fix-build.patch
+  ];
+
+  outputs = [ "out" "bin" "dev" ];
+
+  nativeBuildInputs = [
+    desktop-file-utils
+    scons
+    pkg-config
+    which
+    python
+    pyqt5
+    wrapQtAppsHook
+  ];
+
+  prefixKey = "PREFIX=";
+  sconsFlags = [
+    "DEBUG=False"
+    "ENABLE_ALL=True"
+    "BUILD_TESTS=True"
+    "WILL_DEAL_WITH_XDG_MYSELF=True"
+    "BUILD_MIXER=True"
+    "UDEVDIR=${placeholder "out"}/lib/udev/rules.d"
+    "PYPKGDIR=${placeholder "out"}/${python3.sitePackages}"
+    "BINDIR=${placeholder "bin"}/bin"
+    "INCLUDEDIR=${placeholder "dev"}/include"
+    "PYTHON_INTERPRETER=${python.interpreter}"
+  ];
+
+  buildInputs = [
+    dbus
+    dbus_cplusplus
+    glibmm
+    libavc1394
+    libconfig
+    libiec61883
+    libraw1394
+    libxmlxx3
+    python
+  ];
+
+  enableParallelBuilding = true;
+  dontWrapQtApps = true;
+
+  postInstall = ''
+    desktop="$bin/share/applications/ffado-mixer.desktop"
+    install -DT -m 444 support/xdg/ffado.org-ffadomixer.desktop $desktop
+    substituteInPlace "$desktop" \
+      --replace Exec=ffado-mixer "Exec=$bin/bin/ffado-mixer" \
+      --replace hi64-apps-ffado ffado-mixer
+    install -DT -m 444 support/xdg/hi64-apps-ffado.png "$bin/share/icons/hicolor/64x64/apps/ffado-mixer.png"
+
+    # prevent build tools from leaking into closure
+    echo 'See `nix-store --query --tree ${placeholder "out"}`.' > $out/lib/libffado/static_info.txt
+  '';
+
+  preFixup = ''
+    wrapQtApp $bin/bin/ffado-mixer
+  '';
+
+  meta = with lib; {
+    homepage = "http://www.ffado.org";
+    description = "FireWire audio drivers";
+    license = licenses.gpl3;
+    maintainers = with maintainers; [ goibhniu michojel ];
+    platforms = platforms.linux;
+  };
+}
diff --git a/nixpkgs/pkgs/os-specific/linux/ffado/fix-build.patch b/nixpkgs/pkgs/os-specific/linux/ffado/fix-build.patch
new file mode 100644
index 000000000000..7e360932613f
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/ffado/fix-build.patch
@@ -0,0 +1,26 @@
+From b0f2b20b23780dd2e67a01c15462070dd86c4ac1 Mon Sep 17 00:00:00 2001
+From: Jan Tojnar <jtojnar@gmail.com>
+Date: Sun, 3 Mar 2019 11:50:27 +0100
+Subject: [PATCH] Fix build on Nix
+
+We do not have global /usr.
+---
+ SConstruct | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/SConstruct b/SConstruct
+index 05755e4b..3fbdc1d8 100644
+--- a/SConstruct
++++ b/SConstruct
+@@ -537,7 +537,7 @@ env['mandir'] = Template( env.destdir + env['MANDIR'] ).safe_substitute( env )
+ env['pypkgdir'] = Template( env.destdir + env['PYPKGDIR'] ).safe_substitute( env )
+ env['udevdir'] = Template( env.destdir + env['UDEVDIR'] ).safe_substitute( env )
+ env['PYPKGDIR'] = Template( env['PYPKGDIR'] ).safe_substitute( env )
+-env['metainfodir'] = Template( env.destdir + "/usr/share/metainfo" ).safe_substitute( env )
++env['metainfodir'] = Template( env.destdir + env['SHAREDIR'] + "/metainfo" ).safe_substitute( env )
+ 
+ env.Command( target=env['sharedir'], source="", action=Mkdir( env['sharedir'] ) )
+ 
+-- 
+2.19.2
+
diff --git a/nixpkgs/pkgs/os-specific/linux/firejail/default.nix b/nixpkgs/pkgs/os-specific/linux/firejail/default.nix
new file mode 100644
index 000000000000..64607c5653eb
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/firejail/default.nix
@@ -0,0 +1,103 @@
+{ lib
+, stdenv
+, fetchFromGitHub
+, fetchpatch
+, pkg-config
+, libapparmor
+, which
+, xdg-dbus-proxy
+, nixosTests
+}:
+
+stdenv.mkDerivation rec {
+  pname = "firejail";
+  version = "0.9.72";
+
+  src = fetchFromGitHub {
+    owner = "netblue30";
+    repo = "firejail";
+    rev = version;
+    sha256 = "sha256-XAlb6SSyY2S1iWDaulIlghQ16OGvT/wBCog95/nxkog=";
+  };
+
+  nativeBuildInputs = [
+    pkg-config
+  ];
+
+  buildInputs = [
+    libapparmor
+    which
+  ];
+
+  configureFlags = [
+    "--enable-apparmor"
+  ];
+
+  patches = [
+    # Adds the /nix directory when using an overlay.
+    # Required to run any programs under this mode.
+    ./mount-nix-dir-on-overlay.patch
+
+    # By default fbuilder hardcodes the firejail binary to the install path.
+    # On NixOS the firejail binary is a setuid wrapper available in $PATH.
+    ./fbuilder-call-firejail-on-path.patch
+  ];
+
+  prePatch = ''
+    # Fix the path to 'xdg-dbus-proxy' hardcoded in the 'common.h' file
+    substituteInPlace src/include/common.h \
+      --replace '/usr/bin/xdg-dbus-proxy' '${xdg-dbus-proxy}/bin/xdg-dbus-proxy'
+
+    # Workaround for regression introduced in 0.9.72 preventing usage of
+    # end-of-options indicator "--"
+    # See https://github.com/netblue30/firejail/issues/5659
+    substituteInPlace src/firejail/sandbox.c \
+      --replace " && !arg_doubledash" ""
+  '';
+
+  preConfigure = ''
+    sed -e 's@/bin/bash@${stdenv.shell}@g' -i $( grep -lr /bin/bash .)
+    sed -e "s@/bin/cp@$(which cp)@g" -i $( grep -lr /bin/cp .)
+  '';
+
+  preBuild = ''
+    sed -e "s@/etc/@$out/etc/@g" -e "/chmod u+s/d" -i Makefile
+  '';
+
+  # The profile files provided with the firejail distribution include `.local`
+  # profile files using relative paths. The way firejail works when it comes to
+  # handling includes is by looking target files up in `~/.config/firejail`
+  # first, and then trying `SYSCONFDIR`. The latter normally points to
+  # `/etc/filejail`, but in the case of nixos points to the nix store. This
+  # makes it effectively impossible to place any profile files in
+  # `/etc/firejail`.
+  #
+  # The workaround applied below is by creating a set of `.local` files which
+  # only contain respective includes to `/etc/firejail`. This way
+  # `~/.config/firejail` still takes precedence, but `/etc/firejail` will also
+  # be searched in second order. This replicates the behaviour from
+  # non-nixos platforms.
+  #
+  # See https://github.com/netblue30/firejail/blob/e4cb6b42743ad18bd11d07fd32b51e8576239318/src/firejail/profile.c#L68-L83
+  # for the profile file lookup implementation.
+  postInstall = ''
+    for local in $(grep -Eh '^include.*local$' $out/etc/firejail/*{.inc,.profile} | awk '{print $2}' | sort | uniq)
+    do
+      echo "include /etc/firejail/$local" >$out/etc/firejail/$local
+    done
+  '';
+
+  # At high parallelism, the build sometimes fails with:
+  # bash: src/fsec-optimize/fsec-optimize: No such file or directory
+  enableParallelBuilding = false;
+
+  passthru.tests = nixosTests.firejail;
+
+  meta = {
+    description = "Namespace-based sandboxing tool for Linux";
+    license = lib.licenses.gpl2Plus;
+    maintainers = [ lib.maintainers.raskin ];
+    platforms = lib.platforms.linux;
+    homepage = "https://firejail.wordpress.com/";
+  };
+}
diff --git a/nixpkgs/pkgs/os-specific/linux/firejail/fbuilder-call-firejail-on-path.patch b/nixpkgs/pkgs/os-specific/linux/firejail/fbuilder-call-firejail-on-path.patch
new file mode 100644
index 000000000000..548bb80e7bf7
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/firejail/fbuilder-call-firejail-on-path.patch
@@ -0,0 +1,11 @@
+--- a/src/fbuilder/build_profile.c
++++ b/src/fbuilder/build_profile.c
+@@ -48,7 +48,7 @@
+ 	// build command
+ 	char *cmd[len];
+ 	unsigned curr_len = 0;
+-	cmd[curr_len++] = BINDIR "/firejail";
++	cmd[curr_len++] = "firejail";
+ 	cmd[curr_len++] = "--quiet";
+ 	cmd[curr_len++] = "--noprofile";
+ 	cmd[curr_len++] = "--caps.drop=all";
diff --git a/nixpkgs/pkgs/os-specific/linux/firejail/mount-nix-dir-on-overlay.patch b/nixpkgs/pkgs/os-specific/linux/firejail/mount-nix-dir-on-overlay.patch
new file mode 100644
index 000000000000..6493eb4fdf26
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/firejail/mount-nix-dir-on-overlay.patch
@@ -0,0 +1,27 @@
+--- a/src/firejail/fs_overlayfs.c
++++ b/src/firejail/fs_overlayfs.c
+@@ -327,6 +327,16 @@
+ 		errExit("mounting /dev");
+ 	fs_logger("whitelist /dev");
+ 
++	// mount-bind /nix
++	if (arg_debug)
++		printf("Mounting /nix\n");
++	char *nix;
++	if (asprintf(&nix, "%s/nix", oroot) == -1)
++		errExit("asprintf");
++	if (mount("/nix", nix, NULL, MS_BIND|MS_REC, NULL) < 0)
++		errExit("mounting /nix");
++	fs_logger("whitelist /nix");
++
+ 	// mount-bind run directory
+ 	if (arg_debug)
+ 		printf("Mounting /run\n");
+@@ -384,6 +394,7 @@
+ 	free(odiff);
+ 	free(owork);
+ 	free(dev);
++	free(nix);
+ 	free(run);
+ 	free(tmp);
+ }
diff --git a/nixpkgs/pkgs/os-specific/linux/firmware/ath9k/default.nix b/nixpkgs/pkgs/os-specific/linux/firmware/ath9k/default.nix
new file mode 100644
index 000000000000..ab342d68c135
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/firmware/ath9k/default.nix
@@ -0,0 +1,154 @@
+{ lib
+, stdenv
+, fetchurl
+, fetchFromGitHub
+, m4
+, cmake
+, perl
+, writeScript
+, enableUnstable ? false
+}:
+
+let
+  stableVersion = "1.4.0";
+in
+
+stdenv.mkDerivation (finalAttrs: {
+  pname = "ath9k-htc-blobless-firmware";
+  version = if enableUnstable then "unstable-2022-05-22" else stableVersion;
+
+  src = fetchFromGitHub ({
+    owner = "qca";
+    repo = "open-ath9k-htc-firmware";
+  } // (if enableUnstable then {
+    rev = "d856466a068afe4069335257c0d28295ff777d92";
+    hash = "sha256-9OE6qYGABeXjf1r/Depd+811EJ2e8I0Ni5ePHSOh9G4=";
+  } else {
+    rev = finalAttrs.version;
+    hash = "sha256-Q/A0ryIC5E1pt2Sh7o79gxHbe4OgdlrwflOWtxWSS5o=";
+  }));
+
+  postPatch = ''
+    patchShebangs target_firmware/firmware-crc.pl
+  '';
+
+  nativeBuildInputs = [ m4 cmake perl ];
+
+  env.NIX_CFLAGS_COMPILE = "-w";  # old libiberty emits fatal warnings
+
+  dontUseCmakeConfigure = true;
+  enableParallelBuilding = true;
+
+  # The firmware repository builds its own toolchain, with patches
+  # applied to the xtensa support in both gcc and binutils.
+  preBuild =
+    let
+      inherit (lib) toUpper splitString last listToAttrs pipe;
+      inherit (builtins) map;
+      urls-and-hashes = import (./. + "/urls-and-hashes-${finalAttrs.version}.nix");
+      make-links = pipe
+        [ "gcc" "binutils" "gmp" "mpfr" "mpc" ]
+        [ (map (vname: fetchurl rec {
+            url = urls-and-hashes."${(toUpper vname) + "_URL"}";
+            sha256 = urls-and-hashes."${(toUpper vname) + "_SUM"}" or "";
+            name = last (splitString "/" url);
+          }))
+          (map (v: "ln -sT ${v} toolchain/dl/${v.name}"))
+          (lib.concatStringsSep "\n")
+        ];
+    in ''
+      mkdir -p toolchain/dl
+      ${make-links}
+    '';
+
+  makeTargets = [ "toolchain" "firmware" ];
+
+  installPhase = ''
+    runHook preInstall
+    install -Dt "$out/lib/firmware/ath9k_htc/" target_firmware/*.fw
+    # make symlinks so that firmware will be automatically found
+    ln -s htc_7010.fw "$out/lib/firmware/ath9k_htc/htc_7010-${stableVersion}.fw"
+    ln -s htc_9271.fw "$out/lib/firmware/ath9k_htc/htc_9271-${stableVersion}.fw"
+    runHook postInstall
+  '';
+
+  passthru = {
+    inherit (finalAttrs) src;
+    updateScript = writeScript "${finalAttrs.pname}-${finalAttrs.version}-updateScript" ''
+      nix-shell '<nixpkgs>' -A ${finalAttrs.pname}${lib.optionalString enableUnstable "-unstable"}.passthru.update \
+      > pkgs/os-specific/linux/firmware/ath9k/urls-and-hashes-${finalAttrs.version}.nix
+    '';
+    update = stdenv.mkDerivation {
+      name = "${finalAttrs.pname}-${finalAttrs.version}-update";
+      shellHook = ''
+        echo 'rec {'
+        echo '  BASEDIR="$NIX_BUILD_TOP";'
+        make --dry-run --print-data-base -f ${finalAttrs.src}/Makefile download \
+          | egrep    '^[A-Z]+_(VER|URL|SUM|DIR) = ' \
+          | sed 's_\([^ ]*\) = \(.*\)_\1 = "\2\";_' \
+          | tr \( \{ \
+          | tr \) \}
+      ''
+      # sha256 checksums were not added to upstream's Makefile until
+      # after the 1.4.0 release.  The following line is needed for
+      # the `enableUnstable==false` build but not for the
+      # `enableUnstable==true` build.  We can remove the lines below
+      # as soon as `enableUnstable==false` points to a version
+      # greater than 1.4.0.
+      + lib.optionalString (finalAttrs.version == "1.4.0") ''
+        echo 'GCC_SUM = "sha256-kuYcbcOgpEnmLXKjgYX9pVAWioZwLeoHEl69PsOZYoI=";'
+        echo 'MPFR_SUM = "sha256-e2bD8T3IOF8IJkyAWFPz4aju2rgHHVgvPmYZccms1f0=";'
+        echo 'MPC_SUM = "sha256-7VqBXP6lJdx3jfDLN0aLnBtVSq8w2TKLFDHKcFt0AP8=";'
+        echo 'GMP_SUM = "sha256-H1iKrMxBu5rtlG+f44Uhwm2LKQ0APF34B/ZWkPKq3sk=";'
+        echo 'BINUTILS_SUM = "sha256-KrLlsD4IbRLGKV+DGtrUaz4UEKOiNJM6Lo+sZssuehk=";'
+      '' + ''
+        echo '}'
+        exit
+      '';
+    };
+  };
+
+  meta = {
+    description = "Blobless, open source wifi firmware for ath9k_htc.ko";
+    longDescription = ''
+      Firmware for Qualcomm Atheros cards which use the ath9k_htc.ko
+      Linux driver, supporting 802.11 abgn on both 2.4ghz and 5ghz
+      bands, 3x3-antenna MIMO, up to 600mbit/sec.
+
+      Most devices which use this driver are based on the Qualcomm
+      Atheros AR9271 chip, which is a PCIe device.  If your device
+      is connected via USB, it will also include a Qualcomm Atheros
+      AR7010, which bridges from a USB gadget interface to a PCIe
+      host interface.  This repository includes the firmware for
+      both chips.
+
+      This firmware is completely open source with no blobs, which
+      is quite rare in the wifi world.  Wifi chips have their own
+      dedicated general-purpose CPUs.  This source code allows you
+      to see what those CPUs are doing and modify their behavior.
+    '';
+    license = with lib.licenses; [ # see NOTICE.txt for details
+      bsd3                # almost everything; "the ClearBSD licence"
+      gpl2ClasspathPlus   # **/*cmnos_printf.c, only three files
+      mit                 # **/xtos, **/xtensa
+    ];
+
+    # release 1.4.0 vendors a GMP which uses an ancient version of
+    # autotools that does not work on aarch64 or powerpc.
+    # However, enableUnstable (unreleased upstream) works.
+    /*
+    # disabled until #195294 is merged
+    badPlatforms =
+      with lib.systems.inspect.patterns;
+      lib.optionals (!enableUnstable && lib.versionOlder finalAttrs.version "1.4.1") [
+        isAarch64
+        isPower64
+      ];
+    */
+
+    sourceProvenance = [ lib.sourceTypes.fromSource ];
+    homepage = "http://lists.infradead.org/mailman/listinfo/ath9k_htc_fw";
+    downloadPage = "https://github.com/qca/open-ath9k-htc-firmware";
+    changelog = "https://github.com/qca/open-ath9k-htc-firmware/tags";
+  };
+})
diff --git a/nixpkgs/pkgs/os-specific/linux/firmware/ath9k/urls-and-hashes-1.4.0.nix b/nixpkgs/pkgs/os-specific/linux/firmware/ath9k/urls-and-hashes-1.4.0.nix
new file mode 100644
index 000000000000..d67669c93b33
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/firmware/ath9k/urls-and-hashes-1.4.0.nix
@@ -0,0 +1,26 @@
+rec {
+  BASEDIR="$NIX_BUILD_TOP";
+BINUTILS_URL = "https://ftp.gnu.org/gnu/binutils/binutils-${BINUTILS_VER}.tar.bz2";
+DL_DIR = "${TOOLCHAIN_DIR}/dl";
+GMP_URL = "https://ftp.gnu.org/gnu/gmp/gmp-${GMP_VER}.tar.bz2";
+GCC_URL = "https://ftp.gnu.org/gnu/gcc/gcc-${GCC_VER}/gcc-${GCC_VER}.tar.bz2";
+BINUTILS_DIR = "binutils-${BINUTILS_VER}";
+GCC_VER = "4.7.4";
+MPFR_URL = "https://ftp.gnu.org/gnu/mpfr/mpfr-${MPFR_VER}.tar.bz2";
+MPC_VER = "1.0.1";
+GMP_DIR = "gmp-${GMP_VER}";
+MPC_URL = "https://ftp.gnu.org/gnu/mpc/mpc-${MPC_VER}.tar.gz";
+GCC_DIR = "gcc-${GCC_VER}";
+MPFR_DIR = "mpfr-${MPFR_VER}";
+MPC_DIR = "mpc-${MPC_VER}";
+MPFR_VER = "3.1.1";
+GMP_VER = "5.0.5";
+BINUTILS_VER = "2.23.1";
+BUILD_DIR = "${TOOLCHAIN_DIR}/build";
+TOOLCHAIN_DIR = "${BASEDIR}/toolchain";
+GCC_SUM = "sha256-kuYcbcOgpEnmLXKjgYX9pVAWioZwLeoHEl69PsOZYoI=";
+MPFR_SUM = "sha256-e2bD8T3IOF8IJkyAWFPz4aju2rgHHVgvPmYZccms1f0=";
+MPC_SUM = "sha256-7VqBXP6lJdx3jfDLN0aLnBtVSq8w2TKLFDHKcFt0AP8=";
+GMP_SUM = "sha256-H1iKrMxBu5rtlG+f44Uhwm2LKQ0APF34B/ZWkPKq3sk=";
+BINUTILS_SUM = "sha256-KrLlsD4IbRLGKV+DGtrUaz4UEKOiNJM6Lo+sZssuehk=";
+}
diff --git a/nixpkgs/pkgs/os-specific/linux/firmware/ath9k/urls-and-hashes-unstable-2022-05-22.nix b/nixpkgs/pkgs/os-specific/linux/firmware/ath9k/urls-and-hashes-unstable-2022-05-22.nix
new file mode 100644
index 000000000000..4234f91ef978
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/firmware/ath9k/urls-and-hashes-unstable-2022-05-22.nix
@@ -0,0 +1,26 @@
+rec {
+  BASEDIR="$NIX_BUILD_TOP";
+BINUTILS_URL = "https://ftp.gnu.org/gnu/binutils/binutils-${BINUTILS_VER}.tar.bz2";
+DL_DIR = "${TOOLCHAIN_DIR}/dl";
+GMP_SUM = "f51c99cb114deb21a60075ffb494c1a210eb9d7cb729ed042ddb7de9534451ea";
+GMP_URL = "https://ftp.gnu.org/gnu/gmp/gmp-${GMP_VER}.tar.bz2";
+GCC_URL = "https://ftp.gnu.org/gnu/gcc/gcc-${GCC_VER}/gcc-${GCC_VER}.tar.gz";
+BINUTILS_DIR = "binutils-${BINUTILS_VER}";
+GCC_VER = "10.2.0";
+MPFR_URL = "https://ftp.gnu.org/gnu/mpfr/mpfr-${MPFR_VER}.tar.bz2";
+MPC_VER = "1.1.0";
+GMP_DIR = "gmp-${GMP_VER}";
+MPC_URL = "https://ftp.gnu.org/gnu/mpc/mpc-${MPC_VER}.tar.gz";
+GCC_DIR = "gcc-${GCC_VER}";
+MPC_SUM = "6985c538143c1208dcb1ac42cedad6ff52e267b47e5f970183a3e75125b43c2e";
+GCC_SUM = "27e879dccc639cd7b0cc08ed575c1669492579529b53c9ff27b0b96265fa867d";
+BINUTILS_SUM = "7d24660f87093670738e58bcc7b7b06f121c0fcb0ca8fc44368d675a5ef9cff7";
+MPFR_DIR = "mpfr-${MPFR_VER}";
+MPC_DIR = "mpc-${MPC_VER}";
+MPFR_VER = "4.1.0";
+GMP_VER = "6.2.0";
+BINUTILS_VER = "2.35";
+BUILD_DIR = "${TOOLCHAIN_DIR}/build";
+MPFR_SUM = "feced2d430dd5a97805fa289fed3fc8ff2b094c02d05287fd6133e7f1f0ec926";
+TOOLCHAIN_DIR = "${BASEDIR}/toolchain";
+}
diff --git a/nixpkgs/pkgs/os-specific/linux/firmware/b43-firmware-cutter/default.nix b/nixpkgs/pkgs/os-specific/linux/firmware/b43-firmware-cutter/default.nix
new file mode 100644
index 000000000000..fe7a3e9ae406
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/firmware/b43-firmware-cutter/default.nix
@@ -0,0 +1,25 @@
+{ lib, stdenv, fetchurl }:
+
+stdenv.mkDerivation rec {
+  pname = "b43-fwcutter";
+  version = "019";
+
+  src = fetchurl {
+    url = "https://bues.ch/b43/fwcutter/b43-fwcutter-${version}.tar.bz2";
+    sha256 = "1ki1f5fy3yrw843r697f8mqqdz0pbsbqnvg4yzkhibpn1lqqbsnn";
+  };
+
+  patches = [ ./no-root-install.patch ];
+
+  makeFlags = [
+    "PREFIX=$(out)"
+    "CC=${stdenv.cc.targetPrefix}cc"
+  ];
+
+  meta = {
+    description = "Firmware extractor for cards supported by the b43 kernel module";
+    homepage = "http://wireless.kernel.org/en/users/Drivers/b43";
+    license = lib.licenses.free;
+    platforms = lib.platforms.linux;
+  };
+}
diff --git a/nixpkgs/pkgs/os-specific/linux/firmware/b43-firmware-cutter/no-root-install.patch b/nixpkgs/pkgs/os-specific/linux/firmware/b43-firmware-cutter/no-root-install.patch
new file mode 100644
index 000000000000..578812e0ad0b
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/firmware/b43-firmware-cutter/no-root-install.patch
@@ -0,0 +1,18 @@
+diff -Naur b43-fwcutter-015-orig/Makefile b43-fwcutter-015/Makefile
+--- b43-fwcutter-015-orig/Makefile	2011-08-21 08:17:01.000000000 -0400
++++ b43-fwcutter-015/Makefile	2012-07-13 17:57:53.002154557 -0400
+@@ -51,10 +51,10 @@
+ 	$(QUIET_CC) $(CFLAGS) -o $(BIN) $(call OBJS,$(SRCS)) $(LDFLAGS)
+ 
+ install: all
+-	install -d -o 0 -g 0 -m 755 $(PREFIX)/bin/
+-	install -o 0 -g 0 -m 755 $(BIN) $(PREFIX)/bin/
+-	install -d -o 0 -g 0 -m 755 $(PREFIX)/man/man1/
+-	install -o 0 -g 0 -m 644 $(BIN).1 $(PREFIX)/man/man1/
++	install -d -m 755 $(PREFIX)/bin/
++	install -m 755 $(BIN) $(PREFIX)/bin/
++	install -d -m 755 $(PREFIX)/man/man1/
++	install -m 644 $(BIN).1 $(PREFIX)/man/man1/
+ 
+ clean:
+ 	-rm -Rf obj dep *.orig *.rej *~
diff --git a/nixpkgs/pkgs/os-specific/linux/firmware/b43-firmware/5.1.138.nix b/nixpkgs/pkgs/os-specific/linux/firmware/b43-firmware/5.1.138.nix
new file mode 100644
index 000000000000..a5683a1ce535
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/firmware/b43-firmware/5.1.138.nix
@@ -0,0 +1,26 @@
+{ lib, stdenvNoCC, fetchurl, b43FirmwareCutter }:
+
+let version = "5.100.138"; in
+
+stdenvNoCC.mkDerivation {
+  pname = "b43-firmware";
+  inherit version;
+
+  src = fetchurl {
+    url = "http://www.lwfinger.com/b43-firmware/broadcom-wl-${version}.tar.bz2";
+    sha256 = "0vz4ka8gycf72gmnaq61k8rh8y17j1wm2k3fidxvcqjvmix0drzi";
+  };
+
+  nativeBuildInputs = [ b43FirmwareCutter ];
+
+  installPhase = ''
+    mkdir -p $out/lib/firmware
+    b43-fwcutter -w $out/lib/firmware linux/wl_apsta.o
+  '';
+
+  meta = {
+    description = "Firmware for cards supported by the b43 kernel module";
+    homepage = "https://wireless.wiki.kernel.org/en/users/drivers/b43";
+    license = lib.licenses.unfree;
+  };
+}
diff --git a/nixpkgs/pkgs/os-specific/linux/firmware/b43-firmware/6.30.163.46.nix b/nixpkgs/pkgs/os-specific/linux/firmware/b43-firmware/6.30.163.46.nix
new file mode 100644
index 000000000000..e117db45b182
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/firmware/b43-firmware/6.30.163.46.nix
@@ -0,0 +1,27 @@
+{ lib, stdenvNoCC, fetchurl, b43FirmwareCutter }:
+
+stdenvNoCC.mkDerivation rec {
+  pname = "b43-firmware";
+  version = "6.30.163.46";
+
+  src = fetchurl {
+    url = "http://www.lwfinger.com/b43-firmware/broadcom-wl-${version}.tar.bz2";
+    sha256 = "0baw6gcnrhxbb447msv34xg6rmlcj0gm3ahxwvdwfcvq4xmknz50";
+  };
+
+  nativeBuildInputs = [ b43FirmwareCutter ];
+
+  sourceRoot = ".";
+
+  installPhase = ''
+    mkdir -p $out/lib/firmware
+    b43-fwcutter -w $out/lib/firmware *.wl_apsta.o
+  '';
+
+  meta = with lib; {
+    description = "Firmware for cards supported by the b43 kernel module";
+    homepage = "https://wireless.wiki.kernel.org/en/users/drivers/b43";
+    downloadPage = "http://www.lwfinger.com/b43-firmware";
+    license = licenses.unfree;
+  };
+}
diff --git a/nixpkgs/pkgs/os-specific/linux/firmware/broadcom-bt-firmware/default.nix b/nixpkgs/pkgs/os-specific/linux/firmware/broadcom-bt-firmware/default.nix
new file mode 100644
index 000000000000..073d443bee41
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/firmware/broadcom-bt-firmware/default.nix
@@ -0,0 +1,43 @@
+{ lib, stdenvNoCC, fetchurl, cabextract, bt-fw-converter }:
+
+stdenvNoCC.mkDerivation rec {
+  pname = "broadcom-bt-firmware";
+  version = "12.0.1.1012";
+
+  src = fetchurl {
+    url = "http://download.windowsupdate.com/c/msdownload/update/driver/drvs/2017/04/852bb503-de7b-4810-a7dd-cbab62742f09_7cf83a4c194116648d17707ae37d564f9c70bec2.cab";
+    sha256 = "1b1qjwxjk4y91l3iz157kms8601n0mmiik32cs6w9b1q4sl4pxx9";
+  };
+
+  nativeBuildInputs = [ cabextract bt-fw-converter ];
+
+  unpackCmd = ''
+    mkdir -p ${pname}-${version}
+    cabextract $src --directory ${pname}-${version}
+  '';
+
+  installPhase = ''
+    mkdir -p $out/lib/firmware/brcm
+    bt-fw-converter -f bcbtums.inf -o $out/lib/firmware/brcm
+    for filename in $out/lib/firmware/brcm/*.hcd
+    do
+      linkname=$(basename $filename | awk 'match($0,/^(BCM)[0-9A-Z]+(-[0-9a-z]{4}-[0-9a-z]{4}\.hcd)$/,c) { print c[1]c[2] }')
+      if ! [ -z $linkname ]
+      then
+        ln -s --relative -T $filename $out/lib/firmware/brcm/$linkname
+      fi
+    done
+  '';
+
+  outputHashMode = "recursive";
+  outputHashAlgo = "sha256";
+  outputHash = "042frb2dmrqfj8q83h5p769q6hg2b3i8fgnyvs9r9a71z7pbsagq";
+
+  meta = with lib; {
+    description = "Firmware for Broadcom WIDCOMM® Bluetooth devices";
+    homepage = "https://www.catalog.update.microsoft.com/Search.aspx?q=Broadcom+bluetooth";
+    license = licenses.unfree;
+    platforms = platforms.linux;
+    maintainers = with maintainers; [ zraexy ];
+  };
+}
diff --git a/nixpkgs/pkgs/os-specific/linux/firmware/bt-fw-converter/default.nix b/nixpkgs/pkgs/os-specific/linux/firmware/bt-fw-converter/default.nix
new file mode 100644
index 000000000000..a28189a9e474
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/firmware/bt-fw-converter/default.nix
@@ -0,0 +1,35 @@
+{ lib, stdenv, fetchurl, makeWrapper, perl, perlPackages, bluez }:
+
+stdenv.mkDerivation  rec {
+  pname = "bt-fw-converter";
+  version = "2017-02-19";
+  rev = "2d8b34402df01c6f7f4b8622de9e8b82fadf4153";
+
+  src = fetchurl {
+    url = "https://raw.githubusercontent.com/winterheart/broadcom-bt-firmware/${rev}/tools/bt-fw-converter.pl";
+    sha256 = "c259b414a4a273c89a0fa7159b3ef73d1ea62b6de91c3a7c2fcc832868e39f4b";
+  };
+
+  nativeBuildInputs = [ makeWrapper ];
+
+  buildInputs = [ perl perlPackages.RegexpGrammars bluez ];
+
+  unpackCmd = ''
+    mkdir -p ${pname}-${version}
+    cp $src ${pname}-${version}/bt-fw-converter.pl
+  '';
+
+  installPhase = ''
+    install -D -m755 bt-fw-converter.pl $out/bin/bt-fw-converter
+    substituteInPlace $out/bin/bt-fw-converter --replace /usr/bin/hex2hcd ${bluez}/bin/hex2hcd
+    wrapProgram $out/bin/bt-fw-converter --set PERL5LIB $PERL5LIB
+  '';
+
+  meta = with lib; {
+    homepage = "https://github.com/winterheart/broadcom-bt-firmware/";
+    description = "A tool that converts hex to hcd based on inf file";
+    license = licenses.mit;
+    platforms = platforms.linux;
+    maintainers = with maintainers; [ zraexy ];
+  };
+}
diff --git a/nixpkgs/pkgs/os-specific/linux/firmware/facetimehd-calibration/default.nix b/nixpkgs/pkgs/os-specific/linux/firmware/facetimehd-calibration/default.nix
new file mode 100644
index 000000000000..ca6782688728
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/firmware/facetimehd-calibration/default.nix
@@ -0,0 +1,62 @@
+{ lib, stdenvNoCC, fetchurl, unrar-wrapper, pkgs }:
+
+let
+
+  version = "5.1.5769";
+
+
+  # Described on https://github.com/patjak/facetimehd/wiki/Extracting-the-sensor-calibration-files
+
+  # From the wiki page, range extracted with binwalk:
+  zipUrl = "https://download.info.apple.com/Mac_OS_X/031-30890-20150812-ea191174-4130-11e5-a125-930911ba098f/bootcamp${version}.zip";
+  zipRange = "2338085-3492508"; # the whole download is 518MB, this deflate stream is 1.2MB
+
+  # CRC and length from the ZIP entry header (not strictly necessary, but makes it extract cleanly):
+  gzFooter = ''\x51\x1f\x86\x78\xcf\x5b\x12\x00'';
+
+  # Also from the wiki page:
+  calibrationFiles = [
+    { file = "1771_01XX.dat"; offset = "1644880"; size = "19040"; }
+    { file = "1871_01XX.dat"; offset = "1606800"; size = "19040"; }
+    { file = "1874_01XX.dat"; offset = "1625840"; size = "19040"; }
+    { file = "9112_01XX.dat"; offset = "1663920"; size = "33060"; }
+  ];
+
+in
+
+stdenvNoCC.mkDerivation {
+
+  pname = "facetimehd-calibration";
+  inherit version;
+  src = fetchurl {
+    url = zipUrl;
+    sha256 = "1dzyv457fp6d8ly29sivqn6llwj5ydygx7p8kzvdnsp11zvid2xi";
+    curlOpts = "-r ${zipRange}";
+  };
+
+  dontUnpack = true;
+  dontInstall = true;
+
+  buildInputs = [ unrar-wrapper ];
+
+  buildPhase = ''
+    { printf '\x1f\x8b\x08\x00\x00\x00\x00\x00\x00\x00'
+      cat $src
+      printf '${gzFooter}'
+    } | zcat > AppleCamera64.exe
+    unrar x AppleCamera64.exe AppleCamera.sys
+
+    mkdir -p $out/lib/firmware/facetimehd
+  '' + lib.concatMapStrings ({file, offset, size}: ''
+    dd bs=1 skip=${offset} count=${size} if=AppleCamera.sys of=$out/lib/firmware/facetimehd/${file}
+  '') calibrationFiles;
+
+  meta = with lib; {
+    description = "facetimehd calibration";
+    homepage = "https://support.apple.com/kb/DL1837";
+    license = licenses.unfree;
+    maintainers = with maintainers; [ alexshpilkin womfoo grahamc ];
+    platforms = [ "i686-linux" "x86_64-linux" ];
+  };
+
+}
diff --git a/nixpkgs/pkgs/os-specific/linux/firmware/facetimehd-firmware/default.nix b/nixpkgs/pkgs/os-specific/linux/firmware/facetimehd-firmware/default.nix
new file mode 100644
index 000000000000..6679f1f19e75
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/firmware/facetimehd-firmware/default.nix
@@ -0,0 +1,66 @@
+{ lib, stdenvNoCC, fetchurl, cpio, xz, pkgs }:
+
+let
+
+  version = "1.43_5";
+
+
+  # Updated according to https://github.com/patjak/bcwc_pcie/pull/81/files
+  # and https://github.com/patjak/bcwc_pcie/blob/5a7083bd98b38ef3bd223f7ee531d58f4fb0fe7c/firmware/Makefile#L3-L9
+  # and https://github.com/patjak/bcwc_pcie/blob/5a7083bd98b38ef3bd223f7ee531d58f4fb0fe7c/firmware/extract-firmware.sh
+
+  # From the Makefile:
+  dmgUrl = "https://updates.cdn-apple.com/2019/cert/041-88431-20191011-e7ee7d98-2878-4cd9-bc0a-d98b3a1e24b1/OSXUpd10.11.5.dmg";
+  dmgRange = "204909802-207733123"; # the whole download is 1.3GB, this cuts it down to 2MB
+  # Notes:
+  # 1. Be sure to update the sha256 below in the fetch_url
+  # 2. Be sure to update the homepage in the meta
+
+  # Also from the Makefile (OS_DRV, OS_DRV_DIR), but seems to not change:
+  firmwareIn = "./System/Library/Extensions/AppleCameraInterface.kext/Contents/MacOS/AppleCameraInterface";
+  firmwareOut = "firmware.bin";
+
+  # The following are from the extract-firmware.sh
+  firmwareOffset = "81920"; # Variable: firmw_offsets
+  firmwareSize = "603715"; # Variable: firmw_sizes
+
+
+  # separated this here as the script will fail without the 'exit 0'
+  unpack = pkgs.writeScriptBin "unpack" ''
+    xzcat -Q $src | cpio --format odc -i -d ${firmwareIn}
+    exit 0
+  '';
+
+in
+
+stdenvNoCC.mkDerivation {
+
+  pname = "facetimehd-firmware";
+  inherit version;
+  src = fetchurl {
+    url = dmgUrl;
+    sha256 = "0s8crlh8rvpanzk1w4z3hich0a3mw0m5xhpcg07bxy02calhpdk1";
+    curlOpts = "-r ${dmgRange}";
+  };
+
+  dontUnpack = true;
+  dontInstall = true;
+
+  buildInputs = [ cpio xz ];
+
+  buildPhase = ''
+    ${unpack}/bin/unpack
+    dd bs=1 skip=${firmwareOffset} count=${firmwareSize} if=${firmwareIn} of=${firmwareOut}.gz &> /dev/null
+    mkdir -p $out/lib/firmware/facetimehd
+    gunzip -c ${firmwareOut}.gz > $out/lib/firmware/facetimehd/${firmwareOut}
+  '';
+
+  meta = with lib; {
+    description = "facetimehd firmware";
+    homepage = "https://support.apple.com/kb/DL1877";
+    license = licenses.unfree;
+    maintainers = with maintainers; [ womfoo grahamc ];
+    platforms = [ "i686-linux" "x86_64-linux" ];
+  };
+
+}
diff --git a/nixpkgs/pkgs/os-specific/linux/firmware/firmware-manager/Cargo.lock b/nixpkgs/pkgs/os-specific/linux/firmware/firmware-manager/Cargo.lock
new file mode 100644
index 000000000000..db5008fda79b
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/firmware/firmware-manager/Cargo.lock
@@ -0,0 +1,4125 @@
+# This file is automatically @generated by Cargo.
+# It is not intended for manual editing.
+version = 3
+
+[[package]]
+name = "addr2line"
+version = "0.19.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "a76fd60b23679b7d19bd066031410fb7e458ccc5e958eb5c325888ce4baedc97"
+dependencies = [
+ "gimli",
+]
+
+[[package]]
+name = "adler"
+version = "1.0.2"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "f26201604c87b1e01bd3d98f8d5d9a8fcbb815e8cedb41ffccbeb4bf593a35fe"
+
+[[package]]
+name = "aho-corasick"
+version = "1.0.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "67fc08ce920c31afb70f013dcce1bfc3a3195de6a228474e45e1f145b36f8d04"
+dependencies = [
+ "memchr",
+]
+
+[[package]]
+name = "anstream"
+version = "0.3.2"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "0ca84f3628370c59db74ee214b3263d58f9aadd9b4fe7e711fd87dc452b7f163"
+dependencies = [
+ "anstyle",
+ "anstyle-parse",
+ "anstyle-query",
+ "anstyle-wincon",
+ "colorchoice",
+ "is-terminal",
+ "utf8parse",
+]
+
+[[package]]
+name = "anstyle"
+version = "1.0.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "41ed9a86bf92ae6580e0a31281f65a1b1d867c0cc68d5346e2ae128dddfa6a7d"
+
+[[package]]
+name = "anstyle-parse"
+version = "0.2.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "e765fd216e48e067936442276d1d57399e37bce53c264d6fefbe298080cb57ee"
+dependencies = [
+ "utf8parse",
+]
+
+[[package]]
+name = "anstyle-query"
+version = "1.0.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "5ca11d4be1bab0c8bc8734a9aa7bf4ee8316d462a08c6ac5052f888fef5b494b"
+dependencies = [
+ "windows-sys 0.48.0",
+]
+
+[[package]]
+name = "anstyle-wincon"
+version = "1.0.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "180abfa45703aebe0093f79badacc01b8fd4ea2e35118747e5811127f926e188"
+dependencies = [
+ "anstyle",
+ "windows-sys 0.48.0",
+]
+
+[[package]]
+name = "anyhow"
+version = "1.0.71"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "9c7d0618f0e0b7e8ff11427422b64564d5fb0be1940354bfe2e0529b18a9d9b8"
+
+[[package]]
+name = "apply"
+version = "0.3.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "f47b57fc4521e3cae26a4d45b5227f8fadee4c345be0fefd8d5d1711afb8aeb9"
+
+[[package]]
+name = "arc-swap"
+version = "1.6.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "bddcadddf5e9015d310179a59bb28c4d4b9920ad0f11e8e14dbadf654890c9a6"
+
+[[package]]
+name = "async-broadcast"
+version = "0.5.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "7c48ccdbf6ca6b121e0f586cbc0e73ae440e56c67c30fa0873b4e110d9c26d2b"
+dependencies = [
+ "event-listener",
+ "futures-core",
+]
+
+[[package]]
+name = "async-channel"
+version = "1.8.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "cf46fee83e5ccffc220104713af3292ff9bc7c64c7de289f66dae8e38d826833"
+dependencies = [
+ "concurrent-queue",
+ "event-listener",
+ "futures-core",
+]
+
+[[package]]
+name = "async-executor"
+version = "1.5.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "6fa3dc5f2a8564f07759c008b9109dc0d39de92a88d5588b8a5036d286383afb"
+dependencies = [
+ "async-lock",
+ "async-task",
+ "concurrent-queue",
+ "fastrand",
+ "futures-lite",
+ "slab",
+]
+
+[[package]]
+name = "async-fs"
+version = "1.6.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "279cf904654eeebfa37ac9bb1598880884924aab82e290aa65c9e77a0e142e06"
+dependencies = [
+ "async-lock",
+ "autocfg",
+ "blocking",
+ "futures-lite",
+]
+
+[[package]]
+name = "async-io"
+version = "1.13.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "0fc5b45d93ef0529756f812ca52e44c221b35341892d3dcc34132ac02f3dd2af"
+dependencies = [
+ "async-lock",
+ "autocfg",
+ "cfg-if",
+ "concurrent-queue",
+ "futures-lite",
+ "log",
+ "parking",
+ "polling",
+ "rustix",
+ "slab",
+ "socket2",
+ "waker-fn",
+]
+
+[[package]]
+name = "async-lock"
+version = "2.7.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "fa24f727524730b077666307f2734b4a1a1c57acb79193127dcc8914d5242dd7"
+dependencies = [
+ "event-listener",
+]
+
+[[package]]
+name = "async-recursion"
+version = "1.0.4"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "0e97ce7de6cf12de5d7226c73f5ba9811622f4db3a5b91b55c53e987e5f91cba"
+dependencies = [
+ "proc-macro2 1.0.56",
+ "quote 1.0.26",
+ "syn 2.0.15",
+]
+
+[[package]]
+name = "async-task"
+version = "4.4.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "ecc7ab41815b3c653ccd2978ec3255c81349336702dfdf62ee6f7069b12a3aae"
+
+[[package]]
+name = "async-trait"
+version = "0.1.68"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "b9ccdd8f2a161be9bd5c023df56f1b2a0bd1d83872ae53b71a84a12c9bf6e842"
+dependencies = [
+ "proc-macro2 1.0.56",
+ "quote 1.0.26",
+ "syn 2.0.15",
+]
+
+[[package]]
+name = "atk"
+version = "0.15.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "2c3d816ce6f0e2909a96830d6911c2aff044370b1ef92d7f267b43bae5addedd"
+dependencies = [
+ "atk-sys",
+ "bitflags",
+ "glib",
+ "libc",
+]
+
+[[package]]
+name = "atk-sys"
+version = "0.15.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "58aeb089fb698e06db8089971c7ee317ab9644bade33383f63631437b03aafb6"
+dependencies = [
+ "glib-sys",
+ "gobject-sys",
+ "libc",
+ "system-deps",
+]
+
+[[package]]
+name = "atomic-waker"
+version = "1.1.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "1181e1e0d1fce796a03db1ae795d67167da795f9cf4a39c37589e85ef57f26d3"
+
+[[package]]
+name = "atty"
+version = "0.2.14"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "d9b39be18770d11421cdb1b9947a45dd3f37e93092cbf377614828a319d5fee8"
+dependencies = [
+ "hermit-abi 0.1.19",
+ "libc",
+ "winapi",
+]
+
+[[package]]
+name = "autocfg"
+version = "1.1.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "d468802bab17cbc0cc575e9b053f41e72aa36bfa6b7f55e3529ffa43161b97fa"
+
+[[package]]
+name = "backtrace"
+version = "0.3.67"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "233d376d6d185f2a3093e58f283f60f880315b6c60075b01f36b3b85154564ca"
+dependencies = [
+ "addr2line",
+ "cc",
+ "cfg-if",
+ "libc",
+ "miniz_oxide 0.6.2",
+ "object",
+ "rustc-demangle",
+]
+
+[[package]]
+name = "base32"
+version = "0.4.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "23ce669cd6c8588f79e15cf450314f9638f967fc5770ff1c7c1deb0925ea7cfa"
+
+[[package]]
+name = "base64"
+version = "0.13.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "9e1b586273c5702936fe7b7d6896644d8be71e6314cfe09d3167c95f712589e8"
+
+[[package]]
+name = "base64"
+version = "0.21.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "a4a4ddaa51a5bc52a6948f74c06d20aaaddb71924eab79b8c97a8c556e942d6a"
+
+[[package]]
+name = "better-panic"
+version = "0.3.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "6fa9e1d11a268684cbd90ed36370d7577afb6c62d912ddff5c15fc34343e5036"
+dependencies = [
+ "backtrace",
+ "console",
+]
+
+[[package]]
+name = "bincode"
+version = "1.3.3"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "b1f45e9417d87227c7a56d22e471c6206462cba514c7590c09aff4cf6d1ddcad"
+dependencies = [
+ "serde",
+]
+
+[[package]]
+name = "bitflags"
+version = "1.3.2"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "bef38d45163c2f1dde094a7dfd33ccf595c92905c8f8f4fdc18d06fb1037718a"
+
+[[package]]
+name = "block"
+version = "0.1.6"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "0d8c1fef690941d3e7788d328517591fecc684c084084702d6ff1641e993699a"
+
+[[package]]
+name = "block-buffer"
+version = "0.9.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "4152116fd6e9dadb291ae18fc1ec3575ed6d84c29642d97890f4b4a3417297e4"
+dependencies = [
+ "generic-array",
+]
+
+[[package]]
+name = "block-buffer"
+version = "0.10.4"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "3078c7629b62d3f0439517fa394996acacc5cbc91c5a20d8c658e77abd503a71"
+dependencies = [
+ "generic-array",
+]
+
+[[package]]
+name = "blocking"
+version = "1.3.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "77231a1c8f801696fc0123ec6150ce92cffb8e164a02afb9c8ddee0e9b65ad65"
+dependencies = [
+ "async-channel",
+ "async-lock",
+ "async-task",
+ "atomic-waker",
+ "fastrand",
+ "futures-lite",
+ "log",
+]
+
+[[package]]
+name = "buildchain"
+version = "0.4.12"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "b1e4ba006f08f732ddc25f629c349fbb89c67e6c90a4764ce04534d32a1940b0"
+dependencies = [
+ "base32",
+ "clap 3.2.25",
+ "lxd",
+ "plain",
+ "rand 0.8.5",
+ "reqwest",
+ "serde",
+ "serde_json",
+ "sha2 0.10.6",
+ "sodalite",
+ "tempdir",
+]
+
+[[package]]
+name = "bumpalo"
+version = "3.12.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "9b1ce199063694f33ffb7dd4e0ee620741495c32833cde5aa08f02a0bf96f0c8"
+
+[[package]]
+name = "byteorder"
+version = "1.4.3"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "14c189c53d098945499cdfa7ecc63567cf3886b3332b312a5b4585d8d3a6a610"
+
+[[package]]
+name = "bytes"
+version = "1.4.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "89b2fd2a0dcf38d7971e2194b6b6eebab45ae01067456a7fd93d5547a61b70be"
+
+[[package]]
+name = "cairo-rs"
+version = "0.15.12"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "c76ee391b03d35510d9fa917357c7f1855bd9a6659c95a1b392e33f49b3369bc"
+dependencies = [
+ "bitflags",
+ "cairo-sys-rs",
+ "glib",
+ "libc",
+ "thiserror",
+]
+
+[[package]]
+name = "cairo-sys-rs"
+version = "0.15.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "3c55d429bef56ac9172d25fecb85dc8068307d17acd74b377866b7a1ef25d3c8"
+dependencies = [
+ "glib-sys",
+ "libc",
+ "system-deps",
+]
+
+[[package]]
+name = "cascade"
+version = "1.0.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "d499b43edbf784dd81e16f0395f5b4350a35b477da8a074251087adefc11cb52"
+
+[[package]]
+name = "cc"
+version = "1.0.79"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "50d30906286121d95be3d479533b458f87493b30a4b5f79a607db8f5d11aa91f"
+
+[[package]]
+name = "cdylib-link-lines"
+version = "0.1.4"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "a317db7ea5b455731e51d7f632762716fa5c0b1098dcaa6221e55e2386d170f2"
+dependencies = [
+ "serde",
+ "serde_derive",
+ "toml 0.5.11",
+]
+
+[[package]]
+name = "cesu8"
+version = "1.1.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "6d43a04d8753f35258c91f8ec639f792891f748a1edbd759cf1dcea3382ad83c"
+
+[[package]]
+name = "cfg-expr"
+version = "0.15.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "c8790cf1286da485c72cf5fc7aeba308438800036ec67d89425924c4807268c9"
+dependencies = [
+ "smallvec",
+ "target-lexicon",
+]
+
+[[package]]
+name = "cfg-if"
+version = "1.0.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "baf1de4339761588bc0619e3cbc0120ee582ebb74b53b4efbf79117bd2da40fd"
+
+[[package]]
+name = "clap"
+version = "3.2.25"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "4ea181bf566f71cb9a5d17a59e1871af638180a18fb0035c92ae62b705207123"
+dependencies = [
+ "atty",
+ "bitflags",
+ "clap_derive",
+ "clap_lex 0.2.4",
+ "indexmap",
+ "once_cell",
+ "strsim",
+ "termcolor",
+ "textwrap",
+]
+
+[[package]]
+name = "clap"
+version = "4.2.5"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "8a1f23fa97e1d1641371b51f35535cb26959b8e27ab50d167a8b996b5bada819"
+dependencies = [
+ "clap_builder",
+]
+
+[[package]]
+name = "clap_builder"
+version = "4.2.5"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "0fdc5d93c358224b4d6867ef1356d740de2303e9892edc06c5340daeccd96bab"
+dependencies = [
+ "anstream",
+ "anstyle",
+ "bitflags",
+ "clap_lex 0.4.1",
+ "strsim",
+]
+
+[[package]]
+name = "clap_derive"
+version = "3.2.25"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "ae6371b8bdc8b7d3959e9cf7b22d4435ef3e79e138688421ec654acf8c81b008"
+dependencies = [
+ "heck 0.4.1",
+ "proc-macro-error",
+ "proc-macro2 1.0.56",
+ "quote 1.0.26",
+ "syn 1.0.109",
+]
+
+[[package]]
+name = "clap_lex"
+version = "0.2.4"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "2850f2f5a82cbf437dd5af4d49848fbdfc27c157c3d010345776f952765261c5"
+dependencies = [
+ "os_str_bytes",
+]
+
+[[package]]
+name = "clap_lex"
+version = "0.4.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "8a2dd5a6fe8c6e3502f568a6353e5273bbb15193ad9a89e457b9970798efbea1"
+
+[[package]]
+name = "colorchoice"
+version = "1.0.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "acbf1af155f9b9ef647e42cdc158db4b64a1b61f743629225fde6f3e0be2a7c7"
+
+[[package]]
+name = "combine"
+version = "4.6.6"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "35ed6e9d84f0b51a7f52daf1c7d71dd136fd7a3f41a8462b8cdb8c78d920fad4"
+dependencies = [
+ "bytes",
+ "memchr",
+]
+
+[[package]]
+name = "commoncrypto"
+version = "0.2.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "d056a8586ba25a1e4d61cb090900e495952c7886786fc55f909ab2f819b69007"
+dependencies = [
+ "commoncrypto-sys",
+]
+
+[[package]]
+name = "commoncrypto-sys"
+version = "0.2.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "1fed34f46747aa73dfaa578069fd8279d2818ade2b55f38f22a9401c7f4083e2"
+dependencies = [
+ "libc",
+]
+
+[[package]]
+name = "concurrent-queue"
+version = "2.2.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "62ec6771ecfa0762d24683ee5a32ad78487a3d3afdc0fb8cae19d2c5deb50b7c"
+dependencies = [
+ "crossbeam-utils",
+]
+
+[[package]]
+name = "console"
+version = "0.15.5"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "c3d79fbe8970a77e3e34151cc13d3b3e248aa0faaecb9f6091fa07ebefe5ad60"
+dependencies = [
+ "encode_unicode",
+ "lazy_static",
+ "libc",
+ "windows-sys 0.42.0",
+]
+
+[[package]]
+name = "core-foundation"
+version = "0.9.3"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "194a7a9e6de53fa55116934067c844d9d749312f75c6f6d0980e8c252f8c2146"
+dependencies = [
+ "core-foundation-sys",
+ "libc",
+]
+
+[[package]]
+name = "core-foundation-sys"
+version = "0.8.4"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "e496a50fda8aacccc86d7529e2c1e0892dbd0f898a6b5645b5561b89c3210efa"
+
+[[package]]
+name = "cpufeatures"
+version = "0.2.7"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "3e4c1eaa2012c47becbbad2ab175484c2a84d1185b566fb2cc5b8707343dfe58"
+dependencies = [
+ "libc",
+]
+
+[[package]]
+name = "crc32fast"
+version = "1.3.2"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "b540bd8bc810d3885c6ea91e2018302f68baba2129ab3e88f32389ee9370880d"
+dependencies = [
+ "cfg-if",
+]
+
+[[package]]
+name = "crossbeam-utils"
+version = "0.8.15"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "3c063cd8cc95f5c377ed0d4b49a4b21f632396ff690e8470c29b3359b346984b"
+dependencies = [
+ "cfg-if",
+]
+
+[[package]]
+name = "crypto-common"
+version = "0.1.6"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "1bfb12502f3fc46cca1bb51ac28df9d618d813cdc3d2f25b9fe775a34af26bb3"
+dependencies = [
+ "generic-array",
+ "typenum",
+]
+
+[[package]]
+name = "crypto-hash"
+version = "0.3.4"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "8a77162240fd97248d19a564a565eb563a3f592b386e4136fb300909e67dddca"
+dependencies = [
+ "commoncrypto",
+ "hex 0.3.2",
+ "openssl",
+ "winapi",
+]
+
+[[package]]
+name = "dashmap"
+version = "5.4.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "907076dfda823b0b36d2a1bb5f90c96660a5bbcd7729e10727f07858f22c4edc"
+dependencies = [
+ "cfg-if",
+ "hashbrown",
+ "lock_api",
+ "once_cell",
+ "parking_lot_core",
+]
+
+[[package]]
+name = "dbus"
+version = "0.6.5"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "48b5f0f36f1eebe901b0e6bee369a77ed3396334bf3f09abd46454a576f71819"
+dependencies = [
+ "libc",
+ "libdbus-sys",
+]
+
+[[package]]
+name = "dbus"
+version = "0.9.7"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "1bb21987b9fb1613058ba3843121dd18b163b254d8a6e797e144cbac14d96d1b"
+dependencies = [
+ "libc",
+ "libdbus-sys",
+ "winapi",
+]
+
+[[package]]
+name = "dbus-crossroads"
+version = "0.3.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "0a816e8ae3382c7b1bccfa6f2778346ee5b13f80e0eccf80cf8f2912af73995a"
+dependencies = [
+ "dbus 0.9.7",
+]
+
+[[package]]
+name = "derivative"
+version = "2.2.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "fcc3dd5e9e9c0b295d6e1e4d811fb6f157d5ffd784b8d202fc62eac8035a770b"
+dependencies = [
+ "proc-macro2 1.0.56",
+ "quote 1.0.26",
+ "syn 1.0.109",
+]
+
+[[package]]
+name = "digest"
+version = "0.9.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "d3dd60d1080a57a05ab032377049e0591415d2b31afd7028356dbf3cc6dcb066"
+dependencies = [
+ "generic-array",
+]
+
+[[package]]
+name = "digest"
+version = "0.10.6"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "8168378f4e5023e7218c89c891c0fd8ecdb5e5e4f18cb78f38cf245dd021e76f"
+dependencies = [
+ "block-buffer 0.10.4",
+ "crypto-common",
+]
+
+[[package]]
+name = "dirs-next"
+version = "2.0.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "b98cf8ebf19c3d1b223e151f99a4f9f0690dca41414773390fc824184ac833e1"
+dependencies = [
+ "cfg-if",
+ "dirs-sys-next",
+]
+
+[[package]]
+name = "dirs-sys-next"
+version = "0.1.2"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "4ebda144c4fe02d1f7ea1a7d9641b6fc6b580adcfa024ae48797ecdeb6825b4d"
+dependencies = [
+ "libc",
+ "redox_users",
+ "winapi",
+]
+
+[[package]]
+name = "displaydoc"
+version = "0.2.3"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "3bf95dc3f046b9da4f2d51833c0d3547d8564ef6910f5c1ed130306a75b92886"
+dependencies = [
+ "proc-macro2 1.0.56",
+ "quote 1.0.26",
+ "syn 1.0.109",
+]
+
+[[package]]
+name = "ecflash"
+version = "0.1.0"
+source = "git+https://github.com/system76/ecflash.git?branch=stable#ee9d69d4edf3bee6b2fb6dddb021bb58ee3bbbbb"
+dependencies = [
+ "lazy_static",
+]
+
+[[package]]
+name = "either"
+version = "1.8.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "7fcaabb2fef8c910e7f4c7ce9f67a1283a1715879a7c230ca9d6d1ae31f16d91"
+
+[[package]]
+name = "encode_unicode"
+version = "0.3.6"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "a357d28ed41a50f9c765dbfe56cbc04a64e53e5fc58ba79fbc34c10ef3df831f"
+
+[[package]]
+name = "encoding_rs"
+version = "0.8.32"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "071a31f4ee85403370b58aca746f01041ede6f0da2730960ad001edc2b71b394"
+dependencies = [
+ "cfg-if",
+]
+
+[[package]]
+name = "enum_derive"
+version = "0.1.7"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "406ac2a8c9eedf8af9ee1489bee9e50029278a6456c740f7454cf8a158abc816"
+
+[[package]]
+name = "enumflags2"
+version = "0.7.7"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "c041f5090df68b32bcd905365fd51769c8b9d553fe87fde0b683534f10c01bd2"
+dependencies = [
+ "enumflags2_derive",
+ "serde",
+]
+
+[[package]]
+name = "enumflags2_derive"
+version = "0.7.7"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "5e9a1f9f7d83e59740248a6e14ecf93929ade55027844dfcea78beafccc15745"
+dependencies = [
+ "proc-macro2 1.0.56",
+ "quote 1.0.26",
+ "syn 2.0.15",
+]
+
+[[package]]
+name = "errno"
+version = "0.3.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "4bcfec3a70f97c962c307b2d2c56e358cf1d00b558d74262b5f929ee8cc7e73a"
+dependencies = [
+ "errno-dragonfly",
+ "libc",
+ "windows-sys 0.48.0",
+]
+
+[[package]]
+name = "errno-dragonfly"
+version = "0.1.2"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "aa68f1b12764fab894d2755d2518754e71b4fd80ecfb822714a1206c2aab39bf"
+dependencies = [
+ "cc",
+ "libc",
+]
+
+[[package]]
+name = "event-listener"
+version = "2.5.3"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "0206175f82b8d6bf6652ff7d71a1e27fd2e4efde587fd368662814d6ec1d9ce0"
+
+[[package]]
+name = "failure"
+version = "0.1.8"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "d32e9bd16cc02eae7db7ef620b392808b89f6a5e16bb3497d159c6b92a0f4f86"
+dependencies = [
+ "backtrace",
+ "failure_derive",
+]
+
+[[package]]
+name = "failure_derive"
+version = "0.1.8"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "aa4da3c766cd7a0db8242e326e9e4e081edd567072893ed320008189715366a4"
+dependencies = [
+ "proc-macro2 1.0.56",
+ "quote 1.0.26",
+ "syn 1.0.109",
+ "synstructure",
+]
+
+[[package]]
+name = "fastrand"
+version = "1.9.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "e51093e27b0797c359783294ca4f0a911c270184cb10f85783b118614a1501be"
+dependencies = [
+ "instant",
+]
+
+[[package]]
+name = "fern"
+version = "0.6.2"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "d9f0c14694cbd524c8720dd69b0e3179344f04ebb5f90f2e4a440c6ea3b2f1ee"
+dependencies = [
+ "log",
+]
+
+[[package]]
+name = "field-offset"
+version = "0.3.5"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "a3cf3a800ff6e860c863ca6d4b16fd999db8b752819c1606884047b73e468535"
+dependencies = [
+ "memoffset 0.8.0",
+ "rustc_version",
+]
+
+[[package]]
+name = "filetime"
+version = "0.2.21"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "5cbc844cecaee9d4443931972e1289c8ff485cb4cc2767cb03ca139ed6885153"
+dependencies = [
+ "cfg-if",
+ "libc",
+ "redox_syscall 0.2.16",
+ "windows-sys 0.48.0",
+]
+
+[[package]]
+name = "find-crate"
+version = "0.6.3"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "59a98bbaacea1c0eb6a0876280051b892eb73594fd90cf3b20e9c817029c57d2"
+dependencies = [
+ "toml 0.5.11",
+]
+
+[[package]]
+name = "firmware-manager"
+version = "0.1.5"
+dependencies = [
+ "apply",
+ "better-panic",
+ "dashmap",
+ "futures",
+ "fwupd-dbus",
+ "human-sort",
+ "i18n-embed",
+ "i18n-embed-fl",
+ "log",
+ "once_cell",
+ "rust-embed",
+ "shrinkwraprs",
+ "slotmap",
+ "system76-firmware-daemon",
+ "thiserror",
+ "tokio",
+ "tokio-udev",
+ "users",
+ "xdg",
+]
+
+[[package]]
+name = "firmware-manager-gtk"
+version = "0.1.5"
+dependencies = [
+ "better-panic",
+ "cascade",
+ "clap 4.2.5",
+ "fern",
+ "firmware-manager",
+ "gdk",
+ "gio",
+ "glib",
+ "gtk",
+ "html2md",
+ "i18n-embed",
+ "i18n-embed-fl",
+ "log",
+ "once_cell",
+ "rust-embed",
+ "shrinkwraprs",
+ "slotmap",
+ "upower_dbus",
+ "yansi",
+]
+
+[[package]]
+name = "firmware-manager-gtk-ffi"
+version = "0.1.5"
+dependencies = [
+ "cdylib-link-lines",
+ "firmware-manager-gtk",
+ "glib",
+ "gtk",
+ "gtk-sys",
+ "i18n-embed",
+ "i18n-embed-fl",
+ "once_cell",
+ "rust-embed",
+]
+
+[[package]]
+name = "firmware-manager-notify"
+version = "0.1.5"
+dependencies = [
+ "firmware-manager",
+ "fomat-macros",
+ "i18n-embed",
+ "i18n-embed-fl",
+ "notify-rust",
+ "once_cell",
+ "rust-embed",
+]
+
+[[package]]
+name = "flate2"
+version = "1.0.26"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "3b9429470923de8e8cbd4d2dc513535400b4b3fef0319fb5c4e1f520a7bef743"
+dependencies = [
+ "crc32fast",
+ "miniz_oxide 0.7.1",
+]
+
+[[package]]
+name = "fluent"
+version = "0.16.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "61f69378194459db76abd2ce3952b790db103ceb003008d3d50d97c41ff847a7"
+dependencies = [
+ "fluent-bundle",
+ "unic-langid",
+]
+
+[[package]]
+name = "fluent-bundle"
+version = "0.15.2"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "e242c601dec9711505f6d5bbff5bedd4b61b2469f2e8bb8e57ee7c9747a87ffd"
+dependencies = [
+ "fluent-langneg",
+ "fluent-syntax",
+ "intl-memoizer",
+ "intl_pluralrules",
+ "rustc-hash",
+ "self_cell",
+ "smallvec",
+ "unic-langid",
+]
+
+[[package]]
+name = "fluent-langneg"
+version = "0.13.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "2c4ad0989667548f06ccd0e306ed56b61bd4d35458d54df5ec7587c0e8ed5e94"
+dependencies = [
+ "unic-langid",
+]
+
+[[package]]
+name = "fluent-syntax"
+version = "0.11.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "c0abed97648395c902868fee9026de96483933faa54ea3b40d652f7dfe61ca78"
+dependencies = [
+ "thiserror",
+]
+
+[[package]]
+name = "fnv"
+version = "1.0.7"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "3f9eec918d3f24069decb9af1554cad7c880e2da24a9afd88aca000531ab82c1"
+
+[[package]]
+name = "fomat-macros"
+version = "0.3.2"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "3f722aa875298d34a0ebb6004699f6f4ea830d36dec8ac2effdbbc840248a096"
+
+[[package]]
+name = "foreign-types"
+version = "0.3.2"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "f6f339eb8adc052cd2ca78910fda869aefa38d22d5cb648e6485e4d3fc06f3b1"
+dependencies = [
+ "foreign-types-shared",
+]
+
+[[package]]
+name = "foreign-types-shared"
+version = "0.1.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "00b0228411908ca8685dba7fc2cdd70ec9990a6e753e89b6ac91a84c40fbaf4b"
+
+[[package]]
+name = "form_urlencoded"
+version = "1.1.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "a9c384f161156f5260c24a097c56119f9be8c798586aecc13afbcbe7b7e26bf8"
+dependencies = [
+ "percent-encoding",
+]
+
+[[package]]
+name = "freedesktop-desktop-entry"
+version = "0.1.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "d8f6c340bead95f07434f2432ab52ce048f290d93e42e3c63f416a364801e4bf"
+dependencies = [
+ "markup",
+]
+
+[[package]]
+name = "fuchsia-cprng"
+version = "0.1.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "a06f77d526c1a601b7c4cdd98f54b5eaabffc14d5f2f0296febdc7f357c6d3ba"
+
+[[package]]
+name = "futf"
+version = "0.1.5"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "df420e2e84819663797d1ec6544b13c5be84629e7bb00dc960d6917db2987843"
+dependencies = [
+ "mac",
+ "new_debug_unreachable",
+]
+
+[[package]]
+name = "futures"
+version = "0.3.28"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "23342abe12aba583913b2e62f22225ff9c950774065e4bfb61a19cd9770fec40"
+dependencies = [
+ "futures-channel",
+ "futures-core",
+ "futures-executor",
+ "futures-io",
+ "futures-sink",
+ "futures-task",
+ "futures-util",
+]
+
+[[package]]
+name = "futures-channel"
+version = "0.3.28"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "955518d47e09b25bbebc7a18df10b81f0c766eaf4c4f1cccef2fca5f2a4fb5f2"
+dependencies = [
+ "futures-core",
+ "futures-sink",
+]
+
+[[package]]
+name = "futures-core"
+version = "0.3.28"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "4bca583b7e26f571124fe5b7561d49cb2868d79116cfa0eefce955557c6fee8c"
+
+[[package]]
+name = "futures-executor"
+version = "0.3.28"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "ccecee823288125bd88b4d7f565c9e58e41858e47ab72e8ea2d64e93624386e0"
+dependencies = [
+ "futures-core",
+ "futures-task",
+ "futures-util",
+]
+
+[[package]]
+name = "futures-io"
+version = "0.3.28"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "4fff74096e71ed47f8e023204cfd0aa1289cd54ae5430a9523be060cdb849964"
+
+[[package]]
+name = "futures-lite"
+version = "1.13.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "49a9d51ce47660b1e808d3c990b4709f2f415d928835a17dfd16991515c46bce"
+dependencies = [
+ "fastrand",
+ "futures-core",
+ "futures-io",
+ "memchr",
+ "parking",
+ "pin-project-lite",
+ "waker-fn",
+]
+
+[[package]]
+name = "futures-macro"
+version = "0.3.28"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "89ca545a94061b6365f2c7355b4b32bd20df3ff95f02da9329b34ccc3bd6ee72"
+dependencies = [
+ "proc-macro2 1.0.56",
+ "quote 1.0.26",
+ "syn 2.0.15",
+]
+
+[[package]]
+name = "futures-sink"
+version = "0.3.28"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "f43be4fe21a13b9781a69afa4985b0f6ee0e1afab2c6f454a8cf30e2b2237b6e"
+
+[[package]]
+name = "futures-task"
+version = "0.3.28"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "76d3d132be6c0e6aa1534069c705a74a5997a356c0dc2f86a47765e5617c5b65"
+
+[[package]]
+name = "futures-util"
+version = "0.3.28"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "26b01e40b772d54cf6c6d721c1d1abd0647a0106a12ecaa1c186273392a69533"
+dependencies = [
+ "futures-channel",
+ "futures-core",
+ "futures-io",
+ "futures-macro",
+ "futures-sink",
+ "futures-task",
+ "memchr",
+ "pin-project-lite",
+ "pin-utils",
+ "slab",
+]
+
+[[package]]
+name = "fwupd-dbus"
+version = "0.2.3"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "740e23cb282f6e8e1aaa26b04553cdf04dbe9c6c18b94a8bdd7da0cc75c4c225"
+dependencies = [
+ "base64 0.13.1",
+ "bitflags",
+ "cascade",
+ "crypto-hash",
+ "dbus 0.9.7",
+ "hex-view",
+ "log",
+ "shrinkwraprs",
+ "thiserror",
+ "ureq",
+ "url",
+ "xdg",
+ "zbus",
+]
+
+[[package]]
+name = "gdk"
+version = "0.15.4"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "a6e05c1f572ab0e1f15be94217f0dc29088c248b14f792a5ff0af0d84bcda9e8"
+dependencies = [
+ "bitflags",
+ "cairo-rs",
+ "gdk-pixbuf",
+ "gdk-sys",
+ "gio",
+ "glib",
+ "libc",
+ "pango",
+]
+
+[[package]]
+name = "gdk-pixbuf"
+version = "0.15.11"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "ad38dd9cc8b099cceecdf41375bb6d481b1b5a7cd5cd603e10a69a9383f8619a"
+dependencies = [
+ "bitflags",
+ "gdk-pixbuf-sys",
+ "gio",
+ "glib",
+ "libc",
+]
+
+[[package]]
+name = "gdk-pixbuf-sys"
+version = "0.15.10"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "140b2f5378256527150350a8346dbdb08fadc13453a7a2d73aecd5fab3c402a7"
+dependencies = [
+ "gio-sys",
+ "glib-sys",
+ "gobject-sys",
+ "libc",
+ "system-deps",
+]
+
+[[package]]
+name = "gdk-sys"
+version = "0.15.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "32e7a08c1e8f06f4177fb7e51a777b8c1689f743a7bc11ea91d44d2226073a88"
+dependencies = [
+ "cairo-sys-rs",
+ "gdk-pixbuf-sys",
+ "gio-sys",
+ "glib-sys",
+ "gobject-sys",
+ "libc",
+ "pango-sys",
+ "pkg-config",
+ "system-deps",
+]
+
+[[package]]
+name = "generic-array"
+version = "0.14.7"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "85649ca51fd72272d7821adaf274ad91c288277713d9c18820d8499a7ff69e9a"
+dependencies = [
+ "typenum",
+ "version_check",
+]
+
+[[package]]
+name = "getrandom"
+version = "0.2.9"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "c85e1d9ab2eadba7e5040d4e09cbd6d072b76a557ad64e797c2cb9d4da21d7e4"
+dependencies = [
+ "cfg-if",
+ "libc",
+ "wasi",
+]
+
+[[package]]
+name = "gimli"
+version = "0.27.2"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "ad0a93d233ebf96623465aad4046a8d3aa4da22d4f4beba5388838c8a434bbb4"
+
+[[package]]
+name = "gio"
+version = "0.15.12"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "68fdbc90312d462781a395f7a16d96a2b379bb6ef8cd6310a2df272771c4283b"
+dependencies = [
+ "bitflags",
+ "futures-channel",
+ "futures-core",
+ "futures-io",
+ "gio-sys",
+ "glib",
+ "libc",
+ "once_cell",
+ "thiserror",
+]
+
+[[package]]
+name = "gio-sys"
+version = "0.15.10"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "32157a475271e2c4a023382e9cab31c4584ee30a97da41d3c4e9fdd605abcf8d"
+dependencies = [
+ "glib-sys",
+ "gobject-sys",
+ "libc",
+ "system-deps",
+ "winapi",
+]
+
+[[package]]
+name = "glib"
+version = "0.15.12"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "edb0306fbad0ab5428b0ca674a23893db909a98582969c9b537be4ced78c505d"
+dependencies = [
+ "bitflags",
+ "futures-channel",
+ "futures-core",
+ "futures-executor",
+ "futures-task",
+ "glib-macros",
+ "glib-sys",
+ "gobject-sys",
+ "libc",
+ "once_cell",
+ "smallvec",
+ "thiserror",
+]
+
+[[package]]
+name = "glib-macros"
+version = "0.15.13"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "10c6ae9f6fa26f4fb2ac16b528d138d971ead56141de489f8111e259b9df3c4a"
+dependencies = [
+ "anyhow",
+ "heck 0.4.1",
+ "proc-macro-crate",
+ "proc-macro-error",
+ "proc-macro2 1.0.56",
+ "quote 1.0.26",
+ "syn 1.0.109",
+]
+
+[[package]]
+name = "glib-sys"
+version = "0.15.10"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "ef4b192f8e65e9cf76cbf4ea71fa8e3be4a0e18ffe3d68b8da6836974cc5bad4"
+dependencies = [
+ "libc",
+ "system-deps",
+]
+
+[[package]]
+name = "gobject-sys"
+version = "0.15.10"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "0d57ce44246becd17153bd035ab4d32cfee096a657fc01f2231c9278378d1e0a"
+dependencies = [
+ "glib-sys",
+ "libc",
+ "system-deps",
+]
+
+[[package]]
+name = "gtk"
+version = "0.15.5"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "92e3004a2d5d6d8b5057d2b57b3712c9529b62e82c77f25c1fecde1fd5c23bd0"
+dependencies = [
+ "atk",
+ "bitflags",
+ "cairo-rs",
+ "field-offset",
+ "futures-channel",
+ "gdk",
+ "gdk-pixbuf",
+ "gio",
+ "glib",
+ "gtk-sys",
+ "gtk3-macros",
+ "libc",
+ "once_cell",
+ "pango",
+ "pkg-config",
+]
+
+[[package]]
+name = "gtk-sys"
+version = "0.15.3"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "d5bc2f0587cba247f60246a0ca11fe25fb733eabc3de12d1965fc07efab87c84"
+dependencies = [
+ "atk-sys",
+ "cairo-sys-rs",
+ "gdk-pixbuf-sys",
+ "gdk-sys",
+ "gio-sys",
+ "glib-sys",
+ "gobject-sys",
+ "libc",
+ "pango-sys",
+ "system-deps",
+]
+
+[[package]]
+name = "gtk3-macros"
+version = "0.15.6"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "684c0456c086e8e7e9af73ec5b84e35938df394712054550e81558d21c44ab0d"
+dependencies = [
+ "anyhow",
+ "proc-macro-crate",
+ "proc-macro-error",
+ "proc-macro2 1.0.56",
+ "quote 1.0.26",
+ "syn 1.0.109",
+]
+
+[[package]]
+name = "h2"
+version = "0.3.18"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "17f8a914c2987b688368b5138aa05321db91f4090cf26118185672ad588bce21"
+dependencies = [
+ "bytes",
+ "fnv",
+ "futures-core",
+ "futures-sink",
+ "futures-util",
+ "http",
+ "indexmap",
+ "slab",
+ "tokio",
+ "tokio-util",
+ "tracing",
+]
+
+[[package]]
+name = "hashbrown"
+version = "0.12.3"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "8a9ee70c43aaf417c914396645a0fa852624801b24ebb7ae78fe8272889ac888"
+
+[[package]]
+name = "heck"
+version = "0.3.3"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "6d621efb26863f0e9924c6ac577e8275e5e6b77455db64ffa6c65c904e9e132c"
+dependencies = [
+ "unicode-segmentation",
+]
+
+[[package]]
+name = "heck"
+version = "0.4.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "95505c38b4572b2d910cecb0281560f54b440a19336cbbcb27bf6ce6adc6f5a8"
+
+[[package]]
+name = "hermit-abi"
+version = "0.1.19"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "62b467343b94ba476dcb2500d242dadbb39557df889310ac77c5d99100aaac33"
+dependencies = [
+ "libc",
+]
+
+[[package]]
+name = "hermit-abi"
+version = "0.2.6"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "ee512640fe35acbfb4bb779db6f0d80704c2cacfa2e39b601ef3e3f47d1ae4c7"
+dependencies = [
+ "libc",
+]
+
+[[package]]
+name = "hermit-abi"
+version = "0.3.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "fed44880c466736ef9a5c5b5facefb5ed0785676d0c02d612db14e54f0d84286"
+
+[[package]]
+name = "hex"
+version = "0.3.2"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "805026a5d0141ffc30abb3be3173848ad46a1b1664fe632428479619a3644d77"
+
+[[package]]
+name = "hex"
+version = "0.4.3"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "7f24254aa9a54b5c858eaee2f5bccdb46aaf0e486a595ed5fd8f86ba55232a70"
+
+[[package]]
+name = "hex-view"
+version = "0.1.3"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "494e16c9fe4dd02a88f3fe9ec0f27e38045691ea0ceb11603670f220ff5ca97f"
+
+[[package]]
+name = "home"
+version = "0.5.5"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "5444c27eef6923071f7ebcc33e3444508466a76f7a2b93da00ed6e19f30c1ddb"
+dependencies = [
+ "windows-sys 0.48.0",
+]
+
+[[package]]
+name = "html2md"
+version = "0.2.14"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "be92446e11d68f5d71367d571c229d09ced1f24ab6d08ea0bff329d5f6c0b2a3"
+dependencies = [
+ "html5ever",
+ "jni",
+ "lazy_static",
+ "markup5ever_rcdom",
+ "percent-encoding",
+ "regex",
+]
+
+[[package]]
+name = "html5ever"
+version = "0.26.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "bea68cab48b8459f17cf1c944c67ddc572d272d9f2b274140f223ecb1da4a3b7"
+dependencies = [
+ "log",
+ "mac",
+ "markup5ever",
+ "proc-macro2 1.0.56",
+ "quote 1.0.26",
+ "syn 1.0.109",
+]
+
+[[package]]
+name = "http"
+version = "0.2.9"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "bd6effc99afb63425aff9b05836f029929e345a6148a14b7ecd5ab67af944482"
+dependencies = [
+ "bytes",
+ "fnv",
+ "itoa",
+]
+
+[[package]]
+name = "http-body"
+version = "0.4.5"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "d5f38f16d184e36f2408a55281cd658ecbd3ca05cce6d6510a176eca393e26d1"
+dependencies = [
+ "bytes",
+ "http",
+ "pin-project-lite",
+]
+
+[[package]]
+name = "httparse"
+version = "1.8.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "d897f394bad6a705d5f4104762e116a75639e470d80901eed05a860a95cb1904"
+
+[[package]]
+name = "httpdate"
+version = "1.0.2"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "c4a1e36c821dbe04574f602848a19f742f4fb3c98d40449f11bcad18d6b17421"
+
+[[package]]
+name = "human-sort"
+version = "0.2.2"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "140a09c9305e6d5e557e2ed7cbc68e05765a7d4213975b87cb04920689cc6219"
+
+[[package]]
+name = "hyper"
+version = "0.14.26"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "ab302d72a6f11a3b910431ff93aae7e773078c769f0a3ef15fb9ec692ed147d4"
+dependencies = [
+ "bytes",
+ "futures-channel",
+ "futures-core",
+ "futures-util",
+ "h2",
+ "http",
+ "http-body",
+ "httparse",
+ "httpdate",
+ "itoa",
+ "pin-project-lite",
+ "socket2",
+ "tokio",
+ "tower-service",
+ "tracing",
+ "want",
+]
+
+[[package]]
+name = "hyper-tls"
+version = "0.5.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "d6183ddfa99b85da61a140bea0efc93fdf56ceaa041b37d553518030827f9905"
+dependencies = [
+ "bytes",
+ "hyper",
+ "native-tls",
+ "tokio",
+ "tokio-native-tls",
+]
+
+[[package]]
+name = "i18n-config"
+version = "0.4.3"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "3d9f93ceee6543011739bc81699b5e0cf1f23f3a80364649b6d80de8636bc8df"
+dependencies = [
+ "log",
+ "serde",
+ "serde_derive",
+ "thiserror",
+ "toml 0.5.11",
+ "unic-langid",
+]
+
+[[package]]
+name = "i18n-embed"
+version = "0.13.8"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "2653dd1a8be0726315603f1c180b29f90e5b2a58f8b943d949d5170d9ad81101"
+dependencies = [
+ "arc-swap",
+ "fluent",
+ "fluent-langneg",
+ "fluent-syntax",
+ "i18n-embed-impl",
+ "intl-memoizer",
+ "lazy_static",
+ "locale_config",
+ "log",
+ "parking_lot",
+ "rust-embed",
+ "thiserror",
+ "unic-langid",
+ "walkdir",
+]
+
+[[package]]
+name = "i18n-embed-fl"
+version = "0.6.6"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "4b5809e2295beeb55013705c3b947cbbe83b8cadf3c73a1e6dca06381927212a"
+dependencies = [
+ "dashmap",
+ "find-crate",
+ "fluent",
+ "fluent-syntax",
+ "i18n-config",
+ "i18n-embed",
+ "lazy_static",
+ "proc-macro-error",
+ "proc-macro2 1.0.56",
+ "quote 1.0.26",
+ "strsim",
+ "syn 1.0.109",
+ "unic-langid",
+]
+
+[[package]]
+name = "i18n-embed-impl"
+version = "0.8.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "0db2330e035808eb064afb67e6743ddce353763af3e0f2bdfc2476e00ce76136"
+dependencies = [
+ "find-crate",
+ "i18n-config",
+ "proc-macro2 1.0.56",
+ "quote 1.0.26",
+ "syn 1.0.109",
+]
+
+[[package]]
+name = "idna"
+version = "0.3.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "e14ddfc70884202db2244c223200c204c2bda1bc6e0998d11b5e024d657209e6"
+dependencies = [
+ "unicode-bidi",
+ "unicode-normalization",
+]
+
+[[package]]
+name = "index-fixed"
+version = "0.3.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "4161ceaf2f41b6cd3f6502f5da085d4ad4393a51e0c70ed2fce1d5698d798fae"
+
+[[package]]
+name = "indexmap"
+version = "1.9.3"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "bd070e393353796e801d209ad339e89596eb4c8d430d18ede6a1cced8fafbd99"
+dependencies = [
+ "autocfg",
+ "hashbrown",
+]
+
+[[package]]
+name = "instant"
+version = "0.1.12"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "7a5bbe824c507c5da5956355e86a746d82e0e1464f65d862cc5e71da70e94b2c"
+dependencies = [
+ "cfg-if",
+]
+
+[[package]]
+name = "intl-memoizer"
+version = "0.5.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "c310433e4a310918d6ed9243542a6b83ec1183df95dff8f23f87bb88a264a66f"
+dependencies = [
+ "type-map",
+ "unic-langid",
+]
+
+[[package]]
+name = "intl_pluralrules"
+version = "7.0.2"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "078ea7b7c29a2b4df841a7f6ac8775ff6074020c6776d48491ce2268e068f972"
+dependencies = [
+ "unic-langid",
+]
+
+[[package]]
+name = "io-lifetimes"
+version = "1.0.10"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "9c66c74d2ae7e79a5a8f7ac924adbe38ee42a859c6539ad869eb51f0b52dc220"
+dependencies = [
+ "hermit-abi 0.3.1",
+ "libc",
+ "windows-sys 0.48.0",
+]
+
+[[package]]
+name = "ipnet"
+version = "2.7.2"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "12b6ee2129af8d4fb011108c73d99a1b83a85977f23b82460c0ae2e25bb4b57f"
+
+[[package]]
+name = "is-terminal"
+version = "0.4.7"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "adcf93614601c8129ddf72e2d5633df827ba6551541c6d8c59520a371475be1f"
+dependencies = [
+ "hermit-abi 0.3.1",
+ "io-lifetimes",
+ "rustix",
+ "windows-sys 0.48.0",
+]
+
+[[package]]
+name = "itertools"
+version = "0.8.2"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "f56a2d0bc861f9165be4eb3442afd3c236d8a98afd426f65d92324ae1091a484"
+dependencies = [
+ "either",
+]
+
+[[package]]
+name = "itoa"
+version = "1.0.6"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "453ad9f582a441959e5f0d088b02ce04cfe8d51a8eaf077f12ac6d3e94164ca6"
+
+[[package]]
+name = "jni"
+version = "0.19.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "c6df18c2e3db7e453d3c6ac5b3e9d5182664d28788126d39b91f2d1e22b017ec"
+dependencies = [
+ "cesu8",
+ "combine",
+ "jni-sys",
+ "log",
+ "thiserror",
+ "walkdir",
+]
+
+[[package]]
+name = "jni-sys"
+version = "0.3.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "8eaf4bc02d17cbdd7ff4c7438cafcdf7fb9a4613313ad11b4f8fefe7d3fa0130"
+
+[[package]]
+name = "js-sys"
+version = "0.3.61"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "445dde2150c55e483f3d8416706b97ec8e8237c307e5b7b4b8dd15e6af2a0730"
+dependencies = [
+ "wasm-bindgen",
+]
+
+[[package]]
+name = "lazy_static"
+version = "1.4.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "e2abad23fbc42b3700f2f279844dc832adb2b2eb069b2df918f455c4e18cc646"
+
+[[package]]
+name = "libc"
+version = "0.2.142"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "6a987beff54b60ffa6d51982e1aa1146bc42f19bd26be28b0586f252fccf5317"
+
+[[package]]
+name = "libdbus-sys"
+version = "0.2.5"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "06085512b750d640299b79be4bad3d2fa90a9c00b1fd9e1b46364f66f0485c72"
+dependencies = [
+ "pkg-config",
+]
+
+[[package]]
+name = "libudev-sys"
+version = "0.1.4"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "3c8469b4a23b962c1396b9b451dda50ef5b283e8dd309d69033475fa9b334324"
+dependencies = [
+ "libc",
+ "pkg-config",
+]
+
+[[package]]
+name = "linux-raw-sys"
+version = "0.3.6"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "b64f40e5e03e0d54f03845c8197d0291253cdbedfb1cb46b13c2c117554a9f4c"
+
+[[package]]
+name = "locale_config"
+version = "0.3.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "08d2c35b16f4483f6c26f0e4e9550717a2f6575bcd6f12a53ff0c490a94a6934"
+dependencies = [
+ "lazy_static",
+ "objc",
+ "objc-foundation",
+ "regex",
+ "winapi",
+]
+
+[[package]]
+name = "lock_api"
+version = "0.4.9"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "435011366fe56583b16cf956f9df0095b405b82d76425bc8981c0e22e60ec4df"
+dependencies = [
+ "autocfg",
+ "scopeguard",
+]
+
+[[package]]
+name = "log"
+version = "0.4.17"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "abb12e687cfb44aa40f41fc3978ef76448f9b6038cad6aef4259d3c095a2382e"
+dependencies = [
+ "cfg-if",
+]
+
+[[package]]
+name = "lxd"
+version = "0.1.9"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "918a314b8eb7d4e19c3d154b4069b12aa37c25a68bae4f2c2a69f50bf47c7c5a"
+dependencies = [
+ "serde",
+ "serde_json",
+]
+
+[[package]]
+name = "mac"
+version = "0.1.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "c41e0c4fef86961ac6d6f8a82609f55f31b05e4fce149ac5710e439df7619ba4"
+
+[[package]]
+name = "mac-notification-sys"
+version = "0.5.6"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "3e72d50edb17756489e79d52eb146927bec8eba9dd48faadf9ef08bca3791ad5"
+dependencies = [
+ "cc",
+ "dirs-next",
+ "objc-foundation",
+ "objc_id",
+ "time",
+]
+
+[[package]]
+name = "malloc_buf"
+version = "0.0.6"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "62bb907fe88d54d8d9ce32a3cceab4218ed2f6b7d35617cafe9adf84e43919cb"
+dependencies = [
+ "libc",
+]
+
+[[package]]
+name = "markup"
+version = "0.3.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "360ec4d83ae8c3150530220fd89e0c5dba54cfc8d7675695f1fdc3581880dce9"
+dependencies = [
+ "markup-proc-macro",
+]
+
+[[package]]
+name = "markup-proc-macro"
+version = "0.3.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "ba9c3711ed5187a843aaa960eb78db98f64d76ea22a47c204ca2affb3904bb92"
+dependencies = [
+ "proc-macro2 0.4.30",
+ "quote 0.6.13",
+ "syn 0.15.44",
+]
+
+[[package]]
+name = "markup5ever"
+version = "0.11.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "7a2629bb1404f3d34c2e921f21fd34ba00b206124c81f65c50b43b6aaefeb016"
+dependencies = [
+ "log",
+ "phf",
+ "phf_codegen",
+ "string_cache",
+ "string_cache_codegen",
+ "tendril",
+]
+
+[[package]]
+name = "markup5ever_rcdom"
+version = "0.2.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "b9521dd6750f8e80ee6c53d65e2e4656d7de37064f3a7a5d2d11d05df93839c2"
+dependencies = [
+ "html5ever",
+ "markup5ever",
+ "tendril",
+ "xml5ever",
+]
+
+[[package]]
+name = "memchr"
+version = "2.5.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "2dffe52ecf27772e601905b7522cb4ef790d2cc203488bbd0e2fe85fcb74566d"
+
+[[package]]
+name = "memoffset"
+version = "0.7.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "5de893c32cde5f383baa4c04c5d6dbdd735cfd4a794b0debdb2bb1b421da5ff4"
+dependencies = [
+ "autocfg",
+]
+
+[[package]]
+name = "memoffset"
+version = "0.8.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "d61c719bcfbcf5d62b3a09efa6088de8c54bc0bfcd3ea7ae39fcc186108b8de1"
+dependencies = [
+ "autocfg",
+]
+
+[[package]]
+name = "mime"
+version = "0.3.17"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "6877bb514081ee2a7ff5ef9de3281f14a4dd4bceac4c09388074a6b5df8a139a"
+
+[[package]]
+name = "miniz_oxide"
+version = "0.6.2"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "b275950c28b37e794e8c55d88aeb5e139d0ce23fdbbeda68f8d7174abdf9e8fa"
+dependencies = [
+ "adler",
+]
+
+[[package]]
+name = "miniz_oxide"
+version = "0.7.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "e7810e0be55b428ada41041c41f32c9f1a42817901b4ccf45fa3d4b6561e74c7"
+dependencies = [
+ "adler",
+]
+
+[[package]]
+name = "mio"
+version = "0.7.14"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "8067b404fe97c70829f082dec8bcf4f71225d7eaea1d8645349cb76fa06205cc"
+dependencies = [
+ "libc",
+ "log",
+ "miow",
+ "ntapi",
+ "winapi",
+]
+
+[[package]]
+name = "mio"
+version = "0.8.6"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "5b9d9a46eff5b4ff64b45a9e316a6d1e0bc719ef429cbec4dc630684212bfdf9"
+dependencies = [
+ "libc",
+ "log",
+ "wasi",
+ "windows-sys 0.45.0",
+]
+
+[[package]]
+name = "miow"
+version = "0.3.7"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "b9f1c5b025cda876f66ef43a113f91ebc9f4ccef34843000e0adf6ebbab84e21"
+dependencies = [
+ "winapi",
+]
+
+[[package]]
+name = "native-tls"
+version = "0.2.11"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "07226173c32f2926027b63cce4bcd8076c3552846cbe7925f3aaffeac0a3b92e"
+dependencies = [
+ "lazy_static",
+ "libc",
+ "log",
+ "openssl",
+ "openssl-probe",
+ "openssl-sys",
+ "schannel",
+ "security-framework",
+ "security-framework-sys",
+ "tempfile",
+]
+
+[[package]]
+name = "new_debug_unreachable"
+version = "1.0.4"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "e4a24736216ec316047a1fc4252e27dabb04218aa4a3f37c6e7ddbf1f9782b54"
+
+[[package]]
+name = "nix"
+version = "0.26.2"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "bfdda3d196821d6af13126e40375cdf7da646a96114af134d5f417a9a1dc8e1a"
+dependencies = [
+ "bitflags",
+ "cfg-if",
+ "libc",
+ "memoffset 0.7.1",
+ "static_assertions",
+]
+
+[[package]]
+name = "notify-rust"
+version = "4.8.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "2bfa211d18e360f08e36c364308f394b5eb23a6629150690e109a916dc6f610e"
+dependencies = [
+ "dbus 0.9.7",
+ "log",
+ "mac-notification-sys",
+ "tauri-winrt-notification",
+]
+
+[[package]]
+name = "ntapi"
+version = "0.3.7"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "c28774a7fd2fbb4f0babd8237ce554b73af68021b5f695a3cebd6c59bac0980f"
+dependencies = [
+ "winapi",
+]
+
+[[package]]
+name = "num_cpus"
+version = "1.15.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "0fac9e2da13b5eb447a6ce3d392f23a29d8694bff781bf03a16cd9ac8697593b"
+dependencies = [
+ "hermit-abi 0.2.6",
+ "libc",
+]
+
+[[package]]
+name = "objc"
+version = "0.2.7"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "915b1b472bc21c53464d6c8461c9d3af805ba1ef837e1cac254428f4a77177b1"
+dependencies = [
+ "malloc_buf",
+]
+
+[[package]]
+name = "objc-foundation"
+version = "0.1.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "1add1b659e36c9607c7aab864a76c7a4c2760cd0cd2e120f3fb8b952c7e22bf9"
+dependencies = [
+ "block",
+ "objc",
+ "objc_id",
+]
+
+[[package]]
+name = "objc_id"
+version = "0.1.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "c92d4ddb4bd7b50d730c215ff871754d0da6b2178849f8a2a2ab69712d0c073b"
+dependencies = [
+ "objc",
+]
+
+[[package]]
+name = "object"
+version = "0.30.3"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "ea86265d3d3dcb6a27fc51bd29a4bf387fae9d2986b823079d4986af253eb439"
+dependencies = [
+ "memchr",
+]
+
+[[package]]
+name = "once_cell"
+version = "1.17.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "b7e5500299e16ebb147ae15a00a942af264cf3688f47923b8fc2cd5858f23ad3"
+
+[[package]]
+name = "opaque-debug"
+version = "0.3.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "624a8340c38c1b80fd549087862da4ba43e08858af025b236e509b6649fc13d5"
+
+[[package]]
+name = "openssl"
+version = "0.10.52"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "01b8574602df80f7b85fdfc5392fa884a4e3b3f4f35402c070ab34c3d3f78d56"
+dependencies = [
+ "bitflags",
+ "cfg-if",
+ "foreign-types",
+ "libc",
+ "once_cell",
+ "openssl-macros",
+ "openssl-sys",
+]
+
+[[package]]
+name = "openssl-macros"
+version = "0.1.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "a948666b637a0f465e8564c73e89d4dde00d72d4d473cc972f390fc3dcee7d9c"
+dependencies = [
+ "proc-macro2 1.0.56",
+ "quote 1.0.26",
+ "syn 2.0.15",
+]
+
+[[package]]
+name = "openssl-probe"
+version = "0.1.5"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "ff011a302c396a5197692431fc1948019154afc178baf7d8e37367442a4601cf"
+
+[[package]]
+name = "openssl-sys"
+version = "0.9.87"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "8e17f59264b2809d77ae94f0e1ebabc434773f370d6ca667bd223ea10e06cc7e"
+dependencies = [
+ "cc",
+ "libc",
+ "pkg-config",
+ "vcpkg",
+]
+
+[[package]]
+name = "ordered-stream"
+version = "0.2.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "9aa2b01e1d916879f73a53d01d1d6cee68adbb31d6d9177a8cfce093cced1d50"
+dependencies = [
+ "futures-core",
+ "pin-project-lite",
+]
+
+[[package]]
+name = "os_str_bytes"
+version = "6.5.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "ceedf44fb00f2d1984b0bc98102627ce622e083e49a5bacdb3e514fa4238e267"
+
+[[package]]
+name = "pango"
+version = "0.15.10"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "22e4045548659aee5313bde6c582b0d83a627b7904dd20dc2d9ef0895d414e4f"
+dependencies = [
+ "bitflags",
+ "glib",
+ "libc",
+ "once_cell",
+ "pango-sys",
+]
+
+[[package]]
+name = "pango-sys"
+version = "0.15.10"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "d2a00081cde4661982ed91d80ef437c20eacaf6aa1a5962c0279ae194662c3aa"
+dependencies = [
+ "glib-sys",
+ "gobject-sys",
+ "libc",
+ "system-deps",
+]
+
+[[package]]
+name = "parking"
+version = "2.1.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "14f2252c834a40ed9bb5422029649578e63aa341ac401f74e719dd1afda8394e"
+
+[[package]]
+name = "parking_lot"
+version = "0.12.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "3742b2c103b9f06bc9fff0a37ff4912935851bee6d36f3c02bcc755bcfec228f"
+dependencies = [
+ "lock_api",
+ "parking_lot_core",
+]
+
+[[package]]
+name = "parking_lot_core"
+version = "0.9.7"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "9069cbb9f99e3a5083476ccb29ceb1de18b9118cafa53e90c9551235de2b9521"
+dependencies = [
+ "cfg-if",
+ "libc",
+ "redox_syscall 0.2.16",
+ "smallvec",
+ "windows-sys 0.45.0",
+]
+
+[[package]]
+name = "percent-encoding"
+version = "2.2.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "478c572c3d73181ff3c2539045f6eb99e5491218eae919370993b890cdbdd98e"
+
+[[package]]
+name = "phf"
+version = "0.10.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "fabbf1ead8a5bcbc20f5f8b939ee3f5b0f6f281b6ad3468b84656b658b455259"
+dependencies = [
+ "phf_shared",
+]
+
+[[package]]
+name = "phf_codegen"
+version = "0.10.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "4fb1c3a8bc4dd4e5cfce29b44ffc14bedd2ee294559a294e2a4d4c9e9a6a13cd"
+dependencies = [
+ "phf_generator",
+ "phf_shared",
+]
+
+[[package]]
+name = "phf_generator"
+version = "0.10.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "5d5285893bb5eb82e6aaf5d59ee909a06a16737a8970984dd7746ba9283498d6"
+dependencies = [
+ "phf_shared",
+ "rand 0.8.5",
+]
+
+[[package]]
+name = "phf_shared"
+version = "0.10.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "b6796ad771acdc0123d2a88dc428b5e38ef24456743ddb1744ed628f9815c096"
+dependencies = [
+ "siphasher",
+]
+
+[[package]]
+name = "pin-project-lite"
+version = "0.2.9"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "e0a7ae3ac2f1173085d398531c705756c94a4c56843785df85a60c1a0afac116"
+
+[[package]]
+name = "pin-utils"
+version = "0.1.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "8b870d8c151b6f2fb93e84a13146138f05d02ed11c7e7c54f8826aaaf7c9f184"
+
+[[package]]
+name = "pkg-config"
+version = "0.3.26"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "6ac9a59f73473f1b8d852421e59e64809f025994837ef743615c6d0c5b305160"
+
+[[package]]
+name = "plain"
+version = "0.2.3"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "b4596b6d070b27117e987119b4dac604f3c58cfb0b191112e24771b2faeac1a6"
+
+[[package]]
+name = "polling"
+version = "2.8.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "4b2d323e8ca7996b3e23126511a523f7e62924d93ecd5ae73b333815b0eb3dce"
+dependencies = [
+ "autocfg",
+ "bitflags",
+ "cfg-if",
+ "concurrent-queue",
+ "libc",
+ "log",
+ "pin-project-lite",
+ "windows-sys 0.48.0",
+]
+
+[[package]]
+name = "ppv-lite86"
+version = "0.2.17"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "5b40af805b3121feab8a3c29f04d8ad262fa8e0561883e7653e024ae4479e6de"
+
+[[package]]
+name = "precomputed-hash"
+version = "0.1.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "925383efa346730478fb4838dbe9137d2a47675ad789c546d150a6e1dd4ab31c"
+
+[[package]]
+name = "proc-macro-crate"
+version = "1.3.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "7f4c021e1093a56626774e81216a4ce732a735e5bad4868a03f3ed65ca0c3919"
+dependencies = [
+ "once_cell",
+ "toml_edit",
+]
+
+[[package]]
+name = "proc-macro-error"
+version = "1.0.4"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "da25490ff9892aab3fcf7c36f08cfb902dd3e71ca0f9f9517bea02a73a5ce38c"
+dependencies = [
+ "proc-macro-error-attr",
+ "proc-macro2 1.0.56",
+ "quote 1.0.26",
+ "syn 1.0.109",
+ "version_check",
+]
+
+[[package]]
+name = "proc-macro-error-attr"
+version = "1.0.4"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "a1be40180e52ecc98ad80b184934baf3d0d29f979574e439af5a55274b35f869"
+dependencies = [
+ "proc-macro2 1.0.56",
+ "quote 1.0.26",
+ "version_check",
+]
+
+[[package]]
+name = "proc-macro2"
+version = "0.4.30"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "cf3d2011ab5c909338f7887f4fc896d35932e29146c12c8d01da6b22a80ba759"
+dependencies = [
+ "unicode-xid 0.1.0",
+]
+
+[[package]]
+name = "proc-macro2"
+version = "1.0.56"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "2b63bdb0cd06f1f4dedf69b254734f9b45af66e4a031e42a7480257d9898b435"
+dependencies = [
+ "unicode-ident",
+]
+
+[[package]]
+name = "quick-xml"
+version = "0.23.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "11bafc859c6815fbaffbbbf4229ecb767ac913fecb27f9ad4343662e9ef099ea"
+dependencies = [
+ "memchr",
+]
+
+[[package]]
+name = "quote"
+version = "0.6.13"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "6ce23b6b870e8f94f81fb0a363d65d86675884b34a09043c81e5562f11c1f8e1"
+dependencies = [
+ "proc-macro2 0.4.30",
+]
+
+[[package]]
+name = "quote"
+version = "1.0.26"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "4424af4bf778aae2051a77b60283332f386554255d722233d09fbfc7e30da2fc"
+dependencies = [
+ "proc-macro2 1.0.56",
+]
+
+[[package]]
+name = "rand"
+version = "0.4.6"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "552840b97013b1a26992c11eac34bdd778e464601a4c2054b5f0bff7c6761293"
+dependencies = [
+ "fuchsia-cprng",
+ "libc",
+ "rand_core 0.3.1",
+ "rdrand",
+ "winapi",
+]
+
+[[package]]
+name = "rand"
+version = "0.8.5"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "34af8d1a0e25924bc5b7c43c079c942339d8f0a8b57c39049bef581b46327404"
+dependencies = [
+ "libc",
+ "rand_chacha",
+ "rand_core 0.6.4",
+]
+
+[[package]]
+name = "rand_chacha"
+version = "0.3.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "e6c10a63a0fa32252be49d21e7709d4d4baf8d231c2dbce1eaa8141b9b127d88"
+dependencies = [
+ "ppv-lite86",
+ "rand_core 0.6.4",
+]
+
+[[package]]
+name = "rand_core"
+version = "0.3.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "7a6fdeb83b075e8266dcc8762c22776f6877a63111121f5f8c7411e5be7eed4b"
+dependencies = [
+ "rand_core 0.4.2",
+]
+
+[[package]]
+name = "rand_core"
+version = "0.4.2"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "9c33a3c44ca05fa6f1807d8e6743f3824e8509beca625669633be0acbdf509dc"
+
+[[package]]
+name = "rand_core"
+version = "0.6.4"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "ec0be4795e2f6a28069bec0b5ff3e2ac9bafc99e6a9a7dc3547996c5c816922c"
+dependencies = [
+ "getrandom",
+]
+
+[[package]]
+name = "rdrand"
+version = "0.4.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "678054eb77286b51581ba43620cc911abf02758c91f93f479767aed0f90458b2"
+dependencies = [
+ "rand_core 0.3.1",
+]
+
+[[package]]
+name = "redox_syscall"
+version = "0.2.16"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "fb5a58c1855b4b6819d59012155603f0b22ad30cad752600aadfcb695265519a"
+dependencies = [
+ "bitflags",
+]
+
+[[package]]
+name = "redox_syscall"
+version = "0.3.5"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "567664f262709473930a4bf9e51bf2ebf3348f2e748ccc50dea20646858f8f29"
+dependencies = [
+ "bitflags",
+]
+
+[[package]]
+name = "redox_users"
+version = "0.4.3"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "b033d837a7cf162d7993aded9304e30a83213c648b6e389db233191f891e5c2b"
+dependencies = [
+ "getrandom",
+ "redox_syscall 0.2.16",
+ "thiserror",
+]
+
+[[package]]
+name = "regex"
+version = "1.8.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "af83e617f331cc6ae2da5443c602dfa5af81e517212d9d611a5b3ba1777b5370"
+dependencies = [
+ "aho-corasick",
+ "memchr",
+ "regex-syntax",
+]
+
+[[package]]
+name = "regex-syntax"
+version = "0.7.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "a5996294f19bd3aae0453a862ad728f60e6600695733dd5df01da90c54363a3c"
+
+[[package]]
+name = "remove_dir_all"
+version = "0.5.3"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "3acd125665422973a33ac9d3dd2df85edad0f4ae9b00dafb1a05e43a9f5ef8e7"
+dependencies = [
+ "winapi",
+]
+
+[[package]]
+name = "reqwest"
+version = "0.11.17"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "13293b639a097af28fc8a90f22add145a9c954e49d77da06263d58cf44d5fb91"
+dependencies = [
+ "base64 0.21.0",
+ "bytes",
+ "encoding_rs",
+ "futures-core",
+ "futures-util",
+ "h2",
+ "http",
+ "http-body",
+ "hyper",
+ "hyper-tls",
+ "ipnet",
+ "js-sys",
+ "log",
+ "mime",
+ "native-tls",
+ "once_cell",
+ "percent-encoding",
+ "pin-project-lite",
+ "serde",
+ "serde_json",
+ "serde_urlencoded",
+ "tokio",
+ "tokio-native-tls",
+ "tower-service",
+ "url",
+ "wasm-bindgen",
+ "wasm-bindgen-futures",
+ "web-sys",
+ "winreg",
+]
+
+[[package]]
+name = "ring"
+version = "0.16.20"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "3053cf52e236a3ed746dfc745aa9cacf1b791d846bdaf412f60a8d7d6e17c8fc"
+dependencies = [
+ "cc",
+ "libc",
+ "once_cell",
+ "spin",
+ "untrusted",
+ "web-sys",
+ "winapi",
+]
+
+[[package]]
+name = "rust-embed"
+version = "6.6.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "1b68543d5527e158213414a92832d2aab11a84d2571a5eb021ebe22c43aab066"
+dependencies = [
+ "rust-embed-impl",
+ "rust-embed-utils",
+ "walkdir",
+]
+
+[[package]]
+name = "rust-embed-impl"
+version = "6.5.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "4d4e0f0ced47ded9a68374ac145edd65a6c1fa13a96447b873660b2a568a0fd7"
+dependencies = [
+ "proc-macro2 1.0.56",
+ "quote 1.0.26",
+ "rust-embed-utils",
+ "syn 1.0.109",
+ "walkdir",
+]
+
+[[package]]
+name = "rust-embed-utils"
+version = "7.5.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "512b0ab6853f7e14e3c8754acb43d6f748bb9ced66aa5915a6553ac8213f7731"
+dependencies = [
+ "sha2 0.10.6",
+ "walkdir",
+]
+
+[[package]]
+name = "rust-lzma"
+version = "0.5.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "895dc04daeaeee338bb96e229797902ed3f0675bfc59d5b42e0f0b0c13ac54da"
+dependencies = [
+ "pkg-config",
+]
+
+[[package]]
+name = "rustc-demangle"
+version = "0.1.23"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "d626bb9dae77e28219937af045c257c28bfd3f69333c512553507f5f9798cb76"
+
+[[package]]
+name = "rustc-hash"
+version = "1.1.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "08d43f7aa6b08d49f382cde6a7982047c3426db949b1424bc4b7ec9ae12c6ce2"
+
+[[package]]
+name = "rustc_version"
+version = "0.4.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "bfa0f585226d2e68097d4f95d113b15b83a82e819ab25717ec0590d9584ef366"
+dependencies = [
+ "semver",
+]
+
+[[package]]
+name = "rustix"
+version = "0.37.18"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "8bbfc1d1c7c40c01715f47d71444744a81669ca84e8b63e25a55e169b1f86433"
+dependencies = [
+ "bitflags",
+ "errno",
+ "io-lifetimes",
+ "libc",
+ "linux-raw-sys",
+ "windows-sys 0.48.0",
+]
+
+[[package]]
+name = "rustls"
+version = "0.20.8"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "fff78fc74d175294f4e83b28343315ffcfb114b156f0185e9741cb5570f50e2f"
+dependencies = [
+ "log",
+ "ring",
+ "sct",
+ "webpki",
+]
+
+[[package]]
+name = "ryu"
+version = "1.0.13"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "f91339c0467de62360649f8d3e185ca8de4224ff281f66000de5eb2a77a79041"
+
+[[package]]
+name = "same-file"
+version = "1.0.6"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "93fc1dc3aaa9bfed95e02e6eadabb4baf7e3078b0bd1b4d7b6b0b68378900502"
+dependencies = [
+ "winapi-util",
+]
+
+[[package]]
+name = "schannel"
+version = "0.1.21"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "713cfb06c7059f3588fb8044c0fad1d09e3c01d225e25b9220dbfdcf16dbb1b3"
+dependencies = [
+ "windows-sys 0.42.0",
+]
+
+[[package]]
+name = "scopeguard"
+version = "1.1.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "d29ab0c6d3fc0ee92fe66e2d99f700eab17a8d57d1c1d3b748380fb20baa78cd"
+
+[[package]]
+name = "sct"
+version = "0.7.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "d53dcdb7c9f8158937a7981b48accfd39a43af418591a5d008c7b22b5e1b7ca4"
+dependencies = [
+ "ring",
+ "untrusted",
+]
+
+[[package]]
+name = "security-framework"
+version = "2.8.2"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "a332be01508d814fed64bf28f798a146d73792121129962fdf335bb3c49a4254"
+dependencies = [
+ "bitflags",
+ "core-foundation",
+ "core-foundation-sys",
+ "libc",
+ "security-framework-sys",
+]
+
+[[package]]
+name = "security-framework-sys"
+version = "2.8.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "31c9bb296072e961fcbd8853511dd39c2d8be2deb1e17c6860b1d30732b323b4"
+dependencies = [
+ "core-foundation-sys",
+ "libc",
+]
+
+[[package]]
+name = "self_cell"
+version = "0.10.2"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "1ef965a420fe14fdac7dd018862966a4c14094f900e1650bbc71ddd7d580c8af"
+
+[[package]]
+name = "semver"
+version = "1.0.17"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "bebd363326d05ec3e2f532ab7660680f3b02130d780c299bca73469d521bc0ed"
+
+[[package]]
+name = "serde"
+version = "1.0.160"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "bb2f3770c8bce3bcda7e149193a069a0f4365bda1fa5cd88e03bca26afc1216c"
+dependencies = [
+ "serde_derive",
+]
+
+[[package]]
+name = "serde_derive"
+version = "1.0.160"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "291a097c63d8497e00160b166a967a4a79c64f3facdd01cbd7502231688d77df"
+dependencies = [
+ "proc-macro2 1.0.56",
+ "quote 1.0.26",
+ "syn 2.0.15",
+]
+
+[[package]]
+name = "serde_json"
+version = "1.0.96"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "057d394a50403bcac12672b2b18fb387ab6d289d957dab67dd201875391e52f1"
+dependencies = [
+ "itoa",
+ "ryu",
+ "serde",
+]
+
+[[package]]
+name = "serde_repr"
+version = "0.1.12"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "bcec881020c684085e55a25f7fd888954d56609ef363479dc5a1305eb0d40cab"
+dependencies = [
+ "proc-macro2 1.0.56",
+ "quote 1.0.26",
+ "syn 2.0.15",
+]
+
+[[package]]
+name = "serde_spanned"
+version = "0.6.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "0efd8caf556a6cebd3b285caf480045fcc1ac04f6bd786b09a6f11af30c4fcf4"
+dependencies = [
+ "serde",
+]
+
+[[package]]
+name = "serde_urlencoded"
+version = "0.7.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "d3491c14715ca2294c4d6a88f15e84739788c1d030eed8c110436aafdaa2f3fd"
+dependencies = [
+ "form_urlencoded",
+ "itoa",
+ "ryu",
+ "serde",
+]
+
+[[package]]
+name = "sha1"
+version = "0.10.5"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "f04293dc80c3993519f2d7f6f511707ee7094fe0c6d3406feb330cdb3540eba3"
+dependencies = [
+ "cfg-if",
+ "cpufeatures",
+ "digest 0.10.6",
+]
+
+[[package]]
+name = "sha2"
+version = "0.9.9"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "4d58a1e1bf39749807d89cf2d98ac2dfa0ff1cb3faa38fbb64dd88ac8013d800"
+dependencies = [
+ "block-buffer 0.9.0",
+ "cfg-if",
+ "cpufeatures",
+ "digest 0.9.0",
+ "opaque-debug",
+]
+
+[[package]]
+name = "sha2"
+version = "0.10.6"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "82e6b795fe2e3b1e845bafcb27aa35405c4d47cdfc92af5fc8d3002f76cebdc0"
+dependencies = [
+ "cfg-if",
+ "cpufeatures",
+ "digest 0.10.6",
+]
+
+[[package]]
+name = "shrinkwraprs"
+version = "0.3.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "e63e6744142336dfb606fe2b068afa2e1cca1ee6a5d8377277a92945d81fa331"
+dependencies = [
+ "bitflags",
+ "itertools",
+ "proc-macro2 1.0.56",
+ "quote 1.0.26",
+ "syn 1.0.109",
+]
+
+[[package]]
+name = "siphasher"
+version = "0.3.10"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "7bd3e3206899af3f8b12af284fafc038cc1dc2b41d1b89dd17297221c5d225de"
+
+[[package]]
+name = "slab"
+version = "0.4.8"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "6528351c9bc8ab22353f9d776db39a20288e8d6c37ef8cfe3317cf875eecfc2d"
+dependencies = [
+ "autocfg",
+]
+
+[[package]]
+name = "slotmap"
+version = "1.0.6"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "e1e08e261d0e8f5c43123b7adf3e4ca1690d655377ac93a03b2c9d3e98de1342"
+dependencies = [
+ "version_check",
+]
+
+[[package]]
+name = "smallvec"
+version = "1.10.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "a507befe795404456341dfab10cef66ead4c041f62b8b11bbb92bffe5d0953e0"
+
+[[package]]
+name = "socket2"
+version = "0.4.9"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "64a4a911eed85daf18834cfaa86a79b7d266ff93ff5ba14005426219480ed662"
+dependencies = [
+ "libc",
+ "winapi",
+]
+
+[[package]]
+name = "sodalite"
+version = "0.4.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "41784a359d15c58bba298cccb7f30a847a1a42d0620c9bdaa0aa42fdb3c280e0"
+dependencies = [
+ "index-fixed",
+]
+
+[[package]]
+name = "spin"
+version = "0.5.2"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "6e63cff320ae2c57904679ba7cb63280a3dc4613885beafb148ee7bf9aa9042d"
+
+[[package]]
+name = "static_assertions"
+version = "1.1.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "a2eb9349b6444b326872e140eb1cf5e7c522154d69e7a0ffb0fb81c06b37543f"
+
+[[package]]
+name = "string_cache"
+version = "0.8.7"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "f91138e76242f575eb1d3b38b4f1362f10d3a43f47d182a5b359af488a02293b"
+dependencies = [
+ "new_debug_unreachable",
+ "once_cell",
+ "parking_lot",
+ "phf_shared",
+ "precomputed-hash",
+ "serde",
+]
+
+[[package]]
+name = "string_cache_codegen"
+version = "0.5.2"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "6bb30289b722be4ff74a408c3cc27edeaad656e06cb1fe8fa9231fa59c728988"
+dependencies = [
+ "phf_generator",
+ "phf_shared",
+ "proc-macro2 1.0.56",
+ "quote 1.0.26",
+]
+
+[[package]]
+name = "strsim"
+version = "0.10.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "73473c0e59e6d5812c5dfe2a064a6444949f089e20eec9a2e5506596494e4623"
+
+[[package]]
+name = "strum"
+version = "0.22.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "f7ac893c7d471c8a21f31cfe213ec4f6d9afeed25537c772e08ef3f005f8729e"
+dependencies = [
+ "strum_macros",
+]
+
+[[package]]
+name = "strum_macros"
+version = "0.22.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "339f799d8b549e3744c7ac7feb216383e4005d94bdb22561b3ab8f3b808ae9fb"
+dependencies = [
+ "heck 0.3.3",
+ "proc-macro2 1.0.56",
+ "quote 1.0.26",
+ "syn 1.0.109",
+]
+
+[[package]]
+name = "syn"
+version = "0.15.44"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "9ca4b3b69a77cbe1ffc9e198781b7acb0c7365a883670e8f1c1bc66fba79a5c5"
+dependencies = [
+ "proc-macro2 0.4.30",
+ "quote 0.6.13",
+ "unicode-xid 0.1.0",
+]
+
+[[package]]
+name = "syn"
+version = "1.0.109"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "72b64191b275b66ffe2469e8af2c1cfe3bafa67b529ead792a6d0160888b4237"
+dependencies = [
+ "proc-macro2 1.0.56",
+ "quote 1.0.26",
+ "unicode-ident",
+]
+
+[[package]]
+name = "syn"
+version = "2.0.15"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "a34fcf3e8b60f57e6a14301a2e916d323af98b0ea63c599441eec8558660c822"
+dependencies = [
+ "proc-macro2 1.0.56",
+ "quote 1.0.26",
+ "unicode-ident",
+]
+
+[[package]]
+name = "synstructure"
+version = "0.12.6"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "f36bdaa60a83aca3921b5259d5400cbf5e90fc51931376a9bd4a0eb79aa7210f"
+dependencies = [
+ "proc-macro2 1.0.56",
+ "quote 1.0.26",
+ "syn 1.0.109",
+ "unicode-xid 0.2.4",
+]
+
+[[package]]
+name = "system-deps"
+version = "6.0.5"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "d0fe581ad25d11420b873cf9aedaca0419c2b411487b134d4d21065f3d092055"
+dependencies = [
+ "cfg-expr",
+ "heck 0.4.1",
+ "pkg-config",
+ "toml 0.7.3",
+ "version-compare",
+]
+
+[[package]]
+name = "system76-firmware"
+version = "1.0.51"
+source = "git+https://github.com/pop-os/system76-firmware#c3d5323647a0853c4d28e4f7148a4a96f63dbb3a"
+dependencies = [
+ "anyhow",
+ "bincode",
+ "buildchain",
+ "clap 3.2.25",
+ "ecflash",
+ "libc",
+ "plain",
+ "rust-lzma",
+ "serde",
+ "serde_json",
+ "sha2 0.9.9",
+ "system76_ectool",
+ "tar",
+ "tempdir",
+ "uuid",
+]
+
+[[package]]
+name = "system76-firmware-daemon"
+version = "0.1.0"
+source = "git+https://github.com/pop-os/system76-firmware#c3d5323647a0853c4d28e4f7148a4a96f63dbb3a"
+dependencies = [
+ "dbus 0.9.7",
+ "dbus-crossroads",
+ "enum_derive",
+ "libc",
+ "serde",
+ "serde_json",
+ "shrinkwraprs",
+ "system76-firmware",
+ "thiserror",
+]
+
+[[package]]
+name = "system76_ectool"
+version = "0.2.3"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "c957fdd329e017031dbd261ff48fad01296660a9c237942c226cff064bd0610a"
+dependencies = [
+ "libc",
+]
+
+[[package]]
+name = "tar"
+version = "0.4.35"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "7d779dc6aeff029314570f666ec83f19df7280bb36ef338442cfa8c604021b80"
+dependencies = [
+ "filetime",
+ "libc",
+ "xattr",
+]
+
+[[package]]
+name = "target-lexicon"
+version = "0.12.7"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "fd1ba337640d60c3e96bc6f0638a939b9c9a7f2c316a1598c279828b3d1dc8c5"
+
+[[package]]
+name = "tauri-winrt-notification"
+version = "0.1.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "c58de036c4d2e20717024de2a3c4bf56c301f07b21bc8ef9b57189fce06f1f3b"
+dependencies = [
+ "quick-xml",
+ "strum",
+ "windows",
+]
+
+[[package]]
+name = "tempdir"
+version = "0.3.7"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "15f2b5fb00ccdf689e0149d1b1b3c03fead81c2b37735d812fa8bddbbf41b6d8"
+dependencies = [
+ "rand 0.4.6",
+ "remove_dir_all",
+]
+
+[[package]]
+name = "tempfile"
+version = "3.5.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "b9fbec84f381d5795b08656e4912bec604d162bff9291d6189a78f4c8ab87998"
+dependencies = [
+ "cfg-if",
+ "fastrand",
+ "redox_syscall 0.3.5",
+ "rustix",
+ "windows-sys 0.45.0",
+]
+
+[[package]]
+name = "tendril"
+version = "0.4.3"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "d24a120c5fc464a3458240ee02c299ebcb9d67b5249c8848b09d639dca8d7bb0"
+dependencies = [
+ "futf",
+ "mac",
+ "utf-8",
+]
+
+[[package]]
+name = "termcolor"
+version = "1.2.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "be55cf8942feac5c765c2c993422806843c9a9a45d4d5c407ad6dd2ea95eb9b6"
+dependencies = [
+ "winapi-util",
+]
+
+[[package]]
+name = "textwrap"
+version = "0.16.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "222a222a5bfe1bba4a77b45ec488a741b3cb8872e5e499451fd7d0129c9c7c3d"
+
+[[package]]
+name = "thiserror"
+version = "1.0.40"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "978c9a314bd8dc99be594bc3c175faaa9794be04a5a5e153caba6915336cebac"
+dependencies = [
+ "thiserror-impl",
+]
+
+[[package]]
+name = "thiserror-impl"
+version = "1.0.40"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "f9456a42c5b0d803c8cd86e73dd7cc9edd429499f37a3550d286d5e86720569f"
+dependencies = [
+ "proc-macro2 1.0.56",
+ "quote 1.0.26",
+ "syn 2.0.15",
+]
+
+[[package]]
+name = "time"
+version = "0.3.20"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "cd0cbfecb4d19b5ea75bb31ad904eb5b9fa13f21079c3b92017ebdf4999a5890"
+dependencies = [
+ "serde",
+ "time-core",
+]
+
+[[package]]
+name = "time-core"
+version = "0.1.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "2e153e1f1acaef8acc537e68b44906d2db6436e2b35ac2c6b42640fff91f00fd"
+
+[[package]]
+name = "tinystr"
+version = "0.7.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "7ac3f5b6856e931e15e07b478e98c8045239829a65f9156d4fa7e7788197a5ef"
+dependencies = [
+ "displaydoc",
+]
+
+[[package]]
+name = "tinyvec"
+version = "1.6.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "87cc5ceb3875bb20c2890005a4e226a4651264a5c75edb2421b52861a0a0cb50"
+dependencies = [
+ "tinyvec_macros",
+]
+
+[[package]]
+name = "tinyvec_macros"
+version = "0.1.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "1f3ccbac311fea05f86f61904b462b55fb3df8837a366dfc601a0161d0532f20"
+
+[[package]]
+name = "tokio"
+version = "1.28.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "c3c786bf8134e5a3a166db9b29ab8f48134739014a3eca7bc6bfa95d673b136f"
+dependencies = [
+ "autocfg",
+ "bytes",
+ "libc",
+ "mio 0.8.6",
+ "num_cpus",
+ "pin-project-lite",
+ "socket2",
+ "windows-sys 0.48.0",
+]
+
+[[package]]
+name = "tokio-native-tls"
+version = "0.3.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "bbae76ab933c85776efabc971569dd6119c580d8f5d448769dec1764bf796ef2"
+dependencies = [
+ "native-tls",
+ "tokio",
+]
+
+[[package]]
+name = "tokio-udev"
+version = "0.8.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "246ffebae60acd93eb0056bac967cad807c7aa09916fabceac50479ad1f53e64"
+dependencies = [
+ "futures-core",
+ "mio 0.7.14",
+ "tokio",
+ "udev",
+]
+
+[[package]]
+name = "tokio-util"
+version = "0.7.8"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "806fe8c2c87eccc8b3267cbae29ed3ab2d0bd37fca70ab622e46aaa9375ddb7d"
+dependencies = [
+ "bytes",
+ "futures-core",
+ "futures-sink",
+ "pin-project-lite",
+ "tokio",
+ "tracing",
+]
+
+[[package]]
+name = "toml"
+version = "0.5.11"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "f4f7f0dd8d50a853a531c426359045b1998f04219d88799810762cd4ad314234"
+dependencies = [
+ "serde",
+]
+
+[[package]]
+name = "toml"
+version = "0.7.3"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "b403acf6f2bb0859c93c7f0d967cb4a75a7ac552100f9322faf64dc047669b21"
+dependencies = [
+ "serde",
+ "serde_spanned",
+ "toml_datetime",
+ "toml_edit",
+]
+
+[[package]]
+name = "toml_datetime"
+version = "0.6.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "3ab8ed2edee10b50132aed5f331333428b011c99402b5a534154ed15746f9622"
+dependencies = [
+ "serde",
+]
+
+[[package]]
+name = "toml_edit"
+version = "0.19.8"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "239410c8609e8125456927e6707163a3b1fdb40561e4b803bc041f466ccfdc13"
+dependencies = [
+ "indexmap",
+ "serde",
+ "serde_spanned",
+ "toml_datetime",
+ "winnow",
+]
+
+[[package]]
+name = "tools"
+version = "0.1.0"
+dependencies = [
+ "clap 4.2.5",
+ "freedesktop-desktop-entry",
+]
+
+[[package]]
+name = "tower-service"
+version = "0.3.2"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "b6bc1c9ce2b5135ac7f93c72918fc37feb872bdc6a5533a8b85eb4b86bfdae52"
+
+[[package]]
+name = "tracing"
+version = "0.1.37"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "8ce8c33a8d48bd45d624a6e523445fd21ec13d3653cd51f681abf67418f54eb8"
+dependencies = [
+ "cfg-if",
+ "pin-project-lite",
+ "tracing-attributes",
+ "tracing-core",
+]
+
+[[package]]
+name = "tracing-attributes"
+version = "0.1.24"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "0f57e3ca2a01450b1a921183a9c9cbfda207fd822cef4ccb00a65402cbba7a74"
+dependencies = [
+ "proc-macro2 1.0.56",
+ "quote 1.0.26",
+ "syn 2.0.15",
+]
+
+[[package]]
+name = "tracing-core"
+version = "0.1.30"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "24eb03ba0eab1fd845050058ce5e616558e8f8d8fca633e6b163fe25c797213a"
+dependencies = [
+ "once_cell",
+]
+
+[[package]]
+name = "try-lock"
+version = "0.2.4"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "3528ecfd12c466c6f163363caf2d02a71161dd5e1cc6ae7b34207ea2d42d81ed"
+
+[[package]]
+name = "type-map"
+version = "0.4.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "b6d3364c5e96cb2ad1603037ab253ddd34d7fb72a58bdddf4b7350760fc69a46"
+dependencies = [
+ "rustc-hash",
+]
+
+[[package]]
+name = "typenum"
+version = "1.16.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "497961ef93d974e23eb6f433eb5fe1b7930b659f06d12dec6fc44a8f554c0bba"
+
+[[package]]
+name = "udev"
+version = "0.6.3"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "1c960764f7e816eed851a96c364745d37f9fe71a2e7dba79fbd40104530b5dd0"
+dependencies = [
+ "libc",
+ "libudev-sys",
+ "mio 0.8.6",
+ "pkg-config",
+]
+
+[[package]]
+name = "uds_windows"
+version = "1.0.2"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "ce65604324d3cce9b966701489fbd0cf318cb1f7bd9dd07ac9a4ee6fb791930d"
+dependencies = [
+ "tempfile",
+ "winapi",
+]
+
+[[package]]
+name = "unic-langid"
+version = "0.9.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "398f9ad7239db44fd0f80fe068d12ff22d78354080332a5077dc6f52f14dcf2f"
+dependencies = [
+ "unic-langid-impl",
+]
+
+[[package]]
+name = "unic-langid-impl"
+version = "0.9.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "e35bfd2f2b8796545b55d7d3fd3e89a0613f68a0d1c8bc28cb7ff96b411a35ff"
+dependencies = [
+ "serde",
+ "tinystr",
+]
+
+[[package]]
+name = "unicode-bidi"
+version = "0.3.13"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "92888ba5573ff080736b3648696b70cafad7d250551175acbaa4e0385b3e1460"
+
+[[package]]
+name = "unicode-ident"
+version = "1.0.8"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "e5464a87b239f13a63a501f2701565754bae92d243d4bb7eb12f6d57d2269bf4"
+
+[[package]]
+name = "unicode-normalization"
+version = "0.1.22"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "5c5713f0fc4b5db668a2ac63cdb7bb4469d8c9fed047b1d0292cc7b0ce2ba921"
+dependencies = [
+ "tinyvec",
+]
+
+[[package]]
+name = "unicode-segmentation"
+version = "1.10.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "1dd624098567895118886609431a7c3b8f516e41d30e0643f03d94592a147e36"
+
+[[package]]
+name = "unicode-xid"
+version = "0.1.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "fc72304796d0818e357ead4e000d19c9c174ab23dc11093ac919054d20a6a7fc"
+
+[[package]]
+name = "unicode-xid"
+version = "0.2.4"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "f962df74c8c05a667b5ee8bcf162993134c104e96440b663c8daa176dc772d8c"
+
+[[package]]
+name = "untrusted"
+version = "0.7.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "a156c684c91ea7d62626509bce3cb4e1d9ed5c4d978f7b4352658f96a4c26b4a"
+
+[[package]]
+name = "upower_dbus"
+version = "0.1.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "b8121b555fe6fd748fb4bb147f7b31b5ea17d006633183447e0d89e19d9aa9b7"
+dependencies = [
+ "dbus 0.6.5",
+ "failure",
+ "failure_derive",
+]
+
+[[package]]
+name = "ureq"
+version = "2.6.2"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "338b31dd1314f68f3aabf3ed57ab922df95ffcd902476ca7ba3c4ce7b908c46d"
+dependencies = [
+ "base64 0.13.1",
+ "flate2",
+ "log",
+ "once_cell",
+ "rustls",
+ "url",
+ "webpki",
+ "webpki-roots",
+]
+
+[[package]]
+name = "url"
+version = "2.3.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "0d68c799ae75762b8c3fe375feb6600ef5602c883c5d21eb51c09f22b83c4643"
+dependencies = [
+ "form_urlencoded",
+ "idna",
+ "percent-encoding",
+]
+
+[[package]]
+name = "users"
+version = "0.11.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "24cc0f6d6f267b73e5a2cadf007ba8f9bc39c6a6f9666f8cf25ea809a153b032"
+dependencies = [
+ "libc",
+ "log",
+]
+
+[[package]]
+name = "utf-8"
+version = "0.7.6"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "09cc8ee72d2a9becf2f2febe0205bbed8fc6615b7cb429ad062dc7b7ddd036a9"
+
+[[package]]
+name = "utf8parse"
+version = "0.2.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "711b9620af191e0cdc7468a8d14e709c3dcdb115b36f838e601583af800a370a"
+
+[[package]]
+name = "uuid"
+version = "0.8.2"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "bc5cf98d8186244414c848017f0e2676b3fcb46807f6668a97dfe67359a3c4b7"
+
+[[package]]
+name = "vcpkg"
+version = "0.2.15"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "accd4ea62f7bb7a82fe23066fb0957d48ef677f6eeb8215f372f52e48bb32426"
+
+[[package]]
+name = "version-compare"
+version = "0.1.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "579a42fc0b8e0c63b76519a339be31bed574929511fa53c1a3acae26eb258f29"
+
+[[package]]
+name = "version_check"
+version = "0.9.4"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "49874b5167b65d7193b8aba1567f5c7d93d001cafc34600cee003eda787e483f"
+
+[[package]]
+name = "waker-fn"
+version = "1.1.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "9d5b2c62b4012a3e1eca5a7e077d13b3bf498c4073e33ccd58626607748ceeca"
+
+[[package]]
+name = "walkdir"
+version = "2.3.3"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "36df944cda56c7d8d8b7496af378e6b16de9284591917d307c9b4d313c44e698"
+dependencies = [
+ "same-file",
+ "winapi-util",
+]
+
+[[package]]
+name = "want"
+version = "0.3.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "1ce8a968cb1cd110d136ff8b819a556d6fb6d919363c61534f6860c7eb172ba0"
+dependencies = [
+ "log",
+ "try-lock",
+]
+
+[[package]]
+name = "wasi"
+version = "0.11.0+wasi-snapshot-preview1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "9c8d87e72b64a3b4db28d11ce29237c246188f4f51057d65a7eab63b7987e423"
+
+[[package]]
+name = "wasm-bindgen"
+version = "0.2.84"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "31f8dcbc21f30d9b8f2ea926ecb58f6b91192c17e9d33594b3df58b2007ca53b"
+dependencies = [
+ "cfg-if",
+ "wasm-bindgen-macro",
+]
+
+[[package]]
+name = "wasm-bindgen-backend"
+version = "0.2.84"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "95ce90fd5bcc06af55a641a86428ee4229e44e07033963a2290a8e241607ccb9"
+dependencies = [
+ "bumpalo",
+ "log",
+ "once_cell",
+ "proc-macro2 1.0.56",
+ "quote 1.0.26",
+ "syn 1.0.109",
+ "wasm-bindgen-shared",
+]
+
+[[package]]
+name = "wasm-bindgen-futures"
+version = "0.4.34"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "f219e0d211ba40266969f6dbdd90636da12f75bee4fc9d6c23d1260dadb51454"
+dependencies = [
+ "cfg-if",
+ "js-sys",
+ "wasm-bindgen",
+ "web-sys",
+]
+
+[[package]]
+name = "wasm-bindgen-macro"
+version = "0.2.84"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "4c21f77c0bedc37fd5dc21f897894a5ca01e7bb159884559461862ae90c0b4c5"
+dependencies = [
+ "quote 1.0.26",
+ "wasm-bindgen-macro-support",
+]
+
+[[package]]
+name = "wasm-bindgen-macro-support"
+version = "0.2.84"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "2aff81306fcac3c7515ad4e177f521b5c9a15f2b08f4e32d823066102f35a5f6"
+dependencies = [
+ "proc-macro2 1.0.56",
+ "quote 1.0.26",
+ "syn 1.0.109",
+ "wasm-bindgen-backend",
+ "wasm-bindgen-shared",
+]
+
+[[package]]
+name = "wasm-bindgen-shared"
+version = "0.2.84"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "0046fef7e28c3804e5e38bfa31ea2a0f73905319b677e57ebe37e49358989b5d"
+
+[[package]]
+name = "web-sys"
+version = "0.3.61"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "e33b99f4b23ba3eec1a53ac264e35a755f00e966e0065077d6027c0f575b0b97"
+dependencies = [
+ "js-sys",
+ "wasm-bindgen",
+]
+
+[[package]]
+name = "webpki"
+version = "0.22.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "f095d78192e208183081cc07bc5515ef55216397af48b873e5edcd72637fa1bd"
+dependencies = [
+ "ring",
+ "untrusted",
+]
+
+[[package]]
+name = "webpki-roots"
+version = "0.22.6"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "b6c71e40d7d2c34a5106301fb632274ca37242cd0c9d3e64dbece371a40a2d87"
+dependencies = [
+ "webpki",
+]
+
+[[package]]
+name = "winapi"
+version = "0.3.9"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "5c839a674fcd7a98952e593242ea400abe93992746761e38641405d28b00f419"
+dependencies = [
+ "winapi-i686-pc-windows-gnu",
+ "winapi-x86_64-pc-windows-gnu",
+]
+
+[[package]]
+name = "winapi-i686-pc-windows-gnu"
+version = "0.4.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "ac3b87c63620426dd9b991e5ce0329eff545bccbbb34f3be09ff6fb6ab51b7b6"
+
+[[package]]
+name = "winapi-util"
+version = "0.1.5"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "70ec6ce85bb158151cae5e5c87f95a8e97d2c0c4b001223f33a334e3ce5de178"
+dependencies = [
+ "winapi",
+]
+
+[[package]]
+name = "winapi-x86_64-pc-windows-gnu"
+version = "0.4.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "712e227841d057c1ee1cd2fb22fa7e5a5461ae8e48fa2ca79ec42cfc1931183f"
+
+[[package]]
+name = "windows"
+version = "0.39.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "f1c4bd0a50ac6020f65184721f758dba47bb9fbc2133df715ec74a237b26794a"
+dependencies = [
+ "windows_aarch64_msvc 0.39.0",
+ "windows_i686_gnu 0.39.0",
+ "windows_i686_msvc 0.39.0",
+ "windows_x86_64_gnu 0.39.0",
+ "windows_x86_64_msvc 0.39.0",
+]
+
+[[package]]
+name = "windows-sys"
+version = "0.42.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "5a3e1820f08b8513f676f7ab6c1f99ff312fb97b553d30ff4dd86f9f15728aa7"
+dependencies = [
+ "windows_aarch64_gnullvm 0.42.2",
+ "windows_aarch64_msvc 0.42.2",
+ "windows_i686_gnu 0.42.2",
+ "windows_i686_msvc 0.42.2",
+ "windows_x86_64_gnu 0.42.2",
+ "windows_x86_64_gnullvm 0.42.2",
+ "windows_x86_64_msvc 0.42.2",
+]
+
+[[package]]
+name = "windows-sys"
+version = "0.45.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "75283be5efb2831d37ea142365f009c02ec203cd29a3ebecbc093d52315b66d0"
+dependencies = [
+ "windows-targets 0.42.2",
+]
+
+[[package]]
+name = "windows-sys"
+version = "0.48.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "677d2418bec65e3338edb076e806bc1ec15693c5d0104683f2efe857f61056a9"
+dependencies = [
+ "windows-targets 0.48.0",
+]
+
+[[package]]
+name = "windows-targets"
+version = "0.42.2"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "8e5180c00cd44c9b1c88adb3693291f1cd93605ded80c250a75d472756b4d071"
+dependencies = [
+ "windows_aarch64_gnullvm 0.42.2",
+ "windows_aarch64_msvc 0.42.2",
+ "windows_i686_gnu 0.42.2",
+ "windows_i686_msvc 0.42.2",
+ "windows_x86_64_gnu 0.42.2",
+ "windows_x86_64_gnullvm 0.42.2",
+ "windows_x86_64_msvc 0.42.2",
+]
+
+[[package]]
+name = "windows-targets"
+version = "0.48.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "7b1eb6f0cd7c80c79759c929114ef071b87354ce476d9d94271031c0497adfd5"
+dependencies = [
+ "windows_aarch64_gnullvm 0.48.0",
+ "windows_aarch64_msvc 0.48.0",
+ "windows_i686_gnu 0.48.0",
+ "windows_i686_msvc 0.48.0",
+ "windows_x86_64_gnu 0.48.0",
+ "windows_x86_64_gnullvm 0.48.0",
+ "windows_x86_64_msvc 0.48.0",
+]
+
+[[package]]
+name = "windows_aarch64_gnullvm"
+version = "0.42.2"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "597a5118570b68bc08d8d59125332c54f1ba9d9adeedeef5b99b02ba2b0698f8"
+
+[[package]]
+name = "windows_aarch64_gnullvm"
+version = "0.48.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "91ae572e1b79dba883e0d315474df7305d12f569b400fcf90581b06062f7e1bc"
+
+[[package]]
+name = "windows_aarch64_msvc"
+version = "0.39.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "ec7711666096bd4096ffa835238905bb33fb87267910e154b18b44eaabb340f2"
+
+[[package]]
+name = "windows_aarch64_msvc"
+version = "0.42.2"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "e08e8864a60f06ef0d0ff4ba04124db8b0fb3be5776a5cd47641e942e58c4d43"
+
+[[package]]
+name = "windows_aarch64_msvc"
+version = "0.48.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "b2ef27e0d7bdfcfc7b868b317c1d32c641a6fe4629c171b8928c7b08d98d7cf3"
+
+[[package]]
+name = "windows_i686_gnu"
+version = "0.39.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "763fc57100a5f7042e3057e7e8d9bdd7860d330070251a73d003563a3bb49e1b"
+
+[[package]]
+name = "windows_i686_gnu"
+version = "0.42.2"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "c61d927d8da41da96a81f029489353e68739737d3beca43145c8afec9a31a84f"
+
+[[package]]
+name = "windows_i686_gnu"
+version = "0.48.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "622a1962a7db830d6fd0a69683c80a18fda201879f0f447f065a3b7467daa241"
+
+[[package]]
+name = "windows_i686_msvc"
+version = "0.39.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "7bc7cbfe58828921e10a9f446fcaaf649204dcfe6c1ddd712c5eebae6bda1106"
+
+[[package]]
+name = "windows_i686_msvc"
+version = "0.42.2"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "44d840b6ec649f480a41c8d80f9c65108b92d89345dd94027bfe06ac444d1060"
+
+[[package]]
+name = "windows_i686_msvc"
+version = "0.48.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "4542c6e364ce21bf45d69fdd2a8e455fa38d316158cfd43b3ac1c5b1b19f8e00"
+
+[[package]]
+name = "windows_x86_64_gnu"
+version = "0.39.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "6868c165637d653ae1e8dc4d82c25d4f97dd6605eaa8d784b5c6e0ab2a252b65"
+
+[[package]]
+name = "windows_x86_64_gnu"
+version = "0.42.2"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "8de912b8b8feb55c064867cf047dda097f92d51efad5b491dfb98f6bbb70cb36"
+
+[[package]]
+name = "windows_x86_64_gnu"
+version = "0.48.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "ca2b8a661f7628cbd23440e50b05d705db3686f894fc9580820623656af974b1"
+
+[[package]]
+name = "windows_x86_64_gnullvm"
+version = "0.42.2"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "26d41b46a36d453748aedef1486d5c7a85db22e56aff34643984ea85514e94a3"
+
+[[package]]
+name = "windows_x86_64_gnullvm"
+version = "0.48.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "7896dbc1f41e08872e9d5e8f8baa8fdd2677f29468c4e156210174edc7f7b953"
+
+[[package]]
+name = "windows_x86_64_msvc"
+version = "0.39.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "5e4d40883ae9cae962787ca76ba76390ffa29214667a111db9e0a1ad8377e809"
+
+[[package]]
+name = "windows_x86_64_msvc"
+version = "0.42.2"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "9aec5da331524158c6d1a4ac0ab1541149c0b9505fde06423b02f5ef0106b9f0"
+
+[[package]]
+name = "windows_x86_64_msvc"
+version = "0.48.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "1a515f5799fe4961cb532f983ce2b23082366b898e52ffbce459c86f67c8378a"
+
+[[package]]
+name = "winnow"
+version = "0.4.6"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "61de7bac303dc551fe038e2b3cef0f571087a47571ea6e79a87692ac99b99699"
+dependencies = [
+ "memchr",
+]
+
+[[package]]
+name = "winreg"
+version = "0.10.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "80d0f4e272c85def139476380b12f9ac60926689dd2e01d4923222f40580869d"
+dependencies = [
+ "winapi",
+]
+
+[[package]]
+name = "xattr"
+version = "0.2.3"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "6d1526bbe5aaeb5eb06885f4d987bcdfa5e23187055de9b83fe00156a821fabc"
+dependencies = [
+ "libc",
+]
+
+[[package]]
+name = "xdg"
+version = "2.5.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "688597db5a750e9cad4511cb94729a078e274308099a0382b5b8203bbc767fee"
+dependencies = [
+ "home",
+]
+
+[[package]]
+name = "xdg-home"
+version = "1.0.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "2769203cd13a0c6015d515be729c526d041e9cf2c0cc478d57faee85f40c6dcd"
+dependencies = [
+ "nix",
+ "winapi",
+]
+
+[[package]]
+name = "xml5ever"
+version = "0.17.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "4034e1d05af98b51ad7214527730626f019682d797ba38b51689212118d8e650"
+dependencies = [
+ "log",
+ "mac",
+ "markup5ever",
+]
+
+[[package]]
+name = "yansi"
+version = "0.5.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "09041cd90cf85f7f8b2df60c646f853b7f535ce68f85244eb6731cf89fa498ec"
+
+[[package]]
+name = "zbus"
+version = "3.12.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "29242fa5ec5693629ae74d6eb1f69622a9511f600986d6d9779bccf36ac316e3"
+dependencies = [
+ "async-broadcast",
+ "async-executor",
+ "async-fs",
+ "async-io",
+ "async-lock",
+ "async-recursion",
+ "async-task",
+ "async-trait",
+ "byteorder",
+ "derivative",
+ "enumflags2",
+ "event-listener",
+ "futures-core",
+ "futures-sink",
+ "futures-util",
+ "hex 0.4.3",
+ "nix",
+ "once_cell",
+ "ordered-stream",
+ "rand 0.8.5",
+ "serde",
+ "serde_repr",
+ "sha1",
+ "static_assertions",
+ "tracing",
+ "uds_windows",
+ "winapi",
+ "xdg-home",
+ "zbus_macros",
+ "zbus_names",
+ "zvariant",
+]
+
+[[package]]
+name = "zbus_macros"
+version = "3.12.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "537793e26e9af85f774801dc52c6f6292352b2b517c5cf0449ffd3735732a53a"
+dependencies = [
+ "proc-macro-crate",
+ "proc-macro2 1.0.56",
+ "quote 1.0.26",
+ "regex",
+ "syn 1.0.109",
+ "zvariant_utils",
+]
+
+[[package]]
+name = "zbus_names"
+version = "2.5.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "f34f314916bd89bdb9934154627fab152f4f28acdda03e7c4c68181b214fe7e3"
+dependencies = [
+ "serde",
+ "static_assertions",
+ "zvariant",
+]
+
+[[package]]
+name = "zvariant"
+version = "3.12.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "46fe4914a985446d6fd287019b5fceccce38303d71407d9e6e711d44954a05d8"
+dependencies = [
+ "byteorder",
+ "enumflags2",
+ "libc",
+ "serde",
+ "static_assertions",
+ "zvariant_derive",
+]
+
+[[package]]
+name = "zvariant_derive"
+version = "3.12.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "34c20260af4b28b3275d6676c7e2a6be0d4332e8e0aba4616d34007fd84e462a"
+dependencies = [
+ "proc-macro-crate",
+ "proc-macro2 1.0.56",
+ "quote 1.0.26",
+ "syn 1.0.109",
+ "zvariant_utils",
+]
+
+[[package]]
+name = "zvariant_utils"
+version = "1.0.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "53b22993dbc4d128a17a3b6c92f1c63872dd67198537ee728d8b5d7c40640a8b"
+dependencies = [
+ "proc-macro2 1.0.56",
+ "quote 1.0.26",
+ "syn 1.0.109",
+]
diff --git a/nixpkgs/pkgs/os-specific/linux/firmware/firmware-manager/default.nix b/nixpkgs/pkgs/os-specific/linux/firmware/firmware-manager/default.nix
new file mode 100644
index 000000000000..af455e7ef61f
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/firmware/firmware-manager/default.nix
@@ -0,0 +1,60 @@
+{ lib
+, stdenv
+, rustPlatform
+, fetchFromGitHub
+, cargo
+, pkg-config
+, rustc
+, openssl
+, udev
+, gtk3
+, wrapGAppsHook
+}:
+
+stdenv.mkDerivation rec {
+  pname = "firmware-manager";
+  version = "0.1.5";
+
+  src = fetchFromGitHub {
+    owner = "pop-os";
+    repo = pname;
+    rev = version;
+    hash = "sha256-Q+LJJ4xK583fAcwuOFykt6GKT0rVJgmTt+zUX4o4Tm4=";
+  };
+
+  cargoDeps = rustPlatform.importCargoLock {
+    lockFile = ./Cargo.lock;
+    outputHashes = {
+      "ecflash-0.1.0" = "sha256-W613wbW54R65/rs6oiPAH/qov2OVEjMMszpUJdX4TxI=";
+      "system76-firmware-1.0.51" = "sha256-+GPz7uKygGnFUptQEGYWkEdHgxBc65kLZqpwZqtwets=";
+    };
+  };
+
+  postPatch = ''
+    substituteInPlace Makefile --replace '$(DESTDIR)/etc' '$(DESTDIR)$(prefix)/etc'
+  '';
+
+  nativeBuildInputs = [
+    cargo
+    rustc
+    pkg-config
+    rustPlatform.cargoSetupHook
+    wrapGAppsHook
+  ];
+
+  buildInputs = [
+    openssl
+    gtk3
+    udev
+  ];
+
+  makeFlags = [ "prefix=$(out)" ];
+
+  meta = {
+    description = "Graphical frontend for firmware management";
+    homepage = "https://github.com/pop-os/firmware-manager";
+    license = lib.licenses.gpl3;
+    maintainers = [ lib.maintainers.shlevy ];
+    platforms = lib.platforms.linux;
+  };
+}
diff --git a/nixpkgs/pkgs/os-specific/linux/firmware/firmware-updater/default.nix b/nixpkgs/pkgs/os-specific/linux/firmware/firmware-updater/default.nix
new file mode 100644
index 000000000000..460ac0ad17b4
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/firmware/firmware-updater/default.nix
@@ -0,0 +1,42 @@
+{ lib
+, writeText
+, flutter
+, fetchFromGitHub
+}:
+
+flutter.buildFlutterApplication rec {
+  pname = "firmware-updater";
+  version = "unstable-2023-09-17";
+
+  pubspecLockFile = ./pubspec.lock;
+  depsListFile = ./deps.json;
+  vendorHash = "sha256-5xd9ppnWleKVA69DJWVdY+rZziu4dQBCu16I0ivD8kE=";
+
+  src = fetchFromGitHub {
+    owner = "canonical";
+    repo = "firmware-updater";
+    rev = "855999da8d3d0c9930e06f2d296d82b55aeff79e";
+    hash = "sha256-tIeEuHl+sCKd756NYPmxXiV1Sg2m9W0eGUtM/Iskeu8=";
+  };
+
+  postPatch = ''
+    rm -f pubspec.lock
+    ln -s "${writeText "${pname}-overrides.yaml" (builtins.toJSON {
+      dependency_overrides = {
+        yaru = "^1.1.0";
+        yaru_icons = "^2.2.1";
+        yaru_widgets = "^3.1.0";
+        mockito = "^5.4.2";
+        test_api = "^0.6.1";
+      };
+    })}" pubspec_overrides.yaml
+  '';
+
+  meta = with lib; {
+    description = "Firmware Updater for Linux";
+    homepage = "https://github.com/canonical/firmware-updater";
+    license = licenses.gpl3Only;
+    maintainers = with maintainers; [ mkg20001 ];
+    platforms = platforms.linux;
+  };
+}
diff --git a/nixpkgs/pkgs/os-specific/linux/firmware/firmware-updater/deps.json b/nixpkgs/pkgs/os-specific/linux/firmware/firmware-updater/deps.json
new file mode 100644
index 000000000000..702ddfd8c093
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/firmware/firmware-updater/deps.json
@@ -0,0 +1,1616 @@
+[
+  {
+    "name": "firmware_updater",
+    "version": "0.0.0",
+    "kind": "root",
+    "source": "root",
+    "dependencies": [
+      "collection",
+      "dbus",
+      "dio",
+      "file",
+      "flutter",
+      "flutter_html",
+      "flutter_localizations",
+      "freezed_annotation",
+      "fwupd",
+      "gtk",
+      "handy_window",
+      "meta",
+      "path",
+      "provider",
+      "safe_change_notifier",
+      "ubuntu_logger",
+      "ubuntu_service",
+      "ubuntu_session",
+      "ubuntu_test",
+      "upower",
+      "yaru",
+      "yaru_colors",
+      "yaru_icons",
+      "yaru_widgets",
+      "build_runner",
+      "flutter_lints",
+      "flutter_test",
+      "freezed",
+      "integration_test",
+      "melos",
+      "mockito",
+      "test_api"
+    ]
+  },
+  {
+    "name": "test_api",
+    "version": "0.6.1",
+    "kind": "transitive",
+    "source": "hosted",
+    "dependencies": [
+      "async",
+      "boolean_selector",
+      "collection",
+      "meta",
+      "source_span",
+      "stack_trace",
+      "stream_channel",
+      "string_scanner",
+      "term_glyph"
+    ]
+  },
+  {
+    "name": "term_glyph",
+    "version": "1.2.1",
+    "kind": "transitive",
+    "source": "hosted",
+    "dependencies": []
+  },
+  {
+    "name": "string_scanner",
+    "version": "1.2.0",
+    "kind": "transitive",
+    "source": "hosted",
+    "dependencies": [
+      "source_span"
+    ]
+  },
+  {
+    "name": "source_span",
+    "version": "1.10.0",
+    "kind": "transitive",
+    "source": "hosted",
+    "dependencies": [
+      "collection",
+      "path",
+      "term_glyph"
+    ]
+  },
+  {
+    "name": "path",
+    "version": "1.8.3",
+    "kind": "direct",
+    "source": "hosted",
+    "dependencies": []
+  },
+  {
+    "name": "collection",
+    "version": "1.17.2",
+    "kind": "direct",
+    "source": "hosted",
+    "dependencies": []
+  },
+  {
+    "name": "stream_channel",
+    "version": "2.1.1",
+    "kind": "transitive",
+    "source": "hosted",
+    "dependencies": [
+      "async"
+    ]
+  },
+  {
+    "name": "async",
+    "version": "2.11.0",
+    "kind": "transitive",
+    "source": "hosted",
+    "dependencies": [
+      "collection",
+      "meta"
+    ]
+  },
+  {
+    "name": "meta",
+    "version": "1.9.1",
+    "kind": "direct",
+    "source": "hosted",
+    "dependencies": []
+  },
+  {
+    "name": "stack_trace",
+    "version": "1.11.0",
+    "kind": "transitive",
+    "source": "hosted",
+    "dependencies": [
+      "path"
+    ]
+  },
+  {
+    "name": "boolean_selector",
+    "version": "2.1.1",
+    "kind": "transitive",
+    "source": "hosted",
+    "dependencies": [
+      "source_span",
+      "string_scanner"
+    ]
+  },
+  {
+    "name": "mockito",
+    "version": "5.4.2",
+    "kind": "dev",
+    "source": "hosted",
+    "dependencies": [
+      "analyzer",
+      "build",
+      "code_builder",
+      "collection",
+      "dart_style",
+      "matcher",
+      "meta",
+      "path",
+      "source_gen",
+      "test_api"
+    ]
+  },
+  {
+    "name": "source_gen",
+    "version": "1.4.0",
+    "kind": "transitive",
+    "source": "hosted",
+    "dependencies": [
+      "analyzer",
+      "async",
+      "build",
+      "dart_style",
+      "glob",
+      "path",
+      "source_span",
+      "yaml"
+    ]
+  },
+  {
+    "name": "yaml",
+    "version": "3.1.2",
+    "kind": "transitive",
+    "source": "hosted",
+    "dependencies": [
+      "collection",
+      "source_span",
+      "string_scanner"
+    ]
+  },
+  {
+    "name": "glob",
+    "version": "2.1.2",
+    "kind": "transitive",
+    "source": "hosted",
+    "dependencies": [
+      "async",
+      "collection",
+      "file",
+      "path",
+      "string_scanner"
+    ]
+  },
+  {
+    "name": "file",
+    "version": "6.1.4",
+    "kind": "direct",
+    "source": "hosted",
+    "dependencies": [
+      "meta",
+      "path"
+    ]
+  },
+  {
+    "name": "dart_style",
+    "version": "2.3.2",
+    "kind": "transitive",
+    "source": "hosted",
+    "dependencies": [
+      "analyzer",
+      "args",
+      "path",
+      "pub_semver",
+      "source_span"
+    ]
+  },
+  {
+    "name": "pub_semver",
+    "version": "2.1.4",
+    "kind": "transitive",
+    "source": "hosted",
+    "dependencies": [
+      "collection",
+      "meta"
+    ]
+  },
+  {
+    "name": "args",
+    "version": "2.4.2",
+    "kind": "transitive",
+    "source": "hosted",
+    "dependencies": []
+  },
+  {
+    "name": "analyzer",
+    "version": "5.13.0",
+    "kind": "transitive",
+    "source": "hosted",
+    "dependencies": [
+      "_fe_analyzer_shared",
+      "collection",
+      "convert",
+      "crypto",
+      "glob",
+      "meta",
+      "package_config",
+      "path",
+      "pub_semver",
+      "source_span",
+      "watcher",
+      "yaml"
+    ]
+  },
+  {
+    "name": "watcher",
+    "version": "1.1.0",
+    "kind": "transitive",
+    "source": "hosted",
+    "dependencies": [
+      "async",
+      "path"
+    ]
+  },
+  {
+    "name": "package_config",
+    "version": "2.1.0",
+    "kind": "transitive",
+    "source": "hosted",
+    "dependencies": [
+      "path"
+    ]
+  },
+  {
+    "name": "crypto",
+    "version": "3.0.3",
+    "kind": "transitive",
+    "source": "hosted",
+    "dependencies": [
+      "typed_data"
+    ]
+  },
+  {
+    "name": "typed_data",
+    "version": "1.3.2",
+    "kind": "transitive",
+    "source": "hosted",
+    "dependencies": [
+      "collection"
+    ]
+  },
+  {
+    "name": "convert",
+    "version": "3.1.1",
+    "kind": "transitive",
+    "source": "hosted",
+    "dependencies": [
+      "typed_data"
+    ]
+  },
+  {
+    "name": "_fe_analyzer_shared",
+    "version": "61.0.0",
+    "kind": "transitive",
+    "source": "hosted",
+    "dependencies": [
+      "meta"
+    ]
+  },
+  {
+    "name": "build",
+    "version": "2.4.1",
+    "kind": "transitive",
+    "source": "hosted",
+    "dependencies": [
+      "analyzer",
+      "async",
+      "convert",
+      "crypto",
+      "glob",
+      "logging",
+      "meta",
+      "package_config",
+      "path"
+    ]
+  },
+  {
+    "name": "logging",
+    "version": "1.1.1",
+    "kind": "transitive",
+    "source": "hosted",
+    "dependencies": []
+  },
+  {
+    "name": "matcher",
+    "version": "0.12.16",
+    "kind": "transitive",
+    "source": "hosted",
+    "dependencies": [
+      "async",
+      "meta",
+      "stack_trace",
+      "term_glyph",
+      "test_api"
+    ]
+  },
+  {
+    "name": "code_builder",
+    "version": "4.5.0",
+    "kind": "transitive",
+    "source": "hosted",
+    "dependencies": [
+      "built_collection",
+      "built_value",
+      "collection",
+      "matcher",
+      "meta"
+    ]
+  },
+  {
+    "name": "built_value",
+    "version": "8.6.2",
+    "kind": "transitive",
+    "source": "hosted",
+    "dependencies": [
+      "built_collection",
+      "collection",
+      "fixnum",
+      "meta"
+    ]
+  },
+  {
+    "name": "fixnum",
+    "version": "1.1.0",
+    "kind": "transitive",
+    "source": "hosted",
+    "dependencies": []
+  },
+  {
+    "name": "built_collection",
+    "version": "5.1.1",
+    "kind": "transitive",
+    "source": "hosted",
+    "dependencies": []
+  },
+  {
+    "name": "melos",
+    "version": "3.1.1",
+    "kind": "dev",
+    "source": "hosted",
+    "dependencies": [
+      "ansi_styles",
+      "args",
+      "cli_launcher",
+      "cli_util",
+      "collection",
+      "conventional_commit",
+      "file",
+      "glob",
+      "graphs",
+      "http",
+      "meta",
+      "mustache_template",
+      "path",
+      "platform",
+      "pool",
+      "prompts",
+      "pub_semver",
+      "pub_updater",
+      "pubspec",
+      "string_scanner",
+      "yaml",
+      "yaml_edit"
+    ]
+  },
+  {
+    "name": "yaml_edit",
+    "version": "2.1.1",
+    "kind": "transitive",
+    "source": "hosted",
+    "dependencies": [
+      "collection",
+      "meta",
+      "source_span",
+      "yaml"
+    ]
+  },
+  {
+    "name": "pubspec",
+    "version": "2.3.0",
+    "kind": "transitive",
+    "source": "hosted",
+    "dependencies": [
+      "path",
+      "pub_semver",
+      "yaml",
+      "uri"
+    ]
+  },
+  {
+    "name": "uri",
+    "version": "1.0.0",
+    "kind": "transitive",
+    "source": "hosted",
+    "dependencies": [
+      "matcher",
+      "quiver"
+    ]
+  },
+  {
+    "name": "quiver",
+    "version": "3.2.1",
+    "kind": "transitive",
+    "source": "hosted",
+    "dependencies": [
+      "matcher"
+    ]
+  },
+  {
+    "name": "pub_updater",
+    "version": "0.3.1",
+    "kind": "transitive",
+    "source": "hosted",
+    "dependencies": [
+      "http",
+      "json_annotation",
+      "process",
+      "pub_semver"
+    ]
+  },
+  {
+    "name": "process",
+    "version": "4.2.4",
+    "kind": "transitive",
+    "source": "hosted",
+    "dependencies": [
+      "file",
+      "path",
+      "platform"
+    ]
+  },
+  {
+    "name": "platform",
+    "version": "3.1.0",
+    "kind": "transitive",
+    "source": "hosted",
+    "dependencies": []
+  },
+  {
+    "name": "json_annotation",
+    "version": "4.8.1",
+    "kind": "transitive",
+    "source": "hosted",
+    "dependencies": [
+      "meta"
+    ]
+  },
+  {
+    "name": "http",
+    "version": "1.1.0",
+    "kind": "transitive",
+    "source": "hosted",
+    "dependencies": [
+      "async",
+      "http_parser",
+      "meta"
+    ]
+  },
+  {
+    "name": "http_parser",
+    "version": "4.0.2",
+    "kind": "transitive",
+    "source": "hosted",
+    "dependencies": [
+      "collection",
+      "source_span",
+      "string_scanner",
+      "typed_data"
+    ]
+  },
+  {
+    "name": "prompts",
+    "version": "2.0.0",
+    "kind": "transitive",
+    "source": "hosted",
+    "dependencies": [
+      "charcode",
+      "io"
+    ]
+  },
+  {
+    "name": "io",
+    "version": "1.0.4",
+    "kind": "transitive",
+    "source": "hosted",
+    "dependencies": [
+      "meta",
+      "path",
+      "string_scanner"
+    ]
+  },
+  {
+    "name": "charcode",
+    "version": "1.3.1",
+    "kind": "transitive",
+    "source": "hosted",
+    "dependencies": []
+  },
+  {
+    "name": "pool",
+    "version": "1.5.1",
+    "kind": "transitive",
+    "source": "hosted",
+    "dependencies": [
+      "async",
+      "stack_trace"
+    ]
+  },
+  {
+    "name": "mustache_template",
+    "version": "2.0.0",
+    "kind": "transitive",
+    "source": "hosted",
+    "dependencies": []
+  },
+  {
+    "name": "graphs",
+    "version": "2.3.1",
+    "kind": "transitive",
+    "source": "hosted",
+    "dependencies": [
+      "collection"
+    ]
+  },
+  {
+    "name": "conventional_commit",
+    "version": "0.6.0+1",
+    "kind": "transitive",
+    "source": "hosted",
+    "dependencies": []
+  },
+  {
+    "name": "cli_util",
+    "version": "0.4.0",
+    "kind": "transitive",
+    "source": "hosted",
+    "dependencies": [
+      "meta",
+      "path"
+    ]
+  },
+  {
+    "name": "cli_launcher",
+    "version": "0.3.1",
+    "kind": "transitive",
+    "source": "hosted",
+    "dependencies": [
+      "path",
+      "yaml"
+    ]
+  },
+  {
+    "name": "ansi_styles",
+    "version": "0.3.2+1",
+    "kind": "transitive",
+    "source": "hosted",
+    "dependencies": []
+  },
+  {
+    "name": "integration_test",
+    "version": "0.0.0",
+    "kind": "dev",
+    "source": "sdk",
+    "dependencies": [
+      "flutter",
+      "flutter_driver",
+      "flutter_test",
+      "path",
+      "vm_service",
+      "async",
+      "boolean_selector",
+      "characters",
+      "clock",
+      "collection",
+      "fake_async",
+      "file",
+      "matcher",
+      "material_color_utilities",
+      "meta",
+      "source_span",
+      "stack_trace",
+      "stream_channel",
+      "string_scanner",
+      "sync_http",
+      "term_glyph",
+      "test_api",
+      "vector_math",
+      "web",
+      "webdriver"
+    ]
+  },
+  {
+    "name": "webdriver",
+    "version": "3.0.2",
+    "kind": "transitive",
+    "source": "hosted",
+    "dependencies": [
+      "matcher",
+      "path",
+      "stack_trace",
+      "sync_http"
+    ]
+  },
+  {
+    "name": "sync_http",
+    "version": "0.3.1",
+    "kind": "transitive",
+    "source": "hosted",
+    "dependencies": []
+  },
+  {
+    "name": "web",
+    "version": "0.1.4-beta",
+    "kind": "transitive",
+    "source": "hosted",
+    "dependencies": []
+  },
+  {
+    "name": "vector_math",
+    "version": "2.1.4",
+    "kind": "transitive",
+    "source": "hosted",
+    "dependencies": []
+  },
+  {
+    "name": "material_color_utilities",
+    "version": "0.5.0",
+    "kind": "transitive",
+    "source": "hosted",
+    "dependencies": [
+      "collection"
+    ]
+  },
+  {
+    "name": "fake_async",
+    "version": "1.3.1",
+    "kind": "transitive",
+    "source": "hosted",
+    "dependencies": [
+      "clock",
+      "collection"
+    ]
+  },
+  {
+    "name": "clock",
+    "version": "1.1.1",
+    "kind": "transitive",
+    "source": "hosted",
+    "dependencies": []
+  },
+  {
+    "name": "characters",
+    "version": "1.3.0",
+    "kind": "transitive",
+    "source": "hosted",
+    "dependencies": []
+  },
+  {
+    "name": "vm_service",
+    "version": "11.7.1",
+    "kind": "transitive",
+    "source": "hosted",
+    "dependencies": []
+  },
+  {
+    "name": "flutter_test",
+    "version": "0.0.0",
+    "kind": "dev",
+    "source": "sdk",
+    "dependencies": [
+      "flutter",
+      "test_api",
+      "matcher",
+      "path",
+      "fake_async",
+      "clock",
+      "stack_trace",
+      "vector_math",
+      "async",
+      "boolean_selector",
+      "characters",
+      "collection",
+      "material_color_utilities",
+      "meta",
+      "source_span",
+      "stream_channel",
+      "string_scanner",
+      "term_glyph",
+      "web"
+    ]
+  },
+  {
+    "name": "flutter",
+    "version": "0.0.0",
+    "kind": "direct",
+    "source": "sdk",
+    "dependencies": [
+      "characters",
+      "collection",
+      "material_color_utilities",
+      "meta",
+      "vector_math",
+      "web",
+      "sky_engine"
+    ]
+  },
+  {
+    "name": "sky_engine",
+    "version": "0.0.99",
+    "kind": "transitive",
+    "source": "sdk",
+    "dependencies": []
+  },
+  {
+    "name": "flutter_driver",
+    "version": "0.0.0",
+    "kind": "transitive",
+    "source": "sdk",
+    "dependencies": [
+      "file",
+      "flutter",
+      "flutter_test",
+      "fuchsia_remote_debug_protocol",
+      "path",
+      "meta",
+      "vm_service",
+      "webdriver",
+      "async",
+      "boolean_selector",
+      "characters",
+      "clock",
+      "collection",
+      "matcher",
+      "material_color_utilities",
+      "platform",
+      "process",
+      "source_span",
+      "stack_trace",
+      "stream_channel",
+      "string_scanner",
+      "sync_http",
+      "term_glyph",
+      "test_api",
+      "vector_math",
+      "web"
+    ]
+  },
+  {
+    "name": "fuchsia_remote_debug_protocol",
+    "version": "0.0.0",
+    "kind": "transitive",
+    "source": "sdk",
+    "dependencies": [
+      "process",
+      "vm_service",
+      "file",
+      "meta",
+      "path",
+      "platform"
+    ]
+  },
+  {
+    "name": "freezed",
+    "version": "2.4.1",
+    "kind": "dev",
+    "source": "hosted",
+    "dependencies": [
+      "analyzer",
+      "build",
+      "build_config",
+      "collection",
+      "meta",
+      "source_gen",
+      "freezed_annotation",
+      "json_annotation"
+    ]
+  },
+  {
+    "name": "freezed_annotation",
+    "version": "2.4.1",
+    "kind": "direct",
+    "source": "hosted",
+    "dependencies": [
+      "collection",
+      "json_annotation",
+      "meta"
+    ]
+  },
+  {
+    "name": "build_config",
+    "version": "1.1.1",
+    "kind": "transitive",
+    "source": "hosted",
+    "dependencies": [
+      "checked_yaml",
+      "json_annotation",
+      "path",
+      "pubspec_parse",
+      "yaml"
+    ]
+  },
+  {
+    "name": "pubspec_parse",
+    "version": "1.2.3",
+    "kind": "transitive",
+    "source": "hosted",
+    "dependencies": [
+      "checked_yaml",
+      "collection",
+      "json_annotation",
+      "pub_semver",
+      "yaml"
+    ]
+  },
+  {
+    "name": "checked_yaml",
+    "version": "2.0.3",
+    "kind": "transitive",
+    "source": "hosted",
+    "dependencies": [
+      "json_annotation",
+      "source_span",
+      "yaml"
+    ]
+  },
+  {
+    "name": "flutter_lints",
+    "version": "2.0.2",
+    "kind": "dev",
+    "source": "hosted",
+    "dependencies": [
+      "lints"
+    ]
+  },
+  {
+    "name": "lints",
+    "version": "2.1.1",
+    "kind": "transitive",
+    "source": "hosted",
+    "dependencies": []
+  },
+  {
+    "name": "build_runner",
+    "version": "2.4.6",
+    "kind": "dev",
+    "source": "hosted",
+    "dependencies": [
+      "analyzer",
+      "args",
+      "async",
+      "build",
+      "build_config",
+      "build_daemon",
+      "build_resolvers",
+      "build_runner_core",
+      "code_builder",
+      "collection",
+      "crypto",
+      "dart_style",
+      "frontend_server_client",
+      "glob",
+      "graphs",
+      "http_multi_server",
+      "io",
+      "js",
+      "logging",
+      "meta",
+      "mime",
+      "package_config",
+      "path",
+      "pool",
+      "pub_semver",
+      "pubspec_parse",
+      "shelf",
+      "shelf_web_socket",
+      "stack_trace",
+      "stream_transform",
+      "timing",
+      "watcher",
+      "web_socket_channel",
+      "yaml"
+    ]
+  },
+  {
+    "name": "web_socket_channel",
+    "version": "2.4.0",
+    "kind": "transitive",
+    "source": "hosted",
+    "dependencies": [
+      "async",
+      "crypto",
+      "stream_channel"
+    ]
+  },
+  {
+    "name": "timing",
+    "version": "1.0.1",
+    "kind": "transitive",
+    "source": "hosted",
+    "dependencies": [
+      "json_annotation"
+    ]
+  },
+  {
+    "name": "stream_transform",
+    "version": "2.1.0",
+    "kind": "transitive",
+    "source": "hosted",
+    "dependencies": []
+  },
+  {
+    "name": "shelf_web_socket",
+    "version": "1.0.4",
+    "kind": "transitive",
+    "source": "hosted",
+    "dependencies": [
+      "shelf",
+      "stream_channel",
+      "web_socket_channel"
+    ]
+  },
+  {
+    "name": "shelf",
+    "version": "1.4.1",
+    "kind": "transitive",
+    "source": "hosted",
+    "dependencies": [
+      "async",
+      "collection",
+      "http_parser",
+      "path",
+      "stack_trace",
+      "stream_channel"
+    ]
+  },
+  {
+    "name": "mime",
+    "version": "1.0.4",
+    "kind": "transitive",
+    "source": "hosted",
+    "dependencies": []
+  },
+  {
+    "name": "js",
+    "version": "0.6.7",
+    "kind": "transitive",
+    "source": "hosted",
+    "dependencies": [
+      "meta"
+    ]
+  },
+  {
+    "name": "http_multi_server",
+    "version": "3.2.1",
+    "kind": "transitive",
+    "source": "hosted",
+    "dependencies": [
+      "async"
+    ]
+  },
+  {
+    "name": "frontend_server_client",
+    "version": "3.2.0",
+    "kind": "transitive",
+    "source": "hosted",
+    "dependencies": [
+      "async",
+      "path"
+    ]
+  },
+  {
+    "name": "build_runner_core",
+    "version": "7.2.8",
+    "kind": "transitive",
+    "source": "hosted",
+    "dependencies": [
+      "async",
+      "build",
+      "build_config",
+      "build_resolvers",
+      "collection",
+      "convert",
+      "crypto",
+      "glob",
+      "graphs",
+      "json_annotation",
+      "logging",
+      "meta",
+      "path",
+      "package_config",
+      "pool",
+      "timing",
+      "watcher",
+      "yaml"
+    ]
+  },
+  {
+    "name": "build_resolvers",
+    "version": "2.2.1",
+    "kind": "transitive",
+    "source": "hosted",
+    "dependencies": [
+      "analyzer",
+      "async",
+      "build",
+      "collection",
+      "crypto",
+      "graphs",
+      "logging",
+      "package_config",
+      "path",
+      "pool",
+      "pub_semver",
+      "stream_transform",
+      "yaml"
+    ]
+  },
+  {
+    "name": "build_daemon",
+    "version": "4.0.0",
+    "kind": "transitive",
+    "source": "hosted",
+    "dependencies": [
+      "built_collection",
+      "built_value",
+      "http_multi_server",
+      "logging",
+      "path",
+      "pool",
+      "shelf",
+      "shelf_web_socket",
+      "stream_transform",
+      "watcher",
+      "web_socket_channel"
+    ]
+  },
+  {
+    "name": "yaru_widgets",
+    "version": "3.1.0",
+    "kind": "direct",
+    "source": "hosted",
+    "dependencies": [
+      "flutter",
+      "yaru",
+      "yaru_icons",
+      "yaru_window"
+    ]
+  },
+  {
+    "name": "yaru_window",
+    "version": "0.1.3",
+    "kind": "transitive",
+    "source": "hosted",
+    "dependencies": [
+      "flutter",
+      "yaru_window_linux",
+      "yaru_window_manager",
+      "yaru_window_platform_interface",
+      "yaru_window_web"
+    ]
+  },
+  {
+    "name": "yaru_window_web",
+    "version": "0.0.3",
+    "kind": "transitive",
+    "source": "hosted",
+    "dependencies": [
+      "flutter",
+      "flutter_web_plugins",
+      "yaru_window_platform_interface"
+    ]
+  },
+  {
+    "name": "yaru_window_platform_interface",
+    "version": "0.1.2",
+    "kind": "transitive",
+    "source": "hosted",
+    "dependencies": [
+      "flutter",
+      "meta",
+      "plugin_platform_interface"
+    ]
+  },
+  {
+    "name": "plugin_platform_interface",
+    "version": "2.1.5",
+    "kind": "transitive",
+    "source": "hosted",
+    "dependencies": [
+      "meta"
+    ]
+  },
+  {
+    "name": "flutter_web_plugins",
+    "version": "0.0.0",
+    "kind": "transitive",
+    "source": "sdk",
+    "dependencies": [
+      "flutter",
+      "characters",
+      "collection",
+      "material_color_utilities",
+      "meta",
+      "vector_math",
+      "web"
+    ]
+  },
+  {
+    "name": "yaru_window_manager",
+    "version": "0.1.2",
+    "kind": "transitive",
+    "source": "hosted",
+    "dependencies": [
+      "flutter",
+      "flutter_web_plugins",
+      "window_manager",
+      "yaru_window_platform_interface"
+    ]
+  },
+  {
+    "name": "window_manager",
+    "version": "0.3.6",
+    "kind": "transitive",
+    "source": "hosted",
+    "dependencies": [
+      "flutter",
+      "path",
+      "screen_retriever"
+    ]
+  },
+  {
+    "name": "screen_retriever",
+    "version": "0.1.9",
+    "kind": "transitive",
+    "source": "hosted",
+    "dependencies": [
+      "flutter"
+    ]
+  },
+  {
+    "name": "yaru_window_linux",
+    "version": "0.1.3",
+    "kind": "transitive",
+    "source": "hosted",
+    "dependencies": [
+      "flutter",
+      "plugin_platform_interface"
+    ]
+  },
+  {
+    "name": "yaru_icons",
+    "version": "2.2.1",
+    "kind": "direct",
+    "source": "hosted",
+    "dependencies": [
+      "flutter"
+    ]
+  },
+  {
+    "name": "yaru",
+    "version": "1.1.0",
+    "kind": "direct",
+    "source": "hosted",
+    "dependencies": [
+      "collection",
+      "flutter",
+      "gtk",
+      "platform"
+    ]
+  },
+  {
+    "name": "gtk",
+    "version": "2.1.0",
+    "kind": "direct",
+    "source": "hosted",
+    "dependencies": [
+      "ffi",
+      "flutter",
+      "meta"
+    ]
+  },
+  {
+    "name": "ffi",
+    "version": "2.1.0",
+    "kind": "transitive",
+    "source": "hosted",
+    "dependencies": []
+  },
+  {
+    "name": "yaru_colors",
+    "version": "0.1.7",
+    "kind": "direct",
+    "source": "hosted",
+    "dependencies": [
+      "collection",
+      "flutter",
+      "meta",
+      "yaru_color_generator"
+    ]
+  },
+  {
+    "name": "yaru_color_generator",
+    "version": "0.1.0",
+    "kind": "transitive",
+    "source": "hosted",
+    "dependencies": [
+      "collection",
+      "meta"
+    ]
+  },
+  {
+    "name": "upower",
+    "version": "0.7.0",
+    "kind": "direct",
+    "source": "hosted",
+    "dependencies": [
+      "dbus"
+    ]
+  },
+  {
+    "name": "dbus",
+    "version": "0.7.8",
+    "kind": "direct",
+    "source": "hosted",
+    "dependencies": [
+      "args",
+      "ffi",
+      "meta",
+      "xml"
+    ]
+  },
+  {
+    "name": "xml",
+    "version": "6.3.0",
+    "kind": "transitive",
+    "source": "hosted",
+    "dependencies": [
+      "collection",
+      "meta",
+      "petitparser"
+    ]
+  },
+  {
+    "name": "petitparser",
+    "version": "5.4.0",
+    "kind": "transitive",
+    "source": "hosted",
+    "dependencies": [
+      "meta"
+    ]
+  },
+  {
+    "name": "ubuntu_test",
+    "version": "0.1.0-beta.6",
+    "kind": "direct",
+    "source": "hosted",
+    "dependencies": [
+      "flutter",
+      "flutter_html",
+      "flutter_markdown",
+      "flutter_svg",
+      "flutter_test",
+      "mockito",
+      "test_api",
+      "ubuntu_localizations",
+      "yaru_test"
+    ]
+  },
+  {
+    "name": "yaru_test",
+    "version": "0.1.4",
+    "kind": "transitive",
+    "source": "hosted",
+    "dependencies": [
+      "flutter",
+      "flutter_test",
+      "yaru",
+      "yaru_widgets",
+      "yaru_window_platform_interface"
+    ]
+  },
+  {
+    "name": "ubuntu_localizations",
+    "version": "0.3.4",
+    "kind": "transitive",
+    "source": "hosted",
+    "dependencies": [
+      "collection",
+      "diacritic",
+      "flutter",
+      "flutter_localizations",
+      "intl"
+    ]
+  },
+  {
+    "name": "intl",
+    "version": "0.18.1",
+    "kind": "transitive",
+    "source": "hosted",
+    "dependencies": [
+      "clock",
+      "meta",
+      "path"
+    ]
+  },
+  {
+    "name": "flutter_localizations",
+    "version": "0.0.0",
+    "kind": "direct",
+    "source": "sdk",
+    "dependencies": [
+      "flutter",
+      "intl",
+      "characters",
+      "clock",
+      "collection",
+      "material_color_utilities",
+      "meta",
+      "path",
+      "vector_math",
+      "web"
+    ]
+  },
+  {
+    "name": "diacritic",
+    "version": "0.1.4",
+    "kind": "transitive",
+    "source": "hosted",
+    "dependencies": []
+  },
+  {
+    "name": "flutter_svg",
+    "version": "2.0.7",
+    "kind": "transitive",
+    "source": "hosted",
+    "dependencies": [
+      "flutter",
+      "vector_graphics",
+      "vector_graphics_codec",
+      "vector_graphics_compiler"
+    ]
+  },
+  {
+    "name": "vector_graphics_compiler",
+    "version": "1.1.7",
+    "kind": "transitive",
+    "source": "hosted",
+    "dependencies": [
+      "args",
+      "meta",
+      "path_parsing",
+      "xml",
+      "vector_graphics_codec"
+    ]
+  },
+  {
+    "name": "vector_graphics_codec",
+    "version": "1.1.7",
+    "kind": "transitive",
+    "source": "hosted",
+    "dependencies": []
+  },
+  {
+    "name": "path_parsing",
+    "version": "1.0.1",
+    "kind": "transitive",
+    "source": "hosted",
+    "dependencies": [
+      "vector_math",
+      "meta"
+    ]
+  },
+  {
+    "name": "vector_graphics",
+    "version": "1.1.7",
+    "kind": "transitive",
+    "source": "hosted",
+    "dependencies": [
+      "flutter",
+      "vector_graphics_codec"
+    ]
+  },
+  {
+    "name": "flutter_markdown",
+    "version": "0.6.17+1",
+    "kind": "transitive",
+    "source": "hosted",
+    "dependencies": [
+      "flutter",
+      "markdown",
+      "meta",
+      "path"
+    ]
+  },
+  {
+    "name": "markdown",
+    "version": "7.1.1",
+    "kind": "transitive",
+    "source": "hosted",
+    "dependencies": [
+      "args",
+      "meta"
+    ]
+  },
+  {
+    "name": "flutter_html",
+    "version": "3.0.0-beta.2",
+    "kind": "direct",
+    "source": "hosted",
+    "dependencies": [
+      "html",
+      "csslib",
+      "collection",
+      "list_counter",
+      "flutter"
+    ]
+  },
+  {
+    "name": "list_counter",
+    "version": "1.0.2",
+    "kind": "transitive",
+    "source": "hosted",
+    "dependencies": []
+  },
+  {
+    "name": "csslib",
+    "version": "0.17.3",
+    "kind": "transitive",
+    "source": "hosted",
+    "dependencies": [
+      "source_span"
+    ]
+  },
+  {
+    "name": "html",
+    "version": "0.15.4",
+    "kind": "transitive",
+    "source": "hosted",
+    "dependencies": [
+      "csslib",
+      "source_span"
+    ]
+  },
+  {
+    "name": "ubuntu_session",
+    "version": "0.0.4",
+    "kind": "direct",
+    "source": "hosted",
+    "dependencies": [
+      "dbus",
+      "meta"
+    ]
+  },
+  {
+    "name": "ubuntu_service",
+    "version": "0.2.4",
+    "kind": "direct",
+    "source": "hosted",
+    "dependencies": [
+      "get_it",
+      "meta"
+    ]
+  },
+  {
+    "name": "get_it",
+    "version": "7.6.0",
+    "kind": "transitive",
+    "source": "hosted",
+    "dependencies": [
+      "async",
+      "collection"
+    ]
+  },
+  {
+    "name": "ubuntu_logger",
+    "version": "0.0.3",
+    "kind": "direct",
+    "source": "hosted",
+    "dependencies": [
+      "collection",
+      "logging",
+      "logging_appenders",
+      "path"
+    ]
+  },
+  {
+    "name": "logging_appenders",
+    "version": "1.0.2",
+    "kind": "transitive",
+    "source": "hosted",
+    "dependencies": [
+      "meta",
+      "logging",
+      "dio",
+      "intl",
+      "clock"
+    ]
+  },
+  {
+    "name": "dio",
+    "version": "4.0.6",
+    "kind": "direct",
+    "source": "hosted",
+    "dependencies": [
+      "http_parser",
+      "path"
+    ]
+  },
+  {
+    "name": "safe_change_notifier",
+    "version": "0.2.0",
+    "kind": "direct",
+    "source": "hosted",
+    "dependencies": [
+      "flutter"
+    ]
+  },
+  {
+    "name": "provider",
+    "version": "6.0.5",
+    "kind": "direct",
+    "source": "hosted",
+    "dependencies": [
+      "collection",
+      "flutter",
+      "nested"
+    ]
+  },
+  {
+    "name": "nested",
+    "version": "1.0.0",
+    "kind": "transitive",
+    "source": "hosted",
+    "dependencies": [
+      "flutter"
+    ]
+  },
+  {
+    "name": "handy_window",
+    "version": "0.3.1",
+    "kind": "direct",
+    "source": "hosted",
+    "dependencies": [
+      "flutter"
+    ]
+  },
+  {
+    "name": "fwupd",
+    "version": "0.2.2",
+    "kind": "direct",
+    "source": "git",
+    "dependencies": [
+      "collection",
+      "dbus",
+      "meta"
+    ]
+  }
+]
diff --git a/nixpkgs/pkgs/os-specific/linux/firmware/firmware-updater/pubspec.lock b/nixpkgs/pkgs/os-specific/linux/firmware/firmware-updater/pubspec.lock
new file mode 100644
index 000000000000..99d5d74560b7
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/firmware/firmware-updater/pubspec.lock
@@ -0,0 +1,1079 @@
+# Generated by pub
+# See https://dart.dev/tools/pub/glossary#lockfile
+packages:
+  _fe_analyzer_shared:
+    dependency: transitive
+    description:
+      name: _fe_analyzer_shared
+      sha256: ae92f5d747aee634b87f89d9946000c2de774be1d6ac3e58268224348cd0101a
+      url: "https://pub.dev"
+    source: hosted
+    version: "61.0.0"
+  analyzer:
+    dependency: transitive
+    description:
+      name: analyzer
+      sha256: ea3d8652bda62982addfd92fdc2d0214e5f82e43325104990d4f4c4a2a313562
+      url: "https://pub.dev"
+    source: hosted
+    version: "5.13.0"
+  ansi_styles:
+    dependency: transitive
+    description:
+      name: ansi_styles
+      sha256: "9c656cc12b3c27b17dd982b2cc5c0cfdfbdabd7bc8f3ae5e8542d9867b47ce8a"
+      url: "https://pub.dev"
+    source: hosted
+    version: "0.3.2+1"
+  args:
+    dependency: transitive
+    description:
+      name: args
+      sha256: eef6c46b622e0494a36c5a12d10d77fb4e855501a91c1b9ef9339326e58f0596
+      url: "https://pub.dev"
+    source: hosted
+    version: "2.4.2"
+  async:
+    dependency: transitive
+    description:
+      name: async
+      sha256: "947bfcf187f74dbc5e146c9eb9c0f10c9f8b30743e341481c1e2ed3ecc18c20c"
+      url: "https://pub.dev"
+    source: hosted
+    version: "2.11.0"
+  boolean_selector:
+    dependency: transitive
+    description:
+      name: boolean_selector
+      sha256: "6cfb5af12253eaf2b368f07bacc5a80d1301a071c73360d746b7f2e32d762c66"
+      url: "https://pub.dev"
+    source: hosted
+    version: "2.1.1"
+  build:
+    dependency: transitive
+    description:
+      name: build
+      sha256: "80184af8b6cb3e5c1c4ec6d8544d27711700bc3e6d2efad04238c7b5290889f0"
+      url: "https://pub.dev"
+    source: hosted
+    version: "2.4.1"
+  build_config:
+    dependency: transitive
+    description:
+      name: build_config
+      sha256: bf80fcfb46a29945b423bd9aad884590fb1dc69b330a4d4700cac476af1708d1
+      url: "https://pub.dev"
+    source: hosted
+    version: "1.1.1"
+  build_daemon:
+    dependency: transitive
+    description:
+      name: build_daemon
+      sha256: "5f02d73eb2ba16483e693f80bee4f088563a820e47d1027d4cdfe62b5bb43e65"
+      url: "https://pub.dev"
+    source: hosted
+    version: "4.0.0"
+  build_resolvers:
+    dependency: transitive
+    description:
+      name: build_resolvers
+      sha256: "6c4dd11d05d056e76320b828a1db0fc01ccd376922526f8e9d6c796a5adbac20"
+      url: "https://pub.dev"
+    source: hosted
+    version: "2.2.1"
+  build_runner:
+    dependency: "direct dev"
+    description:
+      name: build_runner
+      sha256: "10c6bcdbf9d049a0b666702cf1cee4ddfdc38f02a19d35ae392863b47519848b"
+      url: "https://pub.dev"
+    source: hosted
+    version: "2.4.6"
+  build_runner_core:
+    dependency: transitive
+    description:
+      name: build_runner_core
+      sha256: "30859c90e9ddaccc484f56303931f477b1f1ba2bab74aa32ed5d6ce15870f8cf"
+      url: "https://pub.dev"
+    source: hosted
+    version: "7.2.8"
+  built_collection:
+    dependency: transitive
+    description:
+      name: built_collection
+      sha256: "376e3dd27b51ea877c28d525560790aee2e6fbb5f20e2f85d5081027d94e2100"
+      url: "https://pub.dev"
+    source: hosted
+    version: "5.1.1"
+  built_value:
+    dependency: transitive
+    description:
+      name: built_value
+      sha256: ff627b645b28fb8bdb69e645f910c2458fd6b65f6585c3a53e0626024897dedf
+      url: "https://pub.dev"
+    source: hosted
+    version: "8.6.2"
+  characters:
+    dependency: transitive
+    description:
+      name: characters
+      sha256: "04a925763edad70e8443c99234dc3328f442e811f1d8fd1a72f1c8ad0f69a605"
+      url: "https://pub.dev"
+    source: hosted
+    version: "1.3.0"
+  charcode:
+    dependency: transitive
+    description:
+      name: charcode
+      sha256: fb98c0f6d12c920a02ee2d998da788bca066ca5f148492b7085ee23372b12306
+      url: "https://pub.dev"
+    source: hosted
+    version: "1.3.1"
+  checked_yaml:
+    dependency: transitive
+    description:
+      name: checked_yaml
+      sha256: feb6bed21949061731a7a75fc5d2aa727cf160b91af9a3e464c5e3a32e28b5ff
+      url: "https://pub.dev"
+    source: hosted
+    version: "2.0.3"
+  cli_launcher:
+    dependency: transitive
+    description:
+      name: cli_launcher
+      sha256: "5e7e0282b79e8642edd6510ee468ae2976d847a0a29b3916e85f5fa1bfe24005"
+      url: "https://pub.dev"
+    source: hosted
+    version: "0.3.1"
+  cli_util:
+    dependency: transitive
+    description:
+      name: cli_util
+      sha256: b8db3080e59b2503ca9e7922c3df2072cf13992354d5e944074ffa836fba43b7
+      url: "https://pub.dev"
+    source: hosted
+    version: "0.4.0"
+  clock:
+    dependency: transitive
+    description:
+      name: clock
+      sha256: cb6d7f03e1de671e34607e909a7213e31d7752be4fb66a86d29fe1eb14bfb5cf
+      url: "https://pub.dev"
+    source: hosted
+    version: "1.1.1"
+  code_builder:
+    dependency: transitive
+    description:
+      name: code_builder
+      sha256: "4ad01d6e56db961d29661561effde45e519939fdaeb46c351275b182eac70189"
+      url: "https://pub.dev"
+    source: hosted
+    version: "4.5.0"
+  collection:
+    dependency: "direct main"
+    description:
+      name: collection
+      sha256: f092b211a4319e98e5ff58223576de6c2803db36221657b46c82574721240687
+      url: "https://pub.dev"
+    source: hosted
+    version: "1.17.2"
+  conventional_commit:
+    dependency: transitive
+    description:
+      name: conventional_commit
+      sha256: dec15ad1118f029c618651a4359eb9135d8b88f761aa24e4016d061cd45948f2
+      url: "https://pub.dev"
+    source: hosted
+    version: "0.6.0+1"
+  convert:
+    dependency: transitive
+    description:
+      name: convert
+      sha256: "0f08b14755d163f6e2134cb58222dd25ea2a2ee8a195e53983d57c075324d592"
+      url: "https://pub.dev"
+    source: hosted
+    version: "3.1.1"
+  crypto:
+    dependency: transitive
+    description:
+      name: crypto
+      sha256: ff625774173754681d66daaf4a448684fb04b78f902da9cb3d308c19cc5e8bab
+      url: "https://pub.dev"
+    source: hosted
+    version: "3.0.3"
+  csslib:
+    dependency: transitive
+    description:
+      name: csslib
+      sha256: "831883fb353c8bdc1d71979e5b342c7d88acfbc643113c14ae51e2442ea0f20f"
+      url: "https://pub.dev"
+    source: hosted
+    version: "0.17.3"
+  dart_style:
+    dependency: transitive
+    description:
+      name: dart_style
+      sha256: "1efa911ca7086affd35f463ca2fc1799584fb6aa89883cf0af8e3664d6a02d55"
+      url: "https://pub.dev"
+    source: hosted
+    version: "2.3.2"
+  dbus:
+    dependency: "direct main"
+    description:
+      name: dbus
+      sha256: "6f07cba3f7b3448d42d015bfd3d53fe12e5b36da2423f23838efc1d5fb31a263"
+      url: "https://pub.dev"
+    source: hosted
+    version: "0.7.8"
+  diacritic:
+    dependency: transitive
+    description:
+      name: diacritic
+      sha256: a84e03ec2779375fb86430dbe9d8fba62c68376f2499097a5f6e75556babe706
+      url: "https://pub.dev"
+    source: hosted
+    version: "0.1.4"
+  dio:
+    dependency: "direct main"
+    description:
+      name: dio
+      sha256: "7d328c4d898a61efc3cd93655a0955858e29a0aa647f0f9e02d59b3bb275e2e8"
+      url: "https://pub.dev"
+    source: hosted
+    version: "4.0.6"
+  fake_async:
+    dependency: transitive
+    description:
+      name: fake_async
+      sha256: "511392330127add0b769b75a987850d136345d9227c6b94c96a04cf4a391bf78"
+      url: "https://pub.dev"
+    source: hosted
+    version: "1.3.1"
+  ffi:
+    dependency: transitive
+    description:
+      name: ffi
+      sha256: "7bf0adc28a23d395f19f3f1eb21dd7cfd1dd9f8e1c50051c069122e6853bc878"
+      url: "https://pub.dev"
+    source: hosted
+    version: "2.1.0"
+  file:
+    dependency: "direct main"
+    description:
+      name: file
+      sha256: "1b92bec4fc2a72f59a8e15af5f52cd441e4a7860b49499d69dfa817af20e925d"
+      url: "https://pub.dev"
+    source: hosted
+    version: "6.1.4"
+  fixnum:
+    dependency: transitive
+    description:
+      name: fixnum
+      sha256: "25517a4deb0c03aa0f32fd12db525856438902d9c16536311e76cdc57b31d7d1"
+      url: "https://pub.dev"
+    source: hosted
+    version: "1.1.0"
+  flutter:
+    dependency: "direct main"
+    description: flutter
+    source: sdk
+    version: "0.0.0"
+  flutter_driver:
+    dependency: transitive
+    description: flutter
+    source: sdk
+    version: "0.0.0"
+  flutter_html:
+    dependency: "direct main"
+    description:
+      name: flutter_html
+      sha256: "02ad69e813ecfc0728a455e4bf892b9379983e050722b1dce00192ee2e41d1ee"
+      url: "https://pub.dev"
+    source: hosted
+    version: "3.0.0-beta.2"
+  flutter_lints:
+    dependency: "direct dev"
+    description:
+      name: flutter_lints
+      sha256: "2118df84ef0c3ca93f96123a616ae8540879991b8b57af2f81b76a7ada49b2a4"
+      url: "https://pub.dev"
+    source: hosted
+    version: "2.0.2"
+  flutter_localizations:
+    dependency: "direct main"
+    description: flutter
+    source: sdk
+    version: "0.0.0"
+  flutter_markdown:
+    dependency: transitive
+    description:
+      name: flutter_markdown
+      sha256: "2b206d397dd7836ea60035b2d43825c8a303a76a5098e66f42d55a753e18d431"
+      url: "https://pub.dev"
+    source: hosted
+    version: "0.6.17+1"
+  flutter_svg:
+    dependency: transitive
+    description:
+      name: flutter_svg
+      sha256: "8c5d68a82add3ca76d792f058b186a0599414f279f00ece4830b9b231b570338"
+      url: "https://pub.dev"
+    source: hosted
+    version: "2.0.7"
+  flutter_test:
+    dependency: "direct dev"
+    description: flutter
+    source: sdk
+    version: "0.0.0"
+  flutter_web_plugins:
+    dependency: transitive
+    description: flutter
+    source: sdk
+    version: "0.0.0"
+  freezed:
+    dependency: "direct dev"
+    description:
+      name: freezed
+      sha256: "2df89855fe181baae3b6d714dc3c4317acf4fccd495a6f36e5e00f24144c6c3b"
+      url: "https://pub.dev"
+    source: hosted
+    version: "2.4.1"
+  freezed_annotation:
+    dependency: "direct main"
+    description:
+      name: freezed_annotation
+      sha256: c3fd9336eb55a38cc1bbd79ab17573113a8deccd0ecbbf926cca3c62803b5c2d
+      url: "https://pub.dev"
+    source: hosted
+    version: "2.4.1"
+  frontend_server_client:
+    dependency: transitive
+    description:
+      name: frontend_server_client
+      sha256: "408e3ca148b31c20282ad6f37ebfa6f4bdc8fede5b74bc2f08d9d92b55db3612"
+      url: "https://pub.dev"
+    source: hosted
+    version: "3.2.0"
+  fuchsia_remote_debug_protocol:
+    dependency: transitive
+    description: flutter
+    source: sdk
+    version: "0.0.0"
+  fwupd:
+    dependency: "direct main"
+    description:
+      path: "."
+      ref: refresh-property-cache
+      resolved-ref: "22f96d558fb3b72b682758a7b55f39002cd217c2"
+      url: "https://github.com/d-loose/fwupd.dart"
+    source: git
+    version: "0.2.2"
+  get_it:
+    dependency: transitive
+    description:
+      name: get_it
+      sha256: "529de303c739fca98cd7ece5fca500d8ff89649f1bb4b4e94fb20954abcd7468"
+      url: "https://pub.dev"
+    source: hosted
+    version: "7.6.0"
+  glob:
+    dependency: transitive
+    description:
+      name: glob
+      sha256: "0e7014b3b7d4dac1ca4d6114f82bf1782ee86745b9b42a92c9289c23d8a0ab63"
+      url: "https://pub.dev"
+    source: hosted
+    version: "2.1.2"
+  graphs:
+    dependency: transitive
+    description:
+      name: graphs
+      sha256: aedc5a15e78fc65a6e23bcd927f24c64dd995062bcd1ca6eda65a3cff92a4d19
+      url: "https://pub.dev"
+    source: hosted
+    version: "2.3.1"
+  gtk:
+    dependency: "direct main"
+    description:
+      name: gtk
+      sha256: e8ce9ca4b1df106e4d72dad201d345ea1a036cc12c360f1a7d5a758f78ffa42c
+      url: "https://pub.dev"
+    source: hosted
+    version: "2.1.0"
+  handy_window:
+    dependency: "direct main"
+    description:
+      name: handy_window
+      sha256: "458a9f7d4ae23816e8f33c76596f943a04e7eff13d864e0867f3b40f1647d63d"
+      url: "https://pub.dev"
+    source: hosted
+    version: "0.3.1"
+  html:
+    dependency: transitive
+    description:
+      name: html
+      sha256: "3a7812d5bcd2894edf53dfaf8cd640876cf6cef50a8f238745c8b8120ea74d3a"
+      url: "https://pub.dev"
+    source: hosted
+    version: "0.15.4"
+  http:
+    dependency: transitive
+    description:
+      name: http
+      sha256: "759d1a329847dd0f39226c688d3e06a6b8679668e350e2891a6474f8b4bb8525"
+      url: "https://pub.dev"
+    source: hosted
+    version: "1.1.0"
+  http_multi_server:
+    dependency: transitive
+    description:
+      name: http_multi_server
+      sha256: "97486f20f9c2f7be8f514851703d0119c3596d14ea63227af6f7a481ef2b2f8b"
+      url: "https://pub.dev"
+    source: hosted
+    version: "3.2.1"
+  http_parser:
+    dependency: transitive
+    description:
+      name: http_parser
+      sha256: "2aa08ce0341cc9b354a498388e30986515406668dbcc4f7c950c3e715496693b"
+      url: "https://pub.dev"
+    source: hosted
+    version: "4.0.2"
+  integration_test:
+    dependency: "direct dev"
+    description: flutter
+    source: sdk
+    version: "0.0.0"
+  intl:
+    dependency: transitive
+    description:
+      name: intl
+      sha256: "3bc132a9dbce73a7e4a21a17d06e1878839ffbf975568bc875c60537824b0c4d"
+      url: "https://pub.dev"
+    source: hosted
+    version: "0.18.1"
+  io:
+    dependency: transitive
+    description:
+      name: io
+      sha256: "2ec25704aba361659e10e3e5f5d672068d332fc8ac516421d483a11e5cbd061e"
+      url: "https://pub.dev"
+    source: hosted
+    version: "1.0.4"
+  js:
+    dependency: transitive
+    description:
+      name: js
+      sha256: f2c445dce49627136094980615a031419f7f3eb393237e4ecd97ac15dea343f3
+      url: "https://pub.dev"
+    source: hosted
+    version: "0.6.7"
+  json_annotation:
+    dependency: transitive
+    description:
+      name: json_annotation
+      sha256: b10a7b2ff83d83c777edba3c6a0f97045ddadd56c944e1a23a3fdf43a1bf4467
+      url: "https://pub.dev"
+    source: hosted
+    version: "4.8.1"
+  lints:
+    dependency: transitive
+    description:
+      name: lints
+      sha256: "0a217c6c989d21039f1498c3ed9f3ed71b354e69873f13a8dfc3c9fe76f1b452"
+      url: "https://pub.dev"
+    source: hosted
+    version: "2.1.1"
+  list_counter:
+    dependency: transitive
+    description:
+      name: list_counter
+      sha256: c447ae3dfcd1c55f0152867090e67e219d42fe6d4f2807db4bbe8b8d69912237
+      url: "https://pub.dev"
+    source: hosted
+    version: "1.0.2"
+  logging:
+    dependency: transitive
+    description:
+      name: logging
+      sha256: "04094f2eb032cbb06c6f6e8d3607edcfcb0455e2bb6cbc010cb01171dcb64e6d"
+      url: "https://pub.dev"
+    source: hosted
+    version: "1.1.1"
+  logging_appenders:
+    dependency: transitive
+    description:
+      name: logging_appenders
+      sha256: c2ea00fb779a81e995943f1e3e6e6969d463de3882d134d78ad58e76f2b6f1b1
+      url: "https://pub.dev"
+    source: hosted
+    version: "1.0.2"
+  markdown:
+    dependency: transitive
+    description:
+      name: markdown
+      sha256: acf35edccc0463a9d7384e437c015a3535772e09714cf60e07eeef3a15870dcd
+      url: "https://pub.dev"
+    source: hosted
+    version: "7.1.1"
+  matcher:
+    dependency: transitive
+    description:
+      name: matcher
+      sha256: "1803e76e6653768d64ed8ff2e1e67bea3ad4b923eb5c56a295c3e634bad5960e"
+      url: "https://pub.dev"
+    source: hosted
+    version: "0.12.16"
+  material_color_utilities:
+    dependency: transitive
+    description:
+      name: material_color_utilities
+      sha256: "9528f2f296073ff54cb9fee677df673ace1218163c3bc7628093e7eed5203d41"
+      url: "https://pub.dev"
+    source: hosted
+    version: "0.5.0"
+  melos:
+    dependency: "direct dev"
+    description:
+      name: melos
+      sha256: "3f22f6cc629d72acf3acc8a7f8563384550290fa30790efa328c9cf606aa17d7"
+      url: "https://pub.dev"
+    source: hosted
+    version: "3.1.1"
+  meta:
+    dependency: "direct main"
+    description:
+      name: meta
+      sha256: "3c74dbf8763d36539f114c799d8a2d87343b5067e9d796ca22b5eb8437090ee3"
+      url: "https://pub.dev"
+    source: hosted
+    version: "1.9.1"
+  mime:
+    dependency: transitive
+    description:
+      name: mime
+      sha256: e4ff8e8564c03f255408decd16e7899da1733852a9110a58fe6d1b817684a63e
+      url: "https://pub.dev"
+    source: hosted
+    version: "1.0.4"
+  mockito:
+    dependency: "direct dev"
+    description:
+      name: mockito
+      sha256: "7d5b53bcd556c1bc7ffbe4e4d5a19c3e112b7e925e9e172dd7c6ad0630812616"
+      url: "https://pub.dev"
+    source: hosted
+    version: "5.4.2"
+  mustache_template:
+    dependency: transitive
+    description:
+      name: mustache_template
+      sha256: a46e26f91445bfb0b60519be280555b06792460b27b19e2b19ad5b9740df5d1c
+      url: "https://pub.dev"
+    source: hosted
+    version: "2.0.0"
+  nested:
+    dependency: transitive
+    description:
+      name: nested
+      sha256: "03bac4c528c64c95c722ec99280375a6f2fc708eec17c7b3f07253b626cd2a20"
+      url: "https://pub.dev"
+    source: hosted
+    version: "1.0.0"
+  package_config:
+    dependency: transitive
+    description:
+      name: package_config
+      sha256: "1c5b77ccc91e4823a5af61ee74e6b972db1ef98c2ff5a18d3161c982a55448bd"
+      url: "https://pub.dev"
+    source: hosted
+    version: "2.1.0"
+  path:
+    dependency: "direct main"
+    description:
+      name: path
+      sha256: "8829d8a55c13fc0e37127c29fedf290c102f4e40ae94ada574091fe0ff96c917"
+      url: "https://pub.dev"
+    source: hosted
+    version: "1.8.3"
+  path_parsing:
+    dependency: transitive
+    description:
+      name: path_parsing
+      sha256: e3e67b1629e6f7e8100b367d3db6ba6af4b1f0bb80f64db18ef1fbabd2fa9ccf
+      url: "https://pub.dev"
+    source: hosted
+    version: "1.0.1"
+  petitparser:
+    dependency: transitive
+    description:
+      name: petitparser
+      sha256: cb3798bef7fc021ac45b308f4b51208a152792445cce0448c9a4ba5879dd8750
+      url: "https://pub.dev"
+    source: hosted
+    version: "5.4.0"
+  platform:
+    dependency: transitive
+    description:
+      name: platform
+      sha256: "4a451831508d7d6ca779f7ac6e212b4023dd5a7d08a27a63da33756410e32b76"
+      url: "https://pub.dev"
+    source: hosted
+    version: "3.1.0"
+  plugin_platform_interface:
+    dependency: transitive
+    description:
+      name: plugin_platform_interface
+      sha256: "43798d895c929056255600343db8f049921cbec94d31ec87f1dc5c16c01935dd"
+      url: "https://pub.dev"
+    source: hosted
+    version: "2.1.5"
+  pool:
+    dependency: transitive
+    description:
+      name: pool
+      sha256: "20fe868b6314b322ea036ba325e6fc0711a22948856475e2c2b6306e8ab39c2a"
+      url: "https://pub.dev"
+    source: hosted
+    version: "1.5.1"
+  process:
+    dependency: transitive
+    description:
+      name: process
+      sha256: "53fd8db9cec1d37b0574e12f07520d582019cb6c44abf5479a01505099a34a09"
+      url: "https://pub.dev"
+    source: hosted
+    version: "4.2.4"
+  prompts:
+    dependency: transitive
+    description:
+      name: prompts
+      sha256: "3773b845e85a849f01e793c4fc18a45d52d7783b4cb6c0569fad19f9d0a774a1"
+      url: "https://pub.dev"
+    source: hosted
+    version: "2.0.0"
+  provider:
+    dependency: "direct main"
+    description:
+      name: provider
+      sha256: cdbe7530b12ecd9eb455bdaa2fcb8d4dad22e80b8afb4798b41479d5ce26847f
+      url: "https://pub.dev"
+    source: hosted
+    version: "6.0.5"
+  pub_semver:
+    dependency: transitive
+    description:
+      name: pub_semver
+      sha256: "40d3ab1bbd474c4c2328c91e3a7df8c6dd629b79ece4c4bd04bee496a224fb0c"
+      url: "https://pub.dev"
+    source: hosted
+    version: "2.1.4"
+  pub_updater:
+    dependency: transitive
+    description:
+      name: pub_updater
+      sha256: b06600619c8c219065a548f8f7c192b3e080beff95488ed692780f48f69c0625
+      url: "https://pub.dev"
+    source: hosted
+    version: "0.3.1"
+  pubspec:
+    dependency: transitive
+    description:
+      name: pubspec
+      sha256: f534a50a2b4d48dc3bc0ec147c8bd7c304280fff23b153f3f11803c4d49d927e
+      url: "https://pub.dev"
+    source: hosted
+    version: "2.3.0"
+  pubspec_parse:
+    dependency: transitive
+    description:
+      name: pubspec_parse
+      sha256: c63b2876e58e194e4b0828fcb080ad0e06d051cb607a6be51a9e084f47cb9367
+      url: "https://pub.dev"
+    source: hosted
+    version: "1.2.3"
+  quiver:
+    dependency: transitive
+    description:
+      name: quiver
+      sha256: b1c1ac5ce6688d77f65f3375a9abb9319b3cb32486bdc7a1e0fdf004d7ba4e47
+      url: "https://pub.dev"
+    source: hosted
+    version: "3.2.1"
+  safe_change_notifier:
+    dependency: "direct main"
+    description:
+      name: safe_change_notifier
+      sha256: e69034655ea33aa7dce3c5bb33cf12fc7c07a0ce7d59b7291fd030b70d059570
+      url: "https://pub.dev"
+    source: hosted
+    version: "0.2.0"
+  screen_retriever:
+    dependency: transitive
+    description:
+      name: screen_retriever
+      sha256: "6ee02c8a1158e6dae7ca430da79436e3b1c9563c8cf02f524af997c201ac2b90"
+      url: "https://pub.dev"
+    source: hosted
+    version: "0.1.9"
+  shelf:
+    dependency: transitive
+    description:
+      name: shelf
+      sha256: ad29c505aee705f41a4d8963641f91ac4cee3c8fad5947e033390a7bd8180fa4
+      url: "https://pub.dev"
+    source: hosted
+    version: "1.4.1"
+  shelf_web_socket:
+    dependency: transitive
+    description:
+      name: shelf_web_socket
+      sha256: "9ca081be41c60190ebcb4766b2486a7d50261db7bd0f5d9615f2d653637a84c1"
+      url: "https://pub.dev"
+    source: hosted
+    version: "1.0.4"
+  sky_engine:
+    dependency: transitive
+    description: flutter
+    source: sdk
+    version: "0.0.99"
+  source_gen:
+    dependency: transitive
+    description:
+      name: source_gen
+      sha256: fc0da689e5302edb6177fdd964efcb7f58912f43c28c2047a808f5bfff643d16
+      url: "https://pub.dev"
+    source: hosted
+    version: "1.4.0"
+  source_span:
+    dependency: transitive
+    description:
+      name: source_span
+      sha256: "53e943d4206a5e30df338fd4c6e7a077e02254531b138a15aec3bd143c1a8b3c"
+      url: "https://pub.dev"
+    source: hosted
+    version: "1.10.0"
+  stack_trace:
+    dependency: transitive
+    description:
+      name: stack_trace
+      sha256: c3c7d8edb15bee7f0f74debd4b9c5f3c2ea86766fe4178eb2a18eb30a0bdaed5
+      url: "https://pub.dev"
+    source: hosted
+    version: "1.11.0"
+  stream_channel:
+    dependency: transitive
+    description:
+      name: stream_channel
+      sha256: "83615bee9045c1d322bbbd1ba209b7a749c2cbcdcb3fdd1df8eb488b3279c1c8"
+      url: "https://pub.dev"
+    source: hosted
+    version: "2.1.1"
+  stream_transform:
+    dependency: transitive
+    description:
+      name: stream_transform
+      sha256: "14a00e794c7c11aa145a170587321aedce29769c08d7f58b1d141da75e3b1c6f"
+      url: "https://pub.dev"
+    source: hosted
+    version: "2.1.0"
+  string_scanner:
+    dependency: transitive
+    description:
+      name: string_scanner
+      sha256: "556692adab6cfa87322a115640c11f13cb77b3f076ddcc5d6ae3c20242bedcde"
+      url: "https://pub.dev"
+    source: hosted
+    version: "1.2.0"
+  sync_http:
+    dependency: transitive
+    description:
+      name: sync_http
+      sha256: "7f0cd72eca000d2e026bcd6f990b81d0ca06022ef4e32fb257b30d3d1014a961"
+      url: "https://pub.dev"
+    source: hosted
+    version: "0.3.1"
+  term_glyph:
+    dependency: transitive
+    description:
+      name: term_glyph
+      sha256: a29248a84fbb7c79282b40b8c72a1209db169a2e0542bce341da992fe1bc7e84
+      url: "https://pub.dev"
+    source: hosted
+    version: "1.2.1"
+  test_api:
+    dependency: "direct overridden"
+    description:
+      name: test_api
+      sha256: "5c2f730018264d276c20e4f1503fd1308dfbbae39ec8ee63c5236311ac06954b"
+      url: "https://pub.dev"
+    source: hosted
+    version: "0.6.1"
+  timing:
+    dependency: transitive
+    description:
+      name: timing
+      sha256: "70a3b636575d4163c477e6de42f247a23b315ae20e86442bebe32d3cabf61c32"
+      url: "https://pub.dev"
+    source: hosted
+    version: "1.0.1"
+  typed_data:
+    dependency: transitive
+    description:
+      name: typed_data
+      sha256: facc8d6582f16042dd49f2463ff1bd6e2c9ef9f3d5da3d9b087e244a7b564b3c
+      url: "https://pub.dev"
+    source: hosted
+    version: "1.3.2"
+  ubuntu_localizations:
+    dependency: transitive
+    description:
+      name: ubuntu_localizations
+      sha256: a75e87b9f1c3dc678f69a943eb4cee8ccbd5b0db64d491750325950e311adab0
+      url: "https://pub.dev"
+    source: hosted
+    version: "0.3.4"
+  ubuntu_logger:
+    dependency: "direct main"
+    description:
+      name: ubuntu_logger
+      sha256: f6d663e5b9c33e90a7a77a2f15b7f76e90be1dd98a94b6640d7bd74db262060f
+      url: "https://pub.dev"
+    source: hosted
+    version: "0.0.3"
+  ubuntu_service:
+    dependency: "direct main"
+    description:
+      name: ubuntu_service
+      sha256: f6ad4dfb099af41e750c59aad00d67a96e22df00f4962d2e25d56ae3db78be49
+      url: "https://pub.dev"
+    source: hosted
+    version: "0.2.4"
+  ubuntu_session:
+    dependency: "direct main"
+    description:
+      name: ubuntu_session
+      sha256: ce79fdd31faf7982b061b2e4a1cdd0815baf3b6b976e9c16c72609749511f3a1
+      url: "https://pub.dev"
+    source: hosted
+    version: "0.0.4"
+  ubuntu_test:
+    dependency: "direct main"
+    description:
+      name: ubuntu_test
+      sha256: "2361b741808a11d95c64a50666151d536133e75cade17b8feccca1e67364be88"
+      url: "https://pub.dev"
+    source: hosted
+    version: "0.1.0-beta.6"
+  upower:
+    dependency: "direct main"
+    description:
+      name: upower
+      sha256: cf042403154751180affa1d15614db7fa50234bc2373cd21c3db666c38543ebf
+      url: "https://pub.dev"
+    source: hosted
+    version: "0.7.0"
+  uri:
+    dependency: transitive
+    description:
+      name: uri
+      sha256: "889eea21e953187c6099802b7b4cf5219ba8f3518f604a1033064d45b1b8268a"
+      url: "https://pub.dev"
+    source: hosted
+    version: "1.0.0"
+  vector_graphics:
+    dependency: transitive
+    description:
+      name: vector_graphics
+      sha256: "670f6e07aca990b4a2bcdc08a784193c4ccdd1932620244c3a86bb72a0eac67f"
+      url: "https://pub.dev"
+    source: hosted
+    version: "1.1.7"
+  vector_graphics_codec:
+    dependency: transitive
+    description:
+      name: vector_graphics_codec
+      sha256: "7451721781d967db9933b63f5733b1c4533022c0ba373a01bdd79d1a5457f69f"
+      url: "https://pub.dev"
+    source: hosted
+    version: "1.1.7"
+  vector_graphics_compiler:
+    dependency: transitive
+    description:
+      name: vector_graphics_compiler
+      sha256: "80a13c613c8bde758b1464a1755a7b3a8f2b6cec61fbf0f5a53c94c30f03ba2e"
+      url: "https://pub.dev"
+    source: hosted
+    version: "1.1.7"
+  vector_math:
+    dependency: transitive
+    description:
+      name: vector_math
+      sha256: "80b3257d1492ce4d091729e3a67a60407d227c27241d6927be0130c98e741803"
+      url: "https://pub.dev"
+    source: hosted
+    version: "2.1.4"
+  vm_service:
+    dependency: transitive
+    description:
+      name: vm_service
+      sha256: c620a6f783fa22436da68e42db7ebbf18b8c44b9a46ab911f666ff09ffd9153f
+      url: "https://pub.dev"
+    source: hosted
+    version: "11.7.1"
+  watcher:
+    dependency: transitive
+    description:
+      name: watcher
+      sha256: "3d2ad6751b3c16cf07c7fca317a1413b3f26530319181b37e3b9039b84fc01d8"
+      url: "https://pub.dev"
+    source: hosted
+    version: "1.1.0"
+  web:
+    dependency: transitive
+    description:
+      name: web
+      sha256: dc8ccd225a2005c1be616fe02951e2e342092edf968cf0844220383757ef8f10
+      url: "https://pub.dev"
+    source: hosted
+    version: "0.1.4-beta"
+  web_socket_channel:
+    dependency: transitive
+    description:
+      name: web_socket_channel
+      sha256: d88238e5eac9a42bb43ca4e721edba3c08c6354d4a53063afaa568516217621b
+      url: "https://pub.dev"
+    source: hosted
+    version: "2.4.0"
+  webdriver:
+    dependency: transitive
+    description:
+      name: webdriver
+      sha256: "3c923e918918feeb90c4c9fdf1fe39220fa4c0e8e2c0fffaded174498ef86c49"
+      url: "https://pub.dev"
+    source: hosted
+    version: "3.0.2"
+  window_manager:
+    dependency: transitive
+    description:
+      name: window_manager
+      sha256: "6ee795be9124f90660ea9d05e581a466de19e1c89ee74fc4bf528f60c8600edd"
+      url: "https://pub.dev"
+    source: hosted
+    version: "0.3.6"
+  xml:
+    dependency: transitive
+    description:
+      name: xml
+      sha256: "5bc72e1e45e941d825fd7468b9b4cc3b9327942649aeb6fc5cdbf135f0a86e84"
+      url: "https://pub.dev"
+    source: hosted
+    version: "6.3.0"
+  yaml:
+    dependency: transitive
+    description:
+      name: yaml
+      sha256: "75769501ea3489fca56601ff33454fe45507ea3bfb014161abc3b43ae25989d5"
+      url: "https://pub.dev"
+    source: hosted
+    version: "3.1.2"
+  yaml_edit:
+    dependency: transitive
+    description:
+      name: yaml_edit
+      sha256: "1579d4a0340a83cf9e4d580ea51a16329c916973bffd5bd4b45e911b25d46bfd"
+      url: "https://pub.dev"
+    source: hosted
+    version: "2.1.1"
+  yaru:
+    dependency: "direct main"
+    description:
+      name: yaru
+      sha256: "24047f0de452784840a326874192d26cb5ebd8cf5eac7864086e5bc9272a28db"
+      url: "https://pub.dev"
+    source: hosted
+    version: "1.1.0"
+  yaru_color_generator:
+    dependency: transitive
+    description:
+      name: yaru_color_generator
+      sha256: "78b96cefc4eef763e4786f891ce336cdd55ef8edc55494c4bea2bc9d10ef9c96"
+      url: "https://pub.dev"
+    source: hosted
+    version: "0.1.0"
+  yaru_colors:
+    dependency: "direct main"
+    description:
+      name: yaru_colors
+      sha256: "42814cafa3c4a6876962559ae9d8b9ff088a59635e649e4eae86d35905496063"
+      url: "https://pub.dev"
+    source: hosted
+    version: "0.1.7"
+  yaru_icons:
+    dependency: "direct main"
+    description:
+      name: yaru_icons
+      sha256: cbb0b5945f407116fd8a1fbe7265e7ffa0d568249d496343a69cb5c55360bba1
+      url: "https://pub.dev"
+    source: hosted
+    version: "2.2.1"
+  yaru_test:
+    dependency: transitive
+    description:
+      name: yaru_test
+      sha256: "9396269fbe026bb9c398b9d4308c76982090ddeca102e4846bd4ba595333ff0a"
+      url: "https://pub.dev"
+    source: hosted
+    version: "0.1.4"
+  yaru_widgets:
+    dependency: "direct main"
+    description:
+      name: yaru_widgets
+      sha256: "482a71ef5566c6cb4135272f0041bf8a9c35729bf9079b0d304eedfa2fa0cc0c"
+      url: "https://pub.dev"
+    source: hosted
+    version: "3.1.0"
+  yaru_window:
+    dependency: transitive
+    description:
+      name: yaru_window
+      sha256: "55c8f039d13aaa1b211a8cf0b7731ae2fdcac9b1be1e0994eb14ad1d17fecaf7"
+      url: "https://pub.dev"
+    source: hosted
+    version: "0.1.3"
+  yaru_window_linux:
+    dependency: transitive
+    description:
+      name: yaru_window_linux
+      sha256: c45606cf75880ae6427bbe176dc5313356f16c876c7013a19aeee782882c40c2
+      url: "https://pub.dev"
+    source: hosted
+    version: "0.1.3"
+  yaru_window_manager:
+    dependency: transitive
+    description:
+      name: yaru_window_manager
+      sha256: "2d358263d19ae6598df21d6d8c0d25e75c79a82f459b63b0013a13e395c48b23"
+      url: "https://pub.dev"
+    source: hosted
+    version: "0.1.2"
+  yaru_window_platform_interface:
+    dependency: transitive
+    description:
+      name: yaru_window_platform_interface
+      sha256: e9f8cd34e207d7f7b771ae70dee347ed974cee06b981819c4181b3e474e52254
+      url: "https://pub.dev"
+    source: hosted
+    version: "0.1.2"
+  yaru_window_web:
+    dependency: transitive
+    description:
+      name: yaru_window_web
+      sha256: "3ff30758a330d7626d54643df0cca6c179782f401aba7752da9cc0d60c9a6f74"
+      url: "https://pub.dev"
+    source: hosted
+    version: "0.0.3"
+sdks:
+  dart: ">=3.1.0-185.0.dev <4.0.0"
+  flutter: ">=3.10.0"
diff --git a/nixpkgs/pkgs/os-specific/linux/firmware/fwupd-efi/default.nix b/nixpkgs/pkgs/os-specific/linux/firmware/fwupd-efi/default.nix
new file mode 100644
index 000000000000..a8adefc63468
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/firmware/fwupd-efi/default.nix
@@ -0,0 +1,56 @@
+{ lib
+, stdenv
+, fetchurl
+, fetchFromGitHub
+, substituteAll
+, pkg-config
+, meson
+, ninja
+, gnu-efi
+, python3
+}:
+
+stdenv.mkDerivation rec {
+  pname = "fwupd-efi";
+  version = "1.3";
+
+  src = fetchurl {
+    url = "https://people.freedesktop.org/~hughsient/releases/${pname}-${version}.tar.xz";
+    sha256 = "sha256-1Ys04TwhWYZ8ORJgr04kGO6/lI1I36sC6kcrVoP/r1k=";
+  };
+
+  nativeBuildInputs = [
+    meson
+    ninja
+    pkg-config
+    python3
+  ];
+
+  buildInputs = [
+    gnu-efi
+  ];
+
+  postPatch = ''
+    patchShebangs \
+      efi/generate_binary.py \
+      efi/generate_sbat.py
+  '';
+
+  mesonFlags = [
+    "-Defi-includedir=${gnu-efi}/include/efi"
+    "-Defi-libdir=${gnu-efi}/lib"
+    "-Defi-ldsdir=${gnu-efi}/lib"
+    "-Defi_sbat_distro_id=nixos"
+    "-Defi_sbat_distro_summary=NixOS"
+    "-Defi_sbat_distro_pkgname=${pname}"
+    "-Defi_sbat_distro_version=${version}"
+    "-Defi_sbat_distro_url=https://search.nixos.org/packages?channel=unstable&show=fwupd-efi&from=0&size=50&sort=relevance&query=fwupd-efi"
+  ];
+
+  meta = with lib; {
+    homepage = "https://fwupd.org/";
+    maintainers = with maintainers; [ amaxine ];
+    license = licenses.lgpl21Plus;
+    platforms = platforms.linux;
+  };
+}
diff --git a/nixpkgs/pkgs/os-specific/linux/firmware/fwupd/add-option-for-installation-sysconfdir.patch b/nixpkgs/pkgs/os-specific/linux/firmware/fwupd/add-option-for-installation-sysconfdir.patch
new file mode 100644
index 000000000000..4e95ccea8dc1
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/firmware/fwupd/add-option-for-installation-sysconfdir.patch
@@ -0,0 +1,138 @@
+diff --git a/data/bios-settings.d/meson.build b/data/bios-settings.d/meson.build
+index b0ff5b106..13ac380d0 100644
+--- a/data/bios-settings.d/meson.build
++++ b/data/bios-settings.d/meson.build
+@@ -1,5 +1,5 @@
+ if build_standalone and host_machine.system() == 'linux'
+ install_data('README.md',
+-  install_dir: join_paths(sysconfdir, 'fwupd', 'bios-settings.d')
++  install_dir: join_paths(sysconfdir_install, 'fwupd', 'bios-settings.d')
+ )
+ endif
+diff --git a/data/meson.build b/data/meson.build
+index e13da4adf..6858c240f 100644
+--- a/data/meson.build
++++ b/data/meson.build
+@@ -26,7 +26,7 @@ endif
+
+ if build_standalone
+   install_data(['fwupd.conf'],
+-    install_dir: join_paths(sysconfdir, 'fwupd'),
++    install_dir: join_paths(sysconfdir_install, 'fwupd'),
+     install_mode: 'rw-r-----',
+   )
+   plugin_quirks += files([
+diff --git a/data/pki/meson.build b/data/pki/meson.build
+index 3649fecea..c3462744b 100644
+--- a/data/pki/meson.build
++++ b/data/pki/meson.build
+@@ -12,13 +12,13 @@ install_data([
+     'GPG-KEY-Linux-Foundation-Firmware',
+     'GPG-KEY-Linux-Vendor-Firmware-Service',
+   ],
+-  install_dir: join_paths(sysconfdir, 'pki', 'fwupd')
++  install_dir: join_paths(sysconfdir_install, 'pki', 'fwupd')
+ )
+ install_data([
+     'GPG-KEY-Linux-Foundation-Metadata',
+     'GPG-KEY-Linux-Vendor-Firmware-Service',
+   ],
+-  install_dir: join_paths(sysconfdir, 'pki', 'fwupd-metadata')
++  install_dir: join_paths(sysconfdir_install, 'pki', 'fwupd-metadata')
+ )
+ endif
+
+@@ -26,11 +26,11 @@ if supported_pkcs7
+ install_data([
+     'LVFS-CA.pem',
+   ],
+-  install_dir: join_paths(sysconfdir, 'pki', 'fwupd')
++  install_dir: join_paths(sysconfdir_install, 'pki', 'fwupd')
+ )
+ install_data([
+     'LVFS-CA.pem',
+   ],
+-  install_dir: join_paths(sysconfdir, 'pki', 'fwupd-metadata')
++  install_dir: join_paths(sysconfdir_install, 'pki', 'fwupd-metadata')
+ )
+ endif
+diff --git a/data/remotes.d/meson.build b/data/remotes.d/meson.build
+index c20a1a05e..5354bac7f 100644
+--- a/data/remotes.d/meson.build
++++ b/data/remotes.d/meson.build
+@@ -15,14 +15,14 @@ if build_standalone and get_option('lvfs') != 'false'
+     output: 'lvfs.conf',
+     configuration: con3,
+     install: true,
+-    install_dir: join_paths(sysconfdir, 'fwupd', 'remotes.d'),
++    install_dir: join_paths(sysconfdir_install, 'fwupd', 'remotes.d'),
+   )
+   configure_file(
+     input: 'lvfs-testing.conf',
+     output: 'lvfs-testing.conf',
+     configuration: con3,
+     install: true,
+-    install_dir: join_paths(sysconfdir, 'fwupd', 'remotes.d'),
++    install_dir: join_paths(sysconfdir_install, 'fwupd', 'remotes.d'),
+   )
+   i18n.merge_file(
+     input: 'lvfs.metainfo.xml',
+@@ -56,12 +56,12 @@ configure_file(
+   output: 'vendor.conf',
+   configuration: con2,
+   install: true,
+-  install_dir: join_paths(sysconfdir, 'fwupd', 'remotes.d'),
++  install_dir: join_paths(sysconfdir_install, 'fwupd', 'remotes.d'),
+ )
+ configure_file(
+   input: 'vendor-directory.conf',
+   output: 'vendor-directory.conf',
+   configuration: con2,
+   install: true,
+-  install_dir: join_paths(sysconfdir, 'fwupd', 'remotes.d'),
++  install_dir: join_paths(sysconfdir_install, 'fwupd', 'remotes.d'),
+ )
+diff --git a/meson.build b/meson.build
+index ca6ccdf92..0a3097d90 100644
+--- a/meson.build
++++ b/meson.build
+@@ -195,6 +195,12 @@ endif
+ mandir = join_paths(prefix, get_option('mandir'))
+ localedir = join_paths(prefix, get_option('localedir'))
+
++if get_option('sysconfdir_install') != ''
++  sysconfdir_install = join_paths(prefix, get_option('sysconfdir_install'))
++else
++  sysconfdir_install = sysconfdir
++endif
++
+ diffcmd = find_program('diff')
+ gio = dependency('gio-2.0', version: '>= 2.68.0')
+ giounix = dependency('gio-unix-2.0', version: '>= 2.68.0', required: false)
+
+diff --git a/meson_options.txt b/meson_options.txt
+index 877891126..986d0ee31 100644
+--- a/meson_options.txt
++++ b/meson_options.txt
+@@ -1,3 +1,8 @@
++option('sysconfdir_install',
++  type: 'string',
++  value: '',
++  description: 'sysconfdir to use during installation'
++)
+ option('build',
+   type: 'combo',
+   choices: [
+diff --git a/plugins/uefi-capsule/meson.build b/plugins/uefi-capsule/meson.build
+index eb196c21e..c9a29f680 100644
+--- a/plugins/uefi-capsule/meson.build
++++ b/plugins/uefi-capsule/meson.build
+@@ -20,7 +20,7 @@ if host_machine.system() == 'linux'
+     output: '35_fwupd',
+     configuration: con2,
+     install: true,
+-    install_dir: join_paths(sysconfdir, 'grub.d')
++    install_dir: join_paths(sysconfdir_install, 'grub.d')
+   )
+ elif host_machine.system() == 'freebsd'
+   backend_srcs += 'fu-uefi-backend-freebsd.c'
diff --git a/nixpkgs/pkgs/os-specific/linux/firmware/fwupd/default.nix b/nixpkgs/pkgs/os-specific/linux/firmware/fwupd/default.nix
new file mode 100644
index 000000000000..f4914d843272
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/firmware/fwupd/default.nix
@@ -0,0 +1,400 @@
+# Updating? Keep $out/etc synchronized with passthru keys
+
+{ stdenv
+, lib
+, fetchFromGitHub
+, gi-docgen
+, pkg-config
+, gobject-introspection
+, gettext
+, libgudev
+, libdrm
+, polkit
+, libxmlb
+, glib
+, gusb
+, sqlite
+, libarchive
+, libredirect
+, curl
+, libjcat
+, elfutils
+, efivar
+, valgrind
+, meson
+, libuuid
+, colord
+, ninja
+, gnutls
+, protobufc
+, python3
+, wrapGAppsNoGuiHook
+, ensureNewerSourcesForZipFilesHook
+, json-glib
+, bash-completion
+, shared-mime-info
+, umockdev
+, vala
+, makeFontsConf
+, freefont_ttf
+, pango
+, tpm2-tss
+, bubblewrap
+, efibootmgr
+, flashrom
+, tpm2-tools
+, fwupd-efi
+, nixosTests
+, runCommand
+, unstableGitUpdater
+, modemmanager
+, libqmi
+, libmbim
+, libcbor
+, xz
+, enableFlashrom ? false
+, enablePassim ? false
+}:
+
+let
+  python = python3.withPackages (p: with p; [
+    jinja2
+    pygobject3
+    setuptools
+  ]);
+
+  isx86 = stdenv.hostPlatform.isx86;
+
+  # Dell isn't supported on Aarch64
+  haveDell = isx86;
+
+  # only redfish for x86_64
+  haveRedfish = stdenv.isx86_64;
+
+  # only use msr if x86 (requires cpuid)
+  haveMSR = isx86;
+
+  # # Currently broken on Aarch64
+  # haveFlashrom = isx86;
+  # Experimental
+  haveFlashrom = isx86 && enableFlashrom;
+
+  runPythonCommand =
+    name:
+    buildCommandPython:
+
+    runCommand
+      name
+      {
+        nativeBuildInputs = [ python3 ];
+        inherit buildCommandPython;
+      }
+      ''
+        exec python3 -c "$buildCommandPython"
+      '';
+
+  test-firmware =
+    let
+      version = "unstable-2022-04-02";
+      src = fetchFromGitHub {
+        name = "fwupd-test-firmware-${version}";
+        owner = "fwupd";
+        repo = "fwupd-test-firmware";
+        rev = "39954e434d63e20e85870dd1074818f48a0c08b7";
+        hash = "sha256-d4qG3fKyxkfN91AplRYqARFz+aRr+R37BpE450bPxi0=";
+        passthru = {
+          inherit src version; # For update script
+          updateScript = unstableGitUpdater {
+            url = "${test-firmware.meta.homepage}.git";
+          };
+        };
+      };
+    in
+    src // {
+      meta = src.meta // {
+        # For update script
+        position =
+          let
+            pos = builtins.unsafeGetAttrPos "updateScript" test-firmware;
+          in
+          pos.file + ":" + toString pos.line;
+      };
+    };
+in
+stdenv.mkDerivation (finalAttrs: {
+  pname = "fwupd";
+  version = "1.9.7";
+
+  # libfwupd goes to lib
+  # daemon, plug-ins and libfwupdplugin go to out
+  # CLI programs go to out
+  outputs = [ "out" "lib" "dev" "devdoc" "man" "installedTests" ];
+
+  src = fetchFromGitHub {
+    owner = "fwupd";
+    repo = "fwupd";
+    rev = finalAttrs.version;
+    hash = "sha256-NhVCIjkwoTZptctIrkU9HgXzjr+KCUZfEKcjoYgAEdM=";
+  };
+
+  patches = [
+    # Since /etc is the domain of NixOS, not Nix,
+    # we cannot install files there.
+    # Let’s install the files to $prefix/etc
+    # while still reading them from /etc.
+    # NixOS module for fwupd will take take care of copying the files appropriately.
+    ./add-option-for-installation-sysconfdir.patch
+
+    # Install plug-ins and libfwupdplugin to $out output,
+    # they are not really part of the library.
+    ./install-fwupdplugin-to-out.patch
+
+    # Installed tests are installed to different output
+    # we also cannot have fwupd-tests.conf in $out/etc since it would form a cycle.
+    ./installed-tests-path.patch
+
+    # EFI capsule is located in fwupd-efi now.
+    ./efi-app-path.patch
+  ];
+
+  nativeBuildInputs = [
+    # required for firmware zipping
+    ensureNewerSourcesForZipFilesHook
+    meson
+    ninja
+    gi-docgen
+    pkg-config
+    gobject-introspection
+    gettext
+    shared-mime-info
+    valgrind
+    gnutls
+    protobufc # for protoc
+    python
+    wrapGAppsNoGuiHook
+    vala
+  ];
+
+  buildInputs = [
+    polkit
+    libxmlb
+    gusb
+    sqlite
+    libarchive
+    libdrm
+    curl
+    elfutils
+    libgudev
+    colord
+    libjcat
+    libuuid
+    json-glib
+    umockdev
+    bash-completion
+    pango
+    tpm2-tss
+    efivar
+    fwupd-efi
+    protobufc
+    modemmanager
+    libmbim
+    libcbor
+    libqmi
+    xz # for liblzma
+  ] ++ lib.optionals haveFlashrom [
+    flashrom
+  ];
+
+  mesonFlags = [
+    "-Ddocs=enabled"
+    "-Dplugin_dummy=true"
+    # We are building the official releases.
+    "-Dsupported_build=enabled"
+    "-Dlaunchd=disabled"
+    "-Dudevdir=lib/udev"
+    "-Dsystemd_root_prefix=${placeholder "out"}"
+    "-Dinstalled_test_prefix=${placeholder "installedTests"}"
+    "--localstatedir=/var"
+    "--sysconfdir=/etc"
+    "-Dsysconfdir_install=${placeholder "out"}/etc"
+    "-Defi_os_dir=nixos"
+    "-Dplugin_modem_manager=enabled"
+    # We do not want to place the daemon into lib (cyclic reference)
+    "--libexecdir=${placeholder "out"}/libexec"
+  ] ++ lib.optionals (!enablePassim) [
+    "-Dpassim=disabled"
+  ] ++ lib.optionals (!haveDell) [
+    "-Dplugin_synaptics_mst=disabled"
+  ] ++ lib.optionals (!haveRedfish) [
+    "-Dplugin_redfish=disabled"
+  ] ++ lib.optionals (!haveFlashrom) [
+    "-Dplugin_flashrom=disabled"
+  ] ++ lib.optionals (!haveMSR) [
+    "-Dplugin_msr=disabled"
+  ];
+
+  # TODO: wrapGAppsHook wraps efi capsule even though it is not ELF
+  dontWrapGApps = true;
+
+  doCheck = true;
+
+  # Environment variables
+
+  # Fontconfig error: Cannot load default config file
+  FONTCONFIG_FILE =
+    let
+      fontsConf = makeFontsConf {
+        fontDirectories = [ freefont_ttf ];
+      };
+    in
+    fontsConf;
+
+  # error: “PolicyKit files are missing”
+  # https://github.com/NixOS/nixpkgs/pull/67625#issuecomment-525788428
+  PKG_CONFIG_POLKIT_GOBJECT_1_ACTIONDIR = "/run/current-system/sw/share/polkit-1/actions";
+
+  # Phase hooks
+
+  postPatch = ''
+    patchShebangs \
+      contrib/generate-version-script.py \
+      contrib/generate-man.py \
+      po/test-deps
+
+    substituteInPlace data/installed-tests/fwupdmgr-p2p.sh \
+      --replace "gdbus" ${glib.bin}/bin/gdbus
+
+    # tests fail with: Failed to load SMBIOS: neither SMBIOS or DT found
+    sed -i 's/test(.*)//' plugins/lenovo-thinklmi/meson.build
+    sed -i 's/test(.*)//' plugins/mtd/meson.build
+    # fails on amd cpu
+    sed -i 's/test(.*)//' libfwupdplugin/meson.build
+    # in nixos test tries to chmod 0777 $out/share/installed-tests/fwupd/tests/redfish.conf
+    sed -i "s/get_option('tests')/false/" plugins/redfish/meson.build
+
+    # Device tests use device emulation and need to download emulation data from
+    # the internet, which does not work on our test VMs.
+    # It's probably better to disable these tests for NixOS by setting
+    # the device-tests directory to /dev/null.
+    # For more info on device emulation, see:
+    #   https://github.com/fwupd/fwupd/blob/eeeac4e9ba8a6513428b456a551bffd95d533e50/docs/device-emulation.md
+    substituteInPlace data/installed-tests/meson.build \
+      --replace "join_paths(datadir, 'fwupd', 'device-tests')" "'/dev/null'"
+  '';
+
+  preBuild = ''
+    # jcat-tool at buildtime requires a home directory
+    export HOME="$(mktemp -d)"
+  '';
+
+  preCheck = ''
+    addToSearchPath XDG_DATA_DIRS "${shared-mime-info}/share"
+
+    echo "12345678901234567890123456789012" > machine-id
+    export NIX_REDIRECTS=/etc/machine-id=$(realpath machine-id) \
+    LD_PRELOAD=${libredirect}/lib/libredirect.so
+  '';
+
+  postInstall = ''
+    # These files have weird licenses so they are shipped separately.
+    cp --recursive --dereference "${test-firmware}/installed-tests/tests" "$installedTests/libexec/installed-tests/fwupd"
+  '';
+
+  preFixup =
+    let
+      binPath = [
+        efibootmgr
+        bubblewrap
+        tpm2-tools
+      ];
+    in
+    ''
+      gappsWrapperArgs+=(
+        --prefix XDG_DATA_DIRS : "${shared-mime-info}/share"
+        # See programs reached with fu_common_find_program_in_path in source
+        --prefix PATH : "${lib.makeBinPath binPath}"
+      )
+    '';
+
+  postFixup = ''
+    # Since we had to disable wrapGAppsHook, we need to wrap the executables manually.
+    find -L "$out/bin" "$out/libexec" -type f -executable -print0 \
+      | while IFS= read -r -d ''' file; do
+      if [[ "$file" != *.efi ]]; then
+        echo "Wrapping program $file"
+        wrapGApp "$file"
+      fi
+    done
+
+    # Cannot be in postInstall, otherwise _multioutDocs hook in preFixup will move right back.
+    moveToOutput "share/doc" "$devdoc"
+  '';
+
+  separateDebugInfo = true;
+
+  passthru = {
+    filesInstalledToEtc = [
+      "fwupd/bios-settings.d/README.md"
+      "fwupd/fwupd.conf"
+      "fwupd/remotes.d/lvfs-testing.conf"
+      "fwupd/remotes.d/lvfs.conf"
+      "fwupd/remotes.d/vendor.conf"
+      "fwupd/remotes.d/vendor-directory.conf"
+      "pki/fwupd/GPG-KEY-Linux-Foundation-Firmware"
+      "pki/fwupd/GPG-KEY-Linux-Vendor-Firmware-Service"
+      "pki/fwupd/LVFS-CA.pem"
+      "pki/fwupd-metadata/GPG-KEY-Linux-Foundation-Metadata"
+      "pki/fwupd-metadata/GPG-KEY-Linux-Vendor-Firmware-Service"
+      "pki/fwupd-metadata/LVFS-CA.pem"
+      "grub.d/35_fwupd"
+    ];
+
+    # DisabledPlugins key in fwupd/daemon.conf
+    defaultDisabledPlugins = [
+      "test"
+      "test_ble"
+    ];
+
+    # For updating.
+    inherit test-firmware;
+
+    # For downstream consumers that need the fwupd-efi this was built with.
+    inherit fwupd-efi;
+
+    tests =
+      let
+        listToPy = list: "[${lib.concatMapStringsSep ", " (f: "'${f}'") list}]";
+      in
+      {
+        installedTests = nixosTests.installed-tests.fwupd;
+
+        passthruMatches = runPythonCommand "fwupd-test-passthru-matches" ''
+          import itertools
+          import configparser
+          import os
+          import pathlib
+
+          etc = '${finalAttrs.finalPackage}/etc'
+          package_etc = set(itertools.chain.from_iterable([[os.path.relpath(os.path.join(prefix, file), etc) for file in files] for (prefix, dirs, files) in os.walk(etc)]))
+          passthru_etc = set(${listToPy finalAttrs.passthru.filesInstalledToEtc})
+          assert len(package_etc - passthru_etc) == 0, f'fwupd package contains the following paths in /etc that are not listed in passthru.filesInstalledToEtc: {package_etc - passthru_etc}'
+          assert len(passthru_etc - package_etc) == 0, f'fwupd package lists the following paths in passthru.filesInstalledToEtc that are not contained in /etc: {passthru_etc - package_etc}'
+
+          config = configparser.RawConfigParser()
+          config.read('${finalAttrs.finalPackage}/etc/fwupd/fwupd.conf')
+          package_disabled_plugins = config.get('fwupd', 'DisabledPlugins').rstrip(';').split(';')
+          passthru_disabled_plugins = ${listToPy finalAttrs.passthru.defaultDisabledPlugins}
+          assert package_disabled_plugins == passthru_disabled_plugins, f'Default disabled plug-ins in the package {package_disabled_plugins} do not match those listed in passthru.defaultDisabledPlugins {passthru_disabled_plugins}'
+
+          pathlib.Path(os.getenv('out')).touch()
+        '';
+      };
+  };
+
+  meta = with lib; {
+    homepage = "https://fwupd.org/";
+    maintainers = with maintainers; [ rvdp ];
+    license = licenses.lgpl21Plus;
+    platforms = platforms.linux;
+  };
+})
diff --git a/nixpkgs/pkgs/os-specific/linux/firmware/fwupd/efi-app-path.patch b/nixpkgs/pkgs/os-specific/linux/firmware/fwupd/efi-app-path.patch
new file mode 100644
index 000000000000..f9e65a10e657
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/firmware/fwupd/efi-app-path.patch
@@ -0,0 +1,13 @@
+diff --git a/meson.build b/meson.build
+index b18108c74..7e674b4d2 100644
+--- a/meson.build
++++ b/meson.build
+@@ -404,7 +404,7 @@ endif
+
+ # EFI
+ if build_standalone
+-  efi_app_location = join_paths(libexecdir, 'fwupd', 'efi')
++  efi_app_location = join_paths(dependency('fwupd-efi').get_variable(pkgconfig: 'prefix'), 'libexec', 'fwupd', 'efi')
+   conf.set_quoted('EFI_APP_LOCATION', efi_app_location)
+   if host_cpu == 'x86'
+     EFI_MACHINE_TYPE_NAME = 'ia32'
diff --git a/nixpkgs/pkgs/os-specific/linux/firmware/fwupd/install-fwupdplugin-to-out.patch b/nixpkgs/pkgs/os-specific/linux/firmware/fwupd/install-fwupdplugin-to-out.patch
new file mode 100644
index 000000000000..e6269ae840bb
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/firmware/fwupd/install-fwupdplugin-to-out.patch
@@ -0,0 +1,14 @@
+diff --git a/meson.build b/meson.build
+index 9ae278b66..7cddf1a0d 100644
+--- a/meson.build
++++ b/meson.build
+@@ -507,7 +507,7 @@ if build_standalone
+ if host_machine.system() == 'windows'
+   libdir_pkg = 'fwupd-@0@'.format(fwupd_version)
+ else
+-  libdir_pkg = join_paths(libdir, 'fwupd-@0@'.format(fwupd_version))
++  libdir_pkg = join_paths(prefix, 'lib', 'fwupd-@0@'.format(fwupd_version))
+ endif
+ conf.set_quoted('FWUPD_LIBDIR_PKG', libdir_pkg)
+ endif
+
diff --git a/nixpkgs/pkgs/os-specific/linux/firmware/fwupd/installed-tests-path.patch b/nixpkgs/pkgs/os-specific/linux/firmware/fwupd/installed-tests-path.patch
new file mode 100644
index 000000000000..2954f89e14c3
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/firmware/fwupd/installed-tests-path.patch
@@ -0,0 +1,49 @@
+diff --git a/data/installed-tests/meson.build b/data/installed-tests/meson.build
+index dfce86b1c..5e34c4fa6 100644
+--- a/data/installed-tests/meson.build
++++ b/data/installed-tests/meson.build
+@@ -86,5 +86,5 @@ configure_file(
+   output: 'fwupd-tests.conf',
+   configuration: con2,
+   install: true,
+-  install_dir: join_paths(sysconfdir, 'fwupd', 'remotes.d'),
++  install_dir: join_paths(get_option('installed_test_prefix'), 'etc', 'fwupd', 'remotes.d'),
+ )
+diff --git a/meson.build b/meson.build
+index ca6ccdf92..36b1b47b0 100644
+--- a/meson.build
++++ b/meson.build
+@@ -188,8 +188,8 @@ else
+   datadir = join_paths(prefix, get_option('datadir'))
+   sysconfdir = join_paths(prefix, get_option('sysconfdir'))
+   localstatedir = join_paths(prefix, get_option('localstatedir'))
+-  installed_test_bindir = join_paths(libexecdir, 'installed-tests', meson.project_name())
+-  installed_test_datadir = join_paths(datadir, 'installed-tests', meson.project_name())
++  installed_test_bindir = join_paths(get_option('installed_test_prefix'), 'libexec', 'installed-tests', meson.project_name())
++  installed_test_datadir = join_paths(get_option('installed_test_prefix'), 'share', 'installed-tests', meson.project_name())
+   daemon_dir = join_paths(libexecdir, 'fwupd')
+ endif
+ mandir = join_paths(prefix, get_option('mandir'))
+@@ -497,6 +497,7 @@ gnome = import('gnome')
+ i18n = import('i18n')
+ 
+ conf.set_quoted('FWUPD_PREFIX', prefix)
++conf.set_quoted('FWUPD_INSTALLED_TEST_PREFIX', get_option('installed_test_prefix'))
+ conf.set_quoted('FWUPD_BINDIR', bindir)
+ conf.set_quoted('FWUPD_LIBDIR', libdir)
+ conf.set_quoted('FWUPD_LIBEXECDIR', libexecdir)
+diff --git a/meson_options.txt b/meson_options.txt
+index 877891126..bfc5d1afd 100644
+--- a/meson_options.txt
++++ b/meson_options.txt
+@@ -452,6 +452,10 @@ option('elogind',
+     'false': 'disabled',
+   },
+ )
++option('installed_test_prefix',
++  type: 'string',
++  description: 'Prefix for installed tests'
++)
+ option('tests',
+   type: 'boolean',
+   value: true,
diff --git a/nixpkgs/pkgs/os-specific/linux/firmware/intel2200BGFirmware/default.nix b/nixpkgs/pkgs/os-specific/linux/firmware/intel2200BGFirmware/default.nix
new file mode 100644
index 000000000000..af9a44b92f46
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/firmware/intel2200BGFirmware/default.nix
@@ -0,0 +1,32 @@
+{ stdenvNoCC
+, lib
+, fetchurl }:
+
+stdenvNoCC.mkDerivation rec {
+  pname = "intel2200BGFirmware";
+  version = "3.1";
+
+  src = fetchurl {
+    url = "https://src.fedoraproject.org/repo/pkgs/ipw2200-firmware/ipw2200-fw-${version}.tgz/eaba788643c7cc7483dd67ace70f6e99/ipw2200-fw-${version}.tgz";
+    hash = "sha256-xoGMEcGMwDDVX/g/ZLK62P7vSF53QvhPlKYdgRpiWL0=";
+  };
+
+  installPhase = ''
+    runHook preInstall
+
+    install -D -m644 ipw2200-bss.fw     $out/lib/firmware/ipw2200-bss.fw
+    install -D -m644 ipw2200-ibss.fw    $out/lib/firmware/ipw2200-ibss.fw
+    install -D -m644 ipw2200-sniffer.fw $out/lib/firmware/ipw2200-sniffer.fw
+    install -D -m644 LICENSE.ipw2200-fw $out/share/doc/intel2200BGFirmware/LICENSE
+
+    runHook postInstall
+  '';
+
+  meta = with lib; {
+    description = "Firmware for Intel 2200BG cards";
+    homepage = "https://ipw2200.sourceforge.net/firmware.php";
+    license = licenses.unfreeRedistributableFirmware;
+    maintainers = with maintainers; [ sternenseemann ];
+    platforms = platforms.linux;
+  };
+}
diff --git a/nixpkgs/pkgs/os-specific/linux/firmware/ipu6-camera-bins/default.nix b/nixpkgs/pkgs/os-specific/linux/firmware/ipu6-camera-bins/default.nix
new file mode 100644
index 000000000000..a4bbd6d2bb6b
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/firmware/ipu6-camera-bins/default.nix
@@ -0,0 +1,79 @@
+{ lib
+, stdenv
+, fetchFromGitHub
+, autoPatchelfHook
+, expat
+, zlib
+
+# Pick one of
+# - ipu6 (Tiger Lake)
+# - ipu6ep (Alder Lake)
+, ipuVersion ? "ipu6"
+}:
+
+stdenv.mkDerivation (finalAttrs: {
+  pname = "${ipuVersion}-camera-bin";
+  version = "unstable-2023-02-08";
+
+  src = fetchFromGitHub {
+    owner = "intel";
+    repo = "ipu6-camera-bins";
+    rev = "276859fc6de83918a32727d676985ec40f31af2b";
+    hash = "sha256-QnedM2UBbGyd2wIF762Mi+VkDZYtC6MifK4XGGxlUzw=";
+  };
+
+  sourceRoot = "${finalAttrs.src.name}/${ipuVersion}";
+
+  nativeBuildInputs = [
+    autoPatchelfHook
+    stdenv.cc.cc.lib
+    expat
+    zlib
+  ];
+
+  installPhase = ''
+    runHook preInstall
+
+    mkdir -p $out
+    cp --no-preserve=mode --recursive \
+      lib \
+      include \
+      $out/
+
+    install -m 0644 -D ../LICENSE $out/share/doc/LICENSE
+
+    runHook postInstall
+  '';
+
+  postFixup = ''
+    for pcfile in $out/lib/pkgconfig/*.pc; do
+      substituteInPlace $pcfile \
+        --replace 'exec_prefix=/usr' 'exec_prefix=''${prefix}' \
+        --replace 'prefix=/usr' "prefix=$out" \
+        --replace 'libdir=/usr/lib' 'libdir=''${prefix}/lib' \
+        --replace 'includedir=/usr/include' 'includedir=''${prefix}/include'
+    done
+  '';
+
+  passthru = {
+    inherit ipuVersion;
+  };
+
+  meta = let
+    generation = {
+      ipu6 = "Tiger Lake";
+      ipu6ep = "Alder Lake";
+    }.${ipuVersion};
+  in with lib; {
+    description = "${generation} IPU firmware and proprietary image processing libraries";
+    homepage = "https://github.com/intel/ipu6-camera-bins";
+    license = licenses.issl;
+    sourceProvenance = with sourceTypes; [
+      binaryFirmware
+    ];
+    maintainers = with maintainers; [
+      hexa
+    ];
+    platforms = [ "x86_64-linux" ];
+  };
+})
diff --git a/nixpkgs/pkgs/os-specific/linux/firmware/ivsc-firmware/default.nix b/nixpkgs/pkgs/os-specific/linux/firmware/ivsc-firmware/default.nix
new file mode 100644
index 000000000000..fb2f940ddce6
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/firmware/ivsc-firmware/default.nix
@@ -0,0 +1,41 @@
+{ lib
+, stdenv
+, fetchFromGitHub
+}:
+
+stdenv.mkDerivation {
+  pname = "ivsc-firmware";
+  version = "unstable-2022-11-02";
+
+  src = fetchFromGitHub {
+    owner = "intel";
+    repo = "ivsc-firmware";
+    rev = "29c5eff4cdaf83e90ef2dcd2035a9cdff6343430";
+    hash = "sha256-GuD1oTnDEs0HslJjXx26DkVQIe0eS+js4UoaTDa77ME=";
+  };
+
+  dontBuild = true;
+
+  installPhase = ''
+    runHook preInstall
+
+    mkdir -p $out/lib/firmware/vsc
+    cp --no-preserve=mode --recursive ./firmware/* $out/lib/firmware/vsc/
+    install -D ./LICENSE $out/share/doc
+
+    runHook postInstall
+  '';
+
+  meta = with lib; {
+    description = "Firmware binaries for the Intel Vision Sensing Controller";
+    homepage = "https://github.com/intel/ivsc-firmware";
+    license = licenses.issl;
+    sourceProvenance = with sourceTypes; [
+      binaryFirmware
+    ];
+    maintainers = with maintainers; [
+      hexa
+    ];
+    platforms = [ "x86_64-linux" ];
+  };
+}
diff --git a/nixpkgs/pkgs/os-specific/linux/firmware/libreelec-dvb-firmware/default.nix b/nixpkgs/pkgs/os-specific/linux/firmware/libreelec-dvb-firmware/default.nix
new file mode 100644
index 000000000000..9579ff11c739
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/firmware/libreelec-dvb-firmware/default.nix
@@ -0,0 +1,31 @@
+{ stdenvNoCC, fetchFromGitHub, lib}:
+
+stdenvNoCC.mkDerivation rec {
+  pname = "libreelec-dvb-firmware";
+  version = "1.4.2";
+
+  src = fetchFromGitHub {
+    repo = "dvb-firmware";
+    owner = "LibreElec";
+    rev = version;
+    sha256 = "1xnfl4gp6d81gpdp86v5xgcqiqz2nf1i43sb3a4i5jqs8kxcap2k";
+  };
+
+  installPhase = ''
+    runHook preInstall
+
+    mkdir -p $out/lib
+    cp -rv firmware $out/lib
+    find $out/lib \( -name 'README.*' -or -name 'LICEN[SC]E.*' -or -name '*.txt' \) | xargs rm
+
+    runHook postInstall
+  '';
+
+  meta = with lib; {
+    description = "DVB firmware from LibreELEC";
+    homepage = "https://github.com/LibreELEC/dvb-firmware";
+    license = licenses.unfreeRedistributableFirmware;
+    maintainers = with maintainers; [ kittywitch ];
+    platforms = platforms.linux;
+  };
+}
diff --git a/nixpkgs/pkgs/os-specific/linux/firmware/linux-firmware/default.nix b/nixpkgs/pkgs/os-specific/linux/firmware/linux-firmware/default.nix
new file mode 100644
index 000000000000..283e04b47545
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/firmware/linux-firmware/default.nix
@@ -0,0 +1,47 @@
+let
+  source = import ./source.nix;
+in {
+  stdenvNoCC,
+  fetchzip,
+  lib,
+  rdfind,
+  which,
+}:
+
+stdenvNoCC.mkDerivation rec {
+  pname = "linux-firmware";
+  version = source.version;
+
+  src = fetchzip {
+    url = "https://git.kernel.org/pub/scm/linux/kernel/git/firmware/linux-firmware.git/snapshot/linux-firmware-${source.revision}.tar.gz";
+    hash = source.sourceHash;
+  };
+
+  nativeBuildInputs = [
+    rdfind
+    which
+  ];
+
+  installFlags = [ "DESTDIR=$(out)" ];
+
+  # Firmware blobs do not need fixing and should not be modified
+  dontFixup = true;
+
+  outputHashMode = "recursive";
+  outputHashAlgo = "sha256";
+  outputHash = source.outputHash;
+
+  meta = with lib; {
+    description = "Binary firmware collection packaged by kernel.org";
+    homepage = "https://git.kernel.org/pub/scm/linux/kernel/git/firmware/linux-firmware.git";
+    license = licenses.unfreeRedistributableFirmware;
+    platforms = platforms.linux;
+    maintainers = with maintainers; [ fpletz ];
+    priority = 6; # give precedence to kernel firmware
+  };
+
+  passthru = {
+    inherit version;
+    updateScript = ./update.sh;
+  };
+}
diff --git a/nixpkgs/pkgs/os-specific/linux/firmware/linux-firmware/source.nix b/nixpkgs/pkgs/os-specific/linux/firmware/linux-firmware/source.nix
new file mode 100644
index 000000000000..afe371a8887b
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/firmware/linux-firmware/source.nix
@@ -0,0 +1,6 @@
+{
+  version = "20231111";
+  revision = "20231111";
+  sourceHash = "sha256-S9Xkj2CbamHxqjTDfqRJu91MNrSntxrQ7HYyhvdH6Jo=";
+  outputHash = "sha256-Qrz9fSHUQf0Gl8pfol4yfe95sD8DQV/+riT1NCFussQ=";
+}
diff --git a/nixpkgs/pkgs/os-specific/linux/firmware/linux-firmware/update.sh b/nixpkgs/pkgs/os-specific/linux/firmware/linux-firmware/update.sh
new file mode 100755
index 000000000000..4b28d6e1374f
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/firmware/linux-firmware/update.sh
@@ -0,0 +1,47 @@
+#!/usr/bin/env bash
+set -euo pipefail
+cd "$(dirname "$(readlink -f "$0")")" || exit
+
+repo="https://git.kernel.org/pub/scm/linux/kernel/git/firmware/linux-firmware.git"
+
+# step 1: figure out the latest version from the tags
+if [ -z "${1:-}" ]; then
+  revision="$(git ls-remote --refs --tags --sort refname "$repo" | tail -n1 | cut -f2 | cut -d '/' -f3)"
+  version=$revision
+else
+  revision=$1
+  if [ -z "${2:-}" ]; then
+    version="unstable-$(date "+%Y-%m-%d")"
+  else
+    version=$2
+  fi
+fi
+
+# step 2: prefetch the source tarball
+snapshotUrl="$repo/snapshot/linux-firmware-$revision.tar.gz"
+hash="$(nix-prefetch-url --unpack "$snapshotUrl")"
+sriHash="$(nix --experimental-features nix-command hash to-sri "sha256:$hash")"
+
+# step 3: rebuild as a non-FO derivation to get the right hash
+cat > source.nix << EOF
+{
+  version = "$version";
+  revision = "$revision";
+  sourceHash = "$sriHash";
+  outputHash = null;
+}
+EOF
+
+outPath="$(nix --experimental-features "nix-command flakes" build ".#linux-firmware" --no-link --print-out-paths)"
+outHash="$(nix --experimental-features nix-command hash path "$outPath")"
+
+# step 4: generate the final file
+cat > source.nix << EOF
+# This file is autogenerated! Run ./update.sh to regenerate.
+{
+  version = "$version";
+  revision = "$revision";
+  sourceHash = "$sriHash";
+  outputHash = "$outHash";
+}
+EOF
diff --git a/nixpkgs/pkgs/os-specific/linux/firmware/raspberrypi-wireless/default.nix b/nixpkgs/pkgs/os-specific/linux/firmware/raspberrypi-wireless/default.nix
new file mode 100644
index 000000000000..428fbf9dc900
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/firmware/raspberrypi-wireless/default.nix
@@ -0,0 +1,61 @@
+{ lib, stdenvNoCC, fetchFromGitHub }:
+
+stdenvNoCC.mkDerivation {
+  pname = "raspberrypi-wireless-firmware";
+  version = "unstable-2023-05-04";
+
+  srcs = [
+    (fetchFromGitHub {
+      name = "bluez-firmware";
+      owner = "RPi-Distro";
+      repo = "bluez-firmware";
+      rev = "9556b08ace2a1735127894642cc8ea6529c04c90";
+      hash = "sha256-gKGK0XzNrws5REkKg/JP6SZx3KsJduu53SfH3Dichkc=";
+    })
+    (fetchFromGitHub {
+      name = "firmware-nonfree";
+      owner = "RPi-Distro";
+      repo = "firmware-nonfree";
+      rev = "2b465a10b04555b7f45b3acb85959c594922a3ce";
+      hash = "sha256-9UgB8f2AaxG7S5Px46jOP9wUeO1VXKB0uJiPWh32oDI=";
+    })
+  ];
+
+  sourceRoot = ".";
+
+  dontBuild = true;
+  # Firmware blobs do not need fixing and should not be modified
+  dontFixup = true;
+
+  installPhase = ''
+    runHook preInstall
+    mkdir -p "$out/lib/firmware/brcm"
+
+    # Wifi firmware
+    cp -rv "$NIX_BUILD_TOP/firmware-nonfree/debian/config/brcm80211/." "$out/lib/firmware/"
+
+    # Bluetooth firmware
+    cp -rv "$NIX_BUILD_TOP/bluez-firmware/broadcom/." "$out/lib/firmware/brcm"
+
+    # brcmfmac43455-stdio.bin is a symlink to the non-existent path: ../cypress/cyfmac43455-stdio.bin.
+    # See https://github.com/RPi-Distro/firmware-nonfree/issues/26
+    ln -s "./cyfmac43455-sdio-standard.bin" "$out/lib/firmware/cypress/cyfmac43455-sdio.bin"
+
+    pushd $out/lib/firmware/brcm &>/dev/null
+    # Symlinks for Zero 2W
+    ln -s "./brcmfmac43436-sdio.bin" "$out/lib/firmware/brcm/brcmfmac43430b0-sdio.raspberrypi,model-zero-2-w.bin"
+    ln -s "./brcmfmac43436-sdio.txt" "$out/lib/firmware/brcm/brcmfmac43430b0-sdio.raspberrypi,model-zero-2-w.txt"
+    ln -s "./brcmfmac43436-sdio.clm_blob" "$out/lib/firmware/brcm/brcmfmac43430b0-sdio.clm_blob"
+    popd &>/dev/null
+
+    runHook postInstall
+  '';
+
+  meta = with lib; {
+    description = "Firmware for builtin Wifi/Bluetooth devices in the Raspberry Pi 3+ and Zero W";
+    homepage = "https://github.com/RPi-Distro/firmware-nonfree";
+    license = licenses.unfreeRedistributableFirmware;
+    platforms = platforms.linux;
+    maintainers = with maintainers; [ lopsided98 ];
+  };
+}
diff --git a/nixpkgs/pkgs/os-specific/linux/firmware/raspberrypi/armstubs.nix b/nixpkgs/pkgs/os-specific/linux/firmware/raspberrypi/armstubs.nix
new file mode 100644
index 000000000000..72c6f6235548
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/firmware/raspberrypi/armstubs.nix
@@ -0,0 +1,53 @@
+{ lib, stdenv, fetchFromGitHub }:
+
+let
+  inherit (lib) optionals;
+in
+stdenv.mkDerivation {
+  pname = "raspberrypi-armstubs";
+  version = "unstable-2022-07-11";
+
+  src = fetchFromGitHub {
+    owner = "raspberrypi";
+    repo = "tools";
+    rev = "439b6198a9b340de5998dd14a26a0d9d38a6bcac";
+    hash = "sha512-KMHgj73eXHT++IE8DbCsFeJ87ngc9R3XxMUJy4Z3s4/MtMeB9zblADHkyJqz9oyeugeJTrDtuVETPBRo7M4Y8A==";
+  };
+
+  env.NIX_CFLAGS_COMPILE = toString [
+    "-march=armv8-a+crc"
+  ];
+
+  preConfigure = ''
+    cd armstubs
+  '';
+
+  makeFlags = [
+    "CC8=${stdenv.cc.targetPrefix}cc"
+    "LD8=${stdenv.cc.targetPrefix}ld"
+    "OBJCOPY8=${stdenv.cc.targetPrefix}objcopy"
+    "OBJDUMP8=${stdenv.cc.targetPrefix}objdump"
+    "CC7=${stdenv.cc.targetPrefix}cc"
+    "LD7=${stdenv.cc.targetPrefix}ld"
+    "OBJCOPY7=${stdenv.cc.targetPrefix}objcopy"
+    "OBJDUMP7=${stdenv.cc.targetPrefix}objdump"
+  ]
+  ++ optionals (stdenv.isAarch64) [ "armstub8.bin" "armstub8-gic.bin" ]
+  ++ optionals (stdenv.isAarch32) [ "armstub7.bin" "armstub8-32.bin" "armstub8-32-gic.bin" ]
+  ;
+
+  installPhase = ''
+    runHook preInstall
+    mkdir -vp $out/
+    cp -v *.bin $out/
+    runHook postInstall
+  '';
+
+  meta = with lib; {
+    description = "Firmware related ARM stubs for the Raspberry Pi";
+    homepage = "https://github.com/raspberrypi/tools";
+    license = licenses.bsd3;
+    platforms = [ "armv6l-linux" "armv7l-linux" "aarch64-linux" ];
+    maintainers = with maintainers; [ samueldr ];
+  };
+}
diff --git a/nixpkgs/pkgs/os-specific/linux/firmware/raspberrypi/default.nix b/nixpkgs/pkgs/os-specific/linux/firmware/raspberrypi/default.nix
new file mode 100644
index 000000000000..46f05c4029b7
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/firmware/raspberrypi/default.nix
@@ -0,0 +1,33 @@
+{ lib, stdenvNoCC, fetchFromGitHub }:
+
+stdenvNoCC.mkDerivation rec {
+  # NOTE: this should be updated with linux_rpi
+  pname = "raspberrypi-firmware";
+  version = "1.20230405";
+
+  src = fetchFromGitHub {
+    owner = "raspberrypi";
+    repo = "firmware";
+    rev = version;
+    hash = "sha256-UtUd1MbsrDFxd/1C3eOAMDKPZMx+kSMFYOJP+Kc6IU8=";
+  };
+
+  installPhase = ''
+    mkdir -p $out/share/raspberrypi/
+    mv boot "$out/share/raspberrypi/"
+  '';
+
+  dontConfigure = true;
+  dontBuild = true;
+  dontFixup = true;
+
+  meta = with lib; {
+    description = "Firmware for the Raspberry Pi board";
+    homepage = "https://github.com/raspberrypi/firmware";
+    license = licenses.unfreeRedistributableFirmware; # See https://github.com/raspberrypi/firmware/blob/master/boot/LICENCE.broadcom
+    maintainers = with maintainers; [ dezgeg ];
+    # Hash mismatch on source, mystery.
+    # Maybe due to https://github.com/NixOS/nix/issues/847
+    broken = stdenvNoCC.isDarwin;
+  };
+}
diff --git a/nixpkgs/pkgs/os-specific/linux/firmware/rt5677/default.nix b/nixpkgs/pkgs/os-specific/linux/firmware/rt5677/default.nix
new file mode 100644
index 000000000000..47e0068cc348
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/firmware/rt5677/default.nix
@@ -0,0 +1,24 @@
+{ lib, stdenvNoCC, fetchFromGitHub }:
+
+stdenvNoCC.mkDerivation {
+  name = "rt5677-firmware";
+
+  src = fetchFromGitHub {
+    owner = "raphael";
+    repo = "linux-samus";
+    rev = "995de6c2093797905fbcd79f1a3625dd3f50be37";
+    sha256 = "sha256-PjPFpz4qJLC+vTomV31dA3AKGjfYjKB2ZYfUpnj61Cg=";
+  };
+
+  installPhase = ''
+    mkdir -p $out/lib/firmware
+    cp ./firmware/rt5677_elf_vad $out/lib/firmware
+  '';
+
+  meta = with lib; {
+    description = "Firmware for Realtek rt5677 device";
+    license = licenses.unfreeRedistributableFirmware;
+    maintainers = [ maintainers.zohl ];
+    platforms = platforms.linux;
+  };
+}
diff --git a/nixpkgs/pkgs/os-specific/linux/firmware/rtl8192su-firmware/default.nix b/nixpkgs/pkgs/os-specific/linux/firmware/rtl8192su-firmware/default.nix
new file mode 100644
index 000000000000..53f32ac31f9d
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/firmware/rtl8192su-firmware/default.nix
@@ -0,0 +1,37 @@
+{ lib, stdenvNoCC, fetchFromGitHub }:
+with lib;
+stdenvNoCC.mkDerivation {
+  pname = "rtl8192su";
+  version = "unstable-2016-10-05";
+
+  src = fetchFromGitHub {
+    owner = "chunkeey";
+    repo = "rtl8192su";
+    rev = "c00112c9a14133290fe30bd3b44e45196994cb1c";
+    sha256 = "0j3c35paapq1icmxq0mg7pm2xa2m69q7bkfmwgq99d682yr2cb5l";
+  };
+
+  dontBuild = true;
+
+  installPhase = ''
+    for i in rtl8192sfw.bin \
+             rtl8192sufw-ap.bin \
+             rtl8192sufw-apple.bin \
+             rtl8192sufw-windows.bin \
+             rtl8712u-linux-firmware-bad.bin \
+             rtl8712u-most-recent-v2.6.6-bad.bin \
+             rtl8712u-most-recent-v2.6.6-bad.bin \
+             rtl8712u-oldest-but-good.bin;
+    do
+      install -D -pm644 firmwares/$i $out/lib/firmware/rtlwifi/$i
+    done
+  '';
+
+  meta = with lib; {
+    description = "Firmware for Realtek RTL8188SU/RTL8191SU/RTL8192SU";
+    homepage = "https://github.com/chunkeey/rtl8192su";
+    license = licenses.unfreeRedistributableFirmware;
+    maintainers = with maintainers; [ mic92 ];
+    platforms = with platforms; linux;
+  };
+}
diff --git a/nixpkgs/pkgs/os-specific/linux/firmware/rtl8761b-firmware/default.nix b/nixpkgs/pkgs/os-specific/linux/firmware/rtl8761b-firmware/default.nix
new file mode 100644
index 000000000000..c3fbe79537c4
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/firmware/rtl8761b-firmware/default.nix
@@ -0,0 +1,29 @@
+{ lib, stdenvNoCC, fetchFromGitHub }:
+
+stdenvNoCC.mkDerivation {
+  name = "rtl8761b-firmware";
+
+  src = fetchFromGitHub {
+    owner = "Realtek-OpenSource";
+    repo = "android_hardware_realtek";
+    rev = "rtk1395";
+    sha256 = "sha256-vd9sZP7PGY+cmnqVty3sZibg01w8+UNinv8X85B+dzc=";
+  };
+
+  installPhase = ''
+    install -D -pm644 \
+      bt/rtkbt/Firmware/BT/rtl8761b_fw \
+      $out/lib/firmware/rtl_bt/rtl8761b_fw.bin
+
+    install -D -pm644 \
+      bt/rtkbt/Firmware/BT/rtl8761b_config \
+      $out/lib/firmware/rtl_bt/rtl8761b_config.bin
+  '';
+
+  meta = with lib; {
+    description = "Firmware for Realtek RTL8761b";
+    license = licenses.unfreeRedistributableFirmware;
+    maintainers = with maintainers; [ milibopp ];
+    platforms = with platforms; linux;
+  };
+}
diff --git a/nixpkgs/pkgs/os-specific/linux/firmware/rtw88-firmware/default.nix b/nixpkgs/pkgs/os-specific/linux/firmware/rtw88-firmware/default.nix
new file mode 100644
index 000000000000..b4e07624b6ef
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/firmware/rtw88-firmware/default.nix
@@ -0,0 +1,25 @@
+{ stdenvNoCC, lib, linuxPackages }:
+
+stdenvNoCC.mkDerivation {
+  pname = "rtw88-firmware";
+  inherit (linuxPackages.rtw88) version src;
+
+  dontBuild = true;
+
+  installPhase = ''
+    runHook preInstall
+
+    mkdir -p $out/lib/firmware/rtw88
+    cp *.bin $out/lib/firmware/rtw88
+
+    runHook postInstall
+  '';
+
+  meta = with lib; {
+    description = "Firmware for the newest Realtek rtlwifi codes";
+    homepage = "https://github.com/lwfinger/rtw88";
+    license = licenses.unfreeRedistributableFirmware;
+    maintainers = with maintainers; [ tvorog ];
+    platforms = platforms.linux;
+  };
+}
diff --git a/nixpkgs/pkgs/os-specific/linux/firmware/sof-firmware/default.nix b/nixpkgs/pkgs/os-specific/linux/firmware/sof-firmware/default.nix
new file mode 100644
index 000000000000..2f33a139c9d3
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/firmware/sof-firmware/default.nix
@@ -0,0 +1,34 @@
+{ lib
+, fetchurl
+, stdenvNoCC
+}:
+
+stdenvNoCC.mkDerivation rec {
+  pname = "sof-firmware";
+  version = "2.2.6";
+
+  src = fetchurl {
+    url = "https://github.com/thesofproject/sof-bin/releases/download/v${version}/sof-bin-v${version}.tar.gz";
+    sha256 = "sha256-kyLCp2NtAoRcOyaYTVirj3jWP/THZtCEwxlqWF4ACQU=";
+  };
+
+  dontFixup = true; # binaries must not be stripped or patchelfed
+
+  installPhase = ''
+    runHook preInstall
+    mkdir -p $out/lib/firmware/intel
+    cp -av sof-v${version} $out/lib/firmware/intel/sof
+    cp -av sof-tplg-v${version} $out/lib/firmware/intel/sof-tplg
+    runHook postInstall
+  '';
+
+  meta = with lib; {
+    changelog = "https://github.com/thesofproject/sof-bin/releases/tag/v${version}";
+    description = "Sound Open Firmware";
+    homepage = "https://www.sofproject.org/";
+    license = with licenses; [ bsd3 isc ];
+    maintainers = with maintainers; [ lblasc evenbrenden hmenke ];
+    platforms = with platforms; linux;
+    sourceProvenance = with sourceTypes; [ binaryNativeCode ];
+  };
+}
diff --git a/nixpkgs/pkgs/os-specific/linux/firmware/system76-firmware/Cargo.lock b/nixpkgs/pkgs/os-specific/linux/firmware/system76-firmware/Cargo.lock
new file mode 100644
index 000000000000..3ac385d816eb
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/firmware/system76-firmware/Cargo.lock
@@ -0,0 +1,1551 @@
+# This file is automatically @generated by Cargo.
+# It is not intended for manual editing.
+version = 3
+
+[[package]]
+name = "anyhow"
+version = "1.0.68"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "2cb2f989d18dd141ab8ae82f64d1a8cdd37e0840f73a406896cf5e99502fab61"
+
+[[package]]
+name = "atty"
+version = "0.2.14"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "d9b39be18770d11421cdb1b9947a45dd3f37e93092cbf377614828a319d5fee8"
+dependencies = [
+ "hermit-abi 0.1.19",
+ "libc",
+ "winapi",
+]
+
+[[package]]
+name = "autocfg"
+version = "1.1.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "d468802bab17cbc0cc575e9b053f41e72aa36bfa6b7f55e3529ffa43161b97fa"
+
+[[package]]
+name = "base32"
+version = "0.4.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "23ce669cd6c8588f79e15cf450314f9638f967fc5770ff1c7c1deb0925ea7cfa"
+
+[[package]]
+name = "base64"
+version = "0.21.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "a4a4ddaa51a5bc52a6948f74c06d20aaaddb71924eab79b8c97a8c556e942d6a"
+
+[[package]]
+name = "bincode"
+version = "1.3.3"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "b1f45e9417d87227c7a56d22e471c6206462cba514c7590c09aff4cf6d1ddcad"
+dependencies = [
+ "serde",
+]
+
+[[package]]
+name = "bitflags"
+version = "1.3.2"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "bef38d45163c2f1dde094a7dfd33ccf595c92905c8f8f4fdc18d06fb1037718a"
+
+[[package]]
+name = "block-buffer"
+version = "0.9.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "4152116fd6e9dadb291ae18fc1ec3575ed6d84c29642d97890f4b4a3417297e4"
+dependencies = [
+ "generic-array",
+]
+
+[[package]]
+name = "block-buffer"
+version = "0.10.3"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "69cce20737498f97b993470a6e536b8523f0af7892a4f928cceb1ac5e52ebe7e"
+dependencies = [
+ "generic-array",
+]
+
+[[package]]
+name = "buildchain"
+version = "0.4.12"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "b1e4ba006f08f732ddc25f629c349fbb89c67e6c90a4764ce04534d32a1940b0"
+dependencies = [
+ "base32",
+ "clap",
+ "lxd",
+ "plain",
+ "rand 0.8.5",
+ "reqwest",
+ "serde",
+ "serde_json",
+ "sha2 0.10.6",
+ "sodalite",
+ "tempdir",
+]
+
+[[package]]
+name = "bumpalo"
+version = "3.12.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "0d261e256854913907f67ed06efbc3338dfe6179796deefc1ff763fc1aee5535"
+
+[[package]]
+name = "bytes"
+version = "1.3.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "dfb24e866b15a1af2a1b663f10c6b6b8f397a84aadb828f12e5b289ec23a3a3c"
+
+[[package]]
+name = "cc"
+version = "1.0.79"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "50d30906286121d95be3d479533b458f87493b30a4b5f79a607db8f5d11aa91f"
+
+[[package]]
+name = "cfg-if"
+version = "1.0.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "baf1de4339761588bc0619e3cbc0120ee582ebb74b53b4efbf79117bd2da40fd"
+
+[[package]]
+name = "clap"
+version = "3.2.23"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "71655c45cb9845d3270c9d6df84ebe72b4dad3c2ba3f7023ad47c144e4e473a5"
+dependencies = [
+ "atty",
+ "bitflags",
+ "clap_derive",
+ "clap_lex",
+ "indexmap",
+ "once_cell",
+ "strsim",
+ "termcolor",
+ "textwrap",
+]
+
+[[package]]
+name = "clap_derive"
+version = "3.2.18"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "ea0c8bce528c4be4da13ea6fead8965e95b6073585a2f05204bd8f4119f82a65"
+dependencies = [
+ "heck",
+ "proc-macro-error",
+ "proc-macro2",
+ "quote",
+ "syn",
+]
+
+[[package]]
+name = "clap_lex"
+version = "0.2.4"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "2850f2f5a82cbf437dd5af4d49848fbdfc27c157c3d010345776f952765261c5"
+dependencies = [
+ "os_str_bytes",
+]
+
+[[package]]
+name = "core-foundation"
+version = "0.9.3"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "194a7a9e6de53fa55116934067c844d9d749312f75c6f6d0980e8c252f8c2146"
+dependencies = [
+ "core-foundation-sys",
+ "libc",
+]
+
+[[package]]
+name = "core-foundation-sys"
+version = "0.8.3"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "5827cebf4670468b8772dd191856768aedcb1b0278a04f989f7766351917b9dc"
+
+[[package]]
+name = "cpufeatures"
+version = "0.2.5"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "28d997bd5e24a5928dd43e46dc529867e207907fe0b239c3477d924f7f2ca320"
+dependencies = [
+ "libc",
+]
+
+[[package]]
+name = "crypto-common"
+version = "0.1.6"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "1bfb12502f3fc46cca1bb51ac28df9d618d813cdc3d2f25b9fe775a34af26bb3"
+dependencies = [
+ "generic-array",
+ "typenum",
+]
+
+[[package]]
+name = "dbus"
+version = "0.9.7"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "1bb21987b9fb1613058ba3843121dd18b163b254d8a6e797e144cbac14d96d1b"
+dependencies = [
+ "libc",
+ "libdbus-sys",
+ "winapi",
+]
+
+[[package]]
+name = "dbus-crossroads"
+version = "0.3.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "0a816e8ae3382c7b1bccfa6f2778346ee5b13f80e0eccf80cf8f2912af73995a"
+dependencies = [
+ "dbus",
+]
+
+[[package]]
+name = "digest"
+version = "0.9.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "d3dd60d1080a57a05ab032377049e0591415d2b31afd7028356dbf3cc6dcb066"
+dependencies = [
+ "generic-array",
+]
+
+[[package]]
+name = "digest"
+version = "0.10.6"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "8168378f4e5023e7218c89c891c0fd8ecdb5e5e4f18cb78f38cf245dd021e76f"
+dependencies = [
+ "block-buffer 0.10.3",
+ "crypto-common",
+]
+
+[[package]]
+name = "ecflash"
+version = "0.1.0"
+source = "git+https://github.com/system76/ecflash.git?branch=stable#ee9d69d4edf3bee6b2fb6dddb021bb58ee3bbbbb"
+dependencies = [
+ "lazy_static",
+]
+
+[[package]]
+name = "either"
+version = "1.8.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "7fcaabb2fef8c910e7f4c7ce9f67a1283a1715879a7c230ca9d6d1ae31f16d91"
+
+[[package]]
+name = "encoding_rs"
+version = "0.8.31"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "9852635589dc9f9ea1b6fe9f05b50ef208c85c834a562f0c6abb1c475736ec2b"
+dependencies = [
+ "cfg-if",
+]
+
+[[package]]
+name = "enum_derive"
+version = "0.1.7"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "406ac2a8c9eedf8af9ee1489bee9e50029278a6456c740f7454cf8a158abc816"
+
+[[package]]
+name = "fastrand"
+version = "1.8.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "a7a407cfaa3385c4ae6b23e84623d48c2798d06e3e6a1878f7f59f17b3f86499"
+dependencies = [
+ "instant",
+]
+
+[[package]]
+name = "filetime"
+version = "0.2.19"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "4e884668cd0c7480504233e951174ddc3b382f7c2666e3b7310b5c4e7b0c37f9"
+dependencies = [
+ "cfg-if",
+ "libc",
+ "redox_syscall",
+ "windows-sys",
+]
+
+[[package]]
+name = "fnv"
+version = "1.0.7"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "3f9eec918d3f24069decb9af1554cad7c880e2da24a9afd88aca000531ab82c1"
+
+[[package]]
+name = "foreign-types"
+version = "0.3.2"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "f6f339eb8adc052cd2ca78910fda869aefa38d22d5cb648e6485e4d3fc06f3b1"
+dependencies = [
+ "foreign-types-shared",
+]
+
+[[package]]
+name = "foreign-types-shared"
+version = "0.1.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "00b0228411908ca8685dba7fc2cdd70ec9990a6e753e89b6ac91a84c40fbaf4b"
+
+[[package]]
+name = "form_urlencoded"
+version = "1.1.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "a9c384f161156f5260c24a097c56119f9be8c798586aecc13afbcbe7b7e26bf8"
+dependencies = [
+ "percent-encoding",
+]
+
+[[package]]
+name = "fuchsia-cprng"
+version = "0.1.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "a06f77d526c1a601b7c4cdd98f54b5eaabffc14d5f2f0296febdc7f357c6d3ba"
+
+[[package]]
+name = "futures-channel"
+version = "0.3.25"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "52ba265a92256105f45b719605a571ffe2d1f0fea3807304b522c1d778f79eed"
+dependencies = [
+ "futures-core",
+]
+
+[[package]]
+name = "futures-core"
+version = "0.3.25"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "04909a7a7e4633ae6c4a9ab280aeb86da1236243a77b694a49eacd659a4bd3ac"
+
+[[package]]
+name = "futures-io"
+version = "0.3.25"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "00f5fb52a06bdcadeb54e8d3671f8888a39697dcb0b81b23b55174030427f4eb"
+
+[[package]]
+name = "futures-sink"
+version = "0.3.25"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "39c15cf1a4aa79df40f1bb462fb39676d0ad9e366c2a33b590d7c66f4f81fcf9"
+
+[[package]]
+name = "futures-task"
+version = "0.3.25"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "2ffb393ac5d9a6eaa9d3fdf37ae2776656b706e200c8e16b1bdb227f5198e6ea"
+
+[[package]]
+name = "futures-util"
+version = "0.3.25"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "197676987abd2f9cadff84926f410af1c183608d36641465df73ae8211dc65d6"
+dependencies = [
+ "futures-core",
+ "futures-io",
+ "futures-task",
+ "memchr",
+ "pin-project-lite",
+ "pin-utils",
+ "slab",
+]
+
+[[package]]
+name = "generic-array"
+version = "0.14.6"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "bff49e947297f3312447abdca79f45f4738097cc82b06e72054d2223f601f1b9"
+dependencies = [
+ "typenum",
+ "version_check",
+]
+
+[[package]]
+name = "getrandom"
+version = "0.2.8"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "c05aeb6a22b8f62540c194aac980f2115af067bfe15a0734d7277a768d396b31"
+dependencies = [
+ "cfg-if",
+ "libc",
+ "wasi",
+]
+
+[[package]]
+name = "h2"
+version = "0.3.15"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "5f9f29bc9dda355256b2916cf526ab02ce0aeaaaf2bad60d65ef3f12f11dd0f4"
+dependencies = [
+ "bytes",
+ "fnv",
+ "futures-core",
+ "futures-sink",
+ "futures-util",
+ "http",
+ "indexmap",
+ "slab",
+ "tokio",
+ "tokio-util",
+ "tracing",
+]
+
+[[package]]
+name = "hashbrown"
+version = "0.12.3"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "8a9ee70c43aaf417c914396645a0fa852624801b24ebb7ae78fe8272889ac888"
+
+[[package]]
+name = "heck"
+version = "0.4.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "2540771e65fc8cb83cd6e8a237f70c319bd5c29f78ed1084ba5d50eeac86f7f9"
+
+[[package]]
+name = "hermit-abi"
+version = "0.1.19"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "62b467343b94ba476dcb2500d242dadbb39557df889310ac77c5d99100aaac33"
+dependencies = [
+ "libc",
+]
+
+[[package]]
+name = "hermit-abi"
+version = "0.2.6"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "ee512640fe35acbfb4bb779db6f0d80704c2cacfa2e39b601ef3e3f47d1ae4c7"
+dependencies = [
+ "libc",
+]
+
+[[package]]
+name = "http"
+version = "0.2.8"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "75f43d41e26995c17e71ee126451dd3941010b0514a81a9d11f3b341debc2399"
+dependencies = [
+ "bytes",
+ "fnv",
+ "itoa",
+]
+
+[[package]]
+name = "http-body"
+version = "0.4.5"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "d5f38f16d184e36f2408a55281cd658ecbd3ca05cce6d6510a176eca393e26d1"
+dependencies = [
+ "bytes",
+ "http",
+ "pin-project-lite",
+]
+
+[[package]]
+name = "httparse"
+version = "1.8.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "d897f394bad6a705d5f4104762e116a75639e470d80901eed05a860a95cb1904"
+
+[[package]]
+name = "httpdate"
+version = "1.0.2"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "c4a1e36c821dbe04574f602848a19f742f4fb3c98d40449f11bcad18d6b17421"
+
+[[package]]
+name = "hyper"
+version = "0.14.23"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "034711faac9d2166cb1baf1a2fb0b60b1f277f8492fd72176c17f3515e1abd3c"
+dependencies = [
+ "bytes",
+ "futures-channel",
+ "futures-core",
+ "futures-util",
+ "h2",
+ "http",
+ "http-body",
+ "httparse",
+ "httpdate",
+ "itoa",
+ "pin-project-lite",
+ "socket2",
+ "tokio",
+ "tower-service",
+ "tracing",
+ "want",
+]
+
+[[package]]
+name = "hyper-tls"
+version = "0.5.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "d6183ddfa99b85da61a140bea0efc93fdf56ceaa041b37d553518030827f9905"
+dependencies = [
+ "bytes",
+ "hyper",
+ "native-tls",
+ "tokio",
+ "tokio-native-tls",
+]
+
+[[package]]
+name = "idna"
+version = "0.3.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "e14ddfc70884202db2244c223200c204c2bda1bc6e0998d11b5e024d657209e6"
+dependencies = [
+ "unicode-bidi",
+ "unicode-normalization",
+]
+
+[[package]]
+name = "index-fixed"
+version = "0.3.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "4161ceaf2f41b6cd3f6502f5da085d4ad4393a51e0c70ed2fce1d5698d798fae"
+
+[[package]]
+name = "indexmap"
+version = "1.9.2"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "1885e79c1fc4b10f0e172c475f458b7f7b93061064d98c3293e98c5ba0c8b399"
+dependencies = [
+ "autocfg",
+ "hashbrown",
+]
+
+[[package]]
+name = "instant"
+version = "0.1.12"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "7a5bbe824c507c5da5956355e86a746d82e0e1464f65d862cc5e71da70e94b2c"
+dependencies = [
+ "cfg-if",
+]
+
+[[package]]
+name = "ipnet"
+version = "2.7.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "30e22bd8629359895450b59ea7a776c850561b96a3b1d31321c1949d9e6c9146"
+
+[[package]]
+name = "itertools"
+version = "0.8.2"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "f56a2d0bc861f9165be4eb3442afd3c236d8a98afd426f65d92324ae1091a484"
+dependencies = [
+ "either",
+]
+
+[[package]]
+name = "itoa"
+version = "1.0.5"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "fad582f4b9e86b6caa621cabeb0963332d92eea04729ab12892c2533951e6440"
+
+[[package]]
+name = "js-sys"
+version = "0.3.60"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "49409df3e3bf0856b916e2ceaca09ee28e6871cf7d9ce97a692cacfdb2a25a47"
+dependencies = [
+ "wasm-bindgen",
+]
+
+[[package]]
+name = "lazy_static"
+version = "1.4.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "e2abad23fbc42b3700f2f279844dc832adb2b2eb069b2df918f455c4e18cc646"
+
+[[package]]
+name = "libc"
+version = "0.2.139"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "201de327520df007757c1f0adce6e827fe8562fbc28bfd9c15571c66ca1f5f79"
+
+[[package]]
+name = "libdbus-sys"
+version = "0.2.3"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "2264f9d90a9b4e60a2dc722ad899ea0374f03c2e96e755fe22a8f551d4d5fb3c"
+dependencies = [
+ "pkg-config",
+]
+
+[[package]]
+name = "log"
+version = "0.4.17"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "abb12e687cfb44aa40f41fc3978ef76448f9b6038cad6aef4259d3c095a2382e"
+dependencies = [
+ "cfg-if",
+]
+
+[[package]]
+name = "lxd"
+version = "0.1.9"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "918a314b8eb7d4e19c3d154b4069b12aa37c25a68bae4f2c2a69f50bf47c7c5a"
+dependencies = [
+ "serde",
+ "serde_json",
+]
+
+[[package]]
+name = "memchr"
+version = "2.5.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "2dffe52ecf27772e601905b7522cb4ef790d2cc203488bbd0e2fe85fcb74566d"
+
+[[package]]
+name = "mime"
+version = "0.3.16"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "2a60c7ce501c71e03a9c9c0d35b861413ae925bd979cc7a4e30d060069aaac8d"
+
+[[package]]
+name = "mio"
+version = "0.8.5"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "e5d732bc30207a6423068df043e3d02e0735b155ad7ce1a6f76fe2baa5b158de"
+dependencies = [
+ "libc",
+ "log",
+ "wasi",
+ "windows-sys",
+]
+
+[[package]]
+name = "native-tls"
+version = "0.2.11"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "07226173c32f2926027b63cce4bcd8076c3552846cbe7925f3aaffeac0a3b92e"
+dependencies = [
+ "lazy_static",
+ "libc",
+ "log",
+ "openssl",
+ "openssl-probe",
+ "openssl-sys",
+ "schannel",
+ "security-framework",
+ "security-framework-sys",
+ "tempfile",
+]
+
+[[package]]
+name = "num_cpus"
+version = "1.15.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "0fac9e2da13b5eb447a6ce3d392f23a29d8694bff781bf03a16cd9ac8697593b"
+dependencies = [
+ "hermit-abi 0.2.6",
+ "libc",
+]
+
+[[package]]
+name = "once_cell"
+version = "1.17.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "6f61fba1741ea2b3d6a1e3178721804bb716a68a6aeba1149b5d52e3d464ea66"
+
+[[package]]
+name = "opaque-debug"
+version = "0.3.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "624a8340c38c1b80fd549087862da4ba43e08858af025b236e509b6649fc13d5"
+
+[[package]]
+name = "openssl"
+version = "0.10.45"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "b102428fd03bc5edf97f62620f7298614c45cedf287c271e7ed450bbaf83f2e1"
+dependencies = [
+ "bitflags",
+ "cfg-if",
+ "foreign-types",
+ "libc",
+ "once_cell",
+ "openssl-macros",
+ "openssl-sys",
+]
+
+[[package]]
+name = "openssl-macros"
+version = "0.1.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "b501e44f11665960c7e7fcf062c7d96a14ade4aa98116c004b2e37b5be7d736c"
+dependencies = [
+ "proc-macro2",
+ "quote",
+ "syn",
+]
+
+[[package]]
+name = "openssl-probe"
+version = "0.1.5"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "ff011a302c396a5197692431fc1948019154afc178baf7d8e37367442a4601cf"
+
+[[package]]
+name = "openssl-sys"
+version = "0.9.80"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "23bbbf7854cd45b83958ebe919f0e8e516793727652e27fda10a8384cfc790b7"
+dependencies = [
+ "autocfg",
+ "cc",
+ "libc",
+ "pkg-config",
+ "vcpkg",
+]
+
+[[package]]
+name = "os_str_bytes"
+version = "6.4.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "9b7820b9daea5457c9f21c69448905d723fbd21136ccf521748f23fd49e723ee"
+
+[[package]]
+name = "percent-encoding"
+version = "2.2.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "478c572c3d73181ff3c2539045f6eb99e5491218eae919370993b890cdbdd98e"
+
+[[package]]
+name = "pin-project-lite"
+version = "0.2.9"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "e0a7ae3ac2f1173085d398531c705756c94a4c56843785df85a60c1a0afac116"
+
+[[package]]
+name = "pin-utils"
+version = "0.1.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "8b870d8c151b6f2fb93e84a13146138f05d02ed11c7e7c54f8826aaaf7c9f184"
+
+[[package]]
+name = "pkg-config"
+version = "0.3.26"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "6ac9a59f73473f1b8d852421e59e64809f025994837ef743615c6d0c5b305160"
+
+[[package]]
+name = "plain"
+version = "0.2.3"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "b4596b6d070b27117e987119b4dac604f3c58cfb0b191112e24771b2faeac1a6"
+
+[[package]]
+name = "ppv-lite86"
+version = "0.2.17"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "5b40af805b3121feab8a3c29f04d8ad262fa8e0561883e7653e024ae4479e6de"
+
+[[package]]
+name = "proc-macro-error"
+version = "1.0.4"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "da25490ff9892aab3fcf7c36f08cfb902dd3e71ca0f9f9517bea02a73a5ce38c"
+dependencies = [
+ "proc-macro-error-attr",
+ "proc-macro2",
+ "quote",
+ "syn",
+ "version_check",
+]
+
+[[package]]
+name = "proc-macro-error-attr"
+version = "1.0.4"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "a1be40180e52ecc98ad80b184934baf3d0d29f979574e439af5a55274b35f869"
+dependencies = [
+ "proc-macro2",
+ "quote",
+ "version_check",
+]
+
+[[package]]
+name = "proc-macro2"
+version = "1.0.50"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "6ef7d57beacfaf2d8aee5937dab7b7f28de3cb8b1828479bb5de2a7106f2bae2"
+dependencies = [
+ "unicode-ident",
+]
+
+[[package]]
+name = "quote"
+version = "1.0.23"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "8856d8364d252a14d474036ea1358d63c9e6965c8e5c1885c18f73d70bff9c7b"
+dependencies = [
+ "proc-macro2",
+]
+
+[[package]]
+name = "rand"
+version = "0.4.6"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "552840b97013b1a26992c11eac34bdd778e464601a4c2054b5f0bff7c6761293"
+dependencies = [
+ "fuchsia-cprng",
+ "libc",
+ "rand_core 0.3.1",
+ "rdrand",
+ "winapi",
+]
+
+[[package]]
+name = "rand"
+version = "0.8.5"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "34af8d1a0e25924bc5b7c43c079c942339d8f0a8b57c39049bef581b46327404"
+dependencies = [
+ "libc",
+ "rand_chacha",
+ "rand_core 0.6.4",
+]
+
+[[package]]
+name = "rand_chacha"
+version = "0.3.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "e6c10a63a0fa32252be49d21e7709d4d4baf8d231c2dbce1eaa8141b9b127d88"
+dependencies = [
+ "ppv-lite86",
+ "rand_core 0.6.4",
+]
+
+[[package]]
+name = "rand_core"
+version = "0.3.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "7a6fdeb83b075e8266dcc8762c22776f6877a63111121f5f8c7411e5be7eed4b"
+dependencies = [
+ "rand_core 0.4.2",
+]
+
+[[package]]
+name = "rand_core"
+version = "0.4.2"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "9c33a3c44ca05fa6f1807d8e6743f3824e8509beca625669633be0acbdf509dc"
+
+[[package]]
+name = "rand_core"
+version = "0.6.4"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "ec0be4795e2f6a28069bec0b5ff3e2ac9bafc99e6a9a7dc3547996c5c816922c"
+dependencies = [
+ "getrandom",
+]
+
+[[package]]
+name = "rdrand"
+version = "0.4.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "678054eb77286b51581ba43620cc911abf02758c91f93f479767aed0f90458b2"
+dependencies = [
+ "rand_core 0.3.1",
+]
+
+[[package]]
+name = "redox_syscall"
+version = "0.2.16"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "fb5a58c1855b4b6819d59012155603f0b22ad30cad752600aadfcb695265519a"
+dependencies = [
+ "bitflags",
+]
+
+[[package]]
+name = "remove_dir_all"
+version = "0.5.3"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "3acd125665422973a33ac9d3dd2df85edad0f4ae9b00dafb1a05e43a9f5ef8e7"
+dependencies = [
+ "winapi",
+]
+
+[[package]]
+name = "reqwest"
+version = "0.11.14"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "21eed90ec8570952d53b772ecf8f206aa1ec9a3d76b2521c56c42973f2d91ee9"
+dependencies = [
+ "base64",
+ "bytes",
+ "encoding_rs",
+ "futures-core",
+ "futures-util",
+ "h2",
+ "http",
+ "http-body",
+ "hyper",
+ "hyper-tls",
+ "ipnet",
+ "js-sys",
+ "log",
+ "mime",
+ "native-tls",
+ "once_cell",
+ "percent-encoding",
+ "pin-project-lite",
+ "serde",
+ "serde_json",
+ "serde_urlencoded",
+ "tokio",
+ "tokio-native-tls",
+ "tower-service",
+ "url",
+ "wasm-bindgen",
+ "wasm-bindgen-futures",
+ "web-sys",
+ "winreg",
+]
+
+[[package]]
+name = "rust-lzma"
+version = "0.5.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "895dc04daeaeee338bb96e229797902ed3f0675bfc59d5b42e0f0b0c13ac54da"
+dependencies = [
+ "pkg-config",
+]
+
+[[package]]
+name = "ryu"
+version = "1.0.12"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "7b4b9743ed687d4b4bcedf9ff5eaa7398495ae14e61cba0a295704edbc7decde"
+
+[[package]]
+name = "schannel"
+version = "0.1.21"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "713cfb06c7059f3588fb8044c0fad1d09e3c01d225e25b9220dbfdcf16dbb1b3"
+dependencies = [
+ "windows-sys",
+]
+
+[[package]]
+name = "security-framework"
+version = "2.8.2"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "a332be01508d814fed64bf28f798a146d73792121129962fdf335bb3c49a4254"
+dependencies = [
+ "bitflags",
+ "core-foundation",
+ "core-foundation-sys",
+ "libc",
+ "security-framework-sys",
+]
+
+[[package]]
+name = "security-framework-sys"
+version = "2.8.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "31c9bb296072e961fcbd8853511dd39c2d8be2deb1e17c6860b1d30732b323b4"
+dependencies = [
+ "core-foundation-sys",
+ "libc",
+]
+
+[[package]]
+name = "serde"
+version = "1.0.152"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "bb7d1f0d3021d347a83e556fc4683dea2ea09d87bccdf88ff5c12545d89d5efb"
+dependencies = [
+ "serde_derive",
+]
+
+[[package]]
+name = "serde_derive"
+version = "1.0.152"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "af487d118eecd09402d70a5d72551860e788df87b464af30e5ea6a38c75c541e"
+dependencies = [
+ "proc-macro2",
+ "quote",
+ "syn",
+]
+
+[[package]]
+name = "serde_json"
+version = "1.0.91"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "877c235533714907a8c2464236f5c4b2a17262ef1bd71f38f35ea592c8da6883"
+dependencies = [
+ "itoa",
+ "ryu",
+ "serde",
+]
+
+[[package]]
+name = "serde_urlencoded"
+version = "0.7.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "d3491c14715ca2294c4d6a88f15e84739788c1d030eed8c110436aafdaa2f3fd"
+dependencies = [
+ "form_urlencoded",
+ "itoa",
+ "ryu",
+ "serde",
+]
+
+[[package]]
+name = "sha2"
+version = "0.9.9"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "4d58a1e1bf39749807d89cf2d98ac2dfa0ff1cb3faa38fbb64dd88ac8013d800"
+dependencies = [
+ "block-buffer 0.9.0",
+ "cfg-if",
+ "cpufeatures",
+ "digest 0.9.0",
+ "opaque-debug",
+]
+
+[[package]]
+name = "sha2"
+version = "0.10.6"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "82e6b795fe2e3b1e845bafcb27aa35405c4d47cdfc92af5fc8d3002f76cebdc0"
+dependencies = [
+ "cfg-if",
+ "cpufeatures",
+ "digest 0.10.6",
+]
+
+[[package]]
+name = "shrinkwraprs"
+version = "0.3.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "e63e6744142336dfb606fe2b068afa2e1cca1ee6a5d8377277a92945d81fa331"
+dependencies = [
+ "bitflags",
+ "itertools",
+ "proc-macro2",
+ "quote",
+ "syn",
+]
+
+[[package]]
+name = "slab"
+version = "0.4.7"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "4614a76b2a8be0058caa9dbbaf66d988527d86d003c11a94fbd335d7661edcef"
+dependencies = [
+ "autocfg",
+]
+
+[[package]]
+name = "socket2"
+version = "0.4.7"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "02e2d2db9033d13a1567121ddd7a095ee144db4e1ca1b1bda3419bc0da294ebd"
+dependencies = [
+ "libc",
+ "winapi",
+]
+
+[[package]]
+name = "sodalite"
+version = "0.4.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "41784a359d15c58bba298cccb7f30a847a1a42d0620c9bdaa0aa42fdb3c280e0"
+dependencies = [
+ "index-fixed",
+]
+
+[[package]]
+name = "strsim"
+version = "0.10.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "73473c0e59e6d5812c5dfe2a064a6444949f089e20eec9a2e5506596494e4623"
+
+[[package]]
+name = "syn"
+version = "1.0.107"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "1f4064b5b16e03ae50984a5a8ed5d4f8803e6bc1fd170a3cda91a1be4b18e3f5"
+dependencies = [
+ "proc-macro2",
+ "quote",
+ "unicode-ident",
+]
+
+[[package]]
+name = "system76-firmware"
+version = "1.0.50"
+dependencies = [
+ "anyhow",
+ "bincode",
+ "buildchain",
+ "clap",
+ "ecflash",
+ "libc",
+ "plain",
+ "rust-lzma",
+ "serde",
+ "serde_json",
+ "sha2 0.9.9",
+ "system76_ectool",
+ "tar",
+ "tempdir",
+ "uuid",
+]
+
+[[package]]
+name = "system76-firmware-daemon"
+version = "0.1.0"
+dependencies = [
+ "dbus",
+ "dbus-crossroads",
+ "enum_derive",
+ "libc",
+ "serde",
+ "serde_json",
+ "shrinkwraprs",
+ "system76-firmware",
+ "thiserror",
+]
+
+[[package]]
+name = "system76_ectool"
+version = "0.2.3"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "c957fdd329e017031dbd261ff48fad01296660a9c237942c226cff064bd0610a"
+dependencies = [
+ "libc",
+]
+
+[[package]]
+name = "tar"
+version = "0.4.35"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "7d779dc6aeff029314570f666ec83f19df7280bb36ef338442cfa8c604021b80"
+dependencies = [
+ "filetime",
+ "libc",
+ "xattr",
+]
+
+[[package]]
+name = "tempdir"
+version = "0.3.7"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "15f2b5fb00ccdf689e0149d1b1b3c03fead81c2b37735d812fa8bddbbf41b6d8"
+dependencies = [
+ "rand 0.4.6",
+ "remove_dir_all",
+]
+
+[[package]]
+name = "tempfile"
+version = "3.3.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "5cdb1ef4eaeeaddc8fbd371e5017057064af0911902ef36b39801f67cc6d79e4"
+dependencies = [
+ "cfg-if",
+ "fastrand",
+ "libc",
+ "redox_syscall",
+ "remove_dir_all",
+ "winapi",
+]
+
+[[package]]
+name = "termcolor"
+version = "1.2.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "be55cf8942feac5c765c2c993422806843c9a9a45d4d5c407ad6dd2ea95eb9b6"
+dependencies = [
+ "winapi-util",
+]
+
+[[package]]
+name = "textwrap"
+version = "0.16.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "222a222a5bfe1bba4a77b45ec488a741b3cb8872e5e499451fd7d0129c9c7c3d"
+
+[[package]]
+name = "thiserror"
+version = "1.0.38"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "6a9cd18aa97d5c45c6603caea1da6628790b37f7a34b6ca89522331c5180fed0"
+dependencies = [
+ "thiserror-impl",
+]
+
+[[package]]
+name = "thiserror-impl"
+version = "1.0.38"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "1fb327af4685e4d03fa8cbcf1716380da910eeb2bb8be417e7f9fd3fb164f36f"
+dependencies = [
+ "proc-macro2",
+ "quote",
+ "syn",
+]
+
+[[package]]
+name = "tinyvec"
+version = "1.6.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "87cc5ceb3875bb20c2890005a4e226a4651264a5c75edb2421b52861a0a0cb50"
+dependencies = [
+ "tinyvec_macros",
+]
+
+[[package]]
+name = "tinyvec_macros"
+version = "0.1.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "cda74da7e1a664f795bb1f8a87ec406fb89a02522cf6e50620d016add6dbbf5c"
+
+[[package]]
+name = "tokio"
+version = "1.25.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "c8e00990ebabbe4c14c08aca901caed183ecd5c09562a12c824bb53d3c3fd3af"
+dependencies = [
+ "autocfg",
+ "bytes",
+ "libc",
+ "memchr",
+ "mio",
+ "num_cpus",
+ "pin-project-lite",
+ "socket2",
+ "windows-sys",
+]
+
+[[package]]
+name = "tokio-native-tls"
+version = "0.3.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "f7d995660bd2b7f8c1568414c1126076c13fbb725c40112dc0120b78eb9b717b"
+dependencies = [
+ "native-tls",
+ "tokio",
+]
+
+[[package]]
+name = "tokio-util"
+version = "0.7.4"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "0bb2e075f03b3d66d8d8785356224ba688d2906a371015e225beeb65ca92c740"
+dependencies = [
+ "bytes",
+ "futures-core",
+ "futures-sink",
+ "pin-project-lite",
+ "tokio",
+ "tracing",
+]
+
+[[package]]
+name = "tower-service"
+version = "0.3.2"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "b6bc1c9ce2b5135ac7f93c72918fc37feb872bdc6a5533a8b85eb4b86bfdae52"
+
+[[package]]
+name = "tracing"
+version = "0.1.37"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "8ce8c33a8d48bd45d624a6e523445fd21ec13d3653cd51f681abf67418f54eb8"
+dependencies = [
+ "cfg-if",
+ "pin-project-lite",
+ "tracing-core",
+]
+
+[[package]]
+name = "tracing-core"
+version = "0.1.30"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "24eb03ba0eab1fd845050058ce5e616558e8f8d8fca633e6b163fe25c797213a"
+dependencies = [
+ "once_cell",
+]
+
+[[package]]
+name = "try-lock"
+version = "0.2.4"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "3528ecfd12c466c6f163363caf2d02a71161dd5e1cc6ae7b34207ea2d42d81ed"
+
+[[package]]
+name = "typenum"
+version = "1.16.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "497961ef93d974e23eb6f433eb5fe1b7930b659f06d12dec6fc44a8f554c0bba"
+
+[[package]]
+name = "unicode-bidi"
+version = "0.3.10"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "d54675592c1dbefd78cbd98db9bacd89886e1ca50692a0692baefffdeb92dd58"
+
+[[package]]
+name = "unicode-ident"
+version = "1.0.6"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "84a22b9f218b40614adcb3f4ff08b703773ad44fa9423e4e0d346d5db86e4ebc"
+
+[[package]]
+name = "unicode-normalization"
+version = "0.1.22"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "5c5713f0fc4b5db668a2ac63cdb7bb4469d8c9fed047b1d0292cc7b0ce2ba921"
+dependencies = [
+ "tinyvec",
+]
+
+[[package]]
+name = "url"
+version = "2.3.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "0d68c799ae75762b8c3fe375feb6600ef5602c883c5d21eb51c09f22b83c4643"
+dependencies = [
+ "form_urlencoded",
+ "idna",
+ "percent-encoding",
+]
+
+[[package]]
+name = "uuid"
+version = "0.8.2"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "bc5cf98d8186244414c848017f0e2676b3fcb46807f6668a97dfe67359a3c4b7"
+
+[[package]]
+name = "vcpkg"
+version = "0.2.15"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "accd4ea62f7bb7a82fe23066fb0957d48ef677f6eeb8215f372f52e48bb32426"
+
+[[package]]
+name = "version_check"
+version = "0.9.4"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "49874b5167b65d7193b8aba1567f5c7d93d001cafc34600cee003eda787e483f"
+
+[[package]]
+name = "want"
+version = "0.3.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "1ce8a968cb1cd110d136ff8b819a556d6fb6d919363c61534f6860c7eb172ba0"
+dependencies = [
+ "log",
+ "try-lock",
+]
+
+[[package]]
+name = "wasi"
+version = "0.11.0+wasi-snapshot-preview1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "9c8d87e72b64a3b4db28d11ce29237c246188f4f51057d65a7eab63b7987e423"
+
+[[package]]
+name = "wasm-bindgen"
+version = "0.2.83"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "eaf9f5aceeec8be17c128b2e93e031fb8a4d469bb9c4ae2d7dc1888b26887268"
+dependencies = [
+ "cfg-if",
+ "wasm-bindgen-macro",
+]
+
+[[package]]
+name = "wasm-bindgen-backend"
+version = "0.2.83"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "4c8ffb332579b0557b52d268b91feab8df3615f265d5270fec2a8c95b17c1142"
+dependencies = [
+ "bumpalo",
+ "log",
+ "once_cell",
+ "proc-macro2",
+ "quote",
+ "syn",
+ "wasm-bindgen-shared",
+]
+
+[[package]]
+name = "wasm-bindgen-futures"
+version = "0.4.33"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "23639446165ca5a5de86ae1d8896b737ae80319560fbaa4c2887b7da6e7ebd7d"
+dependencies = [
+ "cfg-if",
+ "js-sys",
+ "wasm-bindgen",
+ "web-sys",
+]
+
+[[package]]
+name = "wasm-bindgen-macro"
+version = "0.2.83"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "052be0f94026e6cbc75cdefc9bae13fd6052cdcaf532fa6c45e7ae33a1e6c810"
+dependencies = [
+ "quote",
+ "wasm-bindgen-macro-support",
+]
+
+[[package]]
+name = "wasm-bindgen-macro-support"
+version = "0.2.83"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "07bc0c051dc5f23e307b13285f9d75df86bfdf816c5721e573dec1f9b8aa193c"
+dependencies = [
+ "proc-macro2",
+ "quote",
+ "syn",
+ "wasm-bindgen-backend",
+ "wasm-bindgen-shared",
+]
+
+[[package]]
+name = "wasm-bindgen-shared"
+version = "0.2.83"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "1c38c045535d93ec4f0b4defec448e4291638ee608530863b1e2ba115d4fff7f"
+
+[[package]]
+name = "web-sys"
+version = "0.3.60"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "bcda906d8be16e728fd5adc5b729afad4e444e106ab28cd1c7256e54fa61510f"
+dependencies = [
+ "js-sys",
+ "wasm-bindgen",
+]
+
+[[package]]
+name = "winapi"
+version = "0.3.9"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "5c839a674fcd7a98952e593242ea400abe93992746761e38641405d28b00f419"
+dependencies = [
+ "winapi-i686-pc-windows-gnu",
+ "winapi-x86_64-pc-windows-gnu",
+]
+
+[[package]]
+name = "winapi-i686-pc-windows-gnu"
+version = "0.4.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "ac3b87c63620426dd9b991e5ce0329eff545bccbbb34f3be09ff6fb6ab51b7b6"
+
+[[package]]
+name = "winapi-util"
+version = "0.1.5"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "70ec6ce85bb158151cae5e5c87f95a8e97d2c0c4b001223f33a334e3ce5de178"
+dependencies = [
+ "winapi",
+]
+
+[[package]]
+name = "winapi-x86_64-pc-windows-gnu"
+version = "0.4.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "712e227841d057c1ee1cd2fb22fa7e5a5461ae8e48fa2ca79ec42cfc1931183f"
+
+[[package]]
+name = "windows-sys"
+version = "0.42.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "5a3e1820f08b8513f676f7ab6c1f99ff312fb97b553d30ff4dd86f9f15728aa7"
+dependencies = [
+ "windows_aarch64_gnullvm",
+ "windows_aarch64_msvc",
+ "windows_i686_gnu",
+ "windows_i686_msvc",
+ "windows_x86_64_gnu",
+ "windows_x86_64_gnullvm",
+ "windows_x86_64_msvc",
+]
+
+[[package]]
+name = "windows_aarch64_gnullvm"
+version = "0.42.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "8c9864e83243fdec7fc9c5444389dcbbfd258f745e7853198f365e3c4968a608"
+
+[[package]]
+name = "windows_aarch64_msvc"
+version = "0.42.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "4c8b1b673ffc16c47a9ff48570a9d85e25d265735c503681332589af6253c6c7"
+
+[[package]]
+name = "windows_i686_gnu"
+version = "0.42.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "de3887528ad530ba7bdbb1faa8275ec7a1155a45ffa57c37993960277145d640"
+
+[[package]]
+name = "windows_i686_msvc"
+version = "0.42.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "bf4d1122317eddd6ff351aa852118a2418ad4214e6613a50e0191f7004372605"
+
+[[package]]
+name = "windows_x86_64_gnu"
+version = "0.42.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "c1040f221285e17ebccbc2591ffdc2d44ee1f9186324dd3e84e99ac68d699c45"
+
+[[package]]
+name = "windows_x86_64_gnullvm"
+version = "0.42.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "628bfdf232daa22b0d64fdb62b09fcc36bb01f05a3939e20ab73aaf9470d0463"
+
+[[package]]
+name = "windows_x86_64_msvc"
+version = "0.42.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "447660ad36a13288b1db4d4248e857b510e8c3a225c822ba4fb748c0aafecffd"
+
+[[package]]
+name = "winreg"
+version = "0.10.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "80d0f4e272c85def139476380b12f9ac60926689dd2e01d4923222f40580869d"
+dependencies = [
+ "winapi",
+]
+
+[[package]]
+name = "xattr"
+version = "0.2.3"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "6d1526bbe5aaeb5eb06885f4d987bcdfa5e23187055de9b83fe00156a821fabc"
+dependencies = [
+ "libc",
+]
diff --git a/nixpkgs/pkgs/os-specific/linux/firmware/system76-firmware/default.nix b/nixpkgs/pkgs/os-specific/linux/firmware/system76-firmware/default.nix
new file mode 100644
index 000000000000..d28372a465d9
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/firmware/system76-firmware/default.nix
@@ -0,0 +1,44 @@
+{ rustPlatform, lib, fetchFromGitHub, xz, pkg-config, openssl, dbus, efibootmgr, makeWrapper }:
+rustPlatform.buildRustPackage rec {
+  pname = "system76-firmware";
+  # Check Makefile when updating, make sure postInstall matches make install
+  version = "1.0.50";
+
+  src = fetchFromGitHub {
+    owner = "pop-os";
+    repo = pname;
+    rev = version;
+    sha256 = "sha256-nLbDhs+FxIcoVK66bwUAxAubikic5NT8yOA/mH/irgQ=";
+  };
+
+  nativeBuildInputs = [ pkg-config makeWrapper ];
+
+  buildInputs = [ xz openssl dbus ];
+
+  cargoBuildFlags = [ "--workspace" ];
+
+  cargoLock = {
+    lockFile = ./Cargo.lock;
+    outputHashes = {
+      "ecflash-0.1.0" = "sha256-W613wbW54R65/rs6oiPAH/qov2OVEjMMszpUJdX4TxI=";
+    };
+  };
+
+  # Purposefully don't install systemd unit file, that's for NixOS
+  postInstall = ''
+    install -D -m -0644 data/system76-firmware-daemon.conf $out/etc/dbus-1/system.d/system76-firmware-daemon.conf
+
+    for bin in $out/bin/system76-firmware-*
+    do
+      wrapProgram $bin --prefix PATH : "${efibootmgr}/bin"
+    done
+  '';
+
+  meta = with lib; {
+    description = "Tools for managing firmware updates for system76 devices";
+    homepage = "https://github.com/pop-os/system76-firmware";
+    license = licenses.gpl3Only;
+    maintainers = with maintainers; [ shlevy ];
+    platforms = [ "i686-linux" "x86_64-linux" ];
+  };
+}
diff --git a/nixpkgs/pkgs/os-specific/linux/firmware/xow_dongle-firmware/default.nix b/nixpkgs/pkgs/os-specific/linux/firmware/xow_dongle-firmware/default.nix
new file mode 100644
index 000000000000..444585189434
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/firmware/xow_dongle-firmware/default.nix
@@ -0,0 +1,34 @@
+{ stdenvNoCC, lib, fetchurl, cabextract }:
+
+stdenvNoCC.mkDerivation rec {
+  pname = "xow_dongle-firmware";
+  version = "2017-07";
+
+  dontConfigure = true;
+  dontBuild = true;
+
+  src = fetchurl {
+    url = "http://download.windowsupdate.com/c/msdownload/update/driver/drvs/2017/07/1cd6a87c-623f-4407-a52d-c31be49e925c_e19f60808bdcbfbd3c3df6be3e71ffc52e43261e.cab";
+    sha256 = "013g1zngxffavqrk5jy934q3bdhsv6z05ilfixdn8dj0zy26lwv5";
+  };
+
+  nativeBuildInputs = [ cabextract ];
+
+  sourceRoot = ".";
+
+  unpackCmd = ''
+    cabextract -F FW_ACC_00U.bin ${src}
+  '';
+
+  installPhase = ''
+    install -Dm644 FW_ACC_00U.bin ${placeholder "out"}/lib/firmware/xow_dongle.bin
+  '';
+
+  meta = with lib; {
+    description = "Xbox One wireless dongle firmware";
+    homepage = "https://www.xbox.com/en-NZ/accessories/adapters/wireless-adapter-windows";
+    license = licenses.unfree;
+    maintainers = with lib.maintainers; [ rhysmdnz ];
+    platforms = platforms.linux;
+  };
+}
diff --git a/nixpkgs/pkgs/os-specific/linux/firmware/zd1211/default.nix b/nixpkgs/pkgs/os-specific/linux/firmware/zd1211/default.nix
new file mode 100644
index 000000000000..6b86277ebc6e
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/firmware/zd1211/default.nix
@@ -0,0 +1,30 @@
+{ stdenvNoCC
+, lib
+, fetchurl
+}:
+
+stdenvNoCC.mkDerivation rec {
+  pname = "zd1211-firmware";
+  version = "1.5";
+
+  src = fetchurl {
+    url = "mirror://sourceforge/zd1211/${pname}-${version}.tar.bz2";
+    hash = "sha256-8R04ENf3KDOZf2NFhKWG3M7XGjU/llq/gQYuxDHQKxI=";
+  };
+
+  installPhase = ''
+    runHook preInstall
+
+    mkdir -p $out/lib/firmware/zd1211
+    cp * $out/lib/firmware/zd1211
+
+    runHook postInstall
+  '';
+
+  meta = {
+    description = "Firmware for the ZyDAS ZD1211(b) 802.11a/b/g USB WLAN chip";
+    homepage = "https://sourceforge.net/projects/zd1211/";
+    license = "GPL";
+    platforms = lib.platforms.linux;
+  };
+}
diff --git a/nixpkgs/pkgs/os-specific/linux/flashbench/default.nix b/nixpkgs/pkgs/os-specific/linux/flashbench/default.nix
new file mode 100644
index 000000000000..619aea69aa64
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/flashbench/default.nix
@@ -0,0 +1,31 @@
+{ lib, stdenv, fetchFromGitHub }:
+
+stdenv.mkDerivation {
+  pname = "flashbench-unstable";
+  version = "2020-01-23";
+
+  src = fetchFromGitHub {
+    owner = "bradfa";
+    repo = "flashbench";
+    rev = "d783b1bd2443812c6deadc31b081f043e43e4c1a";
+    sha256 = "045j1kpay6x2ikz8x54ph862ymfy1nzpbmmqpf3nkapiv32fjqw5";
+  };
+
+  installPhase = ''
+    runHook preInstall
+
+    install -d -m755 $out/bin $out/share/doc/flashbench
+    install -v -m755 flashbench $out/bin
+    install -v -m755 erase $out/bin/flashbench-erase
+    install -v -m644 README $out/share/doc/flashbench
+
+    runHook postInstall
+  '';
+
+  meta = with lib; {
+    description = "Testing tool for flash based memory devices";
+    homepage = "https://github.com/bradfa/flashbench";
+    platforms = platforms.linux;
+    license = licenses.gpl2Only;
+  };
+}
diff --git a/nixpkgs/pkgs/os-specific/linux/fnotifystat/default.nix b/nixpkgs/pkgs/os-specific/linux/fnotifystat/default.nix
new file mode 100644
index 000000000000..fabfd47bca12
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/fnotifystat/default.nix
@@ -0,0 +1,30 @@
+{ lib
+, stdenv
+, fetchFromGitHub
+}:
+
+stdenv.mkDerivation rec {
+  pname = "fnotifystat";
+  version = "0.02.10";
+
+  src = fetchFromGitHub {
+    owner = "ColinIanKing";
+    repo = pname;
+    rev = "V${version}";
+    hash = "sha256-bcb1kSpNZV7eTcEIcaoiqxB68kTc0TGFMIr1Aehy/Rc=";
+  };
+
+  installFlags = [
+    "BINDIR=${placeholder "out"}/bin"
+    "MANDIR=${placeholder "out"}/share/man/man8"
+    "BASHDIR=${placeholder "out"}/share/bash-completion/completions"
+  ];
+
+  meta = with lib; {
+    description = "File activity monitoring tool";
+    homepage = "https://github.com/ColinIanKing/fnotifystat";
+    license = licenses.gpl2Plus;
+    platforms = platforms.linux;
+    maintainers = with maintainers; [ womfoo dtzWill ];
+  };
+}
diff --git a/nixpkgs/pkgs/os-specific/linux/forkstat/default.nix b/nixpkgs/pkgs/os-specific/linux/forkstat/default.nix
new file mode 100644
index 000000000000..c8a3276f5d81
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/forkstat/default.nix
@@ -0,0 +1,27 @@
+{ stdenv, lib, fetchFromGitHub }:
+
+stdenv.mkDerivation rec {
+  pname = "forkstat";
+  version = "0.03.01";
+
+  src = fetchFromGitHub {
+    owner = "ColinIanKing";
+    repo = pname;
+    rev = "V${version}";
+    hash = "sha256-T7O+PIWmFC4wi4nnmNsAH8H0SazixBoCx5ZdBV2wL+E=";
+  };
+
+  installFlags = [
+    "BINDIR=${placeholder "out"}/bin"
+    "MANDIR=${placeholder "out"}/share/man/man8"
+    "BASHDIR=${placeholder "out"}/share/bash-completion/completions"
+  ];
+
+  meta = with lib; {
+    description = "Process fork/exec/exit monitoring tool";
+    homepage = "https://github.com/ColinIanKing/forkstat";
+    license = licenses.gpl2;
+    platforms = platforms.linux;
+    maintainers = with maintainers; [ womfoo ];
+  };
+}
diff --git a/nixpkgs/pkgs/os-specific/linux/forktty/default.nix b/nixpkgs/pkgs/os-specific/linux/forktty/default.nix
new file mode 100644
index 000000000000..7dc1f0c3b2e4
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/forktty/default.nix
@@ -0,0 +1,29 @@
+{ lib, stdenv, fetchurl }:
+
+stdenv.mkDerivation rec {
+  pname = "forktty";
+  version = "1.3";
+
+  src = fetchurl {
+    url = "mirror://ibiblioPubLinux/utils/terminal/${pname}-${version}.tgz";
+    hash = "sha256-6xc5eshCuCIOsDh0r2DizKAeypGH0TRRotZ4itsvpVk=";
+  };
+
+  preBuild = ''
+    sed -e s@/usr/bin/ginstall@install@g -i Makefile
+  '';
+
+  preInstall = ''
+    mkdir -p "$out/bin"
+    mkdir -p "$out/share/man/man8"
+  '';
+
+  makeFlags = [ "prefix=$(out)" "manprefix=$(out)/share/" ];
+
+  meta = with lib; {
+    description = "Tool to detach from controlling TTY and attach to another";
+    license = licenses.gpl2;
+    maintainers = with maintainers; [ raskin ];
+    platforms = platforms.linux;
+  };
+}
diff --git a/nixpkgs/pkgs/os-specific/linux/freefall/default.nix b/nixpkgs/pkgs/os-specific/linux/freefall/default.nix
new file mode 100644
index 000000000000..683b599e5beb
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/freefall/default.nix
@@ -0,0 +1,33 @@
+{ lib, stdenv, kernel }:
+
+stdenv.mkDerivation {
+  inherit (kernel) version src;
+
+  pname = "freefall";
+
+  postPatch = ''
+    cd tools/laptop/freefall
+
+    # Default time-out is a little low, probably because the AC/lid status
+    # functions were never implemented. Because no-one still uses HDDs, right?
+    substituteInPlace freefall.c --replace "alarm(2)" "alarm(5)"
+  '';
+
+  makeFlags = [ "PREFIX=$(out)" ];
+
+  meta = with lib; {
+    inherit (kernel.meta) homepage license;
+
+    description = "Free-fall protection for spinning HP/Dell laptop hard drives";
+    longDescription = ''
+      Provides a shock protection facility in modern laptops with spinning hard
+      drives, by stopping all input/output operations on the internal hard drive
+      and parking its heads on the ramp when critical situations are anticipated.
+      Requires support for the ATA/ATAPI-7 IDLE IMMEDIATE command with unload
+      feature, which should cause the drive to switch to idle mode and unload the
+      disk heads, and an accelerometer device. It has no effect on SSD devices!
+    '';
+
+    platforms = platforms.linux;
+  };
+}
diff --git a/nixpkgs/pkgs/os-specific/linux/freeipa/default.nix b/nixpkgs/pkgs/os-specific/linux/freeipa/default.nix
new file mode 100644
index 000000000000..99d8527fc1d8
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/freeipa/default.nix
@@ -0,0 +1,172 @@
+{ stdenv
+, lib
+, fetchurl
+, pkg-config
+, autoconf
+, automake
+, kerberos
+, openldap
+, popt
+, sasl
+, curl
+, xmlrpc_c
+, ding-libs
+, p11-kit
+, gettext
+, nspr
+, nss
+, _389-ds-base
+, svrcore
+, libuuid
+, talloc
+, tevent
+, samba
+, libunistring
+, libverto
+, libpwquality
+, systemd
+, python3
+, bind
+, sssd
+, jre
+, rhino
+, lesscpy
+, jansson
+, runtimeShell
+}:
+
+let
+  pathsPy = ./paths.py;
+
+  pythonInputs = with python3.pkgs; [
+    six
+    python-ldap
+    dnspython
+    netaddr
+    netifaces
+    gssapi
+    dogtag-pki
+    pyasn1
+    sssd
+    cffi
+    lxml
+    dbus-python
+    cryptography
+    python-memcached
+    qrcode
+    pyusb
+    yubico
+    setuptools
+    jinja2
+    augeas
+    samba
+  ];
+in
+stdenv.mkDerivation rec {
+  pname = "freeipa";
+  version = "4.11.0";
+
+  src = fetchurl {
+    url = "https://releases.pagure.org/freeipa/freeipa-${version}.tar.gz";
+    sha256 = "sha256-l/e2Dq/ako41QWEZyJCD+PA44PzTnzC8B7jYAm/Tt6Q=";
+  };
+
+  nativeBuildInputs = [
+    python3.pkgs.wrapPython
+    jre
+    rhino
+    lesscpy
+    automake
+    autoconf
+    gettext
+    pkg-config
+  ];
+
+  buildInputs = [
+    kerberos
+    openldap
+    popt
+    sasl
+    curl
+    xmlrpc_c
+    ding-libs
+    p11-kit
+    python3
+    nspr
+    nss
+    _389-ds-base
+    svrcore
+    libuuid
+    talloc
+    tevent
+    samba
+    libunistring
+    libverto
+    systemd
+    bind
+    libpwquality
+    jansson
+  ] ++ pythonInputs;
+
+  postPatch = ''
+    patchShebangs makeapi makeaci install/ui/util
+
+    substituteInPlace ipaplatform/setup.py \
+      --replace 'ipaplatform.debian' 'ipaplatform.nixos'
+
+    substituteInPlace ipasetup.py.in \
+      --replace 'int(v)' 'int(v.replace("post", ""))'
+
+    substituteInPlace client/ipa-join.c \
+      --replace /usr/sbin/ipa-getkeytab $out/bin/ipa-getkeytab
+
+    cp -r ipaplatform/{fedora,nixos}
+    substitute ${pathsPy} ipaplatform/nixos/paths.py \
+      --subst-var out \
+      --subst-var-by bind ${bind.dnsutils} \
+      --subst-var-by curl ${curl} \
+      --subst-var-by kerberos ${kerberos}
+  '';
+
+  NIX_CFLAGS_COMPILE = "-I${_389-ds-base}/include/dirsrv";
+  pythonPath = pythonInputs;
+
+  # Building and installing the server fails with silent Rhino errors, skipping
+  # for now. Need a newer Rhino version.
+  #buildFlags = [ "client" "server" ]
+
+  configureFlags = [
+    "--with-systemdsystemunitdir=$out/lib/systemd/system"
+    "--with-ipaplatform=nixos"
+    "--disable-server"
+  ];
+
+  postInstall = ''
+    echo "
+     #!${runtimeShell}
+     echo 'ipa-client-install is not available on NixOS. Please see security.ipa, instead.'
+     exit 1
+    " > $out/sbin/ipa-client-install
+  '';
+
+  postFixup = ''
+    wrapPythonPrograms
+    rm -rf $out/etc/ipa $out/var/lib/ipa-client/sysrestore
+  '';
+
+  meta = with lib; {
+    description = "Identity, Policy and Audit system";
+    longDescription = ''
+      IPA is an integrated solution to provide centrally managed Identity (users,
+      hosts, services), Authentication (SSO, 2FA), and Authorization
+      (host access control, SELinux user roles, services). The solution provides
+      features for further integration with Linux based clients (SUDO, automount)
+      and integration with Active Directory based infrastructures (Trusts).
+    '';
+    homepage = "https://www.freeipa.org/";
+    license = licenses.gpl3Plus;
+    maintainers = [ maintainers.s1341 ];
+    platforms = platforms.linux;
+    mainProgram = "ipa";
+  };
+}
diff --git a/nixpkgs/pkgs/os-specific/linux/freeipa/paths.py b/nixpkgs/pkgs/os-specific/linux/freeipa/paths.py
new file mode 100644
index 000000000000..36c0cc0c7403
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/freeipa/paths.py
@@ -0,0 +1,13 @@
+from ipaplatform.fedora.paths import FedoraPathNamespace
+
+class NixOSPathNamespace(FedoraPathNamespace):
+    SBIN_IPA_JOIN = "@out@/bin/ipa-join"
+    IPA_GETCERT = "@out@/bin/ipa-getcert"
+    IPA_RMKEYTAB = "@out@/bin/ipa-rmkeytab"
+    IPA_GETKEYTAB = "@out@/bin/ipa-getkeytab"
+    NSUPDATE = "@bind@/bin/nsupdate"
+    BIN_CURL = "@curl@/bin/curl"
+    KINIT = "@kerberos@/bin/kinit"
+    KDESTROY = "@kerberos@/bin/kdestroy"
+
+paths = NixOSPathNamespace()
diff --git a/nixpkgs/pkgs/os-specific/linux/fscrypt/default.nix b/nixpkgs/pkgs/os-specific/linux/fscrypt/default.nix
new file mode 100644
index 000000000000..fd925ab654fa
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/fscrypt/default.nix
@@ -0,0 +1,55 @@
+{ lib, buildGoModule, fetchFromGitHub, gnum4, pam, fscrypt-experimental }:
+
+# Don't use this for anything important yet!
+
+buildGoModule rec {
+  pname = "fscrypt";
+  version = "0.3.4";
+
+  src = fetchFromGitHub {
+    owner = "google";
+    repo = "fscrypt";
+    rev = "v${version}";
+    hash = "sha256-4Im3YWhLs5Q+o4DtpSuSMuKtKqXaICL9/EB0q5um6mQ=";
+  };
+
+  postPatch = ''
+    substituteInPlace Makefile \
+      --replace 'TAG_VERSION := $(shell git describe --tags)' "" \
+      --replace "/usr/local" "$out"
+  '';
+
+  vendorHash = "sha256-APW0XM6fTQOCw4tE1NA5VNN3fBUmsvn99NqqJnB3Q0s=";
+
+  doCheck = false;
+
+  nativeBuildInputs = [ gnum4 ];
+  buildInputs = [ pam ];
+
+  buildPhase = ''
+    runHook preBuild
+    make
+    runHook postBuild
+  '';
+
+  installPhase = ''
+    runHook preInstall
+    make install
+    runHook postInstall
+  '';
+
+  meta = with lib; {
+    description =
+      "A high-level tool for the management of Linux filesystem encryption";
+    longDescription = ''
+      This tool manages metadata, key generation, key wrapping, PAM integration,
+      and provides a uniform interface for creating and modifying encrypted
+      directories.
+    '';
+    inherit (src.meta) homepage;
+    changelog = "https://github.com/google/fscrypt/releases/tag/v${version}";
+    license = licenses.asl20;
+    platforms = platforms.linux;
+    maintainers = with maintainers; [ primeos ];
+  };
+}
diff --git a/nixpkgs/pkgs/os-specific/linux/fscryptctl/default.nix b/nixpkgs/pkgs/os-specific/linux/fscryptctl/default.nix
new file mode 100644
index 000000000000..2a2a9b41c9c2
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/fscryptctl/default.nix
@@ -0,0 +1,40 @@
+{ lib, stdenv, fetchFromGitHub }:
+
+stdenv.mkDerivation rec {
+  pname = "fscryptctl";
+  version = "1.0.0";
+
+  goPackagePath = "github.com/google/fscrypt";
+
+  src = fetchFromGitHub {
+    owner = "google";
+    repo = "fscryptctl";
+    rev = "v${version}";
+    sha256 = "1hwj726mm0yhlcf6523n07h0yq1rvkv4km64h3ydpjcrcxklhw6l";
+  };
+
+  makeFlags = [ "PREFIX=${placeholder "out"}" ];
+
+  meta = with lib; {
+    description = "Small C tool for Linux filesystem encryption";
+    longDescription = ''
+      fscryptctl is a low-level tool written in C that handles raw keys and
+      manages policies for Linux filesystem encryption, specifically the
+      "fscrypt" kernel interface which is supported by the ext4, f2fs, and
+      UBIFS filesystems.
+      fscryptctl is mainly intended for embedded systems which can't use the
+      full-featured fscrypt tool, or for testing or experimenting with the
+      kernel interface to Linux filesystem encryption. fscryptctl does not
+      handle key generation, key stretching, key wrapping, or PAM integration.
+      Most users should use the fscrypt tool instead, which supports these
+      features and generally is much easier to use.
+      As fscryptctl is intended for advanced users, you should read the kernel
+      documentation for filesystem encryption before using fscryptctl.
+    '';
+    inherit (src.meta) homepage;
+    changelog = "https://github.com/google/fscryptctl/releases/tag/v${version}";
+    license = licenses.asl20;
+    platforms = platforms.linux;
+    maintainers = with maintainers; [ primeos ];
+  };
+}
diff --git a/nixpkgs/pkgs/os-specific/linux/fsverity-utils/default.nix b/nixpkgs/pkgs/os-specific/linux/fsverity-utils/default.nix
new file mode 100644
index 000000000000..c5bed075338f
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/fsverity-utils/default.nix
@@ -0,0 +1,51 @@
+{ stdenv
+, lib
+, fetchgit
+, openssl
+, enableShared ? !stdenv.hostPlatform.isStatic
+, enableManpages ? false
+, pandoc
+}:
+
+stdenv.mkDerivation rec {
+  pname = "fsverity-utils";
+  version = "1.5";
+
+  outputs = [ "out" "lib" "dev" ] ++ lib.optional enableManpages "man";
+
+  src = fetchgit {
+    url = "https://git.kernel.org/pub/scm/linux/kernel/git/ebiggers/fsverity-utils.git";
+    rev = "v${version}";
+    sha256 = "sha256-ygBOkp2PBe8Z2ak6SXEJ6HHuT4NRKmIsbJDHcY+h8PQ=";
+  };
+
+  patches = lib.optionals (!enableShared) [
+    ./remove-dynamic-libs.patch
+  ];
+
+  enableParallelBuilding = true;
+  strictDeps = true;
+
+  nativeBuildInputs = lib.optional enableManpages pandoc;
+  buildInputs = [ openssl ];
+
+  makeFlags = [ "DESTDIR=$(out)" "PREFIX=" ] ++ lib.optional enableShared "USE_SHARED_LIB=1";
+
+  doCheck = true;
+
+  installTargets = [ "install" ] ++ lib.optional enableManpages "install-man";
+
+  postInstall = ''
+    mkdir -p $lib
+    mv $out/lib $lib/lib
+  '';
+
+  meta = with lib; {
+    homepage = "https://www.kernel.org/doc/html/latest/filesystems/fsverity.html#userspace-utility";
+    changelog = "https://git.kernel.org/pub/scm/linux/kernel/git/ebiggers/fsverity-utils.git/tree/NEWS.md";
+    description = "A set of userspace utilities for fs-verity";
+    license = licenses.mit;
+    maintainers = with maintainers; [ jk ];
+    platforms = platforms.linux;
+  };
+}
diff --git a/nixpkgs/pkgs/os-specific/linux/fsverity-utils/remove-dynamic-libs.patch b/nixpkgs/pkgs/os-specific/linux/fsverity-utils/remove-dynamic-libs.patch
new file mode 100644
index 000000000000..95635cbccdb8
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/fsverity-utils/remove-dynamic-libs.patch
@@ -0,0 +1,27 @@
+diff --git a/Makefile b/Makefile
+index 2304a21..697ccd4 100644
+--- a/Makefile
++++ b/Makefile
+@@ -149,13 +149,11 @@ libfsverity.so.$(SOVERSION):$(SHARED_LIB_OBJ)
+ 	$(QUIET_CCLD) $(CC) -o $@ -Wl,-soname=$@ -shared $+ \
+ 		$(CFLAGS) $(LDFLAGS) $(LDLIBS)
+ 
+-DEFAULT_TARGETS += libfsverity.so.$(SOVERSION)
+ 
+ # Create the symlink libfsverity.so => libfsverity.so.$(SOVERSION)
+ libfsverity.so:libfsverity.so.$(SOVERSION)
+ 	$(QUIET_LN) ln -sf $+ $@
+ 
+-DEFAULT_TARGETS += libfsverity.so
+ 
+ ##############################################################################
+ 
+@@ -263,8 +261,6 @@ install:all
+ 	install -d $(DESTDIR)$(LIBDIR)/pkgconfig $(DESTDIR)$(INCDIR) $(DESTDIR)$(BINDIR)
+ 	install -m755 $(FSVERITY) $(DESTDIR)$(BINDIR)
+ 	install -m644 libfsverity.a $(DESTDIR)$(LIBDIR)
+-	install -m755 libfsverity.so.$(SOVERSION) $(DESTDIR)$(LIBDIR)
+-	ln -sf libfsverity.so.$(SOVERSION) $(DESTDIR)$(LIBDIR)/libfsverity.so
+ 	install -m644 include/libfsverity.h $(DESTDIR)$(INCDIR)
+ 	sed -e "s|@PREFIX@|$(PREFIX)|" \
+ 		-e "s|@LIBDIR@|$(LIBDIR)|" \
diff --git a/nixpkgs/pkgs/os-specific/linux/fswebcam/default.nix b/nixpkgs/pkgs/os-specific/linux/fswebcam/default.nix
new file mode 100644
index 000000000000..678e0d428419
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/fswebcam/default.nix
@@ -0,0 +1,21 @@
+{ lib, stdenv, fetchurl, libv4l, gd }:
+
+stdenv.mkDerivation rec {
+  pname = "fswebcam";
+  version = "20200725";
+
+  src = fetchurl {
+    url = "https://www.sanslogic.co.uk/fswebcam/files/fswebcam-${version}.tar.gz";
+    sha256 = "1dazsrcaw9s30zz3jpxamk9lkff5dkmflp1s0jjjvdbwa0k6k6ii";
+  };
+
+  buildInputs =
+    [ libv4l gd ];
+
+  meta = {
+    description = "Neat and simple webcam app";
+    homepage = "http://www.sanslogic.co.uk/fswebcam";
+    platforms = lib.platforms.linux;
+    license = lib.licenses.gpl2;
+  };
+}
diff --git a/nixpkgs/pkgs/os-specific/linux/ftop/default.nix b/nixpkgs/pkgs/os-specific/linux/ftop/default.nix
new file mode 100644
index 000000000000..abd6d7884619
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/ftop/default.nix
@@ -0,0 +1,37 @@
+{ lib, stdenv, fetchurl, ncurses }:
+
+stdenv.mkDerivation rec {
+  pname = "ftop";
+  version = "1.0";
+
+  src = fetchurl {
+    url = "https://storage.googleapis.com/google-code-archive-downloads/v2/code.google.com/ftop/${pname}-${version}.tar.bz2";
+    sha256 = "3a705f4f291384344cd32c3dd5f5f6a7cd7cea7624c83cb7e923966dbcd47f82";
+  };
+
+  buildInputs = [ ncurses ];
+
+  patches = [
+    ./ftop-fix_buffer_overflow.patch
+    ./ftop-fix_printf_format.patch
+  ];
+  patchFlags = [ "-p0" ];
+
+  postPatch = ''
+    substituteInPlace configure --replace "curses" "ncurses"
+  '';
+
+  meta = with lib; {
+    description = "Show progress of open files and file systems";
+    homepage = "https://code.google.com/archive/p/ftop/";
+    license = licenses.gpl3Plus;
+    longDescription = ''
+      ftop is to files what top is to processes. The progress of all open files
+      and file systems can be monitored. If run as a regular user, the set of
+      open files will be limited to those in that user's processes (which is
+      generally all that is of interest to the user).
+      As with top, the items are displayed in order from most to least active.
+    '';
+    platforms = platforms.linux;
+  };
+}
diff --git a/nixpkgs/pkgs/os-specific/linux/ftop/ftop-fix_buffer_overflow.patch b/nixpkgs/pkgs/os-specific/linux/ftop/ftop-fix_buffer_overflow.patch
new file mode 100644
index 000000000000..f10fa6a33b85
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/ftop/ftop-fix_buffer_overflow.patch
@@ -0,0 +1,11 @@
+--- src/ftop.c.orig	2010-06-15 21:42:15.000000000 +0200
++++ src/ftop.c	2010-06-15 21:45:38.000000000 +0200
+@@ -935,7 +935,7 @@
+     {
+         if (bar_used > 0)
+         {
+-            snprintf(rate_buf, bar_used + 1, "%s", tmp_buf);
++            snprintf(rate_buf, bar_used >= sizeof(rate_buf) ? sizeof(rate_buf) : bar_used + 1, "%s", tmp_buf);
+             p_attron(p, A_REVERSE);
+             p_printf(p, "%s", rate_buf);
+             if (bar_used > bytes)
diff --git a/nixpkgs/pkgs/os-specific/linux/ftop/ftop-fix_printf_format.patch b/nixpkgs/pkgs/os-specific/linux/ftop/ftop-fix_printf_format.patch
new file mode 100644
index 000000000000..afb04306428a
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/ftop/ftop-fix_printf_format.patch
@@ -0,0 +1,20 @@
+--- src/ftop.c.orig	2010-06-15 23:14:50.000000000 +0200
++++ src/ftop.c	2010-06-15 23:15:52.000000000 +0200
+@@ -222,7 +222,7 @@
+     p_eol(p, part);
+ 
+     cols = snprintf(tmp_buf, sizeof(tmp_buf),
+-                    "Processes:  %u total, %u unreadable",
++                    "Processes:  %zu total, %zu unreadable",
+                     s->num_processes + s->num_unreadable_processes,
+                     s->num_unreadable_processes);
+ 
+@@ -244,7 +244,7 @@
+     p_eol(p, part);
+ 
+     snprintf(tmp_buf, sizeof(tmp_buf),
+-             "Open Files: %u regular, %u dir, %u chr, %u blk, %u pipe, %u sock, %u misc",
++             "Open Files: %zu regular, %zu dir, %zu chr, %zu blk, %zu pipe, %zu sock, %zu misc",
+              s->num_reg, s->num_dir, s->num_chr, s->num_blk, s->num_pipe,
+              s->num_sock, s->num_misc);
+ 
diff --git a/nixpkgs/pkgs/os-specific/linux/fuse/common.nix b/nixpkgs/pkgs/os-specific/linux/fuse/common.nix
new file mode 100644
index 000000000000..f4b8bfc5661a
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/fuse/common.nix
@@ -0,0 +1,108 @@
+{ version, hash }:
+
+{ lib, stdenv, fetchFromGitHub, fetchpatch
+, fusePackages, util-linux, gettext, shadow
+, meson, ninja, pkg-config
+, autoreconfHook
+, python3Packages, which
+}:
+
+let
+  isFuse3 = lib.hasPrefix "3" version;
+in stdenv.mkDerivation rec {
+  pname = "fuse";
+  inherit version;
+
+  src = fetchFromGitHub {
+    owner = "libfuse";
+    repo = "libfuse";
+    rev = "${pname}-${version}";
+    inherit hash;
+  };
+
+  preAutoreconf = "touch config.rpath";
+
+  patches =
+    lib.optional
+      (!isFuse3 && (stdenv.isAarch64 || stdenv.hostPlatform.isLoongArch64))
+      (fetchpatch {
+        url = "https://github.com/libfuse/libfuse/commit/914871b20a901e3e1e981c92bc42b1c93b7ab81b.patch";
+        sha256 = "1w4j6f1awjrycycpvmlv0x5v9gprllh4dnbjxl4dyl2jgbkaw6pa";
+      })
+    ++ (if isFuse3
+      then [ ./fuse3-install.patch ./fuse3-Do-not-set-FUSERMOUNT_DIR.patch ]
+      else [
+        ./fuse2-Do-not-set-FUSERMOUNT_DIR.patch
+        (fetchpatch {
+          url = "https://gitweb.gentoo.org/repo/gentoo.git/plain/sys-fs/fuse/files/fuse-2.9.9-closefrom-glibc-2-34.patch?id=8a970396fca7aca2d5a761b8e7a8242f1eef14c9";
+          sha256 = "sha256-ELYBW/wxRcSMssv7ejCObrpsJHtOPJcGq33B9yHQII4=";
+        })
+      ]);
+
+  nativeBuildInputs = if isFuse3
+    then [ meson ninja pkg-config ]
+    else [ autoreconfHook gettext ];
+
+  outputs = [ "out" ] ++ lib.optional isFuse3 "common";
+
+  mesonFlags = lib.optionals isFuse3 [
+    "-Dudevrulesdir=/udev/rules.d"
+    "-Duseroot=false"
+    "-Dinitscriptdir="
+  ];
+
+  preConfigure = ''
+    export MOUNT_FUSE_PATH=$out/sbin
+    export INIT_D_PATH=$TMPDIR/etc/init.d
+    export UDEV_RULES_PATH=$out/etc/udev/rules.d
+
+    # Ensure that FUSE calls the setuid wrapper, not
+    # $out/bin/fusermount. It falls back to calling fusermount in
+    # $PATH, so it should also work on non-NixOS systems.
+    export NIX_CFLAGS_COMPILE="-DFUSERMOUNT_DIR=\"/run/wrappers/bin\""
+
+    substituteInPlace lib/mount_util.c --replace "/bin/" "${util-linux}/bin/"
+    '' + (if isFuse3 then ''
+      # The configure phase will delete these files (temporary workaround for
+      # ./fuse3-install_man.patch)
+      install -D -m444 doc/fusermount3.1 $out/share/man/man1/fusermount3.1
+      install -D -m444 doc/mount.fuse3.8 $out/share/man/man8/mount.fuse3.8
+    '' else ''
+      substituteInPlace util/mount.fuse.c --replace '"su"' '"${shadow.su}/bin/su"'
+      sed -e 's@CONFIG_RPATH=/usr/share/gettext/config.rpath@CONFIG_RPATH=${gettext}/share/gettext/config.rpath@' -i makeconf.sh
+      ./makeconf.sh
+    '');
+
+  nativeCheckInputs = [ which ] ++ (with python3Packages; [ python pytest ]);
+
+  checkPhase = ''
+    python3 -m pytest test/
+  '';
+
+  doCheck = false; # v2: no tests, v3: all tests get skipped in a sandbox
+
+  postFixup = "cd $out\n" + (if isFuse3 then ''
+    install -D -m444 etc/fuse.conf $common/etc/fuse.conf
+    install -D -m444 etc/udev/rules.d/99-fuse3.rules $common/etc/udev/rules.d/99-fuse.rules
+  '' else ''
+    cp ${fusePackages.fuse_3.common}/etc/fuse.conf etc/fuse.conf
+    cp ${fusePackages.fuse_3.common}/etc/udev/rules.d/99-fuse.rules etc/udev/rules.d/99-fuse.rules
+  '');
+
+  meta = with lib; {
+    description = "Library that allows filesystems to be implemented in user space";
+    longDescription = ''
+      FUSE (Filesystem in Userspace) is an interface for userspace programs to
+      export a filesystem to the Linux kernel. The FUSE project consists of two
+      components: The fuse kernel module (maintained in the regular kernel
+      repositories) and the libfuse userspace library (this package). libfuse
+      provides the reference implementation for communicating with the FUSE
+      kernel module.
+    '';
+    homepage = "https://github.com/libfuse/libfuse";
+    changelog = "https://github.com/libfuse/libfuse/releases/tag/fuse-${version}";
+    platforms = platforms.linux;
+    license = with licenses; [ gpl2Only lgpl21Only ];
+    maintainers = [ maintainers.primeos ];
+  };
+}
diff --git a/nixpkgs/pkgs/os-specific/linux/fuse/default.nix b/nixpkgs/pkgs/os-specific/linux/fuse/default.nix
new file mode 100644
index 000000000000..f692c2fb41c7
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/fuse/default.nix
@@ -0,0 +1,17 @@
+{ callPackage, util-linux }:
+
+let
+  mkFuse = args: callPackage (import ./common.nix args) {
+    inherit util-linux;
+  };
+in {
+  fuse_2 = mkFuse {
+    version = "2.9.9";
+    hash = "sha256-dgjM6M7xk5MHi9xPyCyvF0vq0KM8UCsEYBcMhkrdvfs=";
+  };
+
+  fuse_3 = mkFuse {
+    version = "3.16.2";
+    hash = "sha256-QO9s+IkR0rkqIYNqt2IYST6AVBkCr56jcuuz5nKJuA4=";
+  };
+}
diff --git a/nixpkgs/pkgs/os-specific/linux/fuse/fuse2-Do-not-set-FUSERMOUNT_DIR.patch b/nixpkgs/pkgs/os-specific/linux/fuse/fuse2-Do-not-set-FUSERMOUNT_DIR.patch
new file mode 100644
index 000000000000..8ff40f34f938
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/fuse/fuse2-Do-not-set-FUSERMOUNT_DIR.patch
@@ -0,0 +1,11 @@
+--- a/lib/Makefile.am
++++ b/lib/Makefile.am
+@@ -1,7 +1,7 @@
+ ## Process this file with automake to produce Makefile.in
+ 
+ AUTOMAKE_OPTIONS = subdir-objects
+-AM_CPPFLAGS = -I$(top_srcdir)/include -DFUSERMOUNT_DIR=\"$(bindir)\" \
++AM_CPPFLAGS = -I$(top_srcdir)/include \
+  -D_FILE_OFFSET_BITS=64 -D_REENTRANT -DFUSE_USE_VERSION=26
+ 
+ lib_LTLIBRARIES = libfuse.la libulockmgr.la
diff --git a/nixpkgs/pkgs/os-specific/linux/fuse/fuse3-Do-not-set-FUSERMOUNT_DIR.patch b/nixpkgs/pkgs/os-specific/linux/fuse/fuse3-Do-not-set-FUSERMOUNT_DIR.patch
new file mode 100644
index 000000000000..582d3eb0dec8
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/fuse/fuse3-Do-not-set-FUSERMOUNT_DIR.patch
@@ -0,0 +1,13 @@
+diff --git a/lib/meson.build b/lib/meson.build
+--- a/lib/meson.build
++++ b/lib/meson.build
+@@ -37,8 +37,7 @@ libfuse = library('fuse3', libfuse_sources, version: meson.project_version(),
+                   soversion: '3', include_directories: include_dirs,
+                   dependencies: deps, install: true,
+                   link_depends: 'fuse_versionscript',
+-                  c_args: [ '-DFUSE_USE_VERSION=312',
+-                            '-DFUSERMOUNT_DIR="@0@"'.format(fusermount_path) ],
++                  c_args: [ '-DFUSE_USE_VERSION=312' ],
+                   link_args: ['-Wl,--version-script,' + meson.current_source_dir()
+                               + '/fuse_versionscript' ])
+ 
diff --git a/nixpkgs/pkgs/os-specific/linux/fuse/fuse3-install.patch b/nixpkgs/pkgs/os-specific/linux/fuse/fuse3-install.patch
new file mode 100644
index 000000000000..769e3088664c
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/fuse/fuse3-install.patch
@@ -0,0 +1,27 @@
+--- a/util/install_helper.sh	2023-08-26 22:12:11.028651669 +0200
++++ b/util/install_helper.sh	2023-08-26 22:38:03.165058694 +0200
+@@ -39,12 +39,12 @@
+ 
+ if [ "${udevrulesdir}" != "" ]; then
+     install -D -m 644 "${MESON_SOURCE_ROOT}/util/udev.rules" \
+-        "${DESTDIR}${udevrulesdir}/99-fuse3.rules"
++        "${sysconfdir}${udevrulesdir}/99-fuse3.rules"
+ fi
+ 
+ if [ "$initscriptdir" != "" ]; then
+     install -D -m 755 "${MESON_SOURCE_ROOT}/util/init_script" \
+-            "${DESTDIR}${initscriptdir}/fuse3"
++            "${sysconfdir}${initscriptdir}/fuse3"
+ 
+     if test -x /usr/sbin/update-rc.d && test -z "${DESTDIR}"; then
+         /usr/sbin/update-rc.d fuse3 start 34 S . start 41 0 6 . || /bin/true
+diff --git a/util/meson.build b/util/meson.build
+index aa0e734..06d4378 100644
+--- a/util/meson.build
++++ b/util/meson.build
+@@ -1,4 +1,4 @@
+-fuseconf_path = join_paths(get_option('prefix'), get_option('sysconfdir'), 'fuse.conf')
++fuseconf_path = join_paths('/', get_option('sysconfdir'), 'fuse.conf')
+ 
+ executable('fusermount3', ['fusermount.c', '../lib/mount_util.c'],
+            include_directories: include_dirs,
diff --git a/nixpkgs/pkgs/os-specific/linux/fw-ectool/default.nix b/nixpkgs/pkgs/os-specific/linux/fw-ectool/default.nix
new file mode 100644
index 000000000000..a73cc1896ecd
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/fw-ectool/default.nix
@@ -0,0 +1,41 @@
+{ stdenv
+, lib
+, fetchFromGitHub
+, pkg-config
+, hostname
+}:
+
+stdenv.mkDerivation {
+  pname = "fw-ectool";
+  version = "unstable-2022-12-03";
+
+  src = fetchFromGitHub {
+    owner = "DHowett";
+    repo = "fw-ectool";
+    rev = "54c140399bbc3e6a3dce6c9f842727c4128367be";
+    hash = "sha256-2teJFz4zcA+USpbVPXMEIHLdmMLem8ik7YrmrSxr/n0=";
+  };
+
+  nativeBuildInputs = [
+    pkg-config
+    hostname
+  ];
+
+  buildPhase = ''
+    patchShebangs util
+    make out=out utils
+  '';
+
+  installPhase = ''
+    install -D out/util/ectool $out/bin/ectool
+  '';
+
+  meta = with lib; {
+    description = "EC-Tool adjusted for usage with framework embedded controller";
+    homepage = "https://github.com/DHowett/framework-ec";
+    license = licenses.bsd3;
+    maintainers = [ maintainers.mkg20001 ];
+    platforms = platforms.linux;
+    mainProgram = "ectool";
+  };
+}
diff --git a/nixpkgs/pkgs/os-specific/linux/fwts/default.nix b/nixpkgs/pkgs/os-specific/linux/fwts/default.nix
new file mode 100644
index 000000000000..43f7ed5cb3a1
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/fwts/default.nix
@@ -0,0 +1,38 @@
+{ lib, stdenv, fetchzip, autoreconfHook, pkg-config, gnumake42, glib, pcre
+, json_c, flex, bison, dtc, pciutils, dmidecode, acpica-tools, libbsd }:
+
+stdenv.mkDerivation rec {
+  pname = "fwts";
+  version = "23.07.00";
+
+  src = fetchzip {
+    url = "https://fwts.ubuntu.com/release/${pname}-V${version}.tar.gz";
+    sha256 = "sha256-Fo5qdb0eT8taYfPAf5LQu0toNXcoVjNoDgeeAlUfbs4=";
+    stripRoot = false;
+  };
+
+  # fails with make 4.4
+  nativeBuildInputs = [ autoreconfHook pkg-config gnumake42 ];
+  buildInputs = [ glib pcre json_c flex bison dtc pciutils dmidecode acpica-tools libbsd ];
+
+  postPatch = ''
+    substituteInPlace src/lib/include/fwts_binpaths.h \
+      --replace "/usr/bin/lspci"      "${pciutils}/bin/lspci" \
+      --replace "/usr/sbin/dmidecode" "${dmidecode}/bin/dmidecode" \
+      --replace "/usr/bin/iasl"       "${acpica-tools}/bin/iasl"
+
+    substituteInPlace src/lib/src/fwts_devicetree.c \
+                      src/devicetree/dt_base/dt_base.c \
+      --replace "dtc -I" "${dtc}/bin/dtc -I"
+  '';
+
+  enableParallelBuilding = true;
+
+  meta = with lib; {
+    homepage = "https://wiki.ubuntu.com/FirmwareTestSuite";
+    description = "Firmware Test Suite";
+    platforms = platforms.linux;
+    license = licenses.gpl2;
+    maintainers = with maintainers; [ tadfisher ];
+  };
+}
diff --git a/nixpkgs/pkgs/os-specific/linux/fwts/module.nix b/nixpkgs/pkgs/os-specific/linux/fwts/module.nix
new file mode 100644
index 000000000000..a4083d275465
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/fwts/module.nix
@@ -0,0 +1,31 @@
+{ lib, stdenv, fwts, kernel }:
+
+stdenv.mkDerivation rec {
+  pname = "fwts-efi-runtime";
+  version = "${fwts.version}-${kernel.version}";
+
+  inherit (fwts) src;
+
+  sourceRoot = "${src.name}/efi_runtime";
+
+  postPatch = ''
+    substituteInPlace Makefile --replace \
+      '/lib/modules/$(KVER)/build' \
+      '${kernel.dev}/lib/modules/${kernel.modDirVersion}/build'
+  '';
+
+  nativeBuildInputs = kernel.moduleBuildDependencies;
+
+  hardeningDisable = [ "pic" ];
+
+  makeFlags = kernel.makeFlags ++ [
+    "INSTALL_MOD_PATH=${placeholder "out"}"
+  ];
+
+  meta = with lib; {
+    inherit (fwts.meta) homepage license;
+    description = fwts.meta.description + "(efi-runtime kernel module)";
+    maintainers = with maintainers; [ dtzWill ];
+    platforms = platforms.linux;
+  };
+}
diff --git a/nixpkgs/pkgs/os-specific/linux/fxload/default.nix b/nixpkgs/pkgs/os-specific/linux/fxload/default.nix
new file mode 100644
index 000000000000..e8b9d0648bd8
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/fxload/default.nix
@@ -0,0 +1,31 @@
+{ lib
+, stdenv
+, libusb1
+}:
+
+stdenv.mkDerivation rec {
+  pname = "fxload";
+  version = libusb1.version;
+  dontUnpack = true;
+  dontBuild = true;
+  dontConfigure = true;
+  dontInstall = true;
+  dontPatch = true;
+  dontPatchELF = true;
+
+  # fxload binary exist inside the `examples/bin` directory of `libusb1`
+  postFixup = ''
+    mkdir -p $out/bin
+    ln -s ${passthru.libusb}/examples/bin/fxload $out/bin/fxload
+  '';
+
+  passthru.libusb = libusb1.override { withExamples = true; };
+
+  meta = with lib; {
+    homepage = "https://github.com/libusb/libusb";
+    description = "Tool to upload firmware to into an21, fx, fx2, fx2lp and fx3 ez-usb devices";
+    license = licenses.gpl2Only;
+    platforms = platforms.linux;
+    maintainers = with maintainers; [ realsnick ];
+  };
+}
diff --git a/nixpkgs/pkgs/os-specific/linux/g15daemon/default.nix b/nixpkgs/pkgs/os-specific/linux/g15daemon/default.nix
new file mode 100644
index 000000000000..823f523db242
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/g15daemon/default.nix
@@ -0,0 +1,93 @@
+{ stdenv
+, lib
+, fetchFromGitHub
+, fetchurl
+, fetchpatch
+, patchelf
+, freetype
+, libusb-compat-0_1
+}:
+let
+  license = lib.licenses.gpl2;
+  maintainers = with lib.maintainers; [ peterhoeg ];
+
+  g15src = { pname, version, sha256 }: fetchurl {
+    url = "mirror://sourceforge/g15tools/${pname}/${version}/${pname}-${version}.tar.bz2";
+    inherit sha256;
+  };
+
+  libg15 = stdenv.mkDerivation rec {
+    pname = "libg15";
+    version = "1.2.7";
+
+    src = g15src {
+      inherit pname version;
+      sha256 = "1mkrf622n0cmz57lj8w9q82a9dcr1lmyyxbnrghrxzb6gvifnbqk";
+    };
+
+    buildInputs = [ libusb-compat-0_1 ];
+
+    enableParallelBuilding = true;
+
+    meta = {
+      description = "Provides low-level access to Logitech G11/G15 keyboards and Z10 speakers";
+      inherit license maintainers;
+    };
+  };
+
+  libg15render = stdenv.mkDerivation rec {
+    pname = "libg15render";
+    version = "1.2";
+
+    src = g15src {
+      inherit pname version;
+      sha256 = "03yjb78j1fnr2fwklxy54sdljwi0imvp29m8kmwl9v0pdapka8yj";
+    };
+
+    buildInputs = [ libg15 ];
+
+    enableParallelBuilding = true;
+
+    meta = {
+      description = "A small graphics library optimised for drawing on an LCD";
+      inherit license maintainers;
+    };
+  };
+in
+stdenv.mkDerivation rec {
+  pname = "g15daemon";
+  version = "1.9.5.3";
+
+  src = fetchurl {
+    url = "mirror://sourceforge/${pname}/G15Daemon%201.9x/${version}/${pname}-${version}.tar.bz2";
+    sha256 = "1613gsp5dgilwbshqxxhiyw73ksngnam7n1iw6yxdjkp9fyd2a3d";
+  };
+
+  patches = let
+    patch = fname: sha256: fetchurl rec {
+      url = "https://raw.githubusercontent.com/archlinux/svntogit-community/c0b0b6d4d6d7b79eca68123b20e0c9fb82e1c6e1/g15daemon/trunk/${pname}-${version}-${fname}.patch";
+      name = "${fname}.patch";
+      inherit sha256;
+    };
+  in
+    [
+      (patch "uinput" "1misfff7a1vg0qgfk3n25y7drnm86a4gq96iflpcwr5x3lw7q0h7")
+      (patch "config-write" "0jkrbqvzqrvxr14h5qi17cb4d32caq7vw9kzlz3qwpxdgxjrjvy2")
+      (patch "recv-oob-answer" "1f67iqpj5hcgpakagi7gbw1xviwhy5vizs546l9bfjimx8r2d29g")
+      ./pid_location.patch
+    ];
+
+  buildInputs = [ libg15 libg15render ];
+
+  # Workaround build failure on -fno-common toolchains like upstream gcc-10:
+  #  ld: g15_plugins.o:/build/g15daemon-1.9.5.3/g15daemon/./g15daemon.h:218:
+  #   multiple definition of `lcdlist_mutex'; utility_funcs.o:g15daemon.h:218: first defined here
+  env.NIX_CFLAGS_COMPILE = "-fcommon";
+
+  enableParallelBuilding = true;
+
+  meta = {
+    description = "A daemon that makes it possible to use the Logitech keyboard G-Buttons and draw on various Logitech LCDs";
+    inherit license maintainers;
+  };
+}
diff --git a/nixpkgs/pkgs/os-specific/linux/g15daemon/pid_location.patch b/nixpkgs/pkgs/os-specific/linux/g15daemon/pid_location.patch
new file mode 100644
index 000000000000..f88c4a809626
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/g15daemon/pid_location.patch
@@ -0,0 +1,25 @@
+diff --git a/g15daemon/main.c b/g15daemon/main.c
+index e674475..97b8242 100644
+--- a/g15daemon/main.c
++++ b/g15daemon/main.c
+@@ -574,7 +574,7 @@ exitnow:
+     g15daemon_quit_refresh();
+     uf_conf_write(lcdlist,"/etc/g15daemon.conf");
+     uf_conf_free(lcdlist);
+-    unlink("/var/run/g15daemon.pid");
++    unlink("/run/g15daemon/g15daemon.pid");
+     }
+     return 0;
+ }
+diff --git a/g15daemon/utility_funcs.c b/g15daemon/utility_funcs.c
+index c93d164..2e9c679 100644
+--- a/g15daemon/utility_funcs.c
++++ b/g15daemon/utility_funcs.c
+@@ -48,7 +48,7 @@
+
+ extern unsigned int g15daemon_debug;
+ extern volatile int leaving;
+-#define G15DAEMON_PIDFILE "/var/run/g15daemon.pid"
++#define G15DAEMON_PIDFILE "/run/g15daemon/g15daemon.pid"
+
+ pthread_cond_t lcd_refresh = PTHREAD_COND_INITIALIZER;
diff --git a/nixpkgs/pkgs/os-specific/linux/game-devices-udev-rules/default.nix b/nixpkgs/pkgs/os-specific/linux/game-devices-udev-rules/default.nix
new file mode 100644
index 000000000000..daaf23db6ce2
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/game-devices-udev-rules/default.nix
@@ -0,0 +1,38 @@
+{ lib
+, stdenv
+, fetchFromGitea
+, bash
+}:
+
+stdenv.mkDerivation (finalAttrs: {
+  pname = "game-devices-udev-rules";
+  version = "0.22";
+
+  src = fetchFromGitea {
+    domain = "codeberg.org";
+    owner = "fabiscafe";
+    repo = "game-devices-udev";
+    rev = finalAttrs.version;
+    hash = "sha256-1aOb8pJxB+/PM7spcvZcy/cwdEolHQ4+lwBLij+6iDk=";
+  };
+
+  postInstall = ''
+    install -Dm444 -t "$out/lib/udev/rules.d" *.rules
+    substituteInPlace $out/lib/udev/rules.d/71-powera-controllers.rules \
+    --replace "/bin/sh" "${bash}/bin/bash"
+  '';
+
+  meta = with lib; {
+    description = "Udev rules to make supported controllers available with user-grade permissions";
+    homepage = "https://codeberg.org/fabiscafe/game-devices-udev";
+    license = licenses.mit;
+    longDescription = ''
+      These udev rules are intended to be used as a package under 'services.udev.packages'.
+      They will not be activated if installed as 'environment.systemPackages' or 'users.user.<user>.packages'.
+
+      Additionally, you may need to enable 'hardware.uinput'.
+    '';
+    platforms = platforms.linux;
+    maintainers = with maintainers; [ keenanweaver ];
+  };
+})
diff --git a/nixpkgs/pkgs/os-specific/linux/gasket/default.nix b/nixpkgs/pkgs/os-specific/linux/gasket/default.nix
new file mode 100644
index 000000000000..c0790ae6a278
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/gasket/default.nix
@@ -0,0 +1,35 @@
+{ stdenv, lib, fetchFromGitHub, kernel }:
+
+stdenv.mkDerivation rec {
+  pname = "gasket";
+  version = "1.0-18";
+
+  src = fetchFromGitHub {
+    owner = "google";
+    repo = "gasket-driver";
+    rev = "97aeba584efd18983850c36dcf7384b0185284b3";
+    sha256 = "pJwrrI7jVKFts4+bl2xmPIAD01VKFta2SRuElerQnTo=";
+  };
+
+  makeFlags = [
+    "-C"
+    "${kernel.dev}/lib/modules/${kernel.modDirVersion}/build"
+    "M=$(PWD)"
+  ];
+  buildFlags = [ "modules" ];
+
+  installFlags = [ "INSTALL_MOD_PATH=${placeholder "out"}" ];
+  installTargets = [ "modules_install" ];
+
+  sourceRoot = "${src.name}/src";
+  hardeningDisable = [ "pic" "format" ];
+  nativeBuildInputs = kernel.moduleBuildDependencies;
+
+  meta = with lib; {
+    description = "The Coral Gasket Driver allows usage of the Coral EdgeTPU on Linux systems.";
+    homepage = "https://github.com/google/gasket-driver";
+    license = licenses.gpl2;
+    maintainers = [ lib.maintainers.kylehendricks ];
+    platforms = platforms.linux;
+  };
+}
diff --git a/nixpkgs/pkgs/os-specific/linux/gcadapter-oc-kmod/default.nix b/nixpkgs/pkgs/os-specific/linux/gcadapter-oc-kmod/default.nix
new file mode 100644
index 000000000000..1f0265207dfb
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/gcadapter-oc-kmod/default.nix
@@ -0,0 +1,38 @@
+{ lib, stdenv
+, fetchFromGitHub
+, kernel
+, kmod
+}:
+
+let
+  kerneldir = "lib/modules/${kernel.modDirVersion}";
+in stdenv.mkDerivation rec {
+  pname = "gcadapter-oc-kmod";
+  version = "unstable-2021-12-11";
+
+  src = fetchFromGitHub {
+    owner = "HannesMann";
+    repo = pname;
+    rev = "d4ddf15deb74c51dbdfc814d481ef127c371f444";
+    sha256 = "sha256-bHA1611rcO8/d48b1CHsiurEt3/n+5WErtHXAU7Eh1o=";
+  };
+
+  nativeBuildInputs = kernel.moduleBuildDependencies;
+
+  makeFlags = kernel.makeFlags ++ [
+    "KERNEL_SOURCE_DIR=${kernel.dev}/${kerneldir}/build"
+    "INSTALL_MOD_PATH=$(out)"
+  ];
+
+  installPhase = ''
+    install -D {,$out/${kerneldir}/extra/}gcadapter_oc.ko
+  '';
+
+  meta = with lib; {
+    description = "Kernel module for overclocking the Nintendo Wii U/Mayflash GameCube adapter";
+    homepage = "https://github.com/HannesMann/gcadapter-oc-kmod";
+    license = licenses.gpl2;
+    maintainers = with maintainers; [ r-burns ];
+    platforms = platforms.linux;
+  };
+}
diff --git a/nixpkgs/pkgs/os-specific/linux/gfxtablet/default.nix b/nixpkgs/pkgs/os-specific/linux/gfxtablet/default.nix
new file mode 100644
index 000000000000..608ca8e58cc5
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/gfxtablet/default.nix
@@ -0,0 +1,33 @@
+{lib, stdenv, fetchFromGitHub, linuxHeaders}:
+
+stdenv.mkDerivation rec {
+  version = "1.4";
+  pname = "gfxtablet-uinput-driver";
+
+  buildInputs = [
+    linuxHeaders
+  ];
+
+  src = fetchFromGitHub {
+    owner = "rfc2822";
+    repo = "GfxTablet";
+    rev = "android-app-${version}";
+    sha256 = "1i2m98yypfa9phshlmvjlgw7axfisxmldzrvnbzm5spvv5s4kvvb";
+  };
+
+  preBuild = "cd driver-uinput";
+
+  installPhase = ''
+    mkdir -p "$out/bin"
+    cp networktablet "$out/bin"
+    mkdir -p "$out/share/doc/gfxtablet/"
+    cp ../*.md "$out/share/doc/gfxtablet/"
+  '';
+
+  meta = {
+    description = "Uinput driver for Android GfxTablet tablet-as-input-device app";
+    license = lib.licenses.mit ;
+    maintainers = [lib.maintainers.raskin];
+    platforms = lib.platforms.linux;
+  };
+}
diff --git a/nixpkgs/pkgs/os-specific/linux/gobi_loader/default.nix b/nixpkgs/pkgs/os-specific/linux/gobi_loader/default.nix
new file mode 100644
index 000000000000..2b251242119c
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/gobi_loader/default.nix
@@ -0,0 +1,28 @@
+{ lib, stdenv
+, fetchurl
+}:
+
+stdenv.mkDerivation rec {
+  pname = "gobi_loader";
+  version = "0.7";
+
+  src = fetchurl {
+    url = "https://www.codon.org.uk/~mjg59/gobi_loader/download/${pname}-${version}.tar.gz";
+    sha256 = "0jkmpqkiddpxrzl2s9s3kh64ha48m00nn53f82m1rphw8maw5gbq";
+  };
+
+  postPatch = ''
+    substituteInPlace 60-gobi.rules --replace "gobi_loader" "${placeholder "out"}/lib/udev/gobi_loader"
+    substituteInPlace 60-gobi.rules --replace "/lib/firmware" "/run/current-system/firmware"
+  '';
+
+  makeFlags = [ "prefix=${placeholder "out"}" ];
+
+  meta = with lib; {
+    description = "Firmware loader for Qualcomm Gobi USB chipsets";
+    homepage = "https://www.codon.org.uk/~mjg59/gobi_loader/";
+    license = with licenses; [ gpl2 ];
+    maintainers = with maintainers; [ _0x4A6F ];
+    platforms = platforms.linux;
+  };
+}
diff --git a/nixpkgs/pkgs/os-specific/linux/google-authenticator/default.nix b/nixpkgs/pkgs/os-specific/linux/google-authenticator/default.nix
new file mode 100644
index 000000000000..fcf75ac7821a
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/google-authenticator/default.nix
@@ -0,0 +1,34 @@
+{ stdenv, lib, fetchFromGitHub, autoreconfHook, pam, qrencode }:
+
+stdenv.mkDerivation rec {
+  pname = "google-authenticator-libpam";
+  version = "1.09";
+
+  src = fetchFromGitHub {
+    owner = "google";
+    repo = "google-authenticator-libpam";
+    rev = version;
+    hash = "sha256-DS0h6FWMNKnSSj039bH6iyWrERa5M7LBSkbyig6pyxY=";
+  };
+
+  nativeBuildInputs = [ autoreconfHook ];
+  buildInputs = [ pam ];
+
+  preConfigure = ''
+    sed -i "s|libqrencode.so.4|${qrencode.out}/lib/libqrencode.so.4|" src/google-authenticator.c
+  '';
+
+  installPhase = ''
+    mkdir -p $out/bin $out/lib/security
+    cp ./.libs/pam_google_authenticator.so $out/lib/security
+    cp google-authenticator $out/bin
+  '';
+
+  meta = with lib; {
+    homepage = "https://github.com/google/google-authenticator-libpam";
+    description = "Two-step verification, with pam module";
+    license = licenses.asl20;
+    maintainers = with maintainers; [ aneeshusa ];
+    platforms = platforms.linux;
+  };
+}
diff --git a/nixpkgs/pkgs/os-specific/linux/gpu-switch/default.nix b/nixpkgs/pkgs/os-specific/linux/gpu-switch/default.nix
new file mode 100644
index 000000000000..17452a5e2446
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/gpu-switch/default.nix
@@ -0,0 +1,23 @@
+{ stdenv, lib, fetchFromGitHub }:
+
+stdenv.mkDerivation {
+  pname = "gpu-switch-unstable";
+  version = "2017-04-28";
+  src = fetchFromGitHub {
+    owner = "0xbb";
+    repo = "gpu-switch";
+    rev = "a365f56d435c8ef84c4dd2ab935ede4992359e31";
+    sha256 = "1jnh43nijkqd83h7piq7225ixziggyzaalabgissyxdyz6szcn0r";
+  };
+  installPhase = ''
+    mkdir -p $out/bin
+    cp gpu-switch $out/bin/
+  '';
+  meta = with lib; {
+    description = "Application that allows to switch between the graphic cards of dual-GPU MacBook Pro models";
+    homepage = "https://github.com/0xbb/gpu-switch";
+    license = licenses.mit;
+    platforms = platforms.linux;
+    maintainers = [ maintainers.msiedlarek ];
+  };
+}
diff --git a/nixpkgs/pkgs/os-specific/linux/gradm/default.nix b/nixpkgs/pkgs/os-specific/linux/gradm/default.nix
new file mode 100644
index 000000000000..cd99dfa5db8d
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/gradm/default.nix
@@ -0,0 +1,51 @@
+{ lib, stdenv, fetchurl
+, bison, flex
+, pam
+}:
+
+stdenv.mkDerivation rec {
+  pname = "gradm";
+  version = "3.1-202102241600";
+
+  src  = fetchurl {
+    url    = "https://grsecurity.net/stable/${pname}-${version}.tar.gz";
+    sha256 = "02ni34hpggv00140p9gvh0lqi173zdddd2qhfi96hyr1axd5pl50";
+  };
+
+  nativeBuildInputs = [ bison flex ];
+  buildInputs = [ pam ];
+
+  enableParallelBuilding = true;
+
+  makeFlags = [
+    "DESTDIR=$(out)"
+    "LEX=${flex}/bin/flex"
+    "MANDIR=/share/man"
+    "MKNOD=true"
+  ];
+
+  preBuild = ''
+    substituteInPlace Makefile \
+      --replace "/usr/bin/" "" \
+      --replace "/usr/include/security/pam_" "${pam}/include/security/pam_"
+
+    substituteInPlace gradm_defs.h \
+      --replace "/sbin/grlearn" "$out/bin/grlearn" \
+      --replace "/sbin/gradm" "$out/bin/gradm" \
+      --replace "/sbin/gradm_pam" "$out/bin/gradm_pam"
+
+    echo 'inherit-learn /nix/store' >>learn_config
+
+    mkdir -p "$out/etc/udev/rules.d"
+  '';
+
+  postInstall = "rmdir $out/dev";
+
+  meta = with lib; {
+    description = "grsecurity RBAC administration and policy analysis utility";
+    homepage    = "https://grsecurity.net";
+    license     = licenses.gpl2Only;
+    platforms   = platforms.linux;
+    maintainers = with maintainers; [ thoughtpolice joachifm ];
+  };
+}
diff --git a/nixpkgs/pkgs/os-specific/linux/gt/default.nix b/nixpkgs/pkgs/os-specific/linux/gt/default.nix
new file mode 100644
index 000000000000..85897b72585e
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/gt/default.nix
@@ -0,0 +1,32 @@
+{ stdenv, lib, fetchFromGitHub, cmake, bash-completion, pkg-config, libconfig
+, asciidoc
+, libusbgx
+}:
+stdenv.mkDerivation (finalAttrs: {
+  pname = "gt";
+  version = "unstable-2022-05-08";
+
+  src = fetchFromGitHub {
+    owner = "linux-usb-gadgets";
+    repo = "gt";
+    rev = "7f9c45d98425a27444e49606ce3cf375e6164e8e";
+    sha256 = "sha256-km4U+t4Id2AZx6GpH24p2WNmvV5RVjJ14sy8tWLCQsk=";
+  };
+
+  sourceRoot = "${finalAttrs.src.name}/source";
+
+  preConfigure = ''
+    cmakeFlagsArray+=("-DBASH_COMPLETION_COMPLETIONSDIR=$out/share/bash-completions/completions")
+  '';
+
+  nativeBuildInputs = [ cmake pkg-config asciidoc ];
+
+  buildInputs = [ bash-completion libconfig libusbgx];
+
+  meta = {
+    description = "Linux command line tool for setting up USB gadgets using configfs";
+    license = with lib.licenses; [ asl20 ];
+    maintainers = with lib.maintainers; [ lheckemann ];
+    platforms = lib.platforms.linux;
+  };
+})
diff --git a/nixpkgs/pkgs/os-specific/linux/guvcview/default.nix b/nixpkgs/pkgs/os-specific/linux/guvcview/default.nix
new file mode 100644
index 000000000000..6e073662c4e6
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/guvcview/default.nix
@@ -0,0 +1,78 @@
+{ config
+, lib, stdenv
+, fetchurl
+, intltool
+, pkg-config
+, portaudio
+, SDL2
+, ffmpeg_4
+, udev
+, libusb1
+, libv4l
+, alsa-lib
+, gsl
+, libpng
+, sfml
+, pulseaudioSupport ? config.pulseaudio or stdenv.isLinux
+, libpulseaudio ? null
+, useQt ? false
+, qtbase ? null
+, wrapQtAppsHook ? null
+# can be turned off if used as a library
+, useGtk ? true
+, gtk3 ? null
+, wrapGAppsHook ? null
+}:
+
+assert pulseaudioSupport -> libpulseaudio != null;
+
+stdenv.mkDerivation rec {
+  version = "2.0.6";
+  pname = "guvcview";
+
+  src = fetchurl {
+    url = "mirror://sourceforge/project/guvcview/source/guvcview-src-${version}.tar.gz";
+    sha256 = "11byyfpkcik7wvf2qic77zjamfr2rhji97dpj1gy2fg1bvpiqf4m";
+  };
+
+  nativeBuildInputs = [
+    intltool
+    pkg-config
+  ]
+    ++ lib.optionals (useGtk) [ wrapGAppsHook ]
+    ++ lib.optionals (useQt) [ wrapQtAppsHook ]
+  ;
+
+  buildInputs = [
+    SDL2
+    alsa-lib
+    ffmpeg_4
+    libusb1
+    libv4l
+    portaudio
+    udev
+    gsl
+    libpng
+    sfml
+  ]
+    ++ lib.optionals (pulseaudioSupport) [ libpulseaudio ]
+    ++ lib.optionals (useGtk) [ gtk3 ]
+    ++ lib.optionals (useQt) [
+      qtbase
+    ]
+  ;
+  configureFlags = [
+    "--enable-sfml"
+  ]
+    ++ lib.optionals (useGtk) [ "--enable-gtk3" ]
+    ++ lib.optionals (useQt) [ "--enable-qt5" ]
+  ;
+
+  meta = with lib; {
+    description = "A simple interface for devices supported by the linux UVC driver";
+    homepage = "https://guvcview.sourceforge.net";
+    maintainers = [ maintainers.coconnor ];
+    license = licenses.gpl3;
+    platforms = platforms.linux;
+  };
+}
diff --git a/nixpkgs/pkgs/os-specific/linux/hd-idle/default.nix b/nixpkgs/pkgs/os-specific/linux/hd-idle/default.nix
new file mode 100644
index 000000000000..13cb397b1798
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/hd-idle/default.nix
@@ -0,0 +1,29 @@
+{ lib, buildGoModule, fetchFromGitHub, installShellFiles }:
+
+buildGoModule rec {
+  pname = "hd-idle";
+  version = "1.21";
+
+  src = fetchFromGitHub {
+    owner = "adelolmo";
+    repo = pname;
+    rev = "v${version}";
+    sha256 = "sha256-WHJcysTN9LHI1WnDuFGTyTirxXirpLpJIeNDj4sZGY0=";
+  };
+
+  vendorHash = null;
+
+  nativeBuildInputs = [ installShellFiles ];
+
+  postInstall = ''
+    installManPage debian/hd-idle.8
+  '';
+
+  meta = with lib; {
+    description = "Spins down external disks after a period of idle time";
+    homepage = "https://github.com/adelolmo/hd-idle";
+    license = licenses.gpl3Plus;
+    platforms = platforms.linux;
+    maintainers = [ maintainers.rycee ];
+  };
+}
diff --git a/nixpkgs/pkgs/os-specific/linux/hdapsd/default.nix b/nixpkgs/pkgs/os-specific/linux/hdapsd/default.nix
new file mode 100644
index 000000000000..959fa9ac6e8a
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/hdapsd/default.nix
@@ -0,0 +1,21 @@
+{ lib, stdenv, fetchurl }:
+
+stdenv.mkDerivation rec {
+  pname = "hdapsd";
+  version = "20141203";
+
+  src = fetchurl {
+    url = "https://github.com/evgeni/hdapsd/releases/download/${version}/hdapsd-${version}.tar.gz";
+    sha256 = "0ppgrfabd0ivx9hyny3c3rv4rphjyxcdsd5svx5pgfai49mxnl36";
+  };
+
+  postInstall = builtins.readFile ./postInstall.sh;
+
+  meta = with lib;
+    { description = "Hard Drive Active Protection System Daemon";
+      homepage = "http://hdaps.sf.net/";
+      license = licenses.gpl2;
+      platforms = platforms.linux;
+      maintainers = [ maintainers.ehmry ];
+    };
+}
diff --git a/nixpkgs/pkgs/os-specific/linux/hdapsd/postInstall.sh b/nixpkgs/pkgs/os-specific/linux/hdapsd/postInstall.sh
new file mode 100644
index 000000000000..37867817bf63
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/hdapsd/postInstall.sh
@@ -0,0 +1,7 @@
+mkdir -p $out/lib/udev/rules.d $out/lib/systemd/system
+cp misc/hdapsd.rules $out/lib/udev/rules.d
+SBIN_REWRITE="s|@sbindir@|$out/bin|g"
+for i in misc/*.service.in
+do sed $SBIN_REWRITE "$i" > "$out/lib/systemd/system/$(basename ${i%.in})"
+done
+
diff --git a/nixpkgs/pkgs/os-specific/linux/hdparm/default.nix b/nixpkgs/pkgs/os-specific/linux/hdparm/default.nix
new file mode 100644
index 000000000000..12938dbac89a
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/hdparm/default.nix
@@ -0,0 +1,24 @@
+{ lib, stdenv, fetchurl }:
+
+stdenv.mkDerivation rec {
+  pname = "hdparm";
+  version = "9.65";
+
+  src = fetchurl {
+    url = "mirror://sourceforge/hdparm/hdparm-${version}.tar.gz";
+    sha256 = "sha256-0Ukp+RDQYJMucX6TgkJdR8LnFEI1pTcT1VqU995TWks=";
+  };
+
+  preBuild = ''
+    makeFlagsArray=(sbindir=$out/sbin manprefix=$out)
+    '';
+
+  meta = with lib; {
+    description = "A tool to get/set ATA/SATA drive parameters under Linux";
+    homepage = "https://sourceforge.net/projects/hdparm/";
+    platforms = platforms.linux;
+    license = licenses.bsd2;
+    maintainers = [ ];
+  };
+
+}
diff --git a/nixpkgs/pkgs/os-specific/linux/health-check/default.nix b/nixpkgs/pkgs/os-specific/linux/health-check/default.nix
new file mode 100644
index 000000000000..9e85281ea4c0
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/health-check/default.nix
@@ -0,0 +1,31 @@
+{ stdenv, lib, fetchFromGitHub, json_c, libbsd }:
+
+stdenv.mkDerivation rec {
+  pname = "health-check";
+  version = "0.03.11";
+
+  src = fetchFromGitHub {
+    owner = "ColinIanKing";
+    repo = pname;
+    rev = "V${version}";
+    hash = "sha256-QLa/7kA0juefzOba7ELopDmOVfiGJReo4LCfhnxW1tk=";
+  };
+
+  buildInputs = [ json_c libbsd ];
+
+  makeFlags = [ "JSON_OUTPUT=y" "FNOTIFY=y" ];
+
+  installFlags = [
+    "BINDIR=${placeholder "out"}/bin"
+    "MANDIR=${placeholder "out"}/share/man/man8"
+    "BASHDIR=${placeholder "out"}/share/bash-completion/completions"
+  ];
+
+  meta = with lib; {
+    description = "Process monitoring tool";
+    homepage = "https://github.com/ColinIanKing/health-check";
+    license = licenses.gpl2;
+    platforms = platforms.linux;
+    maintainers = with maintainers; [ dtzWill ];
+  };
+}
diff --git a/nixpkgs/pkgs/os-specific/linux/hibernate/default.nix b/nixpkgs/pkgs/os-specific/linux/hibernate/default.nix
new file mode 100644
index 000000000000..1a7dd01e9771
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/hibernate/default.nix
@@ -0,0 +1,46 @@
+{ lib, stdenv, fetchurl, gawk }:
+
+let version = "2.0";
+in
+  stdenv.mkDerivation {
+    pname = "hibernate";
+    inherit version;
+    src = fetchurl {
+      url = "http://tuxonice.nigelcunningham.com.au/files/hibernate-script-${version}.tar.gz";
+      sha256 = "0ib5bac3spbcwmhf8f9apjbll8x7fgqj4k1s5q3srijh793rfifh";
+    };
+
+    patches = [ ./install.patch ./gen-manpages.patch ./hibernate.patch ];
+
+    buildInputs = [ gawk ];
+
+    installPhase = ''
+      # FIXME: Storing config files under `$out/etc' is not very useful.
+
+      substituteInPlace "hibernate.sh" --replace \
+        'SWSUSP_D="/etc/hibernate"' "SWSUSP_D=\"$out/etc/hibernate\""
+
+      # Remove all references to `/bin' and `/sbin'.
+      for i in scriptlets.d/*
+      do
+        substituteInPlace "$i" --replace "/bin/" "" --replace "/sbin/" ""
+      done
+
+      PREFIX="$out" CONFIG_PREFIX="$out" ./install.sh
+
+      ln -s "$out/share/hibernate/scriptlets.d" "$out/etc/hibernate"
+    '';
+
+    meta = {
+      description = "The `hibernate' script for swsusp and Tux-on-Ice";
+      longDescription = ''
+        This package provides the `hibernate' script, a command-line utility
+        that saves the computer's state to disk and switches it off, turning
+        it into "hibernation".  It works both with Linux swsusp and Tux-on-Ice.
+      '';
+
+      license = lib.licenses.gpl2Plus;
+      homepage = "http://www.tuxonice.net/";
+      platforms = lib.platforms.linux;
+    };
+  }
diff --git a/nixpkgs/pkgs/os-specific/linux/hibernate/gen-manpages.patch b/nixpkgs/pkgs/os-specific/linux/hibernate/gen-manpages.patch
new file mode 100644
index 000000000000..cdbacc86bafa
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/hibernate/gen-manpages.patch
@@ -0,0 +1,11 @@
+--- hibernate-script-1.98.1/gen-manpages.sh	2008-03-31 09:40:29.000000000 +0200
++++ hibernate-script-1.98.1/gen-manpages.sh	2008-04-01 15:58:11.000000000 +0200
+@@ -254,7 +254,7 @@ BEGIN {
+ }
+ 
+ # Create a copy of hibernate.sh with only the help items
+-TMPF=`mktemp /tmp/tmp.hibernate.XXXXXX`
++TMPF=`mktemp "$TMPDIR/tmp.hibernate.XXXXXX"`
+ awk '{
+     if ((substr($0, 1, 1) != "#") && (match($0, "AddConfigHelp") || match($0, "AddOptionHelp")) && (match($0, "\\(\\)") == 0)) {
+         print $0;
diff --git a/nixpkgs/pkgs/os-specific/linux/hibernate/hibernate.patch b/nixpkgs/pkgs/os-specific/linux/hibernate/hibernate.patch
new file mode 100644
index 000000000000..24de1637d3ce
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/hibernate/hibernate.patch
@@ -0,0 +1,37 @@
+--- hibernate-script-1.98.1/hibernate.sh	2008-03-31 09:40:29.000000000 +0200
++++ hibernate-script-1.98.1/hibernate.sh	2008-04-01 18:24:23.000000000 +0200
+@@ -224,7 +224,7 @@ FindXServer() {
+ 
+ 	    xauth="`get_env_var_of_process $xpid XAUTHORITY`"
+ 	    xhome="`get_env_var_of_process $xpid HOME`"
+-	    xuser=`/bin/ls -ld /proc/$xpid/ | awk '{print $3}'`
++	    xuser=`ls -ld /proc/$xpid/ | awk '{print $3}'`
+ 	    [ -z $xauth ] && [ -n $xhome ] && [ -f $xhome/.Xauthority ] && xauth=$xhome/.Xauthority
+ 
+ 	    [ -z $xauth ] && continue
+@@ -273,14 +273,14 @@ UsingSuspendMethod() {
+ # chain.
+ SortSuspendBits() {
+     # explicit path required to be ash compatible.
+-    /bin/echo -ne "$SUSPEND_BITS" | sort -n
++    echo -ne "$SUSPEND_BITS" | sort -n
+ }
+ 
+ # SortResumeBits: Returns a list of functions registered in the correct order
+ # to call for resuming, prefixed by their position number.
+ SortResumeBits() {
+     # explicit path required to be ash compatible.
+-    /bin/echo -ne "$RESUME_BITS" | sort -rn
++    echo -ne "$RESUME_BITS" | sort -rn
+ }
+ 
+ # WrapHelpText: takes text from stdin, wraps it with an indent of 5 and width
+@@ -557,7 +557,7 @@ LoadScriptlets() {
+     CURRENT_SOURCED_SCRIPTLET=""
+     for scriptlet_dir in $SCRIPTLET_PATH ; do
+ 	[ -d "$scriptlet_dir" ] || continue
+-	[ -z "`/bin/ls -1 $scriptlet_dir`" ] && continue
++	[ -z "`ls -1 $scriptlet_dir`" ] && continue
+ 	for scriptlet in $scriptlet_dir/* ; do
+ 	    # Avoid editor backup files.
+ 	    case "$scriptlet" in *~|*.bak) continue ;; esac
diff --git a/nixpkgs/pkgs/os-specific/linux/hibernate/install.patch b/nixpkgs/pkgs/os-specific/linux/hibernate/install.patch
new file mode 100644
index 000000000000..ae296b955ac8
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/hibernate/install.patch
@@ -0,0 +1,11 @@
+--- hibernate-script-1.98.1/install.sh	2008-03-31 09:40:29.000000000 +0200
++++ hibernate-script-1.98.1/install.sh	2008-04-01 15:50:46.000000000 +0200
+@@ -63,7 +63,7 @@ fi
+ cp -a blacklisted-modules $BLACKLIST
+ 
+ # Test if they have anything in there, and warn them
+-if /bin/ls $OLD_SCRIPTLET_DIR/* > /dev/null 2>&1 ; then
++if ls $OLD_SCRIPTLET_DIR/* > /dev/null 2>&1 ; then
+     echo "  **"
+     echo "  ** You have scriptlets already installed in $OLD_SCRIPTLET_DIR"
+     echo "  ** Since version 0.95, these have moved to $SCRIPTLET_DIR."
diff --git a/nixpkgs/pkgs/os-specific/linux/hid-ite8291r3/default.nix b/nixpkgs/pkgs/os-specific/linux/hid-ite8291r3/default.nix
new file mode 100644
index 000000000000..d4f69c734ac0
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/hid-ite8291r3/default.nix
@@ -0,0 +1,35 @@
+{ lib, stdenv, fetchFromGitHub, kernel }:
+
+stdenv.mkDerivation rec {
+  pname = "hid-ite8291r3";
+  version = "unstable-2022-06-01";
+
+  src = fetchFromGitHub {
+    owner = "pobrn";
+    repo = "hid-ite8291r3";
+    rev = "48e04cb96517f8574225ebabb286775feb942ef5";
+    hash = "sha256-/69vvVbAVULDW8rwDYSj5706vrqJ6t4s/T6s3vmG9wk=";
+  };
+
+  nativeBuildInputs = kernel.moduleBuildDependencies;
+
+  makeFlags = kernel.makeFlags ++ [
+    "VERSION=${version}"
+    "KDIR=${kernel.dev}/lib/modules/${kernel.modDirVersion}/build"
+  ];
+
+  installPhase = ''
+    runHook preInstall
+    install -D hid-ite8291r3.ko -t $out/lib/modules/${kernel.modDirVersion}/extra
+    runHook postInstall
+  '';
+
+  meta = with lib; {
+    description = "Linux driver for the ITE 8291 RGB keyboard backlight controller";
+    homepage = "https://github.com/pobrn/hid-ite8291r3/";
+    license = licenses.gpl2Plus;
+    maintainers = with maintainers; [ aacebedo ];
+    platforms = platforms.linux;
+    broken = kernel.kernelOlder "5.9";
+  };
+}
diff --git a/nixpkgs/pkgs/os-specific/linux/hid-tmff2/default.nix b/nixpkgs/pkgs/os-specific/linux/hid-tmff2/default.nix
new file mode 100644
index 000000000000..ac297c78e10e
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/hid-tmff2/default.nix
@@ -0,0 +1,36 @@
+{ stdenv, lib, fetchFromGitHub, kernel }:
+
+stdenv.mkDerivation {
+  pname = "hid-tmff2";
+  # https://github.com/Kimplul/hid-tmff2/blob/ca168637fbfb085ebc9ade0c47fa0653dac5d25b/dkms/dkms-install.sh#L12
+  version = "0.81";
+
+  src = fetchFromGitHub {
+    owner = "Kimplul";
+    repo = "hid-tmff2";
+    rev = "ca168637fbfb085ebc9ade0c47fa0653dac5d25b";
+    hash = "sha256-Nm5m5xjwJGy+ia4nTkvPZynIxUj6MVGGbSNmIcIpziM=";
+    # For hid-tminit. Source: https://github.com/scarburato/hid-tminit
+    fetchSubmodules = true;
+  };
+
+  nativeBuildInputs = kernel.moduleBuildDependencies;
+
+  makeFlags = kernel.makeFlags ++ [
+    "KDIR=${kernel.dev}/lib/modules/${kernel.modDirVersion}/build"
+  ];
+
+  installFlags = [
+    "INSTALL_MOD_PATH=${placeholder "out"}"
+  ];
+
+  postPatch = "sed -i '/depmod -A/d' Makefile";
+
+  meta = with lib; {
+    description = "A linux kernel module for Thrustmaster T300RS, T248 and TX(experimental)";
+    homepage = "https://github.com/Kimplul/hid-tmff2";
+    license = licenses.gpl2Plus;
+    maintainers = [ maintainers.rayslash ];
+    platforms = platforms.linux;
+  };
+}
diff --git a/nixpkgs/pkgs/os-specific/linux/hostapd/default.nix b/nixpkgs/pkgs/os-specific/linux/hostapd/default.nix
new file mode 100644
index 000000000000..e4b41f3a0c82
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/hostapd/default.nix
@@ -0,0 +1,109 @@
+{ lib, stdenv, fetchurl, pkg-config, libnl, openssl, sqlite ? null }:
+
+stdenv.mkDerivation rec {
+  pname = "hostapd";
+  version = "2.10";
+
+  src = fetchurl {
+    url = "https://w1.fi/releases/${pname}-${version}.tar.gz";
+    sha256 = "sha256-IG58eZtnhXLC49EgMCOHhLxKn4IyOwFWtMlGbxSYkV0=";
+  };
+
+  nativeBuildInputs = [ pkg-config ];
+  buildInputs = [ libnl openssl sqlite ];
+
+  patches = [
+    (fetchurl {
+      # Note: fetchurl seems to be unhappy with openwrt git
+      # server's URLs containing semicolons. Using the github mirror instead.
+      url = "https://raw.githubusercontent.com/openwrt/openwrt/eefed841b05c3cd4c65a78b50ce0934d879e6acf/package/network/services/hostapd/patches/300-noscan.patch";
+      sha256 = "08p5frxhpq1rp2nczkscapwwl8g9nc4fazhjpxic5bcbssc3sb00";
+    })
+  ];
+
+  outputs = [ "out" "man" ];
+
+  # Based on hostapd's defconfig. Only differences are tracked.
+  extraConfig = ''
+    # Use epoll(7) instead of select(2) on linux
+    CONFIG_ELOOP_EPOLL=y
+
+    # Drivers
+    CONFIG_DRIVER_WIRED=y
+    CONFIG_DRIVER_NONE=y
+
+    # Integrated EAP server
+    CONFIG_EAP_SIM=y
+    CONFIG_EAP_AKA=y
+    CONFIG_EAP_AKA_PRIME=y
+    CONFIG_EAP_PAX=y
+    CONFIG_EAP_PSK=y
+    CONFIG_EAP_PWD=y
+    CONFIG_EAP_SAKE=y
+    CONFIG_EAP_GPSK=y
+    CONFIG_EAP_GPSK_SHA256=y
+    CONFIG_EAP_FAST=y
+    CONFIG_EAP_IKEV2=y
+    CONFIG_EAP_TNC=y
+    CONFIG_EAP_EKE=y
+
+    CONFIG_TLS=openssl
+    CONFIG_TLSV11=y
+    CONFIG_TLSV12=y
+
+    CONFIG_SAE=y
+    CONFIG_SAE_PK=y
+
+    CONFIG_OWE=y
+    CONFIG_OCV=y
+
+    # TKIP is considered insecure and upstream support will be removed in the future
+    CONFIG_NO_TKIP=y
+
+    # Misc
+    CONFIG_RADIUS_SERVER=y
+    CONFIG_FULL_DYNAMIC_VLAN=y
+    CONFIG_VLAN_NETLINK=y
+    CONFIG_GETRANDOM=y
+    CONFIG_INTERWORKING=y
+    CONFIG_HS20=y
+    CONFIG_FST=y
+    CONFIG_FST_TEST=y
+    CONFIG_ACS=y
+    CONFIG_WNM=y
+    CONFIG_MBO=y
+
+    CONFIG_IEEE80211R=y
+    CONFIG_IEEE80211W=y
+    CONFIG_IEEE80211N=y
+    CONFIG_IEEE80211AC=y
+    CONFIG_IEEE80211AX=y
+  '' + lib.optionalString (sqlite != null) ''
+    CONFIG_SQLITE=y
+  '';
+
+  passAsFile = [ "extraConfig" ];
+
+  configurePhase = ''
+    cd hostapd
+    cp -v defconfig .config
+    cat $extraConfigPath >> .config
+    cat -n .config
+    substituteInPlace Makefile --replace /usr/local $out
+    export NIX_CFLAGS_COMPILE="$NIX_CFLAGS_COMPILE $(pkg-config --cflags libnl-3.0)"
+  '';
+
+  preInstall = "mkdir -p $out/bin";
+  postInstall = ''
+    install -vD hostapd.8 -t $man/share/man/man8
+    install -vD hostapd_cli.1 -t $man/share/man/man1
+  '';
+
+  meta = with lib; {
+    homepage = "https://w1.fi/hostapd/";
+    description = "A user space daemon for access point and authentication servers";
+    license = licenses.gpl2;
+    maintainers = with maintainers; [ hexa ];
+    platforms = platforms.linux;
+  };
+}
diff --git a/nixpkgs/pkgs/os-specific/linux/hwdata/default.nix b/nixpkgs/pkgs/os-specific/linux/hwdata/default.nix
new file mode 100644
index 000000000000..5bfdf61dff6b
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/hwdata/default.nix
@@ -0,0 +1,29 @@
+{ lib, stdenv, fetchFromGitHub }:
+
+stdenv.mkDerivation rec {
+  pname = "hwdata";
+  version = "0.376";
+
+  src = fetchFromGitHub {
+    owner = "vcrhonek";
+    repo = "hwdata";
+    rev = "v${version}";
+    hash = "sha256-M1uBamN09XepOembDAcHXO/UvnM9s/OiN+eNzChF5Tw=";
+  };
+
+  postPatch = ''
+    patchShebangs ./configure
+  '';
+
+  configureFlags = [ "--datadir=${placeholder "out"}/share" ];
+
+  doCheck = false; # this does build machine-specific checks (e.g. enumerates PCI bus)
+
+  meta = {
+    homepage = "https://github.com/vcrhonek/hwdata";
+    description = "Hardware Database, including Monitors, pci.ids, usb.ids, and video cards";
+    license = lib.licenses.gpl2Plus;
+    maintainers = with lib.maintainers; [ pedrohlc ];
+    platforms = lib.platforms.all;
+  };
+}
diff --git a/nixpkgs/pkgs/os-specific/linux/hyperv-daemons/default.nix b/nixpkgs/pkgs/os-specific/linux/hyperv-daemons/default.nix
new file mode 100644
index 000000000000..12033063c165
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/hyperv-daemons/default.nix
@@ -0,0 +1,111 @@
+{ stdenv, lib, python2, python3, kernel, makeWrapper, writeText
+, gawk, iproute2 }:
+
+let
+  libexec = "libexec/hypervkvpd";
+
+  daemons = stdenv.mkDerivation rec {
+    pname = "hyperv-daemons-bin";
+    inherit (kernel) src version;
+
+    nativeBuildInputs = [ makeWrapper ];
+    buildInputs = [ (if lib.versionOlder version "4.19" then python2 else python3) ];
+
+    # as of 4.9 compilation will fail due to -Werror=format-security
+    hardeningDisable = [ "format" ];
+
+    postPatch = ''
+      cd tools/hv
+      substituteInPlace hv_kvp_daemon.c \
+        --replace /usr/libexec/hypervkvpd/ $out/${libexec}/
+    '';
+
+    # We don't actually need the hv_get_{dhcp,dns}_info scripts on NixOS in
+    # their current incarnation but with them in place, we stop the spam of
+    # errors in the log.
+    installPhase = ''
+      runHook preInstall
+
+      for f in fcopy kvp vss ; do
+        install -Dm755 hv_''${f}_daemon -t $out/bin
+      done
+
+      install -Dm755 lsvmbus             $out/bin/lsvmbus
+      install -Dm755 hv_get_dhcp_info.sh $out/${libexec}/hv_get_dhcp_info
+      install -Dm755 hv_get_dns_info.sh  $out/${libexec}/hv_get_dns_info
+
+      runHook postInstall
+    '';
+
+    postFixup = ''
+      wrapProgram $out/bin/hv_kvp_daemon \
+        --prefix PATH : $out/bin:${lib.makeBinPath [ gawk iproute2 ]}
+    '';
+  };
+
+  service = bin: title: check:
+    writeText "hv-${bin}.service" ''
+      [Unit]
+      Description=Hyper-V ${title} daemon
+      ConditionVirtualization=microsoft
+      ${lib.optionalString (check != "") ''
+        ConditionPathExists=/dev/vmbus/${check}
+      ''}
+      [Service]
+      ExecStart=@out@/hv_${bin}_daemon -n
+      Restart=on-failure
+      PrivateTmp=true
+      Slice=hyperv.slice
+
+      [Install]
+      WantedBy=hyperv-daemons.target
+    '';
+
+in stdenv.mkDerivation {
+  pname = "hyperv-daemons";
+  inherit (kernel) version;
+
+  # we just stick the bins into out as well as it requires "out"
+  outputs = [ "bin" "lib" "out" ];
+
+  buildInputs = [ daemons ];
+
+  buildCommand = ''
+    system=$lib/lib/systemd/system
+
+    install -Dm444 ${service "fcopy" "file copy (FCOPY)"        "hv_fcopy" } $system/hv-fcopy.service
+    install -Dm444 ${service "kvp"   "key-value pair (KVP)"     "hv_kvp"   } $system/hv-kvp.service
+    install -Dm444 ${service "vss"   "volume shadow copy (VSS)" "hv_vss"   } $system/hv-vss.service
+
+    cat > $system/hyperv-daemons.target <<EOF
+    [Unit]
+    Description=Hyper-V Daemons
+    Wants=hv-fcopy.service hv-kvp.service hv-vss.service
+    EOF
+
+    for f in $lib/lib/systemd/system/*.service ; do
+      substituteInPlace $f --replace @out@ ${daemons}/bin
+    done
+
+    # we need to do both $out and $bin as $out is required
+    for d in $out/bin $bin/bin ; do
+      # make user binaries available
+      mkdir -p $d
+      ln -s ${daemons}/bin/lsvmbus $d/lsvmbus
+    done
+  '';
+
+  meta = with lib; {
+    description = "Integration Services for running NixOS under HyperV";
+    longDescription = ''
+      This packages contains the daemons that are used by the Hyper-V hypervisor
+      on the host.
+
+      Microsoft calls their guest agents "Integration Services" which is why
+      we use that name here.
+    '';
+    homepage = "https://kernel.org";
+    maintainers = with maintainers; [ peterhoeg ];
+    platforms = kernel.meta.platforms;
+  };
+}
diff --git a/nixpkgs/pkgs/os-specific/linux/i2c-tools/default.nix b/nixpkgs/pkgs/os-specific/linux/i2c-tools/default.nix
new file mode 100644
index 000000000000..556bc2d89787
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/i2c-tools/default.nix
@@ -0,0 +1,44 @@
+{ lib
+, stdenv
+, fetchgit
+, perl
+, read-edid
+}:
+
+stdenv.mkDerivation rec {
+  pname = "i2c-tools";
+  version = "4.3";
+
+  src = fetchgit {
+    url = "https://git.kernel.org/pub/scm/utils/i2c-tools/i2c-tools.git";
+    rev = "v${version}";
+    sha256 = "sha256-HlmIocum+HZEKNiS5BUwEIswRfTMUhD1vCPibAuAK0Q=";
+  };
+
+  buildInputs = [ perl ];
+
+  postPatch = ''
+    substituteInPlace eeprom/decode-edid \
+      --replace "/usr/sbin/parse-edid" "${read-edid}/bin/parse-edid"
+
+    substituteInPlace stub/i2c-stub-from-dump \
+      --replace "/sbin/" ""
+  '';
+
+  makeFlags = [ "PREFIX=${placeholder "out"}" ];
+
+  outputs = [ "out" "man" ];
+
+  postInstall = ''
+    rm -rf $out/include/linux/i2c-dev.h # conflics with kernel headers
+  '';
+
+  meta = with lib; {
+    description = "Set of I2C tools for Linux";
+    homepage = "https://i2c.wiki.kernel.org/index.php/I2C_Tools";
+    # library is LGPL 2.1 or later; "most tools" GPL 2 or later
+    license = with licenses; [ lgpl21Plus gpl2Plus ];
+    maintainers = [ maintainers.dezgeg ];
+    platforms = platforms.linux;
+  };
+}
diff --git a/nixpkgs/pkgs/os-specific/linux/i7z/default.nix b/nixpkgs/pkgs/os-specific/linux/i7z/default.nix
new file mode 100644
index 000000000000..9af2aba3d806
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/i7z/default.nix
@@ -0,0 +1,57 @@
+{ stdenv, lib, fetchFromGitHub, fetchpatch, ncurses
+, withGui ? false, qtbase }:
+
+stdenv.mkDerivation rec {
+  pname = "i7z";
+  version = "0.27.4";
+
+  src = fetchFromGitHub {
+    owner = "DimitryAndric";
+    repo = "i7z";
+    rev = "v${version}";
+    sha256 = "00c4ng30ry88hcya4g1i9dngiqmz3cs31x7qh1a10nalxn1829xy";
+  };
+
+  buildInputs = [ ncurses ] ++ lib.optional withGui qtbase;
+
+  patches = [
+    (fetchpatch {
+      url = "https://salsa.debian.org/debian/i7z/raw/ad1359764ee7a860a02e0c972f40339058fa9369/debian/patches/fix-insecure-tempfile.patch";
+      sha256 = "0ifg06xjw14y4fnzzgkhqm4sv9mcdzgi8m2wffq9z8b1r0znya3s";
+    })
+    (fetchpatch {
+      url = "https://salsa.debian.org/debian/i7z/raw/ad1359764ee7a860a02e0c972f40339058fa9369/debian/patches/nehalem.patch";
+      sha256 = "1ys6sgm01jkqb6d4y7qc3h89dzph8jjjcfya5c5jcm7dkxlzjq8a";
+    })
+    (fetchpatch {
+      url = "https://salsa.debian.org/debian/i7z/raw/ad1359764ee7a860a02e0c972f40339058fa9369/debian/patches/hyphen-used-as-minus-sign.patch";
+      sha256 = "1ji2qvdyq0594cpqz0dlsfggvw3rm63sygh0jxvwjgxpnhykhg1p";
+    })
+    ./qt5.patch
+  ];
+
+  enableParallelBuilding = true;
+
+  postBuild = lib.optionalString withGui ''
+      cd GUI
+      qmake
+      make clean
+      make
+      cd ..
+  '';
+
+  makeFlags = [ "prefix=${placeholder "out"}" ];
+
+  postInstall = lib.optionalString withGui ''
+    install -Dm755 GUI/i7z_GUI $out/bin/i7z-gui
+  '';
+
+  meta = with lib; {
+    description = "A better i7 (and now i3, i5) reporting tool for Linux";
+    homepage = "https://github.com/DimitryAndric/i7z";
+    license = licenses.gpl2;
+    maintainers = with maintainers; [ bluescreen303 ];
+    # broken on ARM
+    platforms = [ "x86_64-linux" ];
+  };
+}
diff --git a/nixpkgs/pkgs/os-specific/linux/i7z/qt5.patch b/nixpkgs/pkgs/os-specific/linux/i7z/qt5.patch
new file mode 100644
index 000000000000..9e9b162d9e85
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/i7z/qt5.patch
@@ -0,0 +1,13 @@
+diff -Naur a/GUI/i7z_GUI.pro b/GUI/i7z_GUI.pro
+--- a/GUI/i7z_GUI.pro	2013-10-12 21:59:19.000000000 +0100
++++ b/GUI/i7z_GUI.pro	2016-11-05 13:54:30.118655672 +0000
+@@ -3,7 +3,8 @@
+ ######################################################################
+ 
+ TEMPLATE = app
+-TARGET = 
++TARGET = i7z_GUI
++QT += widgets
+ DEPENDPATH += .
+ INCLUDEPATH += .
+ CONFIG += debug
diff --git a/nixpkgs/pkgs/os-specific/linux/i810switch/default.nix b/nixpkgs/pkgs/os-specific/linux/i810switch/default.nix
new file mode 100644
index 000000000000..3a202ca08e96
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/i810switch/default.nix
@@ -0,0 +1,26 @@
+{ lib, stdenv, fetchurl, pciutils }:
+
+stdenv.mkDerivation {
+  pname = "i810switch";
+  version = "0.6.5";
+
+  installPhase = "
+    sed -i -e 's+/usr++' Makefile
+    sed -i -e 's+^\\(.*putenv(\"PATH=\\).*$+\\1${pciutils}/sbin\");+' i810switch.c
+    make clean
+    make install DESTDIR=\${out}
+  ";
+
+  src = fetchurl {
+    url = "http://www16.plala.or.jp/mano-a-mano/i810switch/i810switch-0.6.5.tar.gz";
+    sha256 = "d714840e3b14e1fa9c432c4be0044b7c008d904dece0d611554655b979cad4c3";
+  };
+
+  meta = with lib; {
+    description = "A utility for switching between the LCD and external VGA display on Intel graphics cards";
+    homepage = "http://www16.plala.or.jp/mano-a-mano/i810switch.html";
+    maintainers = with maintainers; [ ];
+    license = licenses.gpl2;
+    platforms = platforms.linux;
+  };
+}
diff --git a/nixpkgs/pkgs/os-specific/linux/ifenslave/default.nix b/nixpkgs/pkgs/os-specific/linux/ifenslave/default.nix
new file mode 100644
index 000000000000..d23fc101bcc0
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/ifenslave/default.nix
@@ -0,0 +1,28 @@
+{ lib, stdenv, fetchurl }:
+
+stdenv.mkDerivation rec {
+  pname = "ifenslave";
+  version = "1.1.0";
+
+  src = fetchurl {
+    url = "mirror://debian/pool/main/i/ifenslave-2.6/ifenslave-2.6_${version}.orig.tar.gz";
+    sha256 = "0h9hrmy19zdksl7ys250r158b943ihbgkb95n8p4k8l0vqsby5vr";
+  };
+
+  buildPhase = ''
+    gcc -o ifenslave ifenslave.c
+  '';
+
+  installPhase = ''
+    mkdir -p $out/bin
+    cp -a ifenslave $out/bin
+  '';
+
+  hardeningDisable = [ "format" ];
+
+  meta = {
+    description = "Utility for enslaving networking interfaces under a bond";
+    license = lib.licenses.gpl2;
+    platforms = lib.platforms.linux;
+  };
+}
diff --git a/nixpkgs/pkgs/os-specific/linux/ifmetric/default.nix b/nixpkgs/pkgs/os-specific/linux/ifmetric/default.nix
new file mode 100644
index 000000000000..d4672b9be21b
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/ifmetric/default.nix
@@ -0,0 +1,37 @@
+{ lib, stdenv, fetchurl, lynx }:
+
+stdenv.mkDerivation rec {
+  pname = "ifmetric";
+  version = "0.3";
+
+  src = fetchurl {
+    url = "http://0pointer.de/lennart/projects/${pname}/${pname}-${version}.tar.gz";
+    sha256 = "1v0s5x81jzwnnl7hr254d4nkyc8qcv983pzr6vqmbr9l9q553a0g";
+  };
+
+  buildInputs = [ lynx ];
+
+  patches = [
+    # Fixes an issue related to the netlink API.
+    # Upstream is largely inactive; this is a Debian patch.
+    (fetchurl {
+      url = "https://launchpadlibrarian.net/85974387/10_netlink_fix.patch";
+      sha256 = "1pnlcr0qvk0bd5243wpg14i387zp978f4xhwwkcqn1cir91x7fbc";
+    })
+  ];
+
+  meta = with lib; {
+    description = "Tool for setting IP interface metrics";
+    longDescription = ''
+      ifmetric is a Linux tool for setting the metrics of all IPv4 routes
+      attached to a given network interface at once. This may be used to change
+      the priority of routing IPv4 traffic over the interface. Lower metrics
+      correlate with higher priorities.
+    '';
+    homepage = "http://0pointer.de/lennart/projects/ifmetric";
+    license = licenses.gpl2Plus;
+    maintainers = [ maintainers.anna328p ];
+    platforms = platforms.linux;
+    mainProgram = "ifmetric";
+  };
+}
diff --git a/nixpkgs/pkgs/os-specific/linux/iio-sensor-proxy/default.nix b/nixpkgs/pkgs/os-specific/linux/iio-sensor-proxy/default.nix
new file mode 100644
index 000000000000..3da9396d618e
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/iio-sensor-proxy/default.nix
@@ -0,0 +1,60 @@
+{ lib
+, stdenv
+, fetchFromGitLab
+, glib
+, cmake
+, libxml2
+, meson
+, ninja
+, pkg-config
+, libgudev
+, systemd
+, polkit
+}:
+
+stdenv.mkDerivation rec {
+  pname = "iio-sensor-proxy";
+  version = "3.5";
+
+  src = fetchFromGitLab {
+    domain = "gitlab.freedesktop.org";
+    owner = "hadess";
+    repo = pname;
+    rev = version;
+    hash = "sha256-pFu+nJzj45s7yIKoLWLeiv2AT5vLf6JpdWWQ0JZfnvY=";
+  };
+
+  postPatch = ''
+    # upstream meson.build currently doesn't have an option to change the default polkit dir
+    substituteInPlace data/meson.build \
+      --replace 'polkit_policy_directory' "'$out/share/polkit-1/actions'"
+  '';
+
+  buildInputs = [
+    libgudev
+    systemd
+    polkit
+  ];
+
+  nativeBuildInputs = [
+    meson
+    cmake
+    glib
+    libxml2
+    ninja
+    pkg-config
+  ];
+
+  mesonFlags = [
+    (lib.mesonOption "udevrulesdir" "${placeholder "out"}/lib/udev/rules.d")
+    (lib.mesonOption "systemdsystemunitdir" "${placeholder "out"}/lib/systemd/system")
+  ];
+
+  meta = with lib; {
+    description = "Proxy for sending IIO sensor data to D-Bus";
+    homepage = "https://gitlab.freedesktop.org/hadess/iio-sensor-proxy";
+    license = licenses.gpl3;
+    maintainers = with maintainers; [ _999eagle ];
+    platforms = platforms.linux;
+  };
+}
diff --git a/nixpkgs/pkgs/os-specific/linux/ima-evm-utils/default.nix b/nixpkgs/pkgs/os-specific/linux/ima-evm-utils/default.nix
new file mode 100644
index 000000000000..34889783034c
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/ima-evm-utils/default.nix
@@ -0,0 +1,46 @@
+{ lib
+, stdenv
+, fetchgit
+, autoreconfHook
+, pkg-config
+, openssl
+, keyutils
+, asciidoc
+, libxslt
+, docbook_xsl
+}:
+
+stdenv.mkDerivation rec {
+  pname = "ima-evm-utils";
+  version = "1.5";
+
+  src = fetchgit {
+    url = "git://git.code.sf.net/p/linux-ima/ima-evm-utils";
+    rev = "v${version}";
+    sha256 = "sha256-WPBG7v29JHZ+ZGeLgA2gtLzZmaG0Xdvpq+BZ6NriY+A=";
+  };
+
+  strictDeps = true;
+
+  nativeBuildInputs = [
+    autoreconfHook
+    pkg-config
+    asciidoc
+    libxslt
+  ];
+
+  buildInputs = [
+    openssl
+    keyutils
+  ];
+
+  env.MANPAGE_DOCBOOK_XSL = "${docbook_xsl}/xml/xsl/docbook/manpages/docbook.xsl";
+
+  meta = {
+    description = "evmctl utility to manage digital signatures of the Linux kernel integrity subsystem (IMA/EVM)";
+    homepage = "https://sourceforge.net/projects/linux-ima/";
+    license = lib.licenses.gpl2;
+    platforms = lib.platforms.linux;
+    maintainers = with lib.maintainers; [ nickcao ];
+  };
+}
diff --git a/nixpkgs/pkgs/os-specific/linux/input-utils/default.nix b/nixpkgs/pkgs/os-specific/linux/input-utils/default.nix
new file mode 100644
index 000000000000..36a203a47c76
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/input-utils/default.nix
@@ -0,0 +1,30 @@
+{ lib, stdenv, fetchurl, linuxHeaders }:
+
+stdenv.mkDerivation rec {
+  pname = "input-utils";
+  version = "1.3";
+
+  src = fetchurl {
+    url = "https://www.kraxel.org/releases/input/input-${version}.tar.gz";
+    sha256 = "11w0pp20knx6qpgzmawdbk1nj2z3fzp8yd6nag6s8bcga16w6hli";
+  };
+
+  prePatch = ''
+    # Use proper include path for kernel include files.
+    substituteInPlace ./name.sh --replace "/usr/include/linux/" "${linuxHeaders}/include/linux/"
+    substituteInPlace ./lirc.sh --replace "/usr/include/linux/" "${linuxHeaders}/include/linux/"
+  '';
+
+  makeFlags = [
+    "prefix=$(out)"
+    "STRIP="
+  ];
+
+  meta = with lib; {
+    description = "Input layer utilities, includes lsinput";
+    homepage    = "https://www.kraxel.org/blog/linux/input/";
+    license     = licenses.gpl2;
+    maintainers = with maintainers; [ samueldr ];
+    platforms   = platforms.linux;
+  };
+}
diff --git a/nixpkgs/pkgs/os-specific/linux/intel-cmt-cat/default.nix b/nixpkgs/pkgs/os-specific/linux/intel-cmt-cat/default.nix
new file mode 100644
index 000000000000..62e6149b6f13
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/intel-cmt-cat/default.nix
@@ -0,0 +1,25 @@
+{ lib, stdenv, fetchFromGitHub }:
+
+stdenv.mkDerivation rec {
+  version = "23.11";
+  pname = "intel-cmt-cat";
+
+  src = fetchFromGitHub {
+    owner = "intel";
+    repo = "intel-cmt-cat";
+    rev = "v${version}";
+    sha256 = "sha256-/OSU/7QR8NAjcAIo+unVQfORvCH5VpjfRn5sIrCxwbE=";
+  };
+
+  enableParallelBuilding = true;
+
+  makeFlags = [ "PREFIX=$(out)" "NOLDCONFIG=y" ];
+
+  meta = with lib; {
+    description = "User space software for Intel(R) Resource Director Technology";
+    homepage = "https://github.com/intel/intel-cmt-cat";
+    license = licenses.bsd3;
+    maintainers = with maintainers; [ arkivm ];
+    platforms = [ "x86_64-linux" ];
+  };
+}
diff --git a/nixpkgs/pkgs/os-specific/linux/intel-compute-runtime/default.nix b/nixpkgs/pkgs/os-specific/linux/intel-compute-runtime/default.nix
new file mode 100644
index 000000000000..dacfb76eb9af
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/intel-compute-runtime/default.nix
@@ -0,0 +1,60 @@
+{ lib
+, stdenv
+, fetchFromGitHub
+, cmake
+, pkg-config
+, intel-gmmlib
+, intel-graphics-compiler
+, level-zero
+, libva
+}:
+
+stdenv.mkDerivation rec {
+  pname = "intel-compute-runtime";
+  version = "23.30.26918.20";
+
+  src = fetchFromGitHub {
+    owner = "intel";
+    repo = "compute-runtime";
+    rev = version;
+    hash = "sha256-dEznHRgAcJa/BBTD/AWJHlA7fNj2IXHHrYcKM4M+/1o=";
+  };
+
+  nativeBuildInputs = [ cmake pkg-config ];
+
+  buildInputs = [ intel-gmmlib intel-graphics-compiler libva level-zero ];
+
+  cmakeFlags = [
+    "-DSKIP_UNIT_TESTS=1"
+    "-DIGC_DIR=${intel-graphics-compiler}"
+    "-DOCL_ICD_VENDORDIR=${placeholder "out"}/etc/OpenCL/vendors"
+    # The install script assumes this path is relative to CMAKE_INSTALL_PREFIX
+    "-DCMAKE_INSTALL_LIBDIR=lib"
+  ];
+
+  outputs = [ "out" "drivers" ];
+
+  # causes redefinition of _FORTIFY_SOURCE
+  hardeningDisable = [ "fortify3" ];
+
+  postInstall = ''
+    # Avoid clash with intel-ocl
+    mv $out/etc/OpenCL/vendors/intel.icd $out/etc/OpenCL/vendors/intel-neo.icd
+
+    mkdir -p $drivers/lib
+    mv -t $drivers/lib $out/lib/libze_intel*
+  '';
+
+  postFixup = ''
+    patchelf --set-rpath ${lib.makeLibraryPath [ intel-gmmlib intel-graphics-compiler libva stdenv.cc.cc.lib ]} \
+      $out/lib/intel-opencl/libigdrcl.so
+  '';
+
+  meta = with lib; {
+    homepage = "https://github.com/intel/compute-runtime";
+    description = "Intel Graphics Compute Runtime for OpenCL. Replaces Beignet for Gen8 (Broadwell) and beyond";
+    license = licenses.mit;
+    platforms = [ "x86_64-linux" "aarch64-linux" ];
+    maintainers = with maintainers; [ SuperSandro2000 ];
+  };
+}
diff --git a/nixpkgs/pkgs/os-specific/linux/intel-ocl/default.nix b/nixpkgs/pkgs/os-specific/linux/intel-ocl/default.nix
new file mode 100644
index 000000000000..b1451421d69b
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/intel-ocl/default.nix
@@ -0,0 +1,78 @@
+{ lib, stdenv, fetchzip, rpmextract, ncurses5, numactl, zlib }:
+
+stdenv.mkDerivation rec {
+  pname = "intel-ocl";
+  version = "5.0-63503";
+
+  src = fetchzip {
+    # https://github.com/NixOS/nixpkgs/issues/166886
+    urls = [
+      "https://registrationcenter-download.intel.com/akdlm/irc_nas/11396/SRB5.0_linux64.zip"
+      "http://registrationcenter-download.intel.com/akdlm/irc_nas/11396/SRB5.0_linux64.zip"
+      "https://web.archive.org/web/20190526190814/http://registrationcenter-download.intel.com/akdlm/irc_nas/11396/SRB5.0_linux64.zip"
+    ];
+    sha256 = "0qbp63l74s0i80ysh9ya8x7r79xkddbbz4378nms9i7a0kprg9p2";
+    stripRoot = false;
+  };
+
+  buildInputs = [ rpmextract ];
+
+  sourceRoot = ".";
+
+  libPath = lib.makeLibraryPath [
+    stdenv.cc.cc.lib
+    ncurses5
+    numactl
+    zlib
+  ];
+
+  postUnpack = ''
+    # Extract the RPMs contained within the source ZIP.
+    rpmextract source/intel-opencl-r${version}.x86_64.rpm
+    rpmextract source/intel-opencl-cpu-r${version}.x86_64.rpm
+  '';
+
+  patchPhase = ''
+    runHook prePatch
+
+    # Remove libOpenCL.so, since we use ocl-icd's libOpenCL.so instead and this would cause a clash.
+    rm opt/intel/opencl/libOpenCL.so*
+
+    # Patch shared libraries.
+    for lib in opt/intel/opencl/*.so; do
+      patchelf --set-rpath "${libPath}:$out/lib/intel-ocl" $lib || true
+    done
+
+    runHook postPatch
+  '';
+
+  buildPhase = ''
+    runHook preBuild
+
+    # Create ICD file, which just contains the path of the corresponding shared library.
+    echo "$out/lib/intel-ocl/libintelocl.so" > intel.icd
+
+    runHook postBuild
+  '';
+
+  installPhase = ''
+    runHook preInstall
+
+    install -D -m 0755 opt/intel/opencl/*.so* -t $out/lib/intel-ocl
+    install -D -m 0644 opt/intel/opencl/*.{o,rtl,bin} -t $out/lib/intel-ocl
+    install -D -m 0644 opt/intel/opencl/{LICENSE,NOTICES} -t $out/share/doc/intel-ocl
+    install -D -m 0644 intel.icd -t $out/etc/OpenCL/vendors
+
+    runHook postInstall
+  '';
+
+  dontStrip = true;
+
+  meta = {
+    description = "Official OpenCL runtime for Intel CPUs";
+    homepage = "https://software.intel.com/en-us/articles/opencl-drivers";
+    license = lib.licenses.unfree;
+    platforms = [ "x86_64-linux" ];
+    maintainers = [ lib.maintainers.kierdavis ];
+  };
+}
diff --git a/nixpkgs/pkgs/os-specific/linux/intel-speed-select/default.nix b/nixpkgs/pkgs/os-specific/linux/intel-speed-select/default.nix
new file mode 100644
index 000000000000..2caad335d57c
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/intel-speed-select/default.nix
@@ -0,0 +1,21 @@
+{ lib, stdenv, kernel }:
+
+stdenv.mkDerivation {
+  pname = "intel-speed-select";
+  inherit (kernel) src version;
+
+  makeFlags = [ "bindir=${placeholder "out"}/bin" ];
+
+  postPatch = ''
+    cd tools/power/x86/intel-speed-select
+    sed -i 's,/usr,,g' Makefile
+  '';
+
+  meta = with lib; {
+    description = "Tool to enumerate and control the Intel Speed Select Technology features";
+    homepage = "https://www.kernel.org/";
+    license = licenses.gpl2;
+    platforms = [ "i686-linux" "x86_64-linux" ]; # x86-specific
+    broken = kernel.kernelAtLeast "5.18";
+  };
+}
diff --git a/nixpkgs/pkgs/os-specific/linux/iomelt/default.nix b/nixpkgs/pkgs/os-specific/linux/iomelt/default.nix
new file mode 100644
index 000000000000..0084a397d075
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/iomelt/default.nix
@@ -0,0 +1,27 @@
+{ stdenv, lib, fetchurl }:
+
+let version = "0.7";
+in stdenv.mkDerivation {
+  pname = "iomelt";
+  inherit version;
+  src = fetchurl {
+    url = "http://iomelt.com/s/iomelt-${version}.tar.gz";
+    sha256 = "1jhrdm5b7f1bcbrdwcc4yzg26790jxl4d2ndqiwd9brl2g5537im";
+  };
+
+  preBuild = ''
+    mkdir -p $out/bin
+    mkdir -p $out/share/man/man1
+
+    substituteInPlace Makefile \
+      --replace /usr $out
+  '';
+
+  meta = with lib; {
+    description = "A simple yet effective way to benchmark disk IO in Linux systems";
+    homepage    = "http://www.iomelt.com";
+    maintainers = with maintainers; [ ];
+    license = licenses.artistic2;
+    platforms   = platforms.linux;
+  };
+}
diff --git a/nixpkgs/pkgs/os-specific/linux/ioport/default.nix b/nixpkgs/pkgs/os-specific/linux/ioport/default.nix
new file mode 100644
index 000000000000..6da154648fc2
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/ioport/default.nix
@@ -0,0 +1,21 @@
+{ lib, stdenv, perl, fetchurl }:
+
+stdenv.mkDerivation rec {
+  pname = "ioport";
+  version = "1.2";
+
+  src = fetchurl {
+    url = "https://people.redhat.com/rjones/ioport/files/ioport-${version}.tar.gz";
+    sha256 = "1h4d5g78y7kla0zl25jgyrk43wy3m3bygqg0blki357bc55irb3z";
+  };
+
+  buildInputs = [ perl ];
+
+  meta = with lib; {
+    description = "Direct access to I/O ports from the command line";
+    homepage = "https://people.redhat.com/rjones/ioport/";
+    license = licenses.gpl2Plus;
+    platforms = [ "x86_64-linux" "i686-linux" ];
+    maintainers = [ maintainers.cleverca22 ];
+  };
+}
diff --git a/nixpkgs/pkgs/os-specific/linux/iotop-c/default.nix b/nixpkgs/pkgs/os-specific/linux/iotop-c/default.nix
new file mode 100644
index 000000000000..1d7dc9e4d112
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/iotop-c/default.nix
@@ -0,0 +1,31 @@
+{stdenv, fetchFromGitHub, lib, ncurses, pkg-config }:
+
+stdenv.mkDerivation rec {
+  pname = "iotop-c";
+  version = "1.25";
+
+  src = fetchFromGitHub {
+    owner = "Tomas-M";
+    repo = "iotop";
+    rev = "v${version}";
+    sha256 = "sha256-ZIvWdNxGSUmQtMKB/MVHEZ0fJ8b//zSXz+1r/P9ZDkE=";
+  };
+
+  nativeBuildInputs = [ pkg-config ];
+  buildInputs = [ ncurses ];
+  makeFlags = [ "DESTDIR=$(out)" "TARGET=iotop-c" ];
+
+  postInstall = ''
+    mv $out/usr/share/man/man8/{iotop,iotop-c}.8
+    ln -s $out/usr/sbin $out/bin
+    ln -s $out/usr/share $out/share
+  '';
+
+  meta = with lib; {
+    description = "iotop identifies processes that use high amount of input/output requests on your machine";
+    homepage = "https://github.com/Tomas-M/iotop";
+    maintainers = [ maintainers.arezvov ];
+    license = licenses.gpl2Plus;
+    platforms = platforms.linux;
+  };
+}
diff --git a/nixpkgs/pkgs/os-specific/linux/iotop/default.nix b/nixpkgs/pkgs/os-specific/linux/iotop/default.nix
new file mode 100644
index 000000000000..0376ff1a55ec
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/iotop/default.nix
@@ -0,0 +1,28 @@
+{ lib, fetchurl, python3Packages, fetchpatch }:
+
+python3Packages.buildPythonApplication rec {
+  pname = "iotop";
+  version = "0.6";
+
+  src = fetchurl {
+    url = "http://guichaz.free.fr/iotop/files/iotop-${version}.tar.bz2";
+    sha256 = "0nzprs6zqax0cwq8h7hnszdl3d2m4c2d4vjfxfxbnjfs9sia5pis";
+  };
+
+  patches = [
+    (fetchpatch {
+      url = "https://repo.or.cz/iotop.git/patch/99c8d7cedce81f17b851954d94bfa73787300599";
+      sha256 = "0rdgz6xpmbx77lkr1ixklliy1aavdsjmfdqvzwrjylbv0xh5wc8z";
+    })
+  ];
+
+  doCheck = false;
+
+  meta = with lib; {
+    description = "A tool to find out the processes doing the most IO";
+    homepage = "http://guichaz.free.fr/iotop";
+    license = licenses.gpl2;
+    maintainers = [ maintainers.raskin ];
+    platforms = platforms.linux;
+  };
+}
diff --git a/nixpkgs/pkgs/os-specific/linux/ipp-usb/default.nix b/nixpkgs/pkgs/os-specific/linux/ipp-usb/default.nix
new file mode 100644
index 000000000000..6dc63a7295b1
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/ipp-usb/default.nix
@@ -0,0 +1,42 @@
+{ buildGoModule, avahi, libusb1, pkg-config, lib, fetchFromGitHub, ronn }:
+buildGoModule rec {
+  pname = "ipp-usb";
+  version = "0.9.23";
+
+  src = fetchFromGitHub {
+    owner = "openprinting";
+    repo = "ipp-usb";
+    rev = version;
+    sha256 = "sha256-sbPQWKqkTaD3kLNs0noVIzAN9cwDEaULsqO7SMQH2Jo=";
+  };
+
+  postPatch = ''
+    # rebuild with patched paths
+    rm ipp-usb.8
+    substituteInPlace Makefile --replace "install: all" "install: man"
+    substituteInPlace systemd-udev/ipp-usb.service --replace "/sbin" "$out/bin"
+    for i in Makefile paths.go ipp-usb.8.md; do
+      substituteInPlace $i --replace "/usr" "$out"
+      substituteInPlace $i --replace "/var/ipp-usb" "/var/lib/ipp-usb"
+    done
+  '';
+
+  nativeBuildInputs = [ pkg-config ronn ];
+  buildInputs = [ libusb1 avahi ];
+
+  vendorHash = "sha256-KwW6KgopjF4tVo8eB4OtpXF5R8jfrJ9nibNmaN8U4l8=";
+
+  postInstall = ''
+    # to accomodate the makefile
+    cp $out/bin/ipp-usb .
+    make install DESTDIR=$out
+  '';
+
+  meta = {
+    description = "Daemon to use the IPP everywhere protocol with USB printers";
+    homepage = "https://github.com/OpenPrinting/ipp-usb";
+    maintainers = [ lib.maintainers.symphorien ];
+    platforms = lib.platforms.linux;
+    license = lib.licenses.bsd2;
+  };
+}
diff --git a/nixpkgs/pkgs/os-specific/linux/iproute/default.nix b/nixpkgs/pkgs/os-specific/linux/iproute/default.nix
new file mode 100644
index 000000000000..a86af7e6db26
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/iproute/default.nix
@@ -0,0 +1,66 @@
+{ lib, stdenv, fetchurl
+, buildPackages, bison, flex, pkg-config
+, db, iptables, libelf, libmnl
+, gitUpdater
+}:
+
+stdenv.mkDerivation rec {
+  pname = "iproute2";
+  version = "6.5.0";
+
+  src = fetchurl {
+    url = "mirror://kernel/linux/utils/net/${pname}/${pname}-${version}.tar.xz";
+    hash = "sha256-pwF5CF+huW08M7BAyAm3XitXVjrcUFpK0F4mCd83NGM=";
+  };
+
+  postPatch = ''
+    # Don't try to create /var/lib/arpd:
+    sed -e '/ARPDDIR/d' -i Makefile
+
+    substituteInPlace Makefile \
+      --replace "CC := gcc" "CC ?= $CC"
+  '';
+
+  outputs = [ "out" "dev" ];
+
+  makeFlags = [
+    "PREFIX=$(out)"
+    "SBINDIR=$(out)/sbin"
+    "DOCDIR=$(TMPDIR)/share/doc/${pname}" # Don't install docs
+    "HDRDIR=$(dev)/include/iproute2"
+  ] ++ lib.optionals stdenv.hostPlatform.isStatic [
+    "SHARED_LIBS=n"
+    # all build .so plugins:
+    "TC_CONFIG_NO_XT=y"
+  ] ++ lib.optionals (stdenv.buildPlatform != stdenv.hostPlatform) [
+    "HOSTCC=$(CC_FOR_BUILD)"
+  ];
+
+  buildFlags = [
+    "CONFDIR=/etc/iproute2"
+  ];
+
+  installFlags = [
+    "CONFDIR=$(out)/etc/iproute2"
+  ];
+
+  depsBuildBuild = [ buildPackages.stdenv.cc ]; # netem requires $HOSTCC
+  nativeBuildInputs = [ bison flex pkg-config ];
+  buildInputs = [ db iptables libelf libmnl ];
+
+  enableParallelBuilding = true;
+
+  passthru.updateScript = gitUpdater {
+    # No nicer place to find latest release.
+    url = "https://git.kernel.org/pub/scm/network/iproute2/iproute2.git";
+    rev-prefix = "v";
+  };
+
+  meta = with lib; {
+    homepage = "https://wiki.linuxfoundation.org/networking/iproute2";
+    description = "A collection of utilities for controlling TCP/IP networking and traffic control in Linux";
+    platforms = platforms.linux;
+    license = licenses.gpl2;
+    maintainers = with maintainers; [ primeos eelco fpletz globin ];
+  };
+}
diff --git a/nixpkgs/pkgs/os-specific/linux/ipset/default.nix b/nixpkgs/pkgs/os-specific/linux/ipset/default.nix
new file mode 100644
index 000000000000..8326ef1c4614
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/ipset/default.nix
@@ -0,0 +1,23 @@
+{ lib, stdenv, fetchurl, pkg-config, libmnl }:
+
+stdenv.mkDerivation rec {
+  pname = "ipset";
+  version = "7.19";
+
+  src = fetchurl {
+    url = "https://ipset.netfilter.org/${pname}-${version}.tar.bz2";
+    sha256 = "sha256-m8H7pI1leG4+C2Pca2aahmgj13hAxpkMDGsjB47CxNY=";
+  };
+
+  nativeBuildInputs = [ pkg-config ];
+  buildInputs = [ libmnl ];
+
+  configureFlags = [ "--with-kmod=no" ];
+
+  meta = with lib; {
+    homepage = "https://ipset.netfilter.org/";
+    description = "Administration tool for IP sets";
+    license = licenses.gpl2;
+    platforms = platforms.linux;
+  };
+}
diff --git a/nixpkgs/pkgs/os-specific/linux/iptables/default.nix b/nixpkgs/pkgs/os-specific/linux/iptables/default.nix
new file mode 100644
index 000000000000..b82484514e5f
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/iptables/default.nix
@@ -0,0 +1,60 @@
+{ lib, stdenv, fetchurl
+, autoreconfHook, pkg-config, pruneLibtoolFiles, flex, bison
+, libmnl, libnetfilter_conntrack, libnfnetlink, libnftnl, libpcap
+, nftablesCompat ? true
+, gitUpdater
+}:
+
+stdenv.mkDerivation rec {
+  version = "1.8.10";
+  pname = "iptables";
+
+  src = fetchurl {
+    url = "https://www.netfilter.org/projects/${pname}/files/${pname}-${version}.tar.xz";
+    sha256 = "XMJVwYk1bjF9BwdVzpNx62Oht4PDRJj7jDAmTzzFnJw=";
+  };
+
+  outputs = [ "out" "dev" "man" ];
+
+  nativeBuildInputs = [
+    autoreconfHook pkg-config pruneLibtoolFiles flex bison
+  ];
+
+  buildInputs = [ libmnl libnetfilter_conntrack libnfnetlink libnftnl libpcap ];
+
+  configureFlags = [
+    "--enable-bpf-compiler"
+    "--enable-devel"
+    "--enable-libipq"
+    "--enable-nfsynproxy"
+    "--enable-shared"
+  ] ++ lib.optional (!nftablesCompat) "--disable-nftables";
+
+  enableParallelBuilding = true;
+
+  postInstall = lib.optionalString nftablesCompat ''
+    rm $out/sbin/{iptables,iptables-restore,iptables-save,ip6tables,ip6tables-restore,ip6tables-save}
+    ln -sv xtables-nft-multi $out/bin/iptables
+    ln -sv xtables-nft-multi $out/bin/iptables-restore
+    ln -sv xtables-nft-multi $out/bin/iptables-save
+    ln -sv xtables-nft-multi $out/bin/ip6tables
+    ln -sv xtables-nft-multi $out/bin/ip6tables-restore
+    ln -sv xtables-nft-multi $out/bin/ip6tables-save
+  '';
+
+  passthru = {
+    updateScript = gitUpdater {
+      url = "https://git.netfilter.org/iptables";
+      rev-prefix = "v";
+    };
+  };
+
+  meta = with lib; {
+    description = "A program to configure the Linux IP packet filtering ruleset";
+    homepage = "https://www.netfilter.org/projects/iptables/index.html";
+    platforms = platforms.linux;
+    maintainers = with maintainers; [ fpletz ];
+    license = licenses.gpl2;
+    downloadPage = "https://www.netfilter.org/projects/iptables/files/";
+  };
+}
diff --git a/nixpkgs/pkgs/os-specific/linux/iptstate/default.nix b/nixpkgs/pkgs/os-specific/linux/iptstate/default.nix
new file mode 100644
index 000000000000..4e3693aba6f1
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/iptstate/default.nix
@@ -0,0 +1,27 @@
+{ lib, stdenv, fetchurl, libnetfilter_conntrack, ncurses }:
+
+stdenv.mkDerivation rec {
+  pname = "iptstate";
+  version = "2.2.7";
+
+  src = fetchurl {
+    url = "https://github.com/jaymzh/iptstate/releases/download/v${version}/${pname}-${version}.tar.bz2";
+    sha256 = "sha256-iW3wYCiFRWomMfeV1jT8ITEeUF+MkQNI5jEoYPIJeVU=";
+  };
+
+  buildInputs = [ libnetfilter_conntrack ncurses ];
+
+  meta = with lib; {
+    description = "Conntrack top like tool";
+    homepage = "https://github.com/jaymzh/iptstate";
+    platforms = platforms.linux;
+    maintainers = with maintainers; [ trevorj ];
+    downloadPage = "https://github.com/jaymzh/iptstate/releases";
+    license = licenses.zlib;
+  };
+
+  installPhase = ''
+    install -m755 -D iptstate $out/bin/iptstate
+  '';
+}
+
diff --git a/nixpkgs/pkgs/os-specific/linux/ipu6-drivers/default.nix b/nixpkgs/pkgs/os-specific/linux/ipu6-drivers/default.nix
new file mode 100644
index 000000000000..bc85ffd9aa32
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/ipu6-drivers/default.nix
@@ -0,0 +1,53 @@
+{ lib
+, stdenv
+, fetchFromGitHub
+, ivsc-driver
+, kernel
+}:
+
+stdenv.mkDerivation {
+  pname = "ipu6-drivers";
+  version = "unstable-2023-08-28";
+
+  src = fetchFromGitHub {
+    owner = "intel";
+    repo = "ipu6-drivers";
+    rev = "7c3d6ab1e9e234563a0af51286b0a8d60445f2a3";
+    hash = "sha256-D782v6hIqAl2EO1+zKeakURD3UGVP3c7p3ba/61yfW4=";
+  };
+
+  postPatch = ''
+    cp --no-preserve=mode --recursive --verbose \
+      ${ivsc-driver.src}/backport-include \
+      ${ivsc-driver.src}/drivers \
+      ${ivsc-driver.src}/include \
+      .
+  '';
+
+  nativeBuildInputs = kernel.moduleBuildDependencies;
+
+  makeFlags = kernel.makeFlags ++ [
+    "KERNELRELEASE=${kernel.modDirVersion}"
+    "KERNEL_SRC=${kernel.dev}/lib/modules/${kernel.modDirVersion}/build"
+  ];
+
+  enableParallelBuilding = true;
+
+  preInstall = ''
+    sed -i -e "s,INSTALL_MOD_DIR=,INSTALL_MOD_PATH=$out INSTALL_MOD_DIR=," Makefile
+  '';
+
+  installTargets = [
+    "modules_install"
+  ];
+
+  meta = {
+    homepage = "https://github.com/intel/ipu6-drivers";
+    description = "IPU6 kernel driver";
+    license = lib.licenses.gpl2;
+    maintainers = with lib.maintainers; [ hexa ];
+    platforms = [ "x86_64-linux" ];
+    # requires 6.1.7 https://github.com/intel/ipu6-drivers/pull/84
+    broken = kernel.kernelOlder "6.1.7";
+  };
+}
diff --git a/nixpkgs/pkgs/os-specific/linux/iputils/default.nix b/nixpkgs/pkgs/os-specific/linux/iputils/default.nix
new file mode 100644
index 000000000000..8396fd5e3d33
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/iputils/default.nix
@@ -0,0 +1,84 @@
+{ lib
+, stdenv
+, fetchFromGitHub
+, meson
+, ninja
+, pkg-config
+, gettext
+, libxslt
+, docbook_xsl_ns
+, libcap
+, libidn2
+, iproute2
+, apparmorRulesFromClosure
+}:
+
+stdenv.mkDerivation rec {
+  pname = "iputils";
+  version = "20221126";
+
+  src = fetchFromGitHub {
+    owner = pname;
+    repo = pname;
+    rev = version;
+    hash = "sha256-XVoQhdjBmEK8TbCpaKLjebPw7ZT8iEvyLJDTCkzezeE=";
+  };
+
+  outputs = [ "out" "apparmor" ];
+
+  # We don't have the required permissions inside the build sandbox:
+  # /build/source/build/ping/ping: socket: Operation not permitted
+  doCheck = false;
+
+  mesonFlags = [
+    "-DNO_SETCAP_OR_SUID=true"
+    "-Dsystemdunitdir=etc/systemd/system"
+    "-DINSTALL_SYSTEMD_UNITS=true"
+    "-DSKIP_TESTS=${lib.boolToString (!doCheck)}"
+  ]
+  # Disable idn usage w/musl (https://github.com/iputils/iputils/pull/111):
+  ++ lib.optional stdenv.hostPlatform.isMusl "-DUSE_IDN=false";
+
+  nativeBuildInputs = [ meson ninja pkg-config gettext libxslt.bin docbook_xsl_ns ];
+  buildInputs = [ libcap ]
+    ++ lib.optional (!stdenv.hostPlatform.isMusl) libidn2;
+  nativeCheckInputs = [ iproute2 ];
+
+  postInstall = ''
+    mkdir $apparmor
+    cat >$apparmor/bin.ping <<EOF
+    include <tunables/global>
+    $out/bin/ping {
+      include <abstractions/base>
+      include <abstractions/consoles>
+      include <abstractions/nameservice>
+      include "${apparmorRulesFromClosure { name = "ping"; }
+       ([libcap] ++ lib.optional (!stdenv.hostPlatform.isMusl) libidn2)}"
+      include <local/bin.ping>
+      capability net_raw,
+      network inet raw,
+      network inet6 raw,
+      mr $out/bin/ping,
+      r $out/share/locale/**,
+      r @{PROC}/@{pid}/environ,
+    }
+    EOF
+  '';
+
+  meta = with lib; {
+    homepage = "https://github.com/iputils/iputils";
+    changelog = "https://github.com/iputils/iputils/releases/tag/${version}";
+    description = "A set of small useful utilities for Linux networking";
+    longDescription = ''
+      A set of small useful utilities for Linux networking including:
+
+      - arping: send ARP REQUEST to a neighbour host
+      - clockdiff: measure clock difference between hosts
+      - ping: send ICMP ECHO_REQUEST to network hosts
+      - tracepath: traces path to a network host discovering MTU along this path
+    '';
+    license = with licenses; [ gpl2Plus bsd3 ];
+    platforms = platforms.linux;
+    maintainers = with maintainers; [ primeos lheckemann ];
+  };
+}
diff --git a/nixpkgs/pkgs/os-specific/linux/ipvsadm/default.nix b/nixpkgs/pkgs/os-specific/linux/ipvsadm/default.nix
new file mode 100644
index 000000000000..c98816746918
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/ipvsadm/default.nix
@@ -0,0 +1,41 @@
+{ lib, stdenv, fetchurl, pkg-config, libnl, popt, gnugrep }:
+
+stdenv.mkDerivation rec {
+  pname = "ipvsadm";
+  version = "1.31";
+
+  src = fetchurl {
+    url = "mirror://kernel/linux/utils/kernel/ipvsadm/${pname}-${version}.tar.xz";
+    sha256 = "1nyzpv1hx75k9lh0vfxfhc0p2fpqaqb38xpvs8sn88m1nljmw2hs";
+  };
+
+  postPatch = ''
+    substituteInPlace Makefile --replace "-lnl" "$(pkg-config --libs libnl-genl-3.0)"
+  '';
+
+  nativeBuildInputs = [ pkg-config ];
+  buildInputs = [ libnl popt ];
+
+  # Disable parallel build, errors:
+  #  *** No rule to make target 'libipvs/libipvs.a', needed by 'ipvsadm'.  Stop.
+  enableParallelBuilding = false;
+
+  preBuild = ''
+    makeFlagsArray+=(
+      INCLUDE=$(pkg-config --cflags libnl-genl-3.0)
+      BUILD_ROOT=$out
+      MANDIR=share/man
+    )
+  '';
+
+  postInstall = ''
+    sed -i -e "s|^PATH=.*|PATH=$out/bin:${gnugrep}/bin|" $out/sbin/ipvsadm-{restore,save}
+  '';
+
+  meta = with lib; {
+    description = "Linux Virtual Server support programs";
+    homepage = "http://www.linuxvirtualserver.org/software/ipvs.html";
+    license = licenses.gpl2;
+    platforms = platforms.linux;
+  };
+}
diff --git a/nixpkgs/pkgs/os-specific/linux/irqbalance/default.nix b/nixpkgs/pkgs/os-specific/linux/irqbalance/default.nix
new file mode 100644
index 000000000000..585c1661b8af
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/irqbalance/default.nix
@@ -0,0 +1,37 @@
+{ lib, stdenv, fetchFromGitHub, fetchpatch, autoreconfHook, pkg-config, glib, ncurses, libcap_ng }:
+
+stdenv.mkDerivation rec {
+  pname = "irqbalance";
+  version = "1.9.2";
+
+  src = fetchFromGitHub {
+    owner = "irqbalance";
+    repo = "irqbalance";
+    rev = "v${version}";
+    sha256 = "sha256-dk5gdDCXNELTlbZ34gUOVwPHvXF3N07v/ZqeNVfGTGw=";
+  };
+
+  nativeBuildInputs = [ autoreconfHook pkg-config ];
+  buildInputs = [ glib ncurses libcap_ng ];
+
+  LDFLAGS = "-lncurses";
+
+  postInstall =
+    ''
+      # Systemd service
+      mkdir -p $out/lib/systemd/system
+      grep -vi "EnvironmentFile" misc/irqbalance.service >$out/lib/systemd/system/irqbalance.service
+      substituteInPlace $out/lib/systemd/system/irqbalance.service \
+        --replace /usr/sbin/irqbalance $out/bin/irqbalance \
+        --replace ' $IRQBALANCE_ARGS' ""
+    '';
+
+  meta = with lib; {
+    homepage = "https://github.com/Irqbalance/irqbalance";
+    changelog = "https://github.com/Irqbalance/irqbalance/releases/tag/v${version}";
+    description = "A daemon to help balance the cpu load generated by interrupts across all of a systems cpus";
+    license = licenses.gpl2Only;
+    platforms = platforms.linux;
+    maintainers = with maintainers; [ fortuneteller2k ];
+  };
+}
diff --git a/nixpkgs/pkgs/os-specific/linux/isgx/default.nix b/nixpkgs/pkgs/os-specific/linux/isgx/default.nix
new file mode 100644
index 000000000000..c49a0a7b913d
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/isgx/default.nix
@@ -0,0 +1,45 @@
+{ stdenv, lib, fetchFromGitHub, kernel }:
+
+stdenv.mkDerivation rec {
+  name = "isgx-${version}-${kernel.version}";
+  version = "2.14";
+
+  src = fetchFromGitHub {
+    owner = "intel";
+    repo = "linux-sgx-driver";
+    rev = "sgx_diver_${version}"; # Typo is upstream's.
+    sha256 = "0kbbf2inaywp44lm8ig26mkb36jq3smsln0yp6kmrirdwc3c53mi";
+  };
+
+  hardeningDisable = [ "pic" ];
+
+  nativeBuildInputs = kernel.moduleBuildDependencies;
+
+  makeFlags = [
+    "KDIR=${kernel.dev}/lib/modules/${kernel.modDirVersion}/build"
+  ];
+
+  installPhase = ''
+    runHook preInstall
+    install -D isgx.ko -t $out/lib/modules/${kernel.modDirVersion}/kernel/drivers/intel/sgx
+    runHook postInstall
+  '';
+
+  enableParallelBuilding = true;
+
+  meta = with lib; {
+    description = "Intel SGX Linux Driver";
+    longDescription = ''
+      The linux-sgx-driver project (isgx) hosts an out-of-tree driver
+      for the Linux* Intel(R) SGX software stack, which would be used
+      until the driver upstreaming process is complete (before 5.11.0).
+
+      It is used to support Enhanced Privacy Identification (EPID)
+      based attestation on the platforms without Flexible Launch Control.
+    '';
+    homepage = "https://github.com/intel/linux-sgx-driver";
+    license = with licenses; [ bsd3 /* OR */ gpl2Only ];
+    maintainers = [ ];
+    platforms = [ "x86_64-linux" ];
+  };
+}
diff --git a/nixpkgs/pkgs/os-specific/linux/it87/default.nix b/nixpkgs/pkgs/os-specific/linux/it87/default.nix
new file mode 100644
index 000000000000..aa51626986e7
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/it87/default.nix
@@ -0,0 +1,37 @@
+{ lib, stdenv, fetchFromGitHub, kernel }:
+
+stdenv.mkDerivation rec {
+  name = "it87-${version}-${kernel.version}";
+  version = "unstable-2022-02-26";
+
+  # Original is no longer maintained.
+  # This is the same upstream as the AUR uses.
+  src = fetchFromGitHub {
+    owner = "frankcrawford";
+    repo = "it87";
+    rev = "c93d61adadecb009c92f3258cd3ff14a66efb193";
+    sha256 = "sha256-wVhs//iwZUUGRTk1DpV/SnA7NZ7cFyYbsUbtazlxb6Q=";
+  };
+
+  hardeningDisable = [ "pic" ];
+
+  nativeBuildInputs = kernel.moduleBuildDependencies;
+
+  preConfigure = ''
+    sed -i 's|depmod|#depmod|' Makefile
+  '';
+
+  makeFlags = [
+    "TARGET=${kernel.modDirVersion}"
+    "KERNEL_MODULES=${kernel.dev}/lib/modules/${kernel.modDirVersion}"
+    "MODDESTDIR=$(out)/lib/modules/${kernel.modDirVersion}/kernel/drivers/hwmon"
+  ];
+
+  meta = with lib; {
+    description = "Patched module for IT87xx superio chip sensors support";
+    homepage = "https://github.com/hannesha/it87";
+    license = licenses.gpl2Plus;
+    platforms = [ "x86_64-linux" "i686-linux" ];
+    maintainers = teams.lumiguide.members;
+  };
+}
diff --git a/nixpkgs/pkgs/os-specific/linux/ithc/default.nix b/nixpkgs/pkgs/os-specific/linux/ithc/default.nix
new file mode 100644
index 000000000000..69b202e7e201
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/ithc/default.nix
@@ -0,0 +1,35 @@
+{ lib, stdenv, fetchFromGitHub, kernel }:
+
+stdenv.mkDerivation rec {
+  pname = "ithc";
+  version = "unstable-2022-06-07";
+
+  src = fetchFromGitHub {
+    owner = "quo";
+    repo = "ithc-linux";
+    rev = "5af2a2213d2f3d944b19ec7ccdb96f16d56adddb";
+    hash = "sha256-p4TooWUOWPfNdePE18ESmRJezPDAl9nLb55LQtkJiSg=";
+  };
+
+  nativeBuildInputs = kernel.moduleBuildDependencies;
+
+  makeFlags = kernel.makeFlags ++ [
+    "VERSION=${version}"
+    "KDIR=${kernel.dev}/lib/modules/${kernel.modDirVersion}/build"
+  ];
+
+  postPatch = ''
+    sed -i ./Makefile -e '/depmod/d'
+  '';
+
+  installFlags = [ "INSTALL_MOD_PATH=${placeholder "out"}" ];
+
+  meta = with lib; {
+    description = "Linux driver for Intel Touch Host Controller";
+    homepage = "https://github.com/quo/ithc-linux";
+    license = licenses.publicDomain;
+    maintainers = with maintainers; [ aacebedo ];
+    platforms = platforms.linux;
+    broken = kernel.kernelOlder "5.9";
+  };
+}
diff --git a/nixpkgs/pkgs/os-specific/linux/ivsc-driver/default.nix b/nixpkgs/pkgs/os-specific/linux/ivsc-driver/default.nix
new file mode 100644
index 000000000000..0491b1d548b4
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/ivsc-driver/default.nix
@@ -0,0 +1,43 @@
+{ lib
+, stdenv
+, fetchFromGitHub
+, kernel
+}:
+
+stdenv.mkDerivation {
+  pname = "ivsc-driver";
+  version = "unstable-2023-03-10";
+
+  src = fetchFromGitHub {
+    owner = "intel";
+    repo = "ivsc-driver";
+    rev = "c8db12b907e2e455d4d5586e5812d1ae0eebd571";
+    hash = "sha256-OM9PljvaMKrk72BFeSCqaABFeAws+tOdd3oC2jyNreE=";
+  };
+
+  nativeBuildInputs = kernel.moduleBuildDependencies;
+
+  makeFlags = kernel.makeFlags ++ [
+    "KERNELRELEASE=${kernel.modDirVersion}"
+    "KERNEL_SRC=${kernel.dev}/lib/modules/${kernel.modDirVersion}/build"
+  ];
+
+  enableParallelBuilding = true;
+
+  preInstall = ''
+    sed -i -e "s,INSTALL_MOD_DIR=,INSTALL_MOD_PATH=$out INSTALL_MOD_DIR=," Makefile
+  '';
+
+  installTargets = [
+    "modules_install"
+  ];
+
+  meta = {
+    homepage = "https://github.com/intel/ivsc-driver";
+    description = "Intel Vision Sensing Controller kernel driver";
+    license = lib.licenses.gpl2;
+    maintainers = with lib.maintainers; [ hexa ];
+    platforms = [ "x86_64-linux" ];
+    broken = kernel.kernelOlder "5.15";
+  };
+}
diff --git a/nixpkgs/pkgs/os-specific/linux/iw/default.nix b/nixpkgs/pkgs/os-specific/linux/iw/default.nix
new file mode 100644
index 000000000000..bf7cb025bc1c
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/iw/default.nix
@@ -0,0 +1,30 @@
+{ lib, stdenv, fetchurl, pkg-config, libnl }:
+
+stdenv.mkDerivation rec {
+  pname = "iw";
+  version = "5.19";
+
+  src = fetchurl {
+    url = "https://www.kernel.org/pub/software/network/${pname}/${pname}-${version}.tar.xz";
+    sha256 = "sha256-8We76UfdU7uevAwdzvXbatc6wdYITyxvk3bFw2DMTU4=";
+  };
+
+  nativeBuildInputs = [ pkg-config ];
+  buildInputs = [ libnl ];
+
+  makeFlags = [ "PREFIX=${placeholder "out"}" ];
+
+  meta = {
+    description = "Tool to use nl80211";
+    longDescription = ''
+      iw is a new nl80211 based CLI configuration utility for wireless devices.
+      It supports all new drivers that have been added to the kernel recently.
+      The old tool iwconfig, which uses Wireless Extensions interface, is
+      deprecated and it's strongly recommended to switch to iw and nl80211.
+    '';
+    homepage = "https://wireless.wiki.kernel.org/en/users/Documentation/iw";
+    license = lib.licenses.isc;
+    maintainers = with lib.maintainers; [ viric primeos ];
+    platforms = with lib.platforms; linux;
+  };
+}
diff --git a/nixpkgs/pkgs/os-specific/linux/iwd/default.nix b/nixpkgs/pkgs/os-specific/linux/iwd/default.nix
new file mode 100644
index 000000000000..1b983bb90e1e
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/iwd/default.nix
@@ -0,0 +1,97 @@
+{ lib, stdenv
+, fetchgit
+, autoreconfHook
+, pkg-config
+, ell
+, coreutils
+, docutils
+, readline
+, openssl
+, python3Packages
+}:
+
+stdenv.mkDerivation rec {
+  pname = "iwd";
+  version = "2.8";
+
+  src = fetchgit {
+    url = "https://git.kernel.org/pub/scm/network/wireless/iwd.git";
+    rev = version;
+    sha256 = "sha256-i+2R8smgLXooApj0Z5e03FybhYgw1X/kIsJkrDzW8y4=";
+  };
+
+  outputs = [ "out" "man" "doc" ]
+    ++ lib.optional (stdenv.hostPlatform == stdenv.buildPlatform) "test";
+
+  nativeBuildInputs = [
+    autoreconfHook
+    docutils
+    pkg-config
+    python3Packages.wrapPython
+  ];
+
+  buildInputs = [
+    ell
+    python3Packages.python
+    readline
+  ];
+
+  nativeCheckInputs = [ openssl ];
+
+  # wrapPython wraps the scripts in $test. They pull in gobject-introspection,
+  # which doesn't cross-compile.
+  pythonPath = lib.optionals (stdenv.hostPlatform == stdenv.buildPlatform) [
+    python3Packages.dbus-python
+    python3Packages.pygobject3
+  ];
+
+  configureFlags = [
+    "--enable-external-ell"
+    "--enable-wired"
+    "--localstatedir=/var/"
+    "--with-dbus-busdir=${placeholder "out"}/share/dbus-1/system-services/"
+    "--with-dbus-datadir=${placeholder "out"}/share/"
+    "--with-systemd-modloaddir=${placeholder "out"}/etc/modules-load.d/" # maybe
+    "--with-systemd-unitdir=${placeholder "out"}/lib/systemd/system/"
+    "--with-systemd-networkdir=${placeholder "out"}/lib/systemd/network/"
+  ];
+
+  postUnpack = ''
+    mkdir -p iwd/ell
+    ln -s ${ell.src}/ell/useful.h iwd/ell/useful.h
+    ln -s ${ell.src}/ell/asn1-private.h iwd/ell/asn1-private.h
+    patchShebangs .
+  '';
+
+  doCheck = true;
+
+  postInstall = ''
+    mkdir -p $doc/share/doc
+    cp -a doc $doc/share/doc/iwd
+    cp -a README AUTHORS TODO $doc/share/doc/iwd
+  '' + lib.optionalString (stdenv.hostPlatform == stdenv.buildPlatform) ''
+    mkdir -p $test/bin
+    cp -a test/* $test/bin/
+  '';
+
+  preFixup = ''
+    wrapPythonPrograms
+  '';
+
+  postFixup = ''
+    substituteInPlace $out/share/dbus-1/system-services/net.connman.ead.service \
+      --replace /bin/false ${coreutils}/bin/false
+    substituteInPlace $out/share/dbus-1/system-services/net.connman.iwd.service \
+      --replace /bin/false ${coreutils}/bin/false
+  '';
+
+  enableParallelBuilding = true;
+
+  meta = with lib; {
+    homepage = "https://git.kernel.org/pub/scm/network/wireless/iwd.git";
+    description = "Wireless daemon for Linux";
+    license = licenses.lgpl21Plus;
+    platforms = platforms.linux;
+    maintainers = with maintainers; [ dtzWill fpletz amaxine ];
+  };
+}
diff --git a/nixpkgs/pkgs/os-specific/linux/ixgbevf/default.nix b/nixpkgs/pkgs/os-specific/linux/ixgbevf/default.nix
new file mode 100644
index 000000000000..6a748c470190
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/ixgbevf/default.nix
@@ -0,0 +1,34 @@
+{ lib, stdenv, fetchurl, kernel, kmod }:
+
+stdenv.mkDerivation rec {
+  name = "ixgbevf-${version}-${kernel.version}";
+  version = "4.6.1";
+
+  src = fetchurl {
+    url = "mirror://sourceforge/e1000/ixgbevf-${version}.tar.gz";
+    sha256 = "0h8a2g4hm38wmr13gvi2188r7nlv2c5rx6cal9gkf1nh6sla181c";
+  };
+
+  nativeBuildInputs = kernel.moduleBuildDependencies;
+
+  hardeningDisable = [ "pic" ];
+
+  configurePhase = ''
+    cd src
+    makeFlagsArray+=(KSRC=${kernel.dev}/lib/modules/${kernel.modDirVersion}/build INSTALL_MOD_PATH=$out MANDIR=/share/man)
+    substituteInPlace common.mk --replace /sbin/depmod ${kmod}/bin/depmod
+    # prevent host system kernel introspection
+    substituteInPlace common.mk --replace /boot/System.map /not-exists
+  '';
+
+  enableParallelBuilding = true;
+
+  meta = with lib; {
+    description = "Intel 82599 Virtual Function Driver";
+    homepage = "https://sourceforge.net/projects/e1000/files/ixgbevf%20stable/";
+    license = licenses.gpl2;
+    priority = 20;
+    # kernels ship ixgbevf driver for a long time already, maybe switch to a newest kernel?
+    broken = versionAtLeast kernel.version "5.2";
+  };
+}
diff --git a/nixpkgs/pkgs/os-specific/linux/jool/cli.nix b/nixpkgs/pkgs/os-specific/linux/jool/cli.nix
new file mode 100644
index 000000000000..ee5ee1128a86
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/jool/cli.nix
@@ -0,0 +1,42 @@
+{ lib, stdenv, fetchFromGitHub, nixosTests
+, autoreconfHook, pkg-config, libnl, iptables
+}:
+
+let
+  sourceAttrs = (import ./source.nix) { inherit fetchFromGitHub; };
+in
+
+stdenv.mkDerivation {
+  pname = "jool-cli";
+  version = sourceAttrs.version;
+
+  src = sourceAttrs.src;
+
+  patches = [
+    ./validate-config.patch
+  ];
+
+  outputs = [
+    "out"
+    "man"
+  ];
+
+  nativeBuildInputs = [ autoreconfHook pkg-config ];
+  buildInputs = [ libnl iptables ];
+
+  makeFlags = [ "-C" "src/usr" ];
+
+  prePatch = ''
+    sed -e 's%^XTABLES_SO_DIR = .*%XTABLES_SO_DIR = '"$out"'/lib/xtables%g' -i src/usr/iptables/Makefile
+  '';
+
+  passthru.tests = { inherit (nixosTests) jool; };
+
+  meta = with lib; {
+    homepage = "https://www.jool.mx/";
+    description = "Fairly compliant SIIT and Stateful NAT64 for Linux - CLI tools";
+    platforms = platforms.linux;
+    license = licenses.gpl2;
+    maintainers = with maintainers; [ fpletz ];
+  };
+}
diff --git a/nixpkgs/pkgs/os-specific/linux/jool/default.nix b/nixpkgs/pkgs/os-specific/linux/jool/default.nix
new file mode 100644
index 000000000000..91276cbc11b1
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/jool/default.nix
@@ -0,0 +1,35 @@
+{ lib, stdenv, fetchFromGitHub, kernel, nixosTests }:
+
+let
+  sourceAttrs = (import ./source.nix) { inherit fetchFromGitHub; };
+in
+
+stdenv.mkDerivation {
+  name = "jool-${sourceAttrs.version}-${kernel.version}";
+
+  src = sourceAttrs.src;
+
+  nativeBuildInputs = kernel.moduleBuildDependencies;
+  hardeningDisable = [ "pic" ];
+
+  prePatch = ''
+    sed -e 's@/lib/modules/\$(.*)@${kernel.dev}/lib/modules/${kernel.modDirVersion}@' -i src/mod/*/Makefile
+  '';
+
+  makeFlags = kernel.makeFlags ++ [
+    "-C src/mod"
+    "INSTALL_MOD_PATH=${placeholder "out"}"
+  ];
+
+  installTargets = "modules_install";
+
+  passthru.tests = { inherit (nixosTests) jool; };
+
+  meta = with lib; {
+    homepage = "https://www.jool.mx/";
+    description = "Fairly compliant SIIT and Stateful NAT64 for Linux - kernel modules";
+    platforms = platforms.linux;
+    license = licenses.gpl2Only;
+    maintainers = with maintainers; [ fpletz ];
+  };
+}
diff --git a/nixpkgs/pkgs/os-specific/linux/jool/source.nix b/nixpkgs/pkgs/os-specific/linux/jool/source.nix
new file mode 100644
index 000000000000..d98747d890ec
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/jool/source.nix
@@ -0,0 +1,11 @@
+{ fetchFromGitHub }:
+
+rec {
+  version = "4.1.10";
+  src = fetchFromGitHub {
+    owner = "NICMx";
+    repo = "Jool";
+    rev = "refs/tags/v${version}";
+    hash = "sha256-98XbBdSmgcepPZxX6hoPim+18lHLbrjqlbipB92nyAc=";
+  };
+}
diff --git a/nixpkgs/pkgs/os-specific/linux/jool/validate-config.patch b/nixpkgs/pkgs/os-specific/linux/jool/validate-config.patch
new file mode 100644
index 000000000000..8841b6fb14f3
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/jool/validate-config.patch
@@ -0,0 +1,193 @@
+From df0a1cf61188b5b7bb98675d746cb63d9300f148 Mon Sep 17 00:00:00 2001
+From: rnhmjoj <rnhmjoj@inventati.org>
+Date: Sat, 1 Jul 2023 18:47:05 +0200
+Subject: [PATCH] Add mode to validate the atomic configuration
+
+---
+ src/usr/argp/main.c       |  6 ++++++
+ src/usr/argp/wargp/file.c | 26 +++++++++++++++++++++++++-
+ src/usr/argp/wargp/file.h |  1 +
+ src/usr/nl/file.c         | 32 ++++++++++++++++++++++----------
+ src/usr/nl/file.h         |  3 ++-
+ 5 files changed, 56 insertions(+), 12 deletions(-)
+
+diff --git a/src/usr/argp/main.c b/src/usr/argp/main.c
+index 744a6df0..d04917da 100644
+--- a/src/usr/argp/main.c
++++ b/src/usr/argp/main.c
+@@ -238,6 +238,12 @@ static struct cmd_option file_ops[] = {
+ 			.handler = handle_file_update,
+ 			.handle_autocomplete = autocomplete_file_update,
+ 		},
++		{
++			.label = "check",
++			.xt = XT_ANY,
++			.handler = handle_file_check,
++			.handle_autocomplete = autocomplete_file_update,
++		},
+ 		{ 0 },
+ };
+ 
+diff --git a/src/usr/argp/wargp/file.c b/src/usr/argp/wargp/file.c
+index 0951b544..27ee3e64 100644
+--- a/src/usr/argp/wargp/file.c
++++ b/src/usr/argp/wargp/file.c
+@@ -26,6 +26,30 @@ static struct wargp_option update_opts[] = {
+ 	{ 0 },
+ };
+ 
++int handle_file_check(char *iname, int argc, char **argv, void const *arg)
++{
++	struct update_args uargs = { 0 };
++	struct joolnl_socket sk = { 0 };
++	struct jool_result result;
++
++	result.error = wargp_parse(update_opts, argc, argv, &uargs);
++	if (result.error)
++		return result.error;
++
++	if (!uargs.file_name.value) {
++		struct requirement reqs[] = {
++				{ false, "a file name" },
++				{ 0 }
++		};
++		return requirement_print(reqs);
++	}
++
++	result = joolnl_file_parse(&sk, xt_get(), iname, uargs.file_name.value,
++			uargs.force.value, true);
++
++	return pr_result(&result);
++}
++
+ int handle_file_update(char *iname, int argc, char **argv, void const *arg)
+ {
+ 	struct update_args uargs = { 0 };
+@@ -49,7 +73,7 @@ int handle_file_update(char *iname, int argc, char **argv, void const *arg)
+ 		return pr_result(&result);
+ 
+ 	result = joolnl_file_parse(&sk, xt_get(), iname, uargs.file_name.value,
+-			uargs.force.value);
++			uargs.force.value, false);
+ 
+ 	joolnl_teardown(&sk);
+ 	return pr_result(&result);
+diff --git a/src/usr/argp/wargp/file.h b/src/usr/argp/wargp/file.h
+index ce5de508..8ea4a4d2 100644
+--- a/src/usr/argp/wargp/file.h
++++ b/src/usr/argp/wargp/file.h
+@@ -2,6 +2,7 @@
+ #define SRC_USR_ARGP_WARGP_FILE_H_
+ 
+ int handle_file_update(char *iname, int argc, char **argv, void const *arg);
++int handle_file_check(char *iname, int argc, char **argv, void const *arg);
+ void autocomplete_file_update(void const *args);
+ 
+ #endif /* SRC_USR_ARGP_WARGP_FILE_H_ */
+diff --git a/src/usr/nl/file.c b/src/usr/nl/file.c
+index f9413236..51a668bd 100644
+--- a/src/usr/nl/file.c
++++ b/src/usr/nl/file.c
+@@ -29,6 +29,7 @@ static struct joolnl_socket sk;
+ static char const *iname;
+ static xlator_flags flags;
+ static __u8 force;
++static bool check;
+ 
+ struct json_meta {
+ 	char const *name; /* This being NULL signals the end of the array. */
+@@ -163,9 +164,11 @@ static struct jool_result handle_array(cJSON *json, int attrtype, char *name,
+ 				goto too_small;
+ 
+ 			nla_nest_end(msg, root);
+-			result = joolnl_request(&sk, msg, NULL, NULL);
+-			if (result.error)
+-				return result;
++			if (!check) {
++				result = joolnl_request(&sk, msg, NULL, NULL);
++				if (result.error)
++					return result;
++			}
+ 
+ 			msg = NULL;
+ 			json = json->prev;
+@@ -179,6 +182,8 @@ static struct jool_result handle_array(cJSON *json, int attrtype, char *name,
+ 		return result_success();
+ 
+ 	nla_nest_end(msg, root);
++	if (check)
++		return result_success();
+ 	return joolnl_request(&sk, msg, NULL, NULL);
+ 
+ too_small:
+@@ -244,6 +249,8 @@ static struct jool_result handle_global(cJSON *json)
+ 
+ 	nla_nest_end(msg, root);
+ 	free(meta);
++	if (check)
++		return result_success();
+ 	return joolnl_request(&sk, msg, NULL, NULL);
+ 
+ revert_meta:
+@@ -654,9 +661,11 @@ static struct jool_result send_ctrl_msg(bool init)
+ 	else
+ 		NLA_PUT(msg, JNLAR_ATOMIC_END, 0, NULL);
+ 
+-	result = joolnl_request(&sk, msg, NULL, NULL);
+-	if (result.error)
+-		return result;
++	if (!check) {
++		result = joolnl_request(&sk, msg, NULL, NULL);
++		if (result.error)
++			return result;
++	}
+ 
+ 	return result_success();
+ 
+@@ -683,9 +692,11 @@ static struct jool_result do_parsing(char const *iname, char *buffer)
+ 	if (result.error)
+ 		goto fail;
+ 
+-	result = send_ctrl_msg(true);
+-	if (result.error)
+-		goto fail;
++	if (!check) {
++		result = send_ctrl_msg(true);
++		if (result.error)
++			goto fail;
++	}
+ 
+ 	switch (xlator_flags2xt(flags)) {
+ 	case XT_SIIT:
+@@ -718,12 +729,13 @@ fail:
+ }
+ 
+ struct jool_result joolnl_file_parse(struct joolnl_socket *_sk, xlator_type xt,
+-		char const *iname, char const *file_name, bool _force)
++		char const *iname, char const *file_name, bool _force, bool _check)
+ {
+ 	char *buffer;
+ 	struct jool_result result;
+ 
+ 	sk = *_sk;
++	check = _check;
+ 	flags = xt;
+ 	force = _force ? JOOLNLHDR_FLAGS_FORCE : 0;
+ 
+diff --git a/src/usr/nl/file.h b/src/usr/nl/file.h
+index 51802aaf..8b4a66dd 100644
+--- a/src/usr/nl/file.h
++++ b/src/usr/nl/file.h
+@@ -9,7 +9,8 @@ struct jool_result joolnl_file_parse(
+ 	xlator_type xt,
+ 	char const *iname,
+ 	char const *file_name,
+-	bool force
++	bool force,
++	bool check
+ );
+ 
+ struct jool_result joolnl_file_get_iname(
+-- 
+2.40.1
+
diff --git a/nixpkgs/pkgs/os-specific/linux/joycond/default.nix b/nixpkgs/pkgs/os-specific/linux/joycond/default.nix
new file mode 100644
index 000000000000..e60e661f0c44
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/joycond/default.nix
@@ -0,0 +1,40 @@
+{ lib, stdenv, fetchFromGitHub, cmake, pkg-config, libevdev, udev, acl }:
+
+stdenv.mkDerivation rec {
+  pname = "joycond";
+  version = "unstable-2021-07-30";
+
+  src = fetchFromGitHub {
+    owner = "DanielOgorchock";
+    repo = "joycond";
+    rev = "f9a66914622514c13997c2bf7ec20fa98e9dfc1d";
+    sha256 = "sha256-quw7yBHDDZk1+6uHthsfMCej7g5uP0nIAqzvI6436B8=";
+  };
+
+  nativeBuildInputs = [ cmake pkg-config ];
+  buildInputs = [ libevdev udev ];
+
+  # CMake has hardcoded install paths
+  installPhase = ''
+    mkdir -p $out/{bin,etc/{systemd/system,udev/rules.d},lib/modules-load.d}
+
+    cp ./joycond $out/bin
+    cp $src/udev/{89,72}-joycond.rules $out/etc/udev/rules.d
+    cp $src/systemd/joycond.service $out/etc/systemd/system
+    cp $src/systemd/joycond.conf $out/lib/modules-load.d
+
+    substituteInPlace $out/etc/systemd/system/joycond.service --replace \
+      "ExecStart=/usr/bin/joycond" "ExecStart=$out/bin/joycond"
+
+    substituteInPlace $out/etc/udev/rules.d/89-joycond.rules --replace \
+      "/bin/setfacl"  "${acl}/bin/setfacl"
+  '';
+
+  meta = with lib; {
+    homepage = "https://github.com/DanielOgorchock/joycond";
+    description = "Userspace daemon to combine joy-cons from the hid-nintendo kernel driver";
+    license = licenses.gpl3Only;
+    maintainers = [ maintainers.ivar ];
+    platforms = platforms.linux;
+  };
+}
diff --git a/nixpkgs/pkgs/os-specific/linux/jujuutils/default.nix b/nixpkgs/pkgs/os-specific/linux/jujuutils/default.nix
new file mode 100644
index 000000000000..12e4c15e62c0
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/jujuutils/default.nix
@@ -0,0 +1,20 @@
+{ lib, stdenv, fetchurl, linuxHeaders }:
+
+stdenv.mkDerivation rec {
+  pname = "jujuutils";
+  version = "0.2";
+
+  src = fetchurl {
+    url = "https://storage.googleapis.com/google-code-archive-downloads/v2/code.google.com/jujuutils/jujuutils-${version}.tar.gz";
+    sha256 = "1r74m7s7rs9d6y7cffi7mdap3jf96qwm1v6jcw53x5cikgmfxn4x";
+  };
+
+  buildInputs = [ linuxHeaders ];
+
+  meta = {
+    homepage = "https://github.com/cladisch/linux-firewire-utils";
+    description = "Utilities around FireWire devices connected to a Linux computer";
+    license = lib.licenses.gpl2;
+    platforms = lib.platforms.linux;
+  };
+}
diff --git a/nixpkgs/pkgs/os-specific/linux/kbd/default.nix b/nixpkgs/pkgs/os-specific/linux/kbd/default.nix
new file mode 100644
index 000000000000..9d97f73780d5
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/kbd/default.nix
@@ -0,0 +1,99 @@
+{ lib
+, stdenv
+, fetchurl
+, nixosTests
+, autoreconfHook
+, pkg-config
+, flex
+, check
+, pam
+, coreutils
+, gzip
+, bzip2
+, xz
+, zstd
+, gitUpdater
+}:
+
+stdenv.mkDerivation rec {
+  pname = "kbd";
+  version = "2.6.3";
+
+  src = fetchurl {
+    url = "mirror://kernel/linux/utils/kbd/${pname}-${version}.tar.xz";
+    sha256 = "sha256-BJlsCNfRxGCWb7JEo9OIM1LCZ0t61SIAPZ9Oy4q0jes=";
+  };
+
+  # vlock is moved into its own output, since it depends on pam. This
+  # reduces closure size for most use cases.
+  outputs = [ "out" "vlock" "dev" ];
+
+  configureFlags = [
+    "--enable-optional-progs"
+    "--enable-libkeymap"
+    "--disable-nls"
+  ];
+
+  patches = [
+    ./search-paths.patch
+  ];
+
+  postPatch =
+    ''
+      # Renaming keymaps with name clashes, because loadkeys just picks
+      # the first keymap it sees. The clashing names lead to e.g.
+      # "loadkeys no" defaulting to a norwegian dvorak map instead of
+      # the much more common qwerty one.
+      pushd data/keymaps/i386
+      mv qwertz/cz{,-qwertz}.map
+      mv olpc/es{,-olpc}.map
+      mv olpc/pt{,-olpc}.map
+      mv fgGIod/trf{,-fgGIod}.map
+      mv colemak/{en-latin9,colemak}.map
+      popd
+
+      # Fix paths to decompressors. Trailing space to avoid replacing `xz` in `".xz"`.
+      substituteInPlace src/libkbdfile/kbdfile.c \
+        --replace 'gzip '  '${gzip}/bin/gzip ' \
+        --replace 'bzip2 ' '${bzip2.bin}/bin/bzip2 ' \
+        --replace 'xz '    '${xz.bin}/bin/xz ' \
+        --replace 'zstd '  '${zstd.bin}/bin/zstd '
+
+      sed -i '
+        1i prefix:=$(vlock)
+        1i bindir := $(vlock)/bin' \
+        src/vlock/Makefile.in \
+        src/vlock/Makefile.am
+    '';
+
+  postInstall = ''
+    for i in $out/bin/unicode_{start,stop}; do
+      substituteInPlace "$i" \
+        --replace /usr/bin/tty ${coreutils}/bin/tty
+    done
+  '';
+
+  buildInputs = [ check pam ];
+  NIX_LDFLAGS = lib.optional stdenv.hostPlatform.isStatic "-laudit";
+  nativeBuildInputs = [ autoreconfHook pkg-config flex ];
+
+  passthru.tests = {
+    inherit (nixosTests) keymap kbd-setfont-decompress kbd-update-search-paths-patch;
+  };
+  passthru = {
+    gzip = gzip;
+    updateScript = gitUpdater {
+       # No nicer place to find latest release.
+       url = "https://github.com/legionus/kbd.git";
+       rev-prefix = "v";
+    };
+  };
+
+  meta = with lib; {
+    homepage = "https://kbd-project.org/";
+    description = "Linux keyboard tools and keyboard maps";
+    platforms = platforms.linux;
+    license = licenses.gpl2Plus;
+    maintainers = with maintainers; [ davidak ];
+  };
+}
diff --git a/nixpkgs/pkgs/os-specific/linux/kbd/search-paths.patch b/nixpkgs/pkgs/os-specific/linux/kbd/search-paths.patch
new file mode 100644
index 000000000000..61e8918017c2
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/kbd/search-paths.patch
@@ -0,0 +1,80 @@
+Add /etc/kbd to the list of directories to search for the console
+fonts, screen mappings, Unicode maps, keytable files, etc.
+
+Without this patch, kbd will only look inside
+/nix/store/<hash>-kbd-x.x.x/share.
+
+--- a/src/libkeymap/analyze.l
++++ b/src/libkeymap/analyze.l
+@@ -109,6 +109,9 @@ static const char *const include_dirpath1[] = {
+ 	NULL
+ };
+ static const char *const include_dirpath3[] = {
++	"/etc/kbd/" KEYMAPDIR "/include/",
++	"/etc/kbd/" KEYMAPDIR "/i386/include/",
++	"/etc/kbd/" KEYMAPDIR "/mac/include/",
+ 	DATADIR "/" KEYMAPDIR "/include/",
+ 	DATADIR "/" KEYMAPDIR "/i386/include/",
+ 	DATADIR "/" KEYMAPDIR "/mac/include/",
+--- a/src/libkfont/context.c
++++ b/src/libkfont/context.c
+@@ -13,5 +13,6 @@
+ /* search for the map file in these directories (with trailing /) */
+ static const char *const mapdirpath[]  = {
++	"/etc/kbd/" TRANSDIR "/",
+ 	DATADIR "/" TRANSDIR "/",
+ 	NULL
+ };
+@@ -28,5 +29,6 @@ static const char *const mapsuffixes[] = {
+ /* search for the font in these directories (with trailing /) */
+ static const char *const fontdirpath[]  = {
++	"/etc/kbd/" FONTDIR "/",
+ 	DATADIR "/" FONTDIR "/",
+ 	NULL
+ };
+@@ -42,5 +44,6 @@ static char const *const fontsuffixes[] = {
+ 
+ static const char *const unidirpath[]  = {
++	"/etc/kbd/" UNIMAPDIR "/",
+ 	DATADIR "/" UNIMAPDIR "/",
+ 	NULL
+ };
+@@ -55,5 +58,6 @@ static const char *const unisuffixes[] = {
+ /* hide partial fonts a bit - loading a single one is a bad idea */
+ const char *const partfontdirpath[]  = {
++	"/etc/kbd/" FONTDIR "/" PARTIALDIR "/",
+ 	DATADIR "/" FONTDIR "/" PARTIALDIR "/",
+ 	NULL
+ };
+--- a/src/loadkeys.c
++++ b/src/loadkeys.c
+@@ -27,5 +27,6 @@
+ 
+ static const char *const dirpath1[] = {
++	"/etc/kbd/" KEYMAPDIR "/**",
+ 	DATADIR "/" KEYMAPDIR "/**",
+ 	KERNDIR "/",
+ 	NULL
+--- a/src/resizecons.c
++++ b/src/resizecons.c
+@@ -104,6 +104,7 @@ static void vga_set_verticaldisplayend_lowbyte(int);
+ 
+ const char *const dirpath[]  = {
+ 	"",
++	"/etc/kbd/" VIDEOMODEDIR "/",
+ 	DATADIR "/" VIDEOMODEDIR "/",
+ 	NULL
+ };
+--- a/src/setfont.c
++++ b/src/setfont.c
+@@ -48,8 +48,8 @@ usage(void)
+ 	                    "    -v         Be verbose.\n"
+ 	                    "    -C <cons>  Indicate console device to be used.\n"
+ 	                    "    -V         Print version and exit.\n"
+-	                    "Files are loaded from the current directory or %s/*/.\n"),
+-	        DATADIR);
++	                    "Files are loaded from the current directory or %s/*/ or %s/*/.\n"),
++	        DATADIR, "/etc/kbd");
+ 	exit(EX_USAGE);
+ }
+ 
diff --git a/nixpkgs/pkgs/os-specific/linux/kbdlight/default.nix b/nixpkgs/pkgs/os-specific/linux/kbdlight/default.nix
new file mode 100644
index 000000000000..0ed575b82546
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/kbdlight/default.nix
@@ -0,0 +1,27 @@
+{ lib, stdenv, fetchFromGitHub }:
+
+stdenv.mkDerivation rec {
+  pname = "kbdlight";
+  version = "1.3";
+
+  src = fetchFromGitHub {
+    owner = "hobarrera";
+    repo = "kbdlight";
+    rev = "v${version}";
+    sha256 = "1f08aid1xrbl4sb5447gkip9lnvkia1c4ap0v8zih5s9w8v72bny";
+  };
+
+  preConfigure = ''
+    substituteInPlace Makefile \
+      --replace /usr/local $out \
+      --replace 4755 0755
+  '';
+
+  meta = with lib; {
+    homepage = "https://github.com/hobarrera/kbdlight";
+    description = "A very simple application that changes MacBooks' keyboard backlight level";
+    license = licenses.isc;
+    maintainers = [ maintainers.womfoo ];
+    platforms = platforms.linux;
+  };
+}
diff --git a/nixpkgs/pkgs/os-specific/linux/kernel-headers/default.nix b/nixpkgs/pkgs/os-specific/linux/kernel-headers/default.nix
new file mode 100644
index 000000000000..e0a3c4319b8b
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/kernel-headers/default.nix
@@ -0,0 +1,128 @@
+{ stdenvNoCC, lib, buildPackages, fetchurl, perl, elf-header
+, bison, flex, rsync
+, writeTextFile
+}:
+
+let
+
+  # As part of building a hostPlatform=mips kernel, Linux creates and runs a
+  # tiny utility `arch/mips/boot/tools/relocs_main.c` for the buildPlatform.
+  # This utility references a glibc-specific header `byteswap.h`.  There is a
+  # compatibility header in gnulib for most BSDs, but not for Darwin, so we
+  # synthesize one here.
+  darwin-endian-h = writeTextFile {
+    name = "endian-h";
+    text = ''
+      #include <byteswap.h>
+    '';
+    destination = "/include/endian.h";
+  };
+  darwin-byteswap-h = writeTextFile {
+    name = "byteswap-h";
+    text = ''
+      #pragma once
+      #include <libkern/OSByteOrder.h>
+      #define bswap_16 OSSwapInt16
+      #define bswap_32 OSSwapInt32
+      #define bswap_64 OSSwapInt64
+    '';
+    destination = "/include/byteswap.h";
+  };
+
+  makeLinuxHeaders = { src, version, patches ? [] }: stdenvNoCC.mkDerivation {
+    inherit src;
+
+    pname = "linux-headers";
+    inherit version;
+
+    ARCH = stdenvNoCC.hostPlatform.linuxArch;
+
+    strictDeps = true;
+    enableParallelBuilding = true;
+
+    # It may look odd that we use `stdenvNoCC`, and yet explicit depend on a cc.
+    # We do this so we have a build->build, not build->host, C compiler.
+    depsBuildBuild = [ buildPackages.stdenv.cc ];
+    # `elf-header` is null when libc provides `elf.h`.
+    nativeBuildInputs = [
+      perl elf-header
+    ] ++ lib.optionals stdenvNoCC.hostPlatform.isAndroid [
+      bison flex rsync
+    ] ++ lib.optionals (stdenvNoCC.buildPlatform.isDarwin &&
+                        stdenvNoCC.hostPlatform.isMips) [
+      darwin-endian-h
+      darwin-byteswap-h
+    ];
+
+    extraIncludeDirs = lib.optionals (with stdenvNoCC.hostPlatform; isPower && is32bit && isBigEndian) ["ppc"];
+
+    inherit patches;
+
+    hardeningDisable = lib.optional stdenvNoCC.buildPlatform.isDarwin "format";
+
+    makeFlags = [
+      "SHELL=bash"
+      # Avoid use of runtime build->host compilers for checks. These
+      # checks only cared to work around bugs in very old compilers, so
+      # these changes should be safe.
+      "cc-version:=9999"
+      "cc-fullversion:=999999"
+      # `$(..)` expanded by make alone
+      "HOSTCC:=$(CC_FOR_BUILD)"
+      "HOSTCXX:=$(CXX_FOR_BUILD)"
+    ];
+
+    # Skip clean on darwin, case-sensitivity issues.
+    buildPhase = lib.optionalString (!stdenvNoCC.buildPlatform.isDarwin) ''
+      make mrproper $makeFlags
+    '' + (if stdenvNoCC.hostPlatform.isAndroid then ''
+      make defconfig
+      make headers_install
+    '' else ''
+      make headers $makeFlags
+    '');
+
+    checkPhase = ''
+      make headers_check $makeFlags
+    '';
+
+    # The following command requires rsync:
+    #   make headers_install INSTALL_HDR_PATH=$out $makeFlags
+    # but rsync depends on popt which does not compile on aarch64 without
+    # updateAutotoolsGnuConfigScriptsHook which is not enabled in stage2,
+    # so we replicate it with cp. This also reduces bootstrap closure size.
+    installPhase = ''
+      mkdir -p $out
+      cp -r usr/include $out
+      find $out -type f ! -name '*.h' -delete
+    ''
+    # Some builds (e.g. KVM) want a kernel.release.
+    + ''
+      mkdir -p $out/include/config
+      echo "${version}-default" > $out/include/config/kernel.release
+    '';
+
+    meta = with lib; {
+      description = "Header files and scripts for Linux kernel";
+      license = licenses.gpl2;
+      platforms = platforms.linux;
+    };
+  };
+in {
+  inherit makeLinuxHeaders;
+
+  linuxHeaders = let version = "6.5"; in
+    makeLinuxHeaders {
+      inherit version;
+      src = fetchurl {
+        url = "mirror://kernel/linux/kernel/v${lib.versions.major version}.x/linux-${version}.tar.xz";
+        hash = "sha256-eldLvCCALqdrUsp/rwcmf3IEXoYbGJFcUnKpjCer+IQ=";
+      };
+      patches = [
+        ./no-relocs.patch # for building x86 kernel headers on non-ELF platforms
+
+        # Fix regression turning `struct sockaddr_ll` flexible size.
+        ./revert-af_packet-flex.patch
+      ];
+    };
+}
diff --git a/nixpkgs/pkgs/os-specific/linux/kernel-headers/no-relocs.patch b/nixpkgs/pkgs/os-specific/linux/kernel-headers/no-relocs.patch
new file mode 100644
index 000000000000..32c88224b867
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/kernel-headers/no-relocs.patch
@@ -0,0 +1,7 @@
+--- a/arch/x86/Makefile
++++ b/arch/x86/Makefile
+@@ -231,3 +231,3 @@ endif
+ archscripts: scripts_basic
+-	$(Q)$(MAKE) $(build)=arch/x86/tools relocs
++	$(Q)$(MAKE) $(build)=arch/x86/tools
+ 
diff --git a/nixpkgs/pkgs/os-specific/linux/kernel-headers/revert-af_packet-flex.patch b/nixpkgs/pkgs/os-specific/linux/kernel-headers/revert-af_packet-flex.patch
new file mode 100644
index 000000000000..ed6c8861d2fb
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/kernel-headers/revert-af_packet-flex.patch
@@ -0,0 +1,31 @@
+Revert commit https://github.com/torvalds/linux/commit/a0ade8404c3bc2bf2631cb0f20d372eed22d9d96
+
+The change caused API regression by turning fixed size struct to
+flexible size struct. It was an unintentional change, broke `udp2raw`:
+    https://github.com/NixOS/nixpkgs/pull/252587#issuecomment-1744427473
+--- a/include/uapi/linux/if_packet.h
++++ b/include/uapi/linux/if_packet.h
+@@ -18,11 +18,7 @@ struct sockaddr_ll {
+ 	unsigned short	sll_hatype;
+ 	unsigned char	sll_pkttype;
+ 	unsigned char	sll_halen;
+-	union {
+-		unsigned char	sll_addr[8];
+-		/* Actual length is in sll_halen. */
+-		__DECLARE_FLEX_ARRAY(unsigned char, sll_addr_flex);
+-	};
++	unsigned char	sll_addr[8];
+ };
+ 
+ /* Packet types */
+--- a/net/packet/af_packet.c
++++ b/net/packet/af_packet.c
+@@ -3607,7 +3607,7 @@ static int packet_getname(struct socket *sock, struct sockaddr *uaddr,
+ 	if (dev) {
+ 		sll->sll_hatype = dev->type;
+ 		sll->sll_halen = dev->addr_len;
+-		memcpy(sll->sll_addr_flex, dev->dev_addr, dev->addr_len);
++		memcpy(sll->sll_addr, dev->dev_addr, dev->addr_len);
+ 	} else {
+ 		sll->sll_hatype = 0;	/* Bad: we have no ARPHRD_UNSPEC */
+ 		sll->sll_halen = 0;
diff --git a/nixpkgs/pkgs/os-specific/linux/kernel/bridge-stp-helper.patch b/nixpkgs/pkgs/os-specific/linux/kernel/bridge-stp-helper.patch
new file mode 100644
index 000000000000..70d0f944c2a0
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/kernel/bridge-stp-helper.patch
@@ -0,0 +1,13 @@
+diff --git a/net/bridge/br_private.h b/net/bridge/br_private.h
+index aea3d13..8fcbf81 100644
+--- a/net/bridge/br_private.h
++++ b/net/bridge/br_private.h
+@@ -39,7 +39,7 @@
+ #define BR_GROUPFWD_8021AD	0xB801u
+ 
+ /* Path to usermode spanning tree program */
+-#define BR_STP_PROG	"/sbin/bridge-stp"
++#define BR_STP_PROG	"/run/current-system/sw/bin/bridge-stp"
+ 
+ typedef struct bridge_id bridge_id;
+ typedef struct mac_addr mac_addr;
diff --git a/nixpkgs/pkgs/os-specific/linux/kernel/common-config.nix b/nixpkgs/pkgs/os-specific/linux/kernel/common-config.nix
new file mode 100644
index 000000000000..2954ee8f78b9
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/kernel/common-config.nix
@@ -0,0 +1,1061 @@
+# WARNING/NOTE: whenever you want to add an option here you need to either
+# * mark it as an optional one with `option`,
+# * or make sure it works for all the versions in nixpkgs,
+# * or check for which kernel versions it will work (using kernel
+#   changelog, google or whatever) and mark it with `whenOlder` or
+#   `whenAtLeast`.
+# Then do test your change by building all the kernels (or at least
+# their configs) in Nixpkgs or else you will guarantee lots and lots
+# of pain to users trying to switch to an older kernel because of some
+# hardware problems with a new one.
+
+# Configuration
+{ lib, stdenv, version
+
+, features ? {}
+}:
+
+with lib;
+with lib.kernel;
+with (lib.kernel.whenHelpers version);
+
+let
+
+
+  # configuration items have to be part of a subattrs
+  flattenKConf =  nested: mapAttrs (_: head) (zipAttrs (attrValues nested));
+
+  whenPlatformHasEBPFJit =
+    mkIf (stdenv.hostPlatform.isAarch32 ||
+          stdenv.hostPlatform.isAarch64 ||
+          stdenv.hostPlatform.isx86_64 ||
+          (stdenv.hostPlatform.isPower && stdenv.hostPlatform.is64bit) ||
+          (stdenv.hostPlatform.isMips && stdenv.hostPlatform.is64bit));
+
+  options = {
+
+    debug = {
+      # Necessary for BTF
+      DEBUG_INFO                = mkMerge [
+        (whenOlder "5.2" (if (features.debug or false) then yes else no))
+        (whenBetween "5.2" "5.18" yes)
+      ];
+      DEBUG_INFO_DWARF_TOOLCHAIN_DEFAULT = whenAtLeast "5.18" yes;
+      # Reduced debug info conflict with BTF and have been enabled in
+      # aarch64 defconfig since 5.13
+      DEBUG_INFO_REDUCED        = whenAtLeast "5.13" (option no);
+      DEBUG_INFO_BTF            = whenAtLeast "5.2" (option yes);
+      # Allow loading modules with mismatched BTFs
+      # FIXME: figure out how to actually make BTFs reproducible instead
+      # See https://github.com/NixOS/nixpkgs/pull/181456 for details.
+      MODULE_ALLOW_BTF_MISMATCH = whenAtLeast "5.18" (option yes);
+      BPF_LSM                   = whenAtLeast "5.7" (option yes);
+      DEBUG_KERNEL              = yes;
+      DEBUG_DEVRES              = no;
+      DYNAMIC_DEBUG             = yes;
+      DEBUG_STACK_USAGE         = no;
+      RCU_TORTURE_TEST          = no;
+      SCHEDSTATS                = no;
+      DETECT_HUNG_TASK          = yes;
+      CRASH_DUMP                = option no;
+      # Easier debugging of NFS issues.
+      SUNRPC_DEBUG              = yes;
+      # Provide access to tunables like sched_migration_cost_ns
+      SCHED_DEBUG               = yes;
+    };
+
+    power-management = {
+      CPU_FREQ_DEFAULT_GOV_PERFORMANCE = yes;
+      CPU_FREQ_GOV_SCHEDUTIL           = yes;
+      PM_ADVANCED_DEBUG                = yes;
+      PM_WAKELOCKS                     = yes;
+      POWERCAP                         = yes;
+      # ACPI Firmware Performance Data Table Support
+      ACPI_FPDT                        = whenAtLeast "5.12" (option yes);
+      # ACPI Heterogeneous Memory Attribute Table Support
+      ACPI_HMAT                        = whenAtLeast "5.2" (option yes);
+      # ACPI Platform Error Interface
+      ACPI_APEI                        = (option yes);
+      # APEI Generic Hardware Error Source
+      ACPI_APEI_GHES                   = (option yes);
+
+      # Enable lazy RCUs for power savings:
+      # https://lore.kernel.org/rcu/20221019225138.GA2499943@paulmck-ThinkPad-P17-Gen-1/
+      # RCU_LAZY depends on RCU_NOCB_CPU depends on NO_HZ_FULL
+      # depends on HAVE_VIRT_CPU_ACCOUNTING_GEN depends on 64BIT,
+      # so we can't force-enable this
+      RCU_LAZY                         = whenAtLeast "6.2" (option yes);
+    } // optionalAttrs (stdenv.hostPlatform.isx86) {
+      INTEL_IDLE                       = yes;
+      INTEL_RAPL                       = whenAtLeast "5.3" module;
+      X86_INTEL_LPSS                   = yes;
+      X86_INTEL_PSTATE                 = yes;
+      X86_AMD_PSTATE                   = whenAtLeast "5.17" yes;
+      # Intel DPTF (Dynamic Platform and Thermal Framework) Support
+      ACPI_DPTF                        = whenAtLeast "5.10" yes;
+
+      # Required to bring up some Bay Trail devices properly
+      I2C                              = yes;
+      I2C_DESIGNWARE_PLATFORM          = yes;
+      PMIC_OPREGION                    = whenAtLeast "5.10" yes;
+      INTEL_SOC_PMIC                   = whenAtLeast "5.10" yes;
+      BYTCRC_PMIC_OPREGION             = whenAtLeast "5.10" yes;
+      CHTCRC_PMIC_OPREGION             = whenAtLeast "5.10" yes;
+      XPOWER_PMIC_OPREGION             = whenAtLeast "5.10" yes;
+      BXT_WC_PMIC_OPREGION             = whenAtLeast "5.10" yes;
+      INTEL_SOC_PMIC_CHTWC             = whenAtLeast "5.10" yes;
+      CHT_WC_PMIC_OPREGION             = whenAtLeast "5.10" yes;
+      INTEL_SOC_PMIC_CHTDC_TI          = whenAtLeast "5.10" yes;
+      CHT_DC_TI_PMIC_OPREGION          = whenAtLeast "5.10" yes;
+      MFD_TPS68470                     = whenBetween "5.10" "5.13" yes;
+      TPS68470_PMIC_OPREGION           = whenAtLeast "5.10" yes;
+    };
+
+    external-firmware = {
+      # Support drivers that need external firmware.
+      STANDALONE = no;
+    };
+
+    proc-config-gz = {
+      # Make /proc/config.gz available
+      IKCONFIG      = yes;
+      IKCONFIG_PROC = yes;
+    };
+
+    optimization = {
+      # Optimize with -O2, not -Os
+      CC_OPTIMIZE_FOR_SIZE = no;
+    };
+
+    memory = {
+      DAMON = whenAtLeast "5.15" yes;
+      DAMON_VADDR = whenAtLeast "5.15" yes;
+      DAMON_PADDR = whenAtLeast "5.16" yes;
+      DAMON_SYSFS = whenAtLeast "5.18" yes;
+      DAMON_DBGFS = whenAtLeast "5.15" yes;
+      DAMON_RECLAIM = whenAtLeast "5.16" yes;
+      DAMON_LRU_SORT = whenAtLeast "6.0" yes;
+    };
+
+    memtest = {
+      MEMTEST = yes;
+    };
+
+    # Include the CFQ I/O scheduler in the kernel, rather than as a
+    # module, so that the initrd gets a good I/O scheduler.
+    scheduler = {
+      IOSCHED_CFQ = whenOlder "5.0" yes; # Removed in 5.0-RC1
+      BLK_CGROUP  = yes; # required by CFQ"
+      BLK_CGROUP_IOLATENCY = yes;
+      BLK_CGROUP_IOCOST = whenAtLeast "5.4" yes;
+      IOSCHED_DEADLINE = whenOlder "5.0" yes; # Removed in 5.0-RC1
+      MQ_IOSCHED_DEADLINE = yes;
+      BFQ_GROUP_IOSCHED = yes;
+      MQ_IOSCHED_KYBER = yes;
+      IOSCHED_BFQ = module;
+    };
+
+
+    timer = {
+      # Enable Full Dynticks System.
+      # NO_HZ_FULL depends on HAVE_VIRT_CPU_ACCOUNTING_GEN depends on 64BIT
+      NO_HZ_FULL = mkIf stdenv.is64bit yes;
+    };
+
+    # Enable NUMA.
+    numa = {
+      NUMA  = option yes;
+    };
+
+    networking = {
+      NET                = yes;
+      IP_ADVANCED_ROUTER = yes;
+      IP_PNP             = no;
+      IP_ROUTE_MULTIPATH = yes;
+      IP_VS_PROTO_TCP    = yes;
+      IP_VS_PROTO_UDP    = yes;
+      IP_VS_PROTO_ESP    = yes;
+      IP_VS_PROTO_AH     = yes;
+      IP_VS_IPV6         = yes;
+      IP_DCCP_CCID3      = no; # experimental
+      CLS_U32_PERF       = yes;
+      CLS_U32_MARK       = yes;
+      BPF_JIT            = whenPlatformHasEBPFJit yes;
+      BPF_JIT_ALWAYS_ON  = whenPlatformHasEBPFJit no; # whenPlatformHasEBPFJit yes; # see https://github.com/NixOS/nixpkgs/issues/79304
+      HAVE_EBPF_JIT      = whenPlatformHasEBPFJit yes;
+      BPF_STREAM_PARSER  = yes;
+      XDP_SOCKETS        = yes;
+      XDP_SOCKETS_DIAG   = whenAtLeast "5.1" yes;
+      WAN                = yes;
+      TCP_CONG_ADVANCED  = yes;
+      TCP_CONG_CUBIC     = yes; # This is the default congestion control algorithm since 2.6.19
+      # Required by systemd per-cgroup firewalling
+      CGROUP_BPF                  = option yes;
+      CGROUP_NET_PRIO             = yes; # Required by systemd
+      IP_ROUTE_VERBOSE            = yes;
+      IP_MROUTE_MULTIPLE_TABLES   = yes;
+      IP_MULTICAST                = yes;
+      IP_MULTIPLE_TABLES          = yes;
+      IPV6                        = yes;
+      IPV6_ROUTER_PREF            = yes;
+      IPV6_ROUTE_INFO             = yes;
+      IPV6_OPTIMISTIC_DAD         = yes;
+      IPV6_MULTIPLE_TABLES        = yes;
+      IPV6_SUBTREES               = yes;
+      IPV6_MROUTE                 = yes;
+      IPV6_MROUTE_MULTIPLE_TABLES = yes;
+      IPV6_PIMSM_V2               = yes;
+      IPV6_FOU_TUNNEL             = module;
+      IPV6_SEG6_LWTUNNEL          = yes;
+      IPV6_SEG6_HMAC              = yes;
+      IPV6_SEG6_BPF               = yes;
+      NET_CLS_BPF                 = module;
+      NET_ACT_BPF                 = module;
+      NET_SCHED                   = yes;
+      L2TP_V3                     = yes;
+      L2TP_IP                     = module;
+      L2TP_ETH                    = module;
+      BRIDGE_VLAN_FILTERING       = yes;
+      BONDING                     = module;
+      NET_L3_MASTER_DEV           = option yes;
+      NET_FOU_IP_TUNNELS          = option yes;
+      IP_NF_TARGET_REDIRECT       = module;
+
+      PPP_MULTILINK = yes; # PPP multilink support
+      PPP_FILTER    = yes;
+
+      # needed for iwd WPS support (wpa_supplicant replacement)
+      KEY_DH_OPERATIONS = yes;
+
+      # needed for nftables
+      # Networking Options
+      NETFILTER                   = yes;
+      NETFILTER_ADVANCED          = yes;
+      # Core Netfilter Configuration
+      NF_CONNTRACK_ZONES          = yes;
+      NF_CONNTRACK_EVENTS         = yes;
+      NF_CONNTRACK_TIMEOUT        = yes;
+      NF_CONNTRACK_TIMESTAMP      = yes;
+      NETFILTER_NETLINK_GLUE_CT   = yes;
+      NF_TABLES_INET              = yes;
+      NF_TABLES_NETDEV            = yes;
+      NFT_REJECT_NETDEV           = whenAtLeast "5.11" module;
+
+      # IP: Netfilter Configuration
+      NF_TABLES_IPV4              = yes;
+      NF_TABLES_ARP               = yes;
+      # IPv6: Netfilter Configuration
+      NF_TABLES_IPV6              = yes;
+      # Bridge Netfilter Configuration
+      NF_TABLES_BRIDGE            = mkMerge [ (whenOlder "5.3" yes)
+                                              (whenAtLeast "5.3" module) ];
+
+      # needed for `dropwatch`
+      # Builtin-only since https://github.com/torvalds/linux/commit/f4b6bcc7002f0e3a3428bac33cf1945abff95450
+      NET_DROP_MONITOR = yes;
+
+      # needed for ss
+      # Use a lower priority to allow these options to be overridden in hardened/config.nix
+      INET_DIAG         = mkDefault module;
+      INET_TCP_DIAG     = mkDefault module;
+      INET_UDP_DIAG     = mkDefault module;
+      INET_RAW_DIAG     = mkDefault module;
+      INET_DIAG_DESTROY = mkDefault yes;
+
+      # enable multipath-tcp
+      MPTCP           = whenAtLeast "5.6" yes;
+      MPTCP_IPV6      = whenAtLeast "5.6" yes;
+      INET_MPTCP_DIAG = whenAtLeast "5.9" (mkDefault module);
+
+      # Kernel TLS
+      TLS         = module;
+      TLS_DEVICE  = yes;
+
+      # infiniband
+      INFINIBAND = module;
+      INFINIBAND_IPOIB = module;
+      INFINIBAND_IPOIB_CM = yes;
+    };
+
+    wireless = {
+      CFG80211_WEXT               = option yes; # Without it, ipw2200 drivers don't build
+      IPW2100_MONITOR             = option yes; # support promiscuous mode
+      IPW2200_MONITOR             = option yes; # support promiscuous mode
+      HOSTAP_FIRMWARE             = option yes; # Support downloading firmware images with Host AP driver
+      HOSTAP_FIRMWARE_NVRAM       = option yes;
+      ATH9K_PCI                   = option yes; # Detect Atheros AR9xxx cards on PCI(e) bus
+      ATH9K_AHB                   = option yes; # Ditto, AHB bus
+      # The description of this option makes it sound dangerous or even illegal
+      # But OpenWRT enables it by default: https://github.com/openwrt/openwrt/blob/master/package/kernel/mac80211/Makefile#L55
+      # At the time of writing (25-06-2023): this is only used in a "correct" way by ath drivers for initiating DFS radiation
+      # for "certified devices"
+      EXPERT                      = option yes; # this is needed for offering the certification option
+      CFG80211_CERTIFICATION_ONUS = option yes;
+      # DFS: "Dynamic Frequency Selection" is a spectrum-sharing mechanism that allows
+      # you to use certain interesting frequency when your local regulatory domain mandates it.
+      # ATH drivers hides the feature behind this option and makes hostapd works with DFS frequencies.
+      # OpenWRT enables it too: https://github.com/openwrt/openwrt/blob/master/package/kernel/mac80211/ath.mk#L42
+      ATH9K_DFS_CERTIFIED         = option yes;
+      ATH10K_DFS_CERTIFIED        = option yes;
+      B43_PHY_HT                  = option yes;
+      BCMA_HOST_PCI               = option yes;
+      RTW88                       = whenAtLeast "5.2" module;
+      RTW88_8822BE                = mkMerge [ (whenBetween "5.2" "5.8" yes) (whenAtLeast "5.8" module) ];
+      RTW88_8822CE                = mkMerge [ (whenBetween "5.2" "5.8" yes) (whenAtLeast "5.8" module) ];
+    };
+
+    fb = {
+      FB                  = yes;
+      FB_EFI              = yes;
+      FB_NVIDIA_I2C       = yes; # Enable DDC Support
+      FB_RIVA_I2C         = yes;
+      FB_ATY_CT           = yes; # Mach64 CT/VT/GT/LT (incl. 3D RAGE) support
+      FB_ATY_GX           = yes; # Mach64 GX support
+      FB_SAVAGE_I2C       = yes;
+      FB_SAVAGE_ACCEL     = yes;
+      FB_SIS_300          = yes;
+      FB_SIS_315          = yes;
+      FB_3DFX_ACCEL       = yes;
+      FB_VESA             = yes;
+      FRAMEBUFFER_CONSOLE = yes;
+      FRAMEBUFFER_CONSOLE_DEFERRED_TAKEOVER = yes;
+      FRAMEBUFFER_CONSOLE_ROTATION = yes;
+      FRAMEBUFFER_CONSOLE_DETECT_PRIMARY = yes;
+      FB_GEODE            = mkIf (stdenv.hostPlatform.system == "i686-linux") yes;
+      # On 5.14 this conflicts with FB_SIMPLE.
+      DRM_SIMPLEDRM = whenAtLeast "5.14" no;
+      DRM_FBDEV_EMULATION = yes;
+    };
+
+    fonts = {
+      FONTS = yes;
+      # Default fonts enabled if FONTS is not set
+      FONT_8x8 = yes;
+      FONT_8x16 = yes;
+      # High DPI font
+      FONT_TER16x32 = whenAtLeast "5.0" yes;
+    };
+
+    video = {
+      DRM_LEGACY = no;
+      NOUVEAU_LEGACY_CTX_SUPPORT = whenBetween "5.2" "6.3" no;
+
+      # Allow specifying custom EDID on the kernel command line
+      DRM_LOAD_EDID_FIRMWARE = yes;
+      VGA_SWITCHEROO         = yes; # Hybrid graphics support
+      DRM_GMA500             = whenAtLeast "5.12" module;
+      DRM_GMA600             = whenOlder "5.13" yes;
+      DRM_GMA3600            = whenOlder "5.12" yes;
+      DRM_VMWGFX_FBCON       = whenOlder "6.2" yes;
+      # (experimental) amdgpu support for verde and newer chipsets
+      DRM_AMDGPU_SI = yes;
+      # (stable) amdgpu support for bonaire and newer chipsets
+      DRM_AMDGPU_CIK = yes;
+      # Allow device firmware updates
+      DRM_DP_AUX_CHARDEV = yes;
+      # amdgpu display core (DC) support
+      DRM_AMD_DC_DCN1_0 = whenOlder "5.6" yes;
+      DRM_AMD_DC_DCN2_0 = whenBetween "5.3" "5.6" yes;
+      DRM_AMD_DC_DCN2_1 = whenBetween "5.4" "5.6" yes;
+      DRM_AMD_DC_DCN3_0 = whenBetween "5.9" "5.11" yes;
+      DRM_AMD_DC_DCN = whenBetween "5.11" "6.4" yes;
+      DRM_AMD_DC_FP = whenAtLeast "6.4" yes;
+      DRM_AMD_DC_HDCP = whenBetween "5.5" "6.4" yes;
+      DRM_AMD_DC_SI = whenAtLeast "5.10" yes;
+    } // optionalAttrs (stdenv.hostPlatform.system == "x86_64-linux") {
+      # Intel GVT-g graphics virtualization supports 64-bit only
+      DRM_I915_GVT = yes;
+      DRM_I915_GVT_KVMGT = module;
+      # Enable Hyper-V Synthetic DRM Driver
+      DRM_HYPERV = whenAtLeast "5.14" module;
+    } // optionalAttrs (stdenv.hostPlatform.system == "aarch64-linux") {
+      # enable HDMI-CEC on RPi boards
+      DRM_VC4_HDMI_CEC = yes;
+    };
+
+    sound = {
+      SND_DYNAMIC_MINORS  = yes;
+      SND_AC97_POWER_SAVE = yes; # AC97 Power-Saving Mode
+      SND_HDA_INPUT_BEEP  = yes; # Support digital beep via input layer
+      SND_HDA_RECONFIG    = yes; # Support reconfiguration of jack functions
+      # Support configuring jack functions via fw mechanism at boot
+      SND_HDA_PATCH_LOADER = yes;
+      SND_HDA_CODEC_CA0132_DSP = whenOlder "5.7" yes; # Enable DSP firmware loading on Creative Soundblaster Z/Zx/ZxR/Recon
+      SND_OSSEMUL         = yes;
+      SND_USB_CAIAQ_INPUT = yes;
+    # Enable Sound Open Firmware support
+    } // optionalAttrs (stdenv.hostPlatform.system == "x86_64-linux" &&
+                        versionAtLeast version "5.5") {
+      SND_SOC_INTEL_SOUNDWIRE_SOF_MACH       = whenAtLeast "5.10" module;
+      SND_SOC_INTEL_USER_FRIENDLY_LONG_NAMES = whenAtLeast "5.10" yes; # dep of SOF_MACH
+      SND_SOC_SOF_INTEL_SOUNDWIRE_LINK = whenBetween "5.10" "5.11" yes; # dep of SOF_MACH
+      SND_SOC_SOF_TOPLEVEL              = yes;
+      SND_SOC_SOF_ACPI                  = module;
+      SND_SOC_SOF_PCI                   = module;
+      SND_SOC_SOF_APOLLOLAKE            = whenAtLeast "5.12" module;
+      SND_SOC_SOF_APOLLOLAKE_SUPPORT    = whenOlder "5.12" yes;
+      SND_SOC_SOF_CANNONLAKE            = whenAtLeast "5.12" module;
+      SND_SOC_SOF_CANNONLAKE_SUPPORT    = whenOlder "5.12" yes;
+      SND_SOC_SOF_COFFEELAKE            = whenAtLeast "5.12" module;
+      SND_SOC_SOF_COFFEELAKE_SUPPORT    = whenOlder "5.12" yes;
+      SND_SOC_SOF_COMETLAKE             = whenAtLeast "5.12" module;
+      SND_SOC_SOF_COMETLAKE_H_SUPPORT   = whenOlder "5.8" yes;
+      SND_SOC_SOF_COMETLAKE_LP_SUPPORT  = whenOlder "5.12" yes;
+      SND_SOC_SOF_ELKHARTLAKE           = whenAtLeast "5.12" module;
+      SND_SOC_SOF_ELKHARTLAKE_SUPPORT   = whenOlder "5.12" yes;
+      SND_SOC_SOF_GEMINILAKE            = whenAtLeast "5.12" module;
+      SND_SOC_SOF_GEMINILAKE_SUPPORT    = whenOlder "5.12" yes;
+      SND_SOC_SOF_HDA_AUDIO_CODEC       = yes;
+      SND_SOC_SOF_HDA_COMMON_HDMI_CODEC = whenOlder "5.7" yes;
+      SND_SOC_SOF_HDA_LINK              = yes;
+      SND_SOC_SOF_ICELAKE               = whenAtLeast "5.12" module;
+      SND_SOC_SOF_ICELAKE_SUPPORT       = whenOlder "5.12" yes;
+      SND_SOC_SOF_INTEL_TOPLEVEL        = yes;
+      SND_SOC_SOF_JASPERLAKE            = whenAtLeast "5.12" module;
+      SND_SOC_SOF_JASPERLAKE_SUPPORT    = whenOlder "5.12" yes;
+      SND_SOC_SOF_MERRIFIELD            = whenAtLeast "5.12" module;
+      SND_SOC_SOF_MERRIFIELD_SUPPORT    = whenOlder "5.12" yes;
+      SND_SOC_SOF_TIGERLAKE             = whenAtLeast "5.12" module;
+      SND_SOC_SOF_TIGERLAKE_SUPPORT     = whenOlder "5.12" yes;
+    };
+
+    usb-serial = {
+      USB_SERIAL_GENERIC          = yes; # USB Generic Serial Driver
+    };
+
+    usb = {
+      USB_EHCI_ROOT_HUB_TT = yes; # Root Hub Transaction Translators
+      USB_EHCI_TT_NEWSCHED = yes; # Improved transaction translator scheduling
+      USB_HIDDEV = yes; # USB Raw HID Devices (like monitor controls and Uninterruptable Power Supplies)
+    };
+
+    # Filesystem options - in particular, enable extended attributes and
+    # ACLs for all filesystems that support them.
+    filesystem = {
+      FANOTIFY                    = yes;
+      FANOTIFY_ACCESS_PERMISSIONS = yes;
+
+      TMPFS           = yes;
+      TMPFS_POSIX_ACL = yes;
+      FS_ENCRYPTION   = if (versionAtLeast version "5.1") then yes else option module;
+
+      EXT2_FS_XATTR     = yes;
+      EXT2_FS_POSIX_ACL = yes;
+      EXT2_FS_SECURITY  = yes;
+
+      EXT3_FS_POSIX_ACL = yes;
+      EXT3_FS_SECURITY  = yes;
+
+      EXT4_FS_POSIX_ACL = yes;
+      EXT4_FS_SECURITY  = yes;
+      EXT4_ENCRYPTION   = whenOlder "5.1" yes;
+
+      NTFS_FS            = whenAtLeast "5.15" no;
+      NTFS3_LZX_XPRESS   = whenAtLeast "5.15" yes;
+      NTFS3_FS_POSIX_ACL = whenAtLeast "5.15" yes;
+
+      REISERFS_FS_XATTR     = option yes;
+      REISERFS_FS_POSIX_ACL = option yes;
+      REISERFS_FS_SECURITY  = option yes;
+
+      JFS_POSIX_ACL = option yes;
+      JFS_SECURITY  = option yes;
+
+      XFS_QUOTA     = option yes;
+      XFS_POSIX_ACL = option yes;
+      XFS_RT        = option yes; # XFS Realtime subvolume support
+      XFS_ONLINE_SCRUB = option yes;
+
+      OCFS2_DEBUG_MASKLOG = option no;
+
+      BTRFS_FS_POSIX_ACL = yes;
+
+      UBIFS_FS_ADVANCED_COMPR = option yes;
+
+      F2FS_FS             = module;
+      F2FS_FS_SECURITY    = option yes;
+      F2FS_FS_ENCRYPTION  = whenOlder "5.1" yes;
+      F2FS_FS_COMPRESSION = whenAtLeast "5.6" yes;
+      UDF_FS              = module;
+
+      NFSD_V2_ACL            = whenOlder "6.2" yes;
+      NFSD_V3                = whenOlder "5.18" yes;
+      NFSD_V3_ACL            = yes;
+      NFSD_V4                = yes;
+      NFSD_V4_SECURITY_LABEL = yes;
+
+      NFS_FSCACHE           = yes;
+      NFS_SWAP              = yes;
+      NFS_V3_ACL            = yes;
+      NFS_V4_1              = yes;  # NFSv4.1 client support
+      NFS_V4_2              = yes;
+      NFS_V4_SECURITY_LABEL = yes;
+
+      CIFS_XATTR        = yes;
+      CIFS_POSIX        = option yes;
+      CIFS_FSCACHE      = yes;
+      CIFS_WEAK_PW_HASH = whenOlder "5.15" yes;
+      CIFS_UPCALL       = yes;
+      CIFS_ACL          = whenOlder "5.3" yes;
+      CIFS_DFS_UPCALL   = yes;
+
+      CEPH_FSCACHE      = yes;
+      CEPH_FS_POSIX_ACL = yes;
+
+      SQUASHFS_FILE_DIRECT         = yes;
+      SQUASHFS_DECOMP_MULTI_PERCPU = whenOlder "6.2" yes;
+      SQUASHFS_XATTR               = yes;
+      SQUASHFS_ZLIB                = yes;
+      SQUASHFS_LZO                 = yes;
+      SQUASHFS_XZ                  = yes;
+      SQUASHFS_LZ4                 = yes;
+      SQUASHFS_ZSTD                = yes;
+
+      # Native Language Support modules, needed by some filesystems
+      NLS              = yes;
+      NLS_DEFAULT      = freeform "utf8";
+      NLS_UTF8         = module;
+      NLS_CODEPAGE_437 = module; # VFAT default for the codepage= mount option
+      NLS_ISO8859_1    = module; # VFAT default for the iocharset= mount option
+
+      # Needed to use the installation iso image. Not included in all defconfigs (e.g. arm64)
+      ISO9660_FS = module;
+
+      DEVTMPFS = yes;
+
+      UNICODE = whenAtLeast "5.2" yes; # Casefolding support for filesystems
+    };
+
+    security = {
+      FORTIFY_SOURCE                   = option yes;
+
+      # https://googleprojectzero.blogspot.com/2019/11/bad-binder-android-in-wild-exploit.html
+      DEBUG_LIST                       = yes;
+      HARDENED_USERCOPY                = yes;
+      RANDOMIZE_BASE                   = option yes;
+      STRICT_DEVMEM                    = mkDefault yes; # Filter access to /dev/mem
+      IO_STRICT_DEVMEM                 = mkDefault yes;
+      SECURITY_SELINUX_BOOTPARAM_VALUE = whenOlder "5.1" (freeform "0"); # Disable SELinux by default
+      # Prevent processes from ptracing non-children processes
+      SECURITY_YAMA                    = option yes;
+      # The goal of Landlock is to enable to restrict ambient rights (e.g. global filesystem access) for a set of processes.
+      # This does not have any effect if a program does not support it
+      SECURITY_LANDLOCK                = whenAtLeast "5.13" yes;
+      DEVKMEM                          = whenOlder "5.13" no; # Disable /dev/kmem
+
+      USER_NS                          = yes; # Support for user namespaces
+
+      SECURITY_APPARMOR                = yes;
+      DEFAULT_SECURITY_APPARMOR        = yes;
+
+      RANDOM_TRUST_CPU                 = whenOlder "6.2" yes; # allow RDRAND to seed the RNG
+      RANDOM_TRUST_BOOTLOADER          = whenOlder "6.2" (whenAtLeast "5.4" yes); # allow the bootloader to seed the RNG
+
+      MODULE_SIG            = no; # r13y, generates a random key during build and bakes it in
+      # Depends on MODULE_SIG and only really helps when you sign your modules
+      # and enforce signatures which we don't do by default.
+      SECURITY_LOCKDOWN_LSM = whenAtLeast "5.4" no;
+
+      # provides a register of persistent per-UID keyrings, useful for encrypting storage pools in stratis
+      PERSISTENT_KEYRINGS              = yes;
+      # enable temporary caching of the last request_key() result
+      KEYS_REQUEST_CACHE               = whenAtLeast "5.3" yes;
+      # randomized slab caches
+      RANDOM_KMALLOC_CACHES            = whenAtLeast "6.6" yes;
+
+      # NIST SP800-90A DRBG modes - enabled by most distributions
+      #   and required by some out-of-tree modules (ShuffleCake)
+      #   This does not include the NSA-backdoored Dual-EC mode from the same NIST publication.
+      CRYPTO_DRBG_HASH                 = yes;
+      CRYPTO_DRBG_CTR                  = yes;
+
+    } // optionalAttrs stdenv.hostPlatform.isx86_64 {
+      # Enable Intel SGX
+      X86_SGX     = whenAtLeast "5.11" yes;
+      # Allow KVM guests to load SGX enclaves
+      X86_SGX_KVM = whenAtLeast "5.13" yes;
+
+      # AMD Cryptographic Coprocessor (CCP)
+      CRYPTO_DEV_CCP  = yes;
+      # AMD SME
+      AMD_MEM_ENCRYPT = yes;
+      # AMD SEV and AMD SEV-SE
+      KVM_AMD_SEV     = yes;
+      # AMD SEV-SNP
+      SEV_GUEST       = whenAtLeast "5.19" module;
+      # Shadow stacks
+      X86_USER_SHADOW_STACK = whenAtLeast "6.6" yes;
+    };
+
+    microcode = {
+      MICROCODE       = yes;
+      MICROCODE_INTEL = whenOlder "6.6" yes;
+      MICROCODE_AMD   = whenOlder "6.6" yes;
+      # Write Back Throttling
+      # https://lwn.net/Articles/682582/
+      # https://bugzilla.kernel.org/show_bug.cgi?id=12309#c655
+      BLK_WBT    = yes;
+      BLK_WBT_SQ = whenOlder "5.0" yes; # Removed in 5.0-RC1
+      BLK_WBT_MQ = yes;
+    };
+
+    container = {
+      NAMESPACES     = yes; #  Required by 'unshare' used by 'nixos-install'
+      RT_GROUP_SCHED = no;
+      CGROUP_DEVICE  = yes;
+      CGROUP_HUGETLB = yes;
+      CGROUP_PERF    = yes;
+      CGROUP_RDMA    = yes;
+
+      MEMCG                    = yes;
+      MEMCG_SWAP               = whenOlder "6.1" yes;
+
+      BLK_DEV_THROTTLING        = yes;
+      CFQ_GROUP_IOSCHED         = whenOlder "5.0" yes; # Removed in 5.0-RC1
+      CGROUP_PIDS               = yes;
+    };
+
+    staging = {
+      # Enable staging drivers.  These are somewhat experimental, but
+      # they generally don't hurt.
+      STAGING = yes;
+    };
+
+    proc-events = {
+      # PROC_EVENTS requires that the netlink connector is not built
+      # as a module.  This is required by libcgroup's cgrulesengd.
+      CONNECTOR   = yes;
+      PROC_EVENTS = yes;
+    };
+
+    tracing = {
+      FTRACE                = yes;
+      KPROBES               = yes;
+      FUNCTION_TRACER       = yes;
+      FTRACE_SYSCALLS       = yes;
+      SCHED_TRACER          = yes;
+      STACK_TRACER          = yes;
+      UPROBE_EVENTS         = option yes;
+      BPF_SYSCALL           = yes;
+      BPF_UNPRIV_DEFAULT_OFF = whenBetween "5.10" "5.16" yes;
+      BPF_EVENTS            = yes;
+      FUNCTION_PROFILER     = yes;
+      RING_BUFFER_BENCHMARK = no;
+    };
+
+    perf = {
+      # enable AMD Zen branch sampling if available
+      PERF_EVENTS_AMD_BRS       = whenAtLeast "5.19" (option yes);
+    };
+
+    virtualisation = {
+      PARAVIRT = option yes;
+
+      HYPERVISOR_GUEST = yes;
+      PARAVIRT_SPINLOCKS  = option yes;
+
+      KVM_ASYNC_PF                      = yes;
+      KVM_GENERIC_DIRTYLOG_READ_PROTECT = yes;
+      KVM_GUEST                         = yes;
+      KVM_MMIO                          = yes;
+      KVM_VFIO                          = yes;
+      KSM = yes;
+      VIRT_DRIVERS = yes;
+      # We need 64 GB (PAE) support for Xen guest support
+      HIGHMEM64G = { optional = true; tristate = mkIf (!stdenv.is64bit) "y";};
+
+      VFIO_PCI_VGA = mkIf stdenv.is64bit yes;
+
+      # VirtualBox guest drivers in the kernel conflict with the ones in the
+      # official additions package and prevent the vboxsf module from loading,
+      # so disable them for now.
+      VBOXGUEST = option no;
+      DRM_VBOXVIDEO = option no;
+
+      XEN                         = option yes;
+      XEN_DOM0                    = option yes;
+      PCI_XEN                     = option yes;
+      HVC_XEN                     = option yes;
+      HVC_XEN_FRONTEND            = option yes;
+      XEN_SYS_HYPERVISOR          = option yes;
+      SWIOTLB_XEN                 = option yes;
+      XEN_BACKEND                 = option yes;
+      XEN_BALLOON                 = option yes;
+      XEN_BALLOON_MEMORY_HOTPLUG  = option yes;
+      XEN_EFI                     = option yes;
+      XEN_HAVE_PVMMU              = option yes;
+      XEN_MCE_LOG                 = option yes;
+      XEN_PVH                     = option yes;
+      XEN_PVHVM                   = option yes;
+      XEN_SAVE_RESTORE            = option yes;
+      XEN_SELFBALLOONING          = whenOlder "5.3" yes;
+
+      # Enable device detection on virtio-mmio hypervisors
+      VIRTIO_MMIO_CMDLINE_DEVICES = yes;
+    };
+
+    media = {
+      MEDIA_DIGITAL_TV_SUPPORT = yes;
+      MEDIA_CAMERA_SUPPORT     = yes;
+      MEDIA_CONTROLLER         = yes;
+      MEDIA_PCI_SUPPORT        = yes;
+      MEDIA_USB_SUPPORT        = yes;
+      MEDIA_ANALOG_TV_SUPPORT  = yes;
+      VIDEO_STK1160_COMMON     = whenOlder "6.5" module;
+    };
+
+    "9p" = {
+      # Enable the 9P cache to speed up NixOS VM tests.
+      "9P_FSCACHE"      = option yes;
+      "9P_FS_POSIX_ACL" = option yes;
+    };
+
+    huge-page = {
+      TRANSPARENT_HUGEPAGE         = option yes;
+      TRANSPARENT_HUGEPAGE_ALWAYS  = option no;
+      TRANSPARENT_HUGEPAGE_MADVISE = option yes;
+    };
+
+    zram = {
+      ZRAM           = module;
+      ZRAM_WRITEBACK = option yes;
+      ZSWAP          = option yes;
+      ZPOOL          = yes;
+      ZBUD           = option yes;
+    };
+
+    brcmfmac = {
+      # Enable PCIe and USB for the brcmfmac driver
+      BRCMFMAC_USB  = option yes;
+      BRCMFMAC_PCIE = option yes;
+    };
+
+    # Support x2APIC (which requires IRQ remapping)
+    x2apic = optionalAttrs (stdenv.hostPlatform.system == "x86_64-linux") {
+      X86_X2APIC = yes;
+      IRQ_REMAP  = yes;
+    };
+
+    # Disable various self-test modules that have no use in a production system
+    tests = {
+      # This menu disables all/most of them on >= 4.16
+      RUNTIME_TESTING_MENU = option no;
+    } // {
+      CRC32_SELFTEST           = option no;
+      CRYPTO_TEST              = option no;
+      EFI_TEST                 = option no;
+      GLOB_SELFTEST            = option no;
+      LOCK_TORTURE_TEST        = option no;
+      MTD_TESTS                = option no;
+      NOTIFIER_ERROR_INJECTION = option no;
+      RCU_PERF_TEST            = whenOlder "5.9" no;
+      RCU_SCALE_TEST           = whenAtLeast "5.10" no;
+      RCU_TORTURE_TEST         = option no;
+      TEST_ASYNC_DRIVER_PROBE  = option no;
+      WW_MUTEX_SELFTEST        = option no;
+      XZ_DEC_TEST              = option no;
+    };
+
+    criu = {
+      # Unconditionally enabled, because it is required for CRIU and
+      # it provides the kcmp() system call that Mesa depends on.
+      CHECKPOINT_RESTORE  = yes;
+    };
+
+    misc = let
+      # Use zstd for kernel compression if 64-bit and newer than 5.9, otherwise xz.
+      # i686 issues: https://github.com/NixOS/nixpkgs/pull/117961#issuecomment-812106375
+      useZstd = stdenv.buildPlatform.is64bit && versionAtLeast version "5.9";
+    in {
+      KERNEL_XZ            = mkIf (!useZstd) yes;
+      KERNEL_ZSTD          = mkIf useZstd yes;
+
+      HID_BATTERY_STRENGTH = yes;
+      # enabled by default in x86_64 but not arm64, so we do that here
+      HIDRAW               = yes;
+
+      HID_ACRUX_FF       = yes;
+      DRAGONRISE_FF      = yes;
+      GREENASIA_FF       = yes;
+      HOLTEK_FF          = yes;
+      JOYSTICK_PSXPAD_SPI_FF = yes;
+      LOGIG940_FF        = yes;
+      NINTENDO_FF        = whenAtLeast "5.16" yes;
+      PLAYSTATION_FF     = whenAtLeast "5.12" yes;
+      SONY_FF            = yes;
+      SMARTJOYPLUS_FF    = yes;
+      THRUSTMASTER_FF    = yes;
+      ZEROPLUS_FF        = yes;
+
+      MODULE_COMPRESS    = whenOlder "5.13" yes;
+      MODULE_COMPRESS_XZ = yes;
+
+      SYSVIPC            = yes;  # System-V IPC
+
+      AIO                = yes;  # POSIX asynchronous I/O
+
+      UNIX               = yes;  # Unix domain sockets.
+
+      MD                 = yes;     # Device mapper (RAID, LVM, etc.)
+
+      # Enable initrd support.
+      BLK_DEV_INITRD    = yes;
+
+      PM_TRACE_RTC         = no; # Disable some expensive (?) features.
+      ACCESSIBILITY        = yes; # Accessibility support
+      AUXDISPLAY           = yes; # Auxiliary Display support
+      HIPPI                = yes;
+      MTD_COMPLEX_MAPPINGS = yes; # needed for many devices
+
+      SCSI_LOWLEVEL        = yes; # enable lots of SCSI devices
+      SCSI_LOWLEVEL_PCMCIA = yes;
+      SCSI_SAS_ATA         = yes; # added to enable detection of hard drive
+
+      SPI        = yes; # needed for many devices
+      SPI_MASTER = yes;
+
+      "8139TOO_8129" = yes;
+      "8139TOO_PIO"  = no; # PIO is slower
+
+      AIC79XX_DEBUG_ENABLE = no;
+      AIC7XXX_DEBUG_ENABLE = no;
+      AIC94XX_DEBUG = no;
+
+      BLK_DEV_INTEGRITY       = yes;
+
+      BLK_SED_OPAL = yes;
+
+      BSD_PROCESS_ACCT_V3 = yes;
+
+      SERIAL_DEV_BUS = yes; # enables support for serial devices
+      SERIAL_DEV_CTRL_TTYPORT = yes; # enables support for TTY serial devices
+
+      BT_HCIBTUSB_MTK = whenAtLeast "5.3" yes; # MediaTek protocol support
+      BT_HCIUART_QCA = yes; # Qualcomm Atheros protocol support
+      BT_HCIUART_SERDEV = yes; # required by BT_HCIUART_QCA
+      BT_HCIUART = module; # required for BT devices with serial port interface (QCA6390)
+      BT_HCIUART_BCSP = option yes;
+      BT_HCIUART_H4   = option yes; # UART (H4) protocol support
+      BT_HCIUART_LL   = option yes;
+      BT_RFCOMM_TTY   = option yes; # RFCOMM TTY support
+      BT_QCA = module; # enables QCA6390 bluetooth
+
+      # Removed on 5.17 as it was unused
+      # upstream: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=0a4ee518185e902758191d968600399f3bc2be31
+      CLEANCACHE = whenOlder "5.17" (option yes);
+      CRASH_DUMP = option no;
+
+      FSCACHE_STATS = yes;
+
+      DVB_DYNAMIC_MINORS = option yes; # we use udev
+
+      EFI_STUB            = yes; # EFI bootloader in the bzImage itself
+      EFI_GENERIC_STUB_INITRD_CMDLINE_LOADER =
+          whenOlder "6.2" (whenAtLeast "5.8" yes); # initrd kernel parameter for EFI
+      CGROUPS             = yes; # used by systemd
+      FHANDLE             = yes; # used by systemd
+      SECCOMP             = yes; # used by systemd >= 231
+      SECCOMP_FILTER      = yes; # ditto
+      POSIX_MQUEUE        = yes;
+      FRONTSWAP           = whenOlder "6.6" yes;
+      FUSION              = yes; # Fusion MPT device support
+      IDE                 = whenOlder "5.14" no; # deprecated IDE support, removed in 5.14
+      IDLE_PAGE_TRACKING  = yes;
+
+      JOYSTICK_IFORCE_232 = { optional = true; tristate = whenOlder "5.3" "y"; }; # I-Force Serial joysticks and wheels
+      JOYSTICK_IFORCE_USB = { optional = true; tristate = whenOlder "5.3" "y"; }; # I-Force USB joysticks and wheels
+      JOYSTICK_XPAD_FF    = option yes; # X-Box gamepad rumble support
+      JOYSTICK_XPAD_LEDS  = option yes; # LED Support for Xbox360 controller 'BigX' LED
+
+      KEYBOARD_APPLESPI = whenAtLeast "5.3" module;
+
+      KEXEC_FILE      = option yes;
+      KEXEC_JUMP      = option yes;
+
+      PARTITION_ADVANCED    = yes; # Needed for LDM_PARTITION
+      # Windows Logical Disk Manager (Dynamic Disk) support
+      LDM_PARTITION         = yes;
+      LOGIRUMBLEPAD2_FF     = yes; # Logitech Rumblepad 2 force feedback
+      LOGO                  = no; # not needed
+      MEDIA_ATTACH          = yes;
+      MEGARAID_NEWGEN       = yes;
+
+      MLX5_CORE_EN       = option yes;
+
+      NVME_MULTIPATH = yes;
+
+      PSI = whenAtLeast "4.20" yes;
+
+      MOUSE_ELAN_I2C_SMBUS = yes;
+      MOUSE_PS2_ELANTECH = yes; # Elantech PS/2 protocol extension
+      MOUSE_PS2_VMMOUSE  = yes;
+      MTRR_SANITIZER     = yes;
+      NET_FC             = yes; # Fibre Channel driver support
+      # Needed for touchpads to work on some AMD laptops
+      PINCTRL_AMD        = whenAtLeast "5.19" yes;
+      # GPIO on Intel Bay Trail, for some Chromebook internal eMMC disks
+      PINCTRL_BAYTRAIL   = yes;
+      # GPIO for Braswell and Cherryview devices
+      # Needs to be built-in to for integrated keyboards to function properly
+      PINCTRL_CHERRYVIEW = yes;
+      # 8 is default. Modern gpt tables on eMMC may go far beyond 8.
+      MMC_BLOCK_MINORS   = freeform "32";
+
+      REGULATOR  = yes; # Voltage and Current Regulator Support
+      RC_DEVICES = option yes; # Enable IR devices
+      RC_DECODERS = option yes; # Required for IR devices to work
+
+      RT2800USB_RT53XX = yes;
+      RT2800USB_RT55XX = yes;
+
+      SCHED_AUTOGROUP  = yes;
+      CFS_BANDWIDTH    = yes;
+
+      SCSI_LOGGING = yes; # SCSI logging facility
+      SERIAL_8250  = yes; # 8250/16550 and compatible serial support
+
+      SLAB_FREELIST_HARDENED = yes;
+      SLAB_FREELIST_RANDOM   = yes;
+
+      SLIP_COMPRESSED = yes; # CSLIP compressed headers
+      SLIP_SMART      = yes;
+
+      HWMON         = yes;
+      THERMAL_HWMON = yes; # Hardware monitoring support
+      NVME_HWMON    = whenAtLeast "5.5" yes; # NVMe drives temperature reporting
+      UEVENT_HELPER = no;
+
+      USERFAULTFD   = yes;
+      X86_CHECK_BIOS_CORRUPTION = yes;
+      X86_MCE                   = yes;
+
+      RAS = yes; # Needed for EDAC support
+
+      # Our initrd init uses shebang scripts, so can't be modular.
+      BINFMT_SCRIPT = yes;
+      # For systemd-binfmt
+      BINFMT_MISC   = option yes;
+
+      # Disable the firmware helper fallback, udev doesn't implement it any more
+      FW_LOADER_USER_HELPER_FALLBACK = option no;
+
+      FW_LOADER_COMPRESS = option yes;
+
+      HOTPLUG_PCI_ACPI = yes; # PCI hotplug using ACPI
+      HOTPLUG_PCI_PCIE = yes; # PCI-Expresscard hotplug support
+
+      # Enable AMD's ROCm GPU compute stack
+      HSA_AMD =     mkIf stdenv.hostPlatform.is64bit (whenAtLeast "4.20" yes);
+      ZONE_DEVICE = mkIf stdenv.hostPlatform.is64bit (whenAtLeast "5.3" yes);
+      HMM_MIRROR = whenAtLeast "5.3" yes;
+      DRM_AMDGPU_USERPTR = whenAtLeast "5.3" yes;
+
+      PREEMPT = no;
+      PREEMPT_VOLUNTARY = yes;
+
+      X86_AMD_PLATFORM_DEVICE = yes;
+      X86_PLATFORM_DRIVERS_DELL = whenAtLeast "5.12" yes;
+      X86_PLATFORM_DRIVERS_HP = whenAtLeast "6.1" yes;
+
+      LIRC = yes;
+
+      SCHED_CORE = whenAtLeast "5.14" yes;
+
+      LRU_GEN = whenAtLeast "6.1"  yes;
+      LRU_GEN_ENABLED =  whenAtLeast "6.1" yes;
+
+      FSL_MC_UAPI_SUPPORT = mkIf (stdenv.hostPlatform.system == "aarch64-linux") (whenAtLeast "5.12" yes);
+
+      ASHMEM =                 { optional = true; tristate = whenBetween "5.0" "5.18" "y";};
+      ANDROID =                { optional = true; tristate = whenBetween "5.0" "5.19" "y";};
+      ANDROID_BINDER_IPC =     { optional = true; tristate = whenAtLeast "5.0" "y";};
+      ANDROID_BINDERFS =       { optional = true; tristate = whenAtLeast "5.0" "y";};
+      ANDROID_BINDER_DEVICES = { optional = true; freeform = whenAtLeast "5.0" "binder,hwbinder,vndbinder";};
+
+      TASKSTATS = yes;
+      TASK_DELAY_ACCT = yes;
+      TASK_XACCT = yes;
+      TASK_IO_ACCOUNTING = yes;
+
+      # Fresh toolchains frequently break -Werror build for minor issues.
+      WERROR = whenAtLeast "5.15" no;
+
+      # > CONFIG_KUNIT should not be enabled in a production environment. Enabling KUnit disables Kernel Address-Space Layout Randomization (KASLR), and tests may affect the state of the kernel in ways not suitable for production.
+      # https://www.kernel.org/doc/html/latest/dev-tools/kunit/start.html
+      KUNIT = whenAtLeast "5.5" no;
+    } // optionalAttrs (stdenv.hostPlatform.system == "x86_64-linux" || stdenv.hostPlatform.system == "aarch64-linux") {
+      # Enable CPU/memory hotplug support
+      # Allows you to dynamically add & remove CPUs/memory to a VM client running NixOS without requiring a reboot
+      ACPI_HOTPLUG_CPU = yes;
+      ACPI_HOTPLUG_MEMORY = yes;
+      MEMORY_HOTPLUG = yes;
+      MEMORY_HOTREMOVE = yes;
+      HOTPLUG_CPU = yes;
+      MIGRATION = yes;
+      SPARSEMEM = yes;
+
+      # Bump the maximum number of CPUs to support systems like EC2 x1.*
+      # instances and Xeon Phi.
+      NR_CPUS = freeform "384";
+    } // optionalAttrs (stdenv.hostPlatform.system == "armv7l-linux" || stdenv.hostPlatform.system == "aarch64-linux") {
+      # Enables support for the Allwinner Display Engine 2.0
+      SUN8I_DE2_CCU = yes;
+
+      # See comments on https://github.com/NixOS/nixpkgs/commit/9b67ea9106102d882f53d62890468071900b9647
+      CRYPTO_AEGIS128_SIMD = whenAtLeast "5.4" no;
+
+      # Distros should configure the default as a kernel option.
+      # We previously defined it on the kernel command line as cma=
+      # The kernel command line will override a platform-specific configuration from its device tree.
+      # https://github.com/torvalds/linux/blob/856deb866d16e29bd65952e0289066f6078af773/kernel/dma/contiguous.c#L35-L44
+      CMA_SIZE_MBYTES = freeform "32";
+
+      # Many ARM SBCs hand off a pre-configured framebuffer.
+      # This always can can be replaced by the actual native driver.
+      # Keeping it a built-in ensures it will be used if possible.
+      FB_SIMPLE = yes;
+
+      # https://docs.kernel.org/arch/arm/mem_alignment.html
+      # tldr:
+      #  when buggy userspace code emits illegal misaligned LDM, STM,
+      #  LDRD and STRDs, the instructions trap, are caught, and then
+      #  are emulated by the kernel.
+      #
+      #  This is the default on armv7l, anyway, but it is explicitly
+      #  enabled here for the sake of providing context for the
+      #  aarch64 compat option which follows.
+      ALIGNMENT_TRAP = mkIf (stdenv.hostPlatform.system == "armv7l-linux") yes;
+
+      # https://patchwork.kernel.org/project/linux-arm-kernel/patch/20220701135322.3025321-1-ardb@kernel.org/
+      # tldr:
+      #  when encountering alignment faults under aarch64, this option
+      #  makes the kernel attempt to handle the fault by doing the
+      #  same style of misaligned emulation that is performed under
+      #  armv7l (see above option).
+      #
+      #  This minimizes the potential for aarch32 userspace to behave
+      #  differently when run under aarch64 kernels compared to when
+      #  it is run under an aarch32 kernel.
+      COMPAT_ALIGNMENT_FIXUPS = mkIf (stdenv.hostPlatform.system == "aarch64-linux") (whenAtLeast "6.1" yes);
+    } // optionalAttrs (versionAtLeast version "5.4" && (stdenv.hostPlatform.system == "x86_64-linux" || stdenv.hostPlatform.system == "aarch64-linux")) {
+      # Required for various hardware features on Chrome OS devices
+      CHROME_PLATFORMS = yes;
+      CHROMEOS_TBMC = module;
+
+      CROS_EC = module;
+
+      CROS_EC_I2C = module;
+      CROS_EC_SPI = module;
+      CROS_EC_LPC = module;
+      CROS_EC_ISHTP = module;
+
+      CROS_KBD_LED_BACKLIGHT = module;
+
+      TCG_TIS_SPI_CR50 = whenAtLeast "5.5" yes;
+    } // optionalAttrs (versionAtLeast version "5.4" && stdenv.hostPlatform.system == "x86_64-linux") {
+      CHROMEOS_LAPTOP = module;
+      CHROMEOS_PSTORE = module;
+    };
+  };
+in
+  flattenKConf options
diff --git a/nixpkgs/pkgs/os-specific/linux/kernel/export-rt-sched-migrate.patch b/nixpkgs/pkgs/os-specific/linux/kernel/export-rt-sched-migrate.patch
new file mode 100644
index 000000000000..1d8ed6f712cb
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/kernel/export-rt-sched-migrate.patch
@@ -0,0 +1,11 @@
+Export linux-rt (PREEMPT_RT) specific symbols needed by ZFS.
+(Regular kernel provides them static inline in linux/preempt.h.)
+
+--- a/kernel/sched/core.c
++++ b/kernel/sched/core.c
+@@ -1812 +1812 @@ void migrate_disable(void)
+-EXPORT_SYMBOL_GPL(migrate_disable);
++EXPORT_SYMBOL(migrate_disable);
+@@ -1843 +1843 @@ void migrate_enable(void)
+-EXPORT_SYMBOL_GPL(migrate_enable);
++EXPORT_SYMBOL(migrate_enable);
diff --git a/nixpkgs/pkgs/os-specific/linux/kernel/generate-config.pl b/nixpkgs/pkgs/os-specific/linux/kernel/generate-config.pl
new file mode 100644
index 000000000000..7e12ca5d96a9
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/kernel/generate-config.pl
@@ -0,0 +1,154 @@
+# This script runs `make config' to generate a Linux kernel
+# configuration file.  For each question (i.e. kernel configuration
+# option), unless an override is provided, it answers "m" if possible,
+# and otherwise uses the default answer (as determined by the default
+# config for the architecture).  Overrides are read from the file
+# $KERNEL_CONFIG, which on each line contains an option name and an
+# answer, e.g. "EXT2_FS_POSIX_ACL y".  The script warns about ignored
+# options in $KERNEL_CONFIG, and barfs if `make config' selects
+# another answer for an option than the one provided in
+# $KERNEL_CONFIG.
+
+use strict;
+use IPC::Open2;
+use Cwd;
+
+# exported via nix
+my $debug = $ENV{'DEBUG'};
+my $autoModules = $ENV{'AUTO_MODULES'};
+my $preferBuiltin = $ENV{'PREFER_BUILTIN'};
+my $ignoreConfigErrors = $ENV{'ignoreConfigErrors'};
+my $buildRoot = $ENV{'BUILD_ROOT'};
+my $makeFlags = $ENV{'MAKE_FLAGS'};
+$SIG{PIPE} = 'IGNORE';
+
+# Read the answers.
+my %answers;
+my %requiredAnswers;
+open ANSWERS, "<$ENV{KERNEL_CONFIG}" or die "Could not open answer file";
+while (<ANSWERS>) {
+    chomp;
+    s/#.*//;
+    if (/^\s*([A-Za-z0-9_]+)(\?)?\s+(.*\S)\s*$/) {
+        $answers{$1} = $3;
+        $requiredAnswers{$1} = !(defined $2);
+    } elsif (!/^\s*$/) {
+        die "invalid config line: $_";
+    }
+}
+close ANSWERS;
+
+sub runConfig {
+
+    # Run `make config'.
+    my $pid = open2(\*IN, \*OUT, "make -C $ENV{SRC} O=$buildRoot config SHELL=bash ARCH=$ENV{ARCH} CC=$ENV{CC} HOSTCC=$ENV{HOSTCC} HOSTCXX=$ENV{HOSTCXX} $makeFlags");
+
+    # Parse the output, look for questions and then send an
+    # appropriate answer.
+    my $line = ""; my $s;
+    my %choices = ();
+
+    my ($prevQuestion, $prevName);
+
+    while (!eof IN) {
+        read IN, $s, 1 or next;
+        $line .= $s;
+
+        #print STDERR "LINE: $line\n";
+
+        if ($s eq "\n") {
+            print STDERR "GOT: $line" if $debug;
+
+            # Remember choice alternatives ("> 1. bla (FOO)" or " 2. bla (BAR) (NEW)").
+            if ($line =~ /^\s*>?\s*(\d+)\.\s+.*?\(([A-Za-z0-9_]+)\)(?:\s+\(NEW\))?\s*$/) {
+                $choices{$2} = $1;
+            } else {
+                # The list of choices has ended without us being
+                # asked. This happens for options where only one value
+                # is valid, for instance. The results can foul up
+                # later options, so forget about it.
+                %choices = ();
+            }
+
+            $line = "";
+        }
+
+        elsif ($line =~ /###$/) {
+            # The config program is waiting for an answer.
+
+            # Is this a regular question? ("bla bla (OPTION_NAME) [Y/n/m/...] ")
+            if ($line =~ /(.*) \(([A-Za-z0-9_]+)\) \[(.*)\].*###$/) {
+                my $question = $1; my $name = $2; my $alts = $3;
+                my $answer = "";
+                # Build everything as a module if possible.
+                $answer = "m" if $autoModules && $alts =~ qr{\A(\w/)+m/(\w/)*\?\z} && !($preferBuiltin && $alts =~ /Y/);
+                $answer = $answers{$name} if defined $answers{$name};
+                print STDERR "QUESTION: $question, NAME: $name, ALTS: $alts, ANSWER: $answer\n" if $debug;
+                print OUT "$answer\n";
+                die "repeated question: $question" if $prevQuestion && $prevQuestion eq $question && $name eq $prevName;
+                $prevQuestion = $question;
+                $prevName = $name;
+            }
+
+            # Is this a choice? ("choice[1-N]: ")
+            elsif ($line =~ /choice\[(.*)\]: ###$/) {
+                my $answer = "";
+                foreach my $name (keys %choices) {
+                    $answer = $choices{$name} if ($answers{$name} || "") eq "y";
+                }
+                print STDERR "CHOICE: $1, ANSWER: $answer\n" if $debug;
+                print OUT "$answer\n" if $1 =~ /-/;
+            }
+
+            # Some questions lack the option name ("bla bla [Y/n/m/...] ").
+            elsif ($line =~ /(.*) \[(.*)\] ###$/) {
+                print OUT "\n";
+            }
+
+            else {
+                warn "don't know how to answer this question: $line\n";
+                print OUT "\n";
+            }
+
+            $line = "";
+            %choices = ();
+        }
+    }
+
+    close IN;
+    waitpid $pid, 0;
+}
+
+# Run `make config' several times to converge on the desired result.
+# (Some options may only become available after other options are
+# set in a previous run.)
+runConfig;
+runConfig;
+
+# Read the final .config file and check that our answers are in
+# there.  `make config' often overrides answers if later questions
+# cause options to be selected.
+my %config;
+open CONFIG, "<$buildRoot/.config" or die "Could not read .config";
+while (<CONFIG>) {
+    chomp;
+    if (/^CONFIG_([A-Za-z0-9_]+)="(.*)"$/) {
+        # String options have double quotes, e.g. 'CONFIG_NLS_DEFAULT="utf8"' and allow escaping.
+        ($config{$1} = $2) =~ s/\\([\\"])/$1/g;
+    } elsif (/^CONFIG_([A-Za-z0-9_]+)=(.*)$/) {
+        $config{$1} = $2;
+    } elsif (/^# CONFIG_([A-Za-z0-9_]+) is not set$/) {
+        $config{$1} = "n";
+    }
+}
+close CONFIG;
+
+my $ret = 0;
+foreach my $name (sort (keys %answers)) {
+    my $f = $requiredAnswers{$name} && $ignoreConfigErrors ne "1"
+        ? sub { warn "error: " . $_[0]; $ret = -1; } : sub { warn "warning: " . $_[0]; };
+    &$f("unused option: $name\n") unless defined $config{$name};
+    &$f("option not set correctly: $name (wanted '$answers{$name}', got '$config{$name}')\n")
+        if $config{$name} && $config{$name} ne $answers{$name};
+}
+exit $ret;
diff --git a/nixpkgs/pkgs/os-specific/linux/kernel/generic.nix b/nixpkgs/pkgs/os-specific/linux/kernel/generic.nix
new file mode 100644
index 000000000000..df67005dd816
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/kernel/generic.nix
@@ -0,0 +1,234 @@
+{ buildPackages
+, callPackage
+, perl
+, bison ? null
+, flex ? null
+, gmp ? null
+, libmpc ? null
+, mpfr ? null
+, pahole
+, lib
+, stdenv
+
+, # The kernel source tarball.
+  src
+
+, # The kernel version.
+  version
+
+, # Allows overriding the default defconfig
+  defconfig ? null
+
+, # Legacy overrides to the intermediate kernel config, as string
+  extraConfig ? ""
+
+  # Additional make flags passed to kbuild
+, extraMakeFlags ? []
+
+, # enables the options in ./common-config.nix; if `false` then only
+  # `structuredExtraConfig` is used
+ enableCommonConfig ? true
+
+, # kernel intermediate config overrides, as a set
+ structuredExtraConfig ? {}
+
+, # The version number used for the module directory
+  # If unspecified, this is determined automatically from the version.
+  modDirVersion ? null
+
+, # An attribute set whose attributes express the availability of
+  # certain features in this kernel.  E.g. `{iwlwifi = true;}'
+  # indicates a kernel that provides Intel wireless support.  Used in
+  # NixOS to implement kernel-specific behaviour.
+  features ? {}
+
+, # Custom seed used for CONFIG_GCC_PLUGIN_RANDSTRUCT if enabled. This is
+  # automatically extended with extra per-version and per-config values.
+  randstructSeed ? ""
+
+, # A list of patches to apply to the kernel.  Each element of this list
+  # should be an attribute set {name, patch} where `name' is a
+  # symbolic name and `patch' is the actual patch.  The patch may
+  # optionally be compressed with gzip or bzip2.
+  kernelPatches ? []
+, ignoreConfigErrors ? stdenv.hostPlatform.linux-kernel.name != "pc"
+, extraMeta ? {}
+
+, isZen      ? false
+, isLibre    ? false
+, isHardened ? false
+
+# easy overrides to stdenv.hostPlatform.linux-kernel members
+, autoModules ? stdenv.hostPlatform.linux-kernel.autoModules
+, preferBuiltin ? stdenv.hostPlatform.linux-kernel.preferBuiltin or false
+, kernelArch ? stdenv.hostPlatform.linuxArch
+, kernelTests ? []
+, nixosTests
+, ...
+}@args:
+
+# Note: this package is used for bootstrapping fetchurl, and thus
+# cannot use fetchpatch! All mutable patches (generated by GitHub or
+# cgit) that are needed here should be included directly in Nixpkgs as
+# files.
+
+assert stdenv.isLinux;
+
+let
+  # Dirty hack to make sure that `version` & `src` have
+  # `<nixpkgs/pkgs/os-specific/linux/kernel/linux-x.y.nix>` as position
+  # when using `builtins.unsafeGetAttrPos`.
+  #
+  # This is to make sure that ofborg actually detects changes in the kernel derivation
+  # and pings all maintainers.
+  #
+  # For further context, see https://github.com/NixOS/nixpkgs/pull/143113#issuecomment-953319957
+  basicArgs = builtins.removeAttrs
+    args
+    (lib.filter (x: ! (builtins.elem x [ "version" "src" ])) (lib.attrNames args));
+
+  # Combine the `features' attribute sets of all the kernel patches.
+  kernelFeatures = lib.foldr (x: y: (x.features or {}) // y) ({
+    iwlwifi = true;
+    efiBootStub = true;
+    needsCifsUtils = true;
+    netfilterRPFilter = true;
+    ia32Emulation = true;
+  } // features) kernelPatches;
+
+  commonStructuredConfig = import ./common-config.nix {
+    inherit lib stdenv version;
+
+    features = kernelFeatures; # Ensure we know of all extra patches, etc.
+  };
+
+  intermediateNixConfig = configfile.moduleStructuredConfig.intermediateNixConfig
+    # extra config in legacy string format
+    + extraConfig
+    + stdenv.hostPlatform.linux-kernel.extraConfig or "";
+
+  structuredConfigFromPatches =
+        map ({extraStructuredConfig ? {}, ...}: {settings=extraStructuredConfig;}) kernelPatches;
+
+  # appends kernel patches extraConfig
+  kernelConfigFun = baseConfigStr:
+    let
+      configFromPatches =
+        map ({extraConfig ? "", ...}: extraConfig) kernelPatches;
+    in lib.concatStringsSep "\n" ([baseConfigStr] ++ configFromPatches);
+
+  configfile = stdenv.mkDerivation {
+    inherit ignoreConfigErrors autoModules preferBuiltin kernelArch extraMakeFlags;
+    pname = "linux-config";
+    inherit version;
+
+    generateConfig = ./generate-config.pl;
+
+    kernelConfig = kernelConfigFun intermediateNixConfig;
+    passAsFile = [ "kernelConfig" ];
+
+    depsBuildBuild = [ buildPackages.stdenv.cc ];
+    nativeBuildInputs = [ perl gmp libmpc mpfr ]
+      ++ lib.optionals (lib.versionAtLeast version "4.16") [ bison flex ]
+      ++ lib.optional (lib.versionAtLeast version "5.2") pahole;
+
+    platformName = stdenv.hostPlatform.linux-kernel.name;
+    # e.g. "defconfig"
+    kernelBaseConfig = if defconfig != null then defconfig else stdenv.hostPlatform.linux-kernel.baseConfig;
+
+    makeFlags = lib.optionals (stdenv.hostPlatform.linux-kernel ? makeFlags) stdenv.hostPlatform.linux-kernel.makeFlags
+      ++ extraMakeFlags;
+
+    postPatch = kernel.postPatch + ''
+      # Patch kconfig to print "###" after every question so that
+      # generate-config.pl from the generic builder can answer them.
+      sed -e '/fflush(stdout);/i\printf("###");' -i scripts/kconfig/conf.c
+    '';
+
+    preUnpack = kernel.preUnpack or "";
+
+    inherit (kernel) src patches;
+
+    buildPhase = ''
+      export buildRoot="''${buildRoot:-build}"
+      export HOSTCC=$CC_FOR_BUILD
+      export HOSTCXX=$CXX_FOR_BUILD
+      export HOSTAR=$AR_FOR_BUILD
+      export HOSTLD=$LD_FOR_BUILD
+
+      # Get a basic config file for later refinement with $generateConfig.
+      make $makeFlags \
+          -C . O="$buildRoot" $kernelBaseConfig \
+          ARCH=$kernelArch \
+          HOSTCC=$HOSTCC HOSTCXX=$HOSTCXX HOSTAR=$HOSTAR HOSTLD=$HOSTLD \
+          CC=$CC OBJCOPY=$OBJCOPY OBJDUMP=$OBJDUMP READELF=$READELF \
+          $makeFlags
+
+      # Create the config file.
+      echo "generating kernel configuration..."
+      ln -s "$kernelConfigPath" "$buildRoot/kernel-config"
+      DEBUG=1 ARCH=$kernelArch KERNEL_CONFIG="$buildRoot/kernel-config" AUTO_MODULES=$autoModules \
+        PREFER_BUILTIN=$preferBuiltin BUILD_ROOT="$buildRoot" SRC=. MAKE_FLAGS="$makeFlags" \
+        perl -w $generateConfig
+    '';
+
+    installPhase = "mv $buildRoot/.config $out";
+
+    enableParallelBuilding = true;
+
+    passthru = rec {
+      module = import ../../../../nixos/modules/system/boot/kernel_config.nix;
+      # used also in apache
+      # { modules = [ { options = res.options; config = svc.config or svc; } ];
+      #   check = false;
+      # The result is a set of two attributes
+      moduleStructuredConfig = (lib.evalModules {
+        modules = [
+          module
+        ] ++ lib.optionals enableCommonConfig [
+          { settings = commonStructuredConfig; _file = "pkgs/os-specific/linux/kernel/common-config.nix"; }
+        ] ++ [
+          { settings = structuredExtraConfig; _file = "structuredExtraConfig"; }
+        ]
+        ++  structuredConfigFromPatches
+        ;
+      }).config;
+
+      structuredConfig = moduleStructuredConfig.settings;
+    };
+  }; # end of configfile derivation
+
+  kernel = (callPackage ./manual-config.nix { inherit lib stdenv buildPackages; }) (basicArgs // {
+    inherit kernelPatches randstructSeed extraMakeFlags extraMeta configfile;
+    pos = builtins.unsafeGetAttrPos "version" args;
+
+    config = { CONFIG_MODULES = "y"; CONFIG_FW_LOADER = "m"; };
+  } // lib.optionalAttrs (modDirVersion != null) { inherit modDirVersion; });
+
+  passthru = basicArgs // {
+    features = kernelFeatures;
+    inherit commonStructuredConfig structuredExtraConfig extraMakeFlags isZen isHardened isLibre;
+    isXen = lib.warn "The isXen attribute is deprecated. All Nixpkgs kernels that support it now have Xen enabled." true;
+
+    # Adds dependencies needed to edit the config:
+    # nix-shell '<nixpkgs>' -A linux.configEnv --command 'make nconfig'
+    configEnv = kernel.overrideAttrs (old: {
+      nativeBuildInputs = old.nativeBuildInputs or [] ++ (with buildPackages; [
+        pkg-config ncurses
+      ]);
+    });
+
+    passthru = kernel.passthru // (removeAttrs passthru [ "passthru" ]);
+    tests = let
+      overridableKernel = finalKernel // {
+        override = args:
+          lib.warn (
+            "override is stubbed for NixOS kernel tests, not applying changes these arguments: "
+            + toString (lib.attrNames (if lib.isAttrs args then args else args {}))
+          ) overridableKernel;
+      };
+    in [ (nixosTests.kernel-generic.passthru.testsForKernel overridableKernel) ] ++ kernelTests;
+  };
+
+  finalKernel = lib.extendDerivation true passthru kernel;
+in finalKernel
diff --git a/nixpkgs/pkgs/os-specific/linux/kernel/gpio-utils.nix b/nixpkgs/pkgs/os-specific/linux/kernel/gpio-utils.nix
new file mode 100644
index 000000000000..40e282bbf541
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/kernel/gpio-utils.nix
@@ -0,0 +1,24 @@
+{ lib, stdenv, linux }:
+
+with lib;
+
+stdenv.mkDerivation {
+  pname = "gpio-utils";
+  version = linux.version;
+
+  inherit (linux) src makeFlags;
+
+  preConfigure = ''
+    cd tools/gpio
+  '';
+
+  separateDebugInfo = true;
+  installFlags = [ "install" "DESTDIR=$(out)" "bindir=/bin" ];
+
+  meta = {
+    description = "Linux tools to inspect the gpiochip interface";
+    maintainers = with maintainers; [ kwohlfahrt ];
+    platforms = platforms.linux;
+    license = licenses.gpl2;
+  };
+}
diff --git a/nixpkgs/pkgs/os-specific/linux/kernel/hardened/anthraxx.asc b/nixpkgs/pkgs/os-specific/linux/kernel/hardened/anthraxx.asc
new file mode 100644
index 000000000000..101ccfbf0f2b
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/kernel/hardened/anthraxx.asc
@@ -0,0 +1,325 @@
+-----BEGIN PGP PUBLIC KEY BLOCK-----
+Version: GnuPG v2
+
+mQINBE64OEUBEADPS1v+zoCdKA6zyfUtVIaBoIwMhCibqurXi30tVoC9LgM6W1ve
+HwPFukWq7DAS0mZUPE3mSV63JFLaTy0bY/6GO1D4wLdWZx4ppH7XKNCvKCbsi70k
+UozFykNVf+83WEskuF1oYzXlF3aB5suz2IWJl7ey1EXgIpehwQaTJUA5JIWYFp9A
+566LRNJefYMzUR33xc4dRKj6Etg0xdLVq7/vZoo8HpLCBGNWiP0AKqFWEwTg0xQL
+7nsJA5tfJJdwAJvrzjpFsvb63PKG6waAtdHhON4q7E2Udak9fz2tRjxA5l9l2zXk
+aqsysUzkxPhNjwMENoQ04KZg4aT+ZhhBzTowSWLp3KV2uaZ66kdPUO3s+/1bPp5/
+N/IlykaUwyL773iYOZ5dOY/9hIuX/zssihcrGEMW6yIyZR5uKhzYdaM9ExTXP637
+UccgNS9/pskPGPx/xK23NDCfeHzL9YHS5KokA2wb/b9hqpwvLaeblbMl2pt79F1R
+ac+rZlrRyX3NvlTQP4hqM9Ei2YBAU7QFDJEjH8pVIceL7grxi1Ju1iD5QiSK+je5
+Jj5EAikfwSeAttSzsqNvaXJHfABrv5mkkVt1z3icP3HIHTYnG+uj+t8kvW+o9/1i
+pD6e6LUh4w5v1aY9kaK/M3+eBH59yNYI99crPUKUBVfW4gv4DBUJAQTWRQARAQAB
+tDVMZXZlbnRlIFBvbHlhayAoYW50aHJheHgpIDxsZXZlbnRlQGxldmVudGVwb2x5
+YWsubmV0PokCQQQTAQIAKwIbAwYLCQgHAwIGFQgCCQoLBBYCAwECHgECF4ACGQEF
+AlSXU9QFCQfATw8ACgkQ/BtUfI2BcsjPbxAAs+UR/bJz/HeYTpPy+HnKwDJgI9GP
+AZlNvp+QSIhOTtKCYkQ/Iu+5scY5J0Qyv0pcJW5Rxjx+l7KGovw84jzVznnYsJoy
+UQ5H3Ev9T2xW1nrZT3abJ7j6ZIck+Q+WFHu5Plsq6doSXOXmJNoehvT3BVolvc6w
+S1+CAoyA5Wm1yfocZgVOvWPWQaa1T4XA7OwxFWrvNWEZwAzTSjkGHkwmji+DxdBd
+RPam9+qm/rcN1IJTu6xJPr38a9LydWonsUpTR2Qn7Bo4EJp8yHJLaiLEMV/Nmgrr
+1orBYw/OzDzhbdMl+2zzwEBLUMPABdgnPM6ZCZ5PWyWnCU4jsBGyVd0IC5xEu3Eg
+a0EtIdvx2lXiLfh2dulpMn52uJY5iNwaTleO+z9CENQVhh5R4FuN9H0BLiyAxf1+
+MkD3jLT+DGl02hQghtxz18iTkRk7KOw/NFn4z0is+TRl4/ocNt1LiWQXt8dr7qdx
+zvUpDnxCSYZkeutzopo1TA4lKpnsS2mHabx6CbrUmF+wOIr8gHUfpBFeEQ8BHebU
+5X0JrFF5mjeNl4uK9l9lD9ng74rsSpKPr15DU41jIuQDHJYd6H3TXQ4K1z7Ciivy
+r4vgsruAFX/GduKseOx1obWW3GfIQzLAIuVdjldgREl61GWoLiGFqlcveiAIkN5p
+Bxc20hSrHgZP9ZyIRgQQEQIABgUCTrg/KAAKCRC+dA9BPyK7GTK7AKC8Sd1ndNvc
+1ispBaECbHT/JPfGrQCgvkfGBsFn/KBrgC5hTm0mSxdy942JAkEEEwECACsCGwMF
+CQIchwAGCwkIBwMCBhUIAgkKCwQWAgMBAh4BAheABQJOuD2qAhkBAAoJEPwbVHyN
+gXLIXL4QAJtbs62EpOIFld0N+tTEFn1qQPPaExAXmH/RF5Epf+0rSS6B0OXEZBXz
+cWtMPbHxoLjN1iY8o0QC1ex7/KDfYq8Ho18M9P+Lf6XfW0sJ9d021U5MJWGPs4zA
+lNFXJqeMgfJZAno2N6dO/azcYHq1wmSgUbTb9Oyi1PHfn3g0UAW59dfkB8d2jEvY
+Yed1X0mBPPXcbgnYNZ514JQtm9wuDdVWrh/Si9EhKg6+MPcbv18G4lpPGR+yNq9y
+3Jze4vmmWen0ceDJEp06IAeTfJzzD80Oui2WXtLfaQxgf9uuZtGjrMX5l+mq7rBS
+VH/dsHP1VYI0efKIs7qbmiLcMRVWYIGix9I1C3UYr3ImYiCGlBG/uQ929xbjWAHa
+hy4W6rzruUWjyi/Kz7QRnyBgtHfhDO7hYziTr5hoGhd4VeUpcbxL+MegXFZsWJlE
+kz8TOOsZ/4XxXHVoalg8fYOcA7j/aoszsPMQUOL/5jsVRhyP3evtVxb3m1EwvYDK
+Lii4IkVxGztlBOIgeT4kwXgoJEASSZHgcd6tDv9q7o33n2I1DGL8X3axcHES2/C7
+cP+li3KL3Hc9vjgaJ9HfcQLuMcHqfoHn+YzVfbG5XeFcxhgQpwpYsZv3MTbXAQwI
+fRHXRuIfOiFwqUXahi5N1WSIXNBGSyI7pu9ht5I7gIIOINE+VS7FiQJBBBMBAgAr
+AhsDBgsJCAcDAgYVCAIJCgsEFgIDAQIeAQIXgAIZAQUCUNol8QUJA/yTqwAKCRD8
+G1R8jYFyyIqUD/9yWw7WBQiWyIMpVuX9c2Ov1fAkDya43fDm0gqIgNsdaxCt5ATh
+XaXZ/p2jglWwon5jDLDNsVR0/Q/t8ugdcP3bcwRtW2YYQ2F1PaNjfr5WsuPEadyc
+J62DIobY4IzqBpDuqGLYdbzZeKr49VwbRRvIJpphrk3+CekFvdIs1ofEpA2Kn2oA
+DXfYuaWoVBF7fTwAZmc3hYPOI1jK7nrFZbCnAT4WZPzZ4IY9lsaNTF/4mQ8vV1xF
+De6HjfslHURlZWsWtQIKhIPBKoZC1nP5VRK3IHYgKw8toq780kalLH8ofv9BkSrs
+t98JOoJX4etdmE8Ta/+Wg5C9EzR+909tQfdWdkaRbhvbtl/x7X76HU4ItefLR5pW
+d0OSo488QZMQjCUWlzgPMsmnYMQm6ckNOp0B/RtMfbJV7t5H+JE3PLfFG55jcz3w
+uNGhfZyl/ZhV9fvGLU/sPyhIW7ewuIwd+7i12fH9r4NAGB/mkSKK+tHGcTZvXxux
+5QMKE+a9u6NMJRrbsIiTFwhrCLMgzLYL0mtX8FZXNFFZzGFYkiXymBR0ze4LKzRo
+dMFpyP/w/IIjYBhVpgboT2EMMIgJHSsMJDCdDjI+9cAykVF6ccSiUQ11devHL6Pv
+WwlT2Ub4TP4yCScHDPyfWq+tfdQlWFVRZMRJ7kmq0VagqomdRHgLPyPgDYkCHAQQ
+AQIABgUCUtgrXgAKCRBH1QFsQv98LACcEACFq3Oz8nHAa6KsyspIWo0+HjzCtTv0
+G6TB+svf3fl24C93IfFhpSyxNf8XVa9h9kCU5ZImYN+LaoUGiz3lcYxjdOeFYDc4
+GU5TFrJwY9eOYYCsr+z+NLn7wlLZEO772lGUDPJMWxSGqR9yOGhQCTIADLLcp6mt
+07zdejESYxMT6IjYR+rX6miWG5Hr9/lBdh/X4XhGpHEY64IL8vVB3C+FQfG3hiMB
+bHbvJ4/S/cjfNM1T9oKiA0H6jklRHIdstj+2eeWA7lS+GE3Mpkra+8KmkEjV4O03
+izcRpMm1yTGoTjp9UddTNYErb/sha5YigYAqK8bj3gh6tTFNJHbN4RWgtPDyc5Va
+1u+sH2ob6JS5tez8/Z6pMarGpTQujIGAlntP4igi0Q4hxyLof6Vtc6XF80uSwTvN
+RRmQrcq+kLPwX0NbyZCBCI+kjBPu2b932JDTfVBKwJCLF3e1zvQqN0C7EZnIzveX
+r7VtJ4WHIfSyi/HQP7xm5L0uQj+KRr+/LMaxkCDgrlqoWTgAoxCAPYH1XCvBoJRc
+DHjNikyEAS8WUGl9ZHQyAoFngi/jqH6WoDAmfBUKRoBMR2hXLOKUBmObw0DHgauM
+kk4kD6CW4UEy0SM/i9JD7sk9KiKoHMip1jguKRJkHJ1WSkNl7nZpeo+KG0WbGHXN
+b7hnrQsNyqJkUokCQQQTAQIAKwIbAwYLCQgHAwIGFQgCCQoLBBYCAwECHgECF4AC
+GQEFAlLV0QIFCQXdHmsACgkQ/BtUfI2Bcsj8DA//b8wZrFY/Fj/iR5ZaO0AjmMV1
+hM7lAFWLfDiLyYofuiGLUg9rqFWj+Ks2kedVN7+22Bjgi5fvpXv3Uy4trZKKw8Xs
+FJ/s8HQ6jzIv6pFdIYPLFQBqS2tEgfsanPZWIqJI9fbhOrRGN7WV5tXiksCaRO+u
+rLjIhAYmsDb//BD2xqsY54ouRdrz5nRG3qG2odq2Lw8XquW6srouGaSm+BI3sow6
+l2eAW8UjbxwICQg2ZPZYCBc9ArbgLS1ha+yPhp65nGpVbqDA8rUKC11op1ArAbY3
+Yt6xzLg+RCuCHBa1gNPpDoYV9V8Zve03mEIcsK10X0RhJQ+z4INvrjtelPRCOLpN
+179JmsyxwOzwAPg773SK1Z31jSirsiEke/q8j13PGNDBCb4ZKpm/KOht+4d0jJLK
+GLqD85cv3/uAeSh2zWkoKcVW6uVZpiz3KA3i4YMWnteOlrlZH28nIrDXevPzkOxo
+pZlhuLboCD6g6yuZI4Wm9fEiga8xmRDw4RrOIuDXWjNW6IVaeFGvnYaNf0wnmBD+
+FE1SMWwcmqgB1yIylmKqH0lYce8SVAMLkkOlaijhWrfCO5iS7zjWaVz98HCqFfwR
+gHuJTxOwwlf9Qb6cyC3bGsfILBUuE0L5vUAZUAc61H+6Sv88CDDUO1EOKaqAAYhR
+plvoyYZ3xiSMgzYKGZ+0OkxldmVudGUgUG9seWFrIChKYWJiZXIvWE1QUCBvbmx5
+KSA8YW50aHJheHhAamFiYmVyLmNjYy5kZT6JAj4EEwECACgCGwMGCwkIBwMCBhUI
+AgkKCwQWAgMBAh4BAheABQJUl1PaBQkHwE8PAAoJEPwbVHyNgXLIQokQAKxJB9/F
+TfBae6eqcT+izxGSnsvbc2bcrtsmKkhu9HwpsJ4IDutphXFB0wFalI40BL0o1k54
+Wlfv5GHbq7Ju3kW2dmTMP0WpfFytV7rr2yqSmik+skJw27BDk74rP0v4TNOHaTrP
+nokfTnlaKuv1bqlwbIwV7rJ5jbAtw5hueeN4jghGU8SGlCOEZ/xGxYYsvtyPhZhn
+kmsAzcPr/BpW4NkSb2SnRIO8KzcPnzxz7JDdeIusq/YW7P5OlhDx4ejdh0Wg6ISl
+zxB5VoqFqNuKTBQNz4HHpqDVQqEDE4JngMerDr+4qAiDYI4w6kN3Ce2LqciRyMVh
+YYnTqyyjXYY3C1WwXIa1tZb2Cw2DorshNFdACr7wKQMOoJtAFpdd3d/DRKQWCc3x
+jkBERqZ+55unTY0/0uyNPoK0noAcGydiU8WGh6wyi+Do+Zxq4QJEcqL/FHrhlaiw
+LTmgDS+XDl7zRtQia7ykpi/xqe74ujOHcJO8tpY0ZCdR2A13xiOi+11wndbOkBFv
+dQ0vgih9ROzwe3hBbBQQOdF4hkA9vEd2Ks4gF8IR+5ixWAIyZAVbnDiLelWgQgnE
+aeEwTtfcXRNAxuj+MgMPQhXQ2/cK0dPD4z51DchVRIf9G3hAuBT/CEhTqNkkm5F0
+og7azwd75+vh5RxwVld3ES6CMXKaiV4csQkdiEYEEBECAAYFAk64PygACgkQvnQP
+QT8iuxlligCeNgfNE4w1AQuOC4ef3HNNY0GXgVMAnjmtCVIUJv/w6PDimvf20rgF
+GVHxiQI+BBMBAgAoBQJOuD0KAhsDBQkCHIcABgsJCAcDAgYVCAIJCgsEFgIDAQIe
+AQIXgAAKCRD8G1R8jYFyyPv3D/wJ+sYXqSxoo8OriGMUzG5LXs2Hf1YULdlysGa8
+mxWTwCIEMSSx8AoOKf/FyXglDVl9msfOgv6jRiN+UyNCQEv+6a5ZCL7BlAVU0Q4W
+w2/UUlOUlLMC1QAodGcC3kiPSy41jnDVswKYRrICuiW1Pqgad3h7u7caqvqG1D/A
+YOR2Q8JjY15j6Qf62Xx+YANx2tPWKeDyPUAN/x1W6RrEDbN5F+1qOpPFuTnpPmqH
+q4zxm4Dz4szypmAKsN+5/q8T6DJtSnP7COtsY467oX2XtNTTuCIsU79lBVo/yan9
+ofB6hu12KyXwJIl1OK34g9VEP5suU3hcEw7uVAvxyMYJQlxORUCG0DAFc/oPm3d0
+ypRdbxXJMjoS3pmCf7kwnEA9PIAjZDYuVHGZkAdmYYInTIH6ipjkVxDHEF1en0h2
+zHJEZC7NIYgPyzHXmH7Xy3VZVhhKKKM12VDOuIOOecQPuFIw3hG7dymjn5e9dMzv
++DMkbEZzoFahLYkbVGG1FGzhE6Uvb/IG0UJCC4nDz0pzZpV++QHvgEvbY/HLbHJ4
+o3CT5aVE0YIhTP+zqXNFMOao8yZy+AzdMzdX+Y3ADZfY0oiZ+JH1Zo++rdrgXUhg
+Y98QgMwVwESbwaBKjsC0JnlmWyNivhIOS6NRyqR75E7j7JSvgJdxhvpQXXkQ/BzL
+FM1Ej4kCPgQTAQIAKAIbAwYLCQgHAwIGFQgCCQoLBBYCAwECHgECF4AFAlDaJfoF
+CQP8k6sACgkQ/BtUfI2BcsiEahAArZfD1yJK385eqgCZ5LryVLRXrocuF1zlHl/6
+ugRy2TEe43ex4eTOY+mv4ZJVSxbDzUqMbBv0m3IETbM0CSESjGD+i5I7K3IToZO9
+ZgIXDbpoy9x2KWjU+R5oaxCTmZ9jk1p+f4zHxc8lJdgOXPwcIIT5Euwk4LAFN+wn
+CUHkO/D0xzP2ivTrM+VHNWqSUcNInAGRx+R0NvdSryIAsdA/5E3ql786WQhPy6L6
+1d7cmxaLsfAKIOf8ydNyoiqmJkT62omLLnqyERfLZRa9RKt5EgnxX6kR2BA+h/Gn
+KVV18bCIJjF3Gjnh3qjJehKRaw9nmzrB9KtGQAHdIp8ivNvjMitc1ijRIECfidWd
+lGxgmuI/gX58eaV3scjbs5YUFmGhcZIgjCxWWxFSwmzJTUVT5XqBpXFQB4dokj9m
+NNMpM3YH8T9QaaS/m9j7cmCJ4gxp7i1bJsqsVG5BjRLiZv701eVKVmU6vqhubR0R
+eSZghqho9e44ZMbn4rJ5kTQhGc7ZGNsIyChMSaYVreB8IBLDC7rg8dB/umg1OYOp
+8EqRLJyXdtpa4DN3X0e4WcWb0Toj4QuyCh/es1CtBldhdqHr0aLZYCX4i/KuGTXI
+kA8LTOJmZsE+K+/NCux1VHK9DADKcNjhSV0QTf+8ntGlNW6i2Mlt34thZK5eeB6W
+Bbo1zl6JAhwEEAECAAYFAlLYK14ACgkQR9UBbEL/fCyyQBAA0931q8dBD/6COmat
+8S+JSgcuIpylukFxU2vySBWSGRHFmFzwbokUE4bbNyutwNO2cNBa9zcxRPrkIg+7
+d65QjdZNDV2zWTjv5GwzEMjWxhP7VpTwTouYgx9j2d2KpFo2jfhTtZ7OU7DDF9YT
+FsaRiZHHZT+W/JHuB9Lxc55HkSagu00yTaZURc0olBui5c/hqBte1b3OWTjCmysG
+mwDL2FwdmFi9mbEm77sdD8PSVfkZaBv5rIaet+Xe/JMZoz0WUkZRCFXMr6B7aOdS
+WeB7kUsPh2J5dhf4x4YaxKLOHod9JQF/DGJsdexKqMTqM/xOMSQ1FTUMCQ5SBWJc
+3PywqMB/0eqlteHydlk7bb9HLCT3M6vVxTkpj834wGRsoVXPqWKzAHPpO2kjxXtc
+4DBh7T88YGE2k5rxdJHb3MjWVJQzHGhrO5Ji8CQaHjUJ4BTyim++RDisDi4C/QJ4
+qPOrafw/+KyJoWyfmAUpxplPvY/LKJlvKaKxmpwlildYjH7HjoYvCjagbSCUOnzo
+uM//YIJ8/o8QdxEDdYiTd7cwskYWphrAlV8+vCl/Y0lepRf+hsUS+uZi/NX4qYMx
+CTsewnnqJQduuehQl9/RnoBX9T04kS64cWNaPZ4dxZUYJm3us5QFcQJMysZ4tT1Y
+A0oEUX1KUTDzTQXT/kFi8MtmXauJAj4EEwECACgCGwMGCwkIBwMCBhUIAgkKCwQW
+AgMBAh4BAheABQJS1dELBQkF3R5rAAoJEPwbVHyNgXLIV98P/jcu/DiP/muH2Qsy
+FtjscyLu1NzBbSFB9q1jMVfx3VbaIT22Ly6BIQNHF7L2fpjf36EWpdJzpfR+Glp5
+1+KqZgIMAW5CGguSy8v7iHs6Rh5hzChiF48wCqxUmMdQ0ITTrnAXIYq6H6s8ytKF
+Y31znXmne1XYBg8e4yb3pcBhkzIPeVU7rMz9PjPB0+Q2jWCpqPA4eUSV8rL2TxFR
+KbEt8XlkZ6yuCLnkN84aLZFxfZA1tIGifi0PpeaO2z/IwOmftbQRiljMdnsPye49
+j4wlJS7yRIpnH3nH9Zku/MrDV/M0z7BVwKfF2F95/2QX4Tdyd/UESTdLqGtXpX4c
+axahZKrOhNr+k60qSBxoBqKauZkSbZunRnbYmVa3nA2kQuIPF9/QmoZgDUfdkKZJ
+u1RjwcRUGKd1XV19QjUvBMD3oHA4G6Jbi5vWKQZ40KVcL78YIL7C8dUOiPIasA45
+olaGpCSsGsfrMp5ngegxM+uh9Tc2kTFC9bTqp17VYI96cAqGrEBUQrmLmZLk0HUm
+a6MNZO/+vKN4UTlgjpjxZon+/yK8bsmT/VNie5hzqZim6tfztl3rpJ9jPUeLgr5x
+oGePYV02inapzNHdWFHk0L9zR/3KKfJ3IRJwUXp00Eya28hEepIvdxgLYcN1UqVn
+VuFuMY8zYSl/VXtPxySCLENJHxvdtClMZXZlbnRlIFBvbHlhayA8bGV2ZW50ZUBs
+ZXZlbnRlcG9seWFrLmRlPokCPgQTAQIAKAIbAwYLCQgHAwIGFQgCCQoLBBYCAwEC
+HgECF4AFAlSXU9oFCQfATw8ACgkQ/BtUfI2BcsiPxw//X2xUctIrd1O7UOk7LHBX
+/xI7xXoWQcA7l/1XMuZhM8yC8yIoAgvFrWBP1a29I0P3/yigkQXs+eTDTdvb0QP2
+q72q7Azt852v5u8+dHzoOXDpbo+4lfX+0OBDWimwJuChD8LQH7b7jO0oqWIV0AzM
+vegFJVp3cDbyqw08lBz3xZ79A9JtBeewf6PLpXKjEVS8bEAZjZKjsjAY+5ShtJAf
+PsD8r353dmkaHgC5Aji74ijZeY3PUCvGVVCGeN9isLnRpTEn7qUvN2DfHJU4w6aw
+sXu7m7zidISo6dQLUzo54dHKWPGFy6INNkzXPOgrlbYnjt7v0Ou21/R6HrhdmsSw
+lt7GALJcgAUxrcT/ljB3SZhSB0BdH0DXPcUziEdfhgMhhrXYpMjwH2XFBD1MLusW
+GaVDbpPrSoEnmPVePcDUonDHePcuLjfOl13mOER1Kf6WFapOCa+4HCLakfKcPnGY
+eyfD7Dbz3/046MmfQ8/Iyf8ipFXN6tI2WkRKj8uq9IFYrX3yoCBxZJN837DM3Grq
+h48/T3pYU1f9LiekxbsgXmcHoGNdXX5+EsuO+QILZPttlG5QLuqFdJHei77uvW+B
+4u8mgzi1Zhh0hRLm4K6UaJ/fBJ87BZSHShPKI9PI073U1O/CcYXnb8cdPLu3UgSQ
+FM/bxT70TSYKI01Dt4KXRfWIRgQQEQIABgUCTrg/KAAKCRC+dA9BPyK7GT9FAJ47
+X5+0dQaOFkfy3WnMgX3AmIXJYQCfR4XL47rZ9a66jWaD0IbcXMK4oE2JAj4EEwEC
+ACgFAk64PJ4CGwMFCQIchwAGCwkIBwMCBhUIAgkKCwQWAgMBAh4BAheAAAoJEPwb
+VHyNgXLI2U8QAJGKPv1gWLn7P1KeHVsKkfRf+zgdsoY4mF3bUjX/03z1h1OKp+S7
+gZD/ZI80ckw/ElgFt9sr8J+pOgHk+aGHW+V0cZNgDHXCINb17s+Ra7SA/SWeJOrr
+d4IpvTnjGc88C/j+bzRFagfnGXU601PeJdXIe6H75xVGIb0DgQBfPB9m+7p3sq/R
+6UigzLwwhIQRW/l77hq79v5Rm77e0GTfcYHSuKu2Itim8p5OYCNchr4ZpBzrv5cF
+/nH+HyD0AnM1q4a3mT9y4abNgtxJMGJBoIUEDT5vaTRpPowVHIGg9QroHkrYkMWA
+ffIBzoq38WLnPjvjNtTncyP7sjbP8KS7NfjxZ6RAcNO6m6BTDYG/lM9jwCcOma90
+RZDVYD8hy+z1hXWFfB7zB+5TYuuKV5SXZpS9/JUR1BuI44WkY0hLHUa7inpqLlqc
+b9O7KYikgyaeUKAN5LkF8A7rMVzuhrSItNzJVOs7WLnNAe9+Frzqx/jZ9aU04avS
+r5OlWLdL7k9JNDnsLFqNtG/XQ7Hc8CPl0HvY3YXYGD3xwW6Ua6+ykxZGmQGPB68W
+6a7G5EX+MEWKZgMQYsl1HgU49/sOD6QnCG3m2IB7bRAf5Kd527BnSgAaYHjVug8G
++X9opDwUW1b73Ut5tWfZJqQ4XBjl0Hc7Zi7OtlqdBeKGu/65QU+N9x33iQI+BBMB
+AgAoAhsDBgsJCAcDAgYVCAIJCgsEFgIDAQIeAQIXgAUCUNol+gUJA/yTqwAKCRD8
+G1R8jYFyyPv+D/9lA9yMXPBROLaCRab8Ca2QJBEtpT6lGVlkQ5Am2C8xdoLGiuJF
+E7Cn/lS1j4RSVDK6DELeaBMXaY2g1eun8g2ERJIUGC98zrPjZXs/ZtCZtX8vYr1X
+Bf9U8Ty6N3rKgt1XHc1oMgzkKLUc72RC+P/fkDsiAg62nVcmOFFykyTXnpM/5Ux/
+9kaahjf4LwGeRqkDIoLrXdZ7FHPjei8VlKSiHTkl4F+UCzEySxiInV+BWAhL5Lvb
+zHxHaNDCquOb2zbgafVKON3oa8nCZoUw3iwpjrEy/JT+1BG6vxyT/LX7wPG3SKEw
+8QTl8YBF8wvHS0JHW4KTc4grCMNWDwfkrlXnp6ZzTpy4JXZfYs/ltR4FH3atDG2C
+xRCSAWXkGyTPMZkougdDbJ3jjViYcWO6B//LE1qDjeC05O9G3MXVxu16M5U8nVA2
+B3bo5cVv7+ECBTKaAvG3ZV6eOaeJ63gHRY8qI7y5OgzuNfxUXMTIAjHfO2mvSy5M
+qFgDI10F8rYevGOKxvPVE1F8aiD1uRAOMCcLTy3oUKHIdaskSytL1D/bT9WqWzii
+OXhLhSjMzkdPSUWVABeC6KM+Jcll0A0sHTkKWS3mavx3dUacB+O4efuTKNhSvo7n
+XhUvSOOikRityipE5Ma5WlXBiu54DdIMGFzANHFdb5GmC7da9F1aALkshokCHAQQ
+AQIABgUCUtgrXgAKCRBH1QFsQv98LMmaD/9W2qJyFlZAsjOWgNQPwUU4vV9/Ursj
+kt4RI/oS0Gzovw2bmL0a+Q/dp6wM4PBMuYQXCepF8V+o4uKzL2OjVZDVtU/KqGCY
+rEigiAhG0gHxgF1ukc9JQzhShFeq7/wkY+FQ4MOhuhuUsSMlvFzAd1hY+xlvckol
+DEeS54loDspUh4EwxsWlopaA1rs5dzVXrYcinz9iDzLj6ujb6uJzCQVogk9w3dv8
+smKn81TVhtR4RFecqL9mURZcGnj7NV3n2Lrl2Pe0u/DiTtpavCkzVx7v9qiB/2Di
+dqWR7OtYcywUr6lZeZsNabNwntPxSP7V6EcNXF3Qpi2IkAcwdJKb+aIG1v7/Wx77
+GhpBhbtdgKEebttzO4EVVeE8a2kmgqc8VXeAeqI89egU53dUdAinejFVDyemxHnJ
+L4L6uVnSxbk/vRzu+fr6EaPyBsqORGXj2OuwxlWcnWs/N9XzNaiq6funedUSYtbP
+trdpt7ogvzrQew7wetcwfxSB3IWcVwA9QvGDIBHTWPrb87jKV153w9I+cSfz9jg8
+qTIOw4qad7VOC4L1oaoRsLq6VFgnoW5DLsuhaVd6fgdY/byL6H5q2FPYJ+F8ovhR
+2yPlQm8UYIFwmnwzpnuGBaPtU0bP7C+SNMK+G/9+b5q4psh1MnK8sg1RfSr1w7sw
+b+Tur045QrUDu4kCPgQTAQIAKAIbAwYLCQgHAwIGFQgCCQoLBBYCAwECHgECF4AF
+AlLV0QsFCQXdHmsACgkQ/BtUfI2BcsitRA/7BbFuuAXPJMA4XtPhlYbfhNkYQ7+v
+vx9HIZ1SgJfhpYwt/vbNTVclO79XD65v5JSWx+0gVJfHNolP5umB0++giIw9NCIx
+uVa5eh3kS5NFfJ0YHrYgpFDdZPHRA9wI+oZgJBC/Cm40kafgTUoPFqXb0Sdlcz3R
+hciLZBgYXV/uYubczfmAaJpmrVI1UuUWYrdPnmUkgitp9e6IePYiKVDeIGhBW8Bc
+7Nbs2hc9yH1zwv3Affs8m+4tQQiwQHsB29WEZcmBuFllTbA5g5bvTvhfCRmYVgWC
+Ti4SW+uA0B05a/aVP8fDXk82qCQ4cRB1BOwVNn+1/Aqcw+Zh8KKzH8gpPcsKGGP6
+uNg9uinuxYDneEY8cG7FSpm3XsXu4q4N6j5R63U6hz39pY/5Ib8mzYMEoLEZOLPu
+CkVH9OOQc8zuiRL/wGc0pbMiGPEp13rAI0WbIFahrWS60bwtM1YEM5Ep8vD3TLl1
+pTWlF/zWpM/uJ6n/4nDXGQsGzKQn5D5Nsu7+55C0du0d1VRvYd8oG3AaNqhtM46V
+C4eOqxH8XZtkJ3WMxhsHnV9acuDTpn5E5JKL7vEq0btN2UQ69lpKv7PmV/TgOJhf
+KKvHZ0dh6KYY7iKW7NUCouLGibBoxDa+K4reh0i0M5UcsNiPkCqDIHUAIxW6FrvQ
+xBr7NgCls+B9Kwu0JExldmVudGUgUG9seWFrIDxaM3IwLjB4MDBAZ21haWwuY29t
+PokCPgQTAQIAKAIbAwYLCQgHAwIGFQgCCQoLBBYCAwECHgECF4AFAlSXU9oFCQfA
+Tw8ACgkQ/BtUfI2Bcsg4cw/5Af5/cxr5s8qiPvcGDglJyzFj8VBk0d7hpgdxcOi3
+VCOJY4YRoliu8WKThwxt7sD03fSZurFDDx+X27y3zPtgH/qBohmcr51jbSNom4mH
+Gf8gpViFqbQlFh7tYz4kSQExgmpFx/FIaxmwFoEqiVrp6VpM2DZ6kg//4M+Ka2Mt
+nuzV3C631A0eoMCJhPWPTgkGGknURvzhw6m2aGFWC/HE1yzf7Ej7fQeaqIxIG4Wy
+Fk3lMV9rxMxGuUZTqIhvcU85JSriHowfX1VsAI2LXJYQ9c0jI737FcLwHv8VCa5s
+NKDkLkb5S83/4Ep8e9M+a7u4WvkAqzmPfSna7bLxdsTS5gKGqEtMvMP2YGWWQxSR
+GRSttiMmIC8Cnd45S8cASA2mR/ebNcrYOpa48cjYpBKDG2BIYU7oSLNulsM1qbxL
+WJ0QM/g7iKHcrXhyIBaI22GS9hvmYcS960cox9oPCvNZcOKA6FBklnUg/ReJ3JTj
+6D6v9SUxOOfXPQIon8EzB7BNKGedHxCFgniZnl10k+pP34YGyphMZTYGdhtAm6zq
+T7PlraHQaFgQ3ba78lJcn3cWVZYpbCNJiH+Nna/Akm3/qQKTst3eW1lqopffCs1m
+F6G6wjiHCw2bio5uX1c/gDr4Peh0E28heAqKopjultPXPZbSZL4D3fJIGP2j6e1B
+wvmIRgQQEQIABgUCTrg/KAAKCRC+dA9BPyK7GcYrAKCgKW+qFwbMNeh4ikFg9fJx
+4/lH9wCdGevT7dwBzPe6L+aWZxipEXYmjx6JAj4EEwECACgFAk64PN0CGwMFCQIc
+hwAGCwkIBwMCBhUIAgkKCwQWAgMBAh4BAheAAAoJEPwbVHyNgXLIThYP/AnoLpQl
+whEEKaIhOSOKXegfdUHK6cL4cHRACzRIbBk/S4G2Vg/bnUW8tvWZDQLZ3CGL8Z0F
+tNQ6GusUxt7mcYdSj7xynbi7bZiurgYp7B7hh1hVG3pAXEwlDnJgfoc0YZHrHZwt
+HnNVYOfGEQF4zyplmUUxDyp/ZMYcXMr3PVJkYBJhYKCHOkMUtzzNjSSginaqZY1p
+fgbP+Gou/9qgotkYiH84oUG9yTSKLIO5x0WzQYuoPNJyOdSHaLPfEqCC435vCYT5
+YLZB1YI5xzQiGsAL//cUCe267oiFmO9Ioky/azeX1Ouy2DH8uEDQPQFTJYXt3CbL
+i10HkoBWdmncPC6+b0IJjDUo8Iv4yk0xFt2/DGkGK3h6jJxJ9pzx5KBT46iLfU50
+iTWMTguXn9ud/UJV0MpKgKjvO9hB4fae60n2UootknzEw6Y5W55PfGkT14WcrGGo
+WHLSbpR6+gA9apU1cdoOC8nXlf3Eb2No6LP3X7RJXqiRsdP0s6QXkZGfR/qyNXI9
+S5j6wIyqNFU0cX21UgI9oJSKEKIKEFacgyD9za0gswEI+DZr8/p3cJE89ZX8ySgO
+FG148wgaakTNGyGwR6aogGZ8IAHc83bnwGCgTeK6ZPSKNLSE/sImcTOrxIN1/x39
+r8o0TxuZjqFH+zKWfpdHX+sJLyi8Gs29CsUhiQI+BBMBAgAoAhsDBgsJCAcDAgYV
+CAIJCgsEFgIDAQIeAQIXgAUCUNol+gUJA/yTqwAKCRD8G1R8jYFyyLl/EACG6QRV
+kKVBoI2Ycr4UISk2+gCD2r4xSK/QLEhDFcZRgMctvPVnhod3uJOsMGJCk3aPGu91
+Jtwuj0CkeURa/cVzOjC+f7baveTuWQaAqW+r70m6F4gYHU0aDD/uQ75rTCcrsmt2
+pnZCyA9jLJxQGG11AvbOcV+7K7BuIvXs4iAactZ0hRvDVuGXuup2LnUbxyBU2oj7
+OWCXKTpZcJ0KGTWapMf8ClYYsEgS0wvMWotJzAov7ijkoP2DyEQVOPTnGWcfjsTk
+QgbyqiFeBl+3IT4+xSzkPsd75dCYhsHBvCoT8cfUH4wvDXzU2CwpC1CDfHit6Hw5
+UigvZ8HXyn00Bm0UjLHGW+haS3kyOoz+z09gVFYd33cpjSnFr5is8ZMBPW31PE15
+q9/l6G/o6OGJCtOax3Yi6ttqn+KbDXIooZoRPZlayOSghyjoD40+ErevmqZPfJ3E
+o1kHz62B1YpoXmhUm2Ihf2SbjWJRaW9Hp2nd81kAAXjr+8k4yvOuHxwYPFnpBjfV
+cfYNQ3Zf5xF4nfszFuZMc5JYrIR3EYVgEk+n8VpulAqd0rXUEODwGy7rPjdxLY7w
+DhUEZMQN3xweIb4vjPDBb0Ax3ACyfWKIdT0kC3rGOy9xyCzxWO2CjHMjrbxy4jL7
+B0WIQ5fpRcV2+wozs2WYgJKVKJgJZGYsW8dDLYkCHAQQAQIABgUCUtgrXgAKCRBH
+1QFsQv98LIX0EADVefJUEMGKiTFLwUmWNF2X4oCzEZEMsQ6NliiQFvtNkKrT+OzZ
+zggxfINUr0XEKgjjoGZ03Hmm7xAFc1Y51QZEr25H18PuSixz2YSHPqYwwVgLUh0v
+u2AqaP0mQckssK+ZAQVvoZ7ZOI22ZXIZ6CPEPY6aJawHov8Strlm8oTbFgLfZ5Wo
+3NCxMkkq3NFNHuwesccelNPefgnFZWhwr1mkUeX+rCAbQF/QHYEAi7KjfKyY+XKs
+ccjYS+RWxpte21ejngp7pRYli3M8cZoaWKCzLTrD8gKztlo3op9Zc2+hjOY9gZtG
+CaXkN8lchJ1yMyWju61ZO++AJq6S2OdBVxgsj9xPm+x91RbZRHQmUuq8mefUzaEm
+NHE29udVFfuV//Fpabi04IrOuabkrSvP27eX9FT1y25tKFHuJdL5fDUFGnNnTvcR
+X51lJmvnuIKJQ+Lthup7npS0L06+dPIDoqyxF8hmdu3RtwEsvkboPaxx5XTB5d8y
+3wzBFWd4ePwBIumrY1YHSzdJCvyyLRXZbSOsHXgZfhfQ1LVgxxebP7E+stWqGLLC
+Fry0WGG8f/UUgVr1QpluT6NjioUnuI/ZmKR/aKewqVYWAnr54fF+np4VdxPfYwci
+lpbXpkamORZqPfq/nyoWgnp+y4AptDdDkSWnFxfcJ1wnFFcrHVUSFQ1wBYkCPgQT
+AQIAKAIbAwYLCQgHAwIGFQgCCQoLBBYCAwECHgECF4AFAlLV0QsFCQXdHmsACgkQ
+/BtUfI2BcsjV6w/9Fe1+3Mc6wG3R9VbxiYo13/JV4t+tA9/tcJ1R/Y96eAqVajoK
+c2ZQ7FrimmlzvLIvxpH4Z76h3NmPWfOQ6qEumZQ5BM3QwBfQQ3Tmj10gfiL5vOZJ
+6dUaJjwXgjz0Qyk1G3gw7K1xmtnXgBPyGT9T9q3OAhHHdV2b6xS9dWoNKhUV8GUn
+HfIKwq+87aZqexjFE7ubZdOAe+5nrqnlMEfJKgDjXbazES9IYvPQiSjwR3xaIPOa
+ma5WfQV0SHg3Vkhtv2PjuoYWNfNy17N7u+dfg7nAtKLIQCPht45uKk66BYWYBoDI
+VQfg6zcFLpdNcFzzwmgrYRZvEvBf5aSG3KFD7UReT0695/lHheRxEAA3thsx8gaM
+CCavtVxbVUluEfYZ7TgXLMuIO9OBKhi7MwB3iL5qacrNShMB+1J5FxieJBmWXdla
++kCdCdS+9kIZH+mnQ8daGEJ5R9mNcVwcWasI0o9NObqIZwhKw4obrC5Q7m2NfXL6
+FUScfA7yn7+/icdQB9fH2ZXGJVuNm1b8OBN6Nbz0QauaCystWzKXKwpVb/5M623v
+Vw75RfnqCFiAf4tX58nL/QalJc4C0E+TvQ2pXC47VQvHmiAB31vKvU0nbo+lzi64
+hAPWJnhr2pmTvglquTFzLwEsWfO4zDtUwFo8KM1XFsonaoX5UzGTXPmIN5+0J0xl
+dmVudGUgUG9seWFrIDxhbnRocmF4eEBhcmNobGludXgub3JnPokCPwQTAQIAKQIb
+AwcLCQgHAwIBBhUIAgkKCwQWAgMBAh4BAheABQJUl1PbBQkHwE8PAAoJEPwbVHyN
+gXLIdGAP/0ch1NeFyXWszqA5ow+itBn6iyUaplXB5I56Q77cTIFB6LqJ5+2kdUuO
+UqPvOilGS3dxbyDsSdWDLs+bHRFG4uqZyGUDhmu2mvS+uDqPFwcKJUNDlgdccxph
+sA5HJFGg1ca0TWWg8vjwANdU4sL9Ujbaw93v0Mx/1+aSIxyEJBNxc6DJWEfCjpSy
+R9JB8WTHgvxEAImVNsT1OGNTvd2DN+17WBhxBktLHDocIGJ/fttzFgKkv6NTPwt+
+y4QyP3UgeYRZR21B6MVckk2/UuCuCY7gAGruTFVoINa/Wqn2YPPZhJYrTX7ysDaV
+QLObxlepeo0UWC7wFEiuqu5OM75MWLUX8j/1OAIE6my85vrlcWSf0Z3jOAgPTjJw
+VT5h7T/7NPP2azoIlOE2bh5UcKXFkT0xDYPcMr2hV2Ih+jU+Ygiyg/1yIIxearmm
+PFjfIHMLepa+7RPtTlHwu4fpNPXzL13W6PXSoCTTi/suGlYmSyLtOwxq15GGT3vg
+1Xh8wfkuWwbWJnBKXtt8HkteQRgDngDnRSJwsO2nnQ7+sr+F8J3rQDdlVdVcolic
+ekup8ZgSjJYinfcpF+H+qy2kK2jOYyyHI/+zHQtwy1R7MbLwPJe7WNWrBmEvmazB
+2//Iu5EVIfFX3flPjeRQbKX4B/SuXF48uo0/8WfdgaMW8glRWJnbiQI/BBMBAgAp
+BQJUSwOnAhsDBQkF3R5rBwsJCAcDAgEGFQgCCQoLBBYCAwECHgECF4AACgkQ/BtU
+fI2Bcsj5ihAAg0d0A8OUsNWG7TiPQTuC/D4e/5JTkJARmQ5xO6gMPxTpjSZCyWEl
+7gQOg/liU8nz5HZGaJgg4HuBwTs6euqdnVi6zhW1c1wye2thGTQ7DeSPJnhju3Qe
+mPS1jEdC34lXCo6eGjdKnGb7TV7hkptHKHh7XCU9n6qcXQ2cNQQbdqSCRsfVm1XD
++p+mM/FGOz8uFOrhERAUl99WkVZ4NKTdws8U6FXulbdWrWwI4eRggIdwI/Tl7zuy
+ja7KxBCCeJ/gFY6g+iOYmIo6//bJITgmAG60hFHJ9JigcN6xglYFI28TCdNqM0+C
+hgbZUner0vLmaxRNoXqV9Xw8ihNMQa7fUFYkX8VrXOdLdVvee7OaeLuWWE8x6usQ
+NzgLDQQx9fmxtrQY+dC6Y25IPMm094z0nrbM1wtfG2+8Vw4mQ2U099fT5t3Yl7fE
+PlanhgQxRZE78PxezyYxms4HV+wqvrhlBzFnWAd6H27uDPfUfO9cLgbmFTUlwFhg
+gsDeIFRFx8+h4/0xAIPqUODmTiN0mj5sLRW7zvqZW6zhsGIMdPd+IkhHiGjeJqme
+Ai0iOjpV3tRteoW51/+/ajPmyUBbvOxiFJNADHH2NvqoBMU1pkTvpc7Wy+2J9VcF
+4TFdWBbwjU8BoC3ZgixTrT0zCSwabnKriglOhA5Ik/n5HsR7S76V13y0KExldmVu
+dGUgUG9seWFrIDxhbnRocmF4eEBoYW1idXJnLmNjYy5kZT6JAj0EEwEIACcFAlSX
+VHICGwMFCQfATw8FCwkIBwIGFQgJCgsCBBYCAwECHgECF4AACgkQ/BtUfI2Bcsia
+Wg//SKLFNUTEBQG11cV/AljxmI2s8y+cPKs3VqlwEjiuRMu4DRkFVaZNEuPq0b8q
+8pwcHIJ5/nZvOticm9M/g7TrTp3pOxmSYf7WG31vVrprig22dz8WxQAy76srNn1z
+stg0TFO7nKNVjZOFz5D0RpWazwnXyDed3l2/7RZ1CMv7ue/rZez8FnDHN7Di3daX
+AJ5XkvDAsD6AITYQd+4XEbh2rt9p8G6qUUjwzoVU/aGVgo1CGZydYMJQVccNL7kv
+fumnwkAED8u9j0ZI+xfaD3c1rP98bnqk9u8rJPCAeIkA4ppisDb7noz0NaO7dDyM
+ywBK4OR478fw5h7GfiIwZdVAHkCoEHNvF1ON8JnYgyplLvZvxZ0dtYGDYDiFdORN
+gVgGMU12kemPws4hEx3WMgUu/BBkF58XyQyqcwt7q+WGI2lQ88UzZ/FAsu8i8r/J
+jkV8FsiCJ2rSHEMddmOHoaTM+6oB2i9kZo7KmToSZu7DxuemlHpuOO3kG/iRga2y
+NeancRJwbxgZhNGBbhrA/7k5UOcXkmfW74oBkbCci0ncVhHu12dsJXhk+eprkOXv
+nD1vEIeuzL4V/SMDar3SxFlfLFwQk4cn9+pdeP3LxwHKBn74pABsbEBhEY4IjUEL
+YOTEVoP6s+Ou1NcLxFl3elmniwL2+GV5rDM8pctkKNemtZa5Ag0ETrg4RQEQALfu
+qEihKS+DTVlWUujzSq5zK/5oQ1ZL8AiTUTZuVtrRWCq0HE8tWaVxEP3Vt9FCo7yF
+afXigokChzHOgzczg80tctrlv+vbFyaZnjGQH20Nlz8EnZP102zudx/RdFXG/up8
+PX50Eck2lH+IvvosMLdvrZTkFJ4SgqMGSoAgMhJHZdZB5N0y8yPPAjcEnSXp8L2A
+mo9e0egCrEuqBrCZld00nIoipyDlYNZkLjPf0JRgFPO/AWWgBZLvLlteLu0emq8N
+96bT3QTdXpRVPM0qeX94+2gIj+0V1uQ9+k5Xkslbbii9TnOzMnLRO6dBAONVTTb3
+ajzdXK71iv2a8Y9lKShxhYWP9JNOFlXkAp+ZoD7EZex4dgu6giV3PrTDJLyWSu41
+WfqOz6cJGpJSTacrenC542ynAaSVKXH+1plqB9kq/M7HtE/P4GveQXIVT9Sho394
+4hwkuETo20KwCgFPMmiNaBysnOykIcDsDutBOyygdovzdGEyHVsM8/kz007QFgJf
+hKy91H6O/Cg7VH+yaUKllRZ+kFsoSy8/E0IqLzqBHG3sUGM6lJ0Q9fgSnpzIZsdE
+jRhczNCvlovGLa/kBHcEUWQ2zrjnfjsLkxvamKJ8N6LLIXIDRv5dE2smpdi3oiVg
+XdOKshyXB+obhRFlWtirK4udX5yYzUpcB0zBoo1hABEBAAGJAiUEGAECAA8CGwwF
+AlSXVAEFCQfATzwACgkQ/BtUfI2Bcsj0Tw//dyDYwcnh0BIb+nDCXFC91KiPUILa
+f+wI5w6c9YYEo6TR89q6Wsq8EDiqcqSJcztuNvw3MZGHWA25nNB/0046CGM/tUBd
+Jyudd3TxQBi6XMMSTbG1EMtSN1UMV4guuUfYcAGW38oZ+YJACCBFFz/Kt0aa/hhi
+/hBNyvI73vZfQ/fsScFDewkxikUEspRsLVmX6gaEmumOxOhJP3HBoxeBCM4Z3IXo
+dON2SiiMxt9BPIPJOyKNkFQGQ3dqJIag3GnsZ1s0CEoi8iqF7uS4RjC7uOJtvn74
+CODxg1Ibl1IweyAuBEA80wUh9DGLAdRJpxWy1B2fDhIROvpcg0R5p6j9UX0b0esc
+jKLQEiE1wRswjXhWpZhe7Pjl38KhwqMyaeR3OnDtP7JXazIG6HiBIp4cx4k5A2TT
+X+LhvG3NHCeuxIyjLTRTWgv241kf7uAu+qgjHDSKXQqpjvo+cUYQgSxQZZXnmlz0
+sz/tEeiWl+i8kW/RNKQvNNR8ghWDW3YRak/zS+WFNoLZchecIzMj+je1vSg411o4
+Xd3LHDur6boCetaq7ZkqoS+NcX9n8MnKhHKYJblvXyc1h67s90+wSwhlumA8WqlM
+yqn99m13aF8GuGZbw5B2/x/Cd7WW5wZV6ioola/yqDXB1XtDFBy2Hxr/VMRlE3Cu
+kekzzVjVTZxOgZE=
+=yRuG
+-----END PGP PUBLIC KEY BLOCK-----
diff --git a/nixpkgs/pkgs/os-specific/linux/kernel/hardened/config.nix b/nixpkgs/pkgs/os-specific/linux/kernel/hardened/config.nix
new file mode 100644
index 000000000000..92192eb79f89
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/kernel/hardened/config.nix
@@ -0,0 +1,100 @@
+# Based on recommendations from:
+# http://kernsec.org/wiki/index.php/Kernel_Self_Protection_Project#Recommended_settings
+# https://wiki.gentoo.org/wiki/Hardened/Hardened_Kernel_Project
+#
+# Dangerous features that can be permanently (for the boot session) disabled at
+# boot via sysctl or kernel cmdline are left enabled here, for improved
+# flexibility.
+#
+# See also <nixos/modules/profiles/hardened.nix>
+
+{ stdenv, lib, version }:
+
+with lib;
+with lib.kernel;
+with (lib.kernel.whenHelpers version);
+
+assert (versionAtLeast version "4.9");
+
+{
+  # Report BUG() conditions and kill the offending process.
+  BUG = yes;
+
+  # Mark LSM hooks read-only after init.  SECURITY_WRITABLE_HOOKS n
+  # conflicts with SECURITY_SELINUX_DISABLE y; disabling the latter
+  # implicitly marks LSM hooks read-only after init.
+  #
+  # SELinux can only be disabled at boot via selinux=0
+  #
+  # We set SECURITY_WRITABLE_HOOKS n primarily for documentation purposes; the
+  # config builder fails to detect that it has indeed been unset.
+  SECURITY_SELINUX_DISABLE = whenOlder "6.4" no; # On 6.4: error: unused option: SECURITY_SELINUX_DISABLE
+  SECURITY_WRITABLE_HOOKS  = option no;
+
+  STRICT_KERNEL_RWX = yes;
+
+  # Perform additional validation of commonly targeted structures.
+  DEBUG_CREDENTIALS     = yes;
+  DEBUG_NOTIFIERS       = yes;
+  DEBUG_PI_LIST         = whenOlder "5.2" yes; # doesn't BUG()
+  DEBUG_PLIST           = whenAtLeast "5.2" yes;
+  DEBUG_SG              = yes;
+  SCHED_STACK_END_CHECK = yes;
+
+  REFCOUNT_FULL = whenOlder "5.4.208" yes;
+
+  # Randomize page allocator when page_alloc.shuffle=1
+  SHUFFLE_PAGE_ALLOCATOR = whenAtLeast "5.2" yes;
+
+  # Allow enabling slub/slab free poisoning with slub_debug=P
+  SLUB_DEBUG = yes;
+
+  # Wipe higher-level memory allocations on free() with page_poison=1
+  PAGE_POISONING           = yes;
+  PAGE_POISONING_NO_SANITY = whenOlder "5.11" yes;
+  PAGE_POISONING_ZERO      = whenOlder "5.11" yes;
+
+  # Enable the SafeSetId LSM
+  SECURITY_SAFESETID = whenAtLeast "5.1" yes;
+
+  # Reboot devices immediately if kernel experiences an Oops.
+  PANIC_TIMEOUT = freeform "-1";
+
+  GCC_PLUGINS = yes; # Enable gcc plugin options
+  # Gather additional entropy at boot time for systems that may not have appropriate entropy sources.
+  GCC_PLUGIN_LATENT_ENTROPY = yes;
+
+  GCC_PLUGIN_STRUCTLEAK = option yes; # A port of the PaX structleak plugin
+  GCC_PLUGIN_STRUCTLEAK_BYREF_ALL = option yes; # Also cover structs passed by address
+  GCC_PLUGIN_STACKLEAK = whenAtLeast "4.20" yes; # A port of the PaX stackleak plugin
+  GCC_PLUGIN_RANDSTRUCT = whenOlder "5.19" yes; # A port of the PaX randstruct plugin
+  GCC_PLUGIN_RANDSTRUCT_PERFORMANCE = whenOlder "5.19" yes;
+
+  # Same as GCC_PLUGIN_RANDSTRUCT*, but has been renamed to `RANDSTRUCT*` in 5.19.
+  RANDSTRUCT = whenAtLeast "5.19" yes;
+  RANDSTRUCT_PERFORMANCE = whenAtLeast "5.19" yes;
+
+  # Disable various dangerous settings
+  ACPI_CUSTOM_METHOD = no; # Allows writing directly to physical memory
+  PROC_KCORE         = no; # Exposes kernel text image layout
+  INET_DIAG          = no; # Has been used for heap based attacks in the past
+
+  # INET_DIAG=n causes the following options to not exist anymore, but since they are defined in common-config.nix,
+  # make them optional
+  INET_DIAG_DESTROY = option no;
+  INET_RAW_DIAG     = option no;
+  INET_TCP_DIAG     = option no;
+  INET_UDP_DIAG     = option no;
+  INET_MPTCP_DIAG   = option no;
+
+  # Use -fstack-protector-strong (gcc 4.9+) for best stack canary coverage.
+  CC_STACKPROTECTOR_REGULAR = lib.mkForce (whenOlder "4.18" no);
+  CC_STACKPROTECTOR_STRONG  = whenOlder "4.18" yes;
+
+  # Detect out-of-bound reads/writes and use-after-free
+  KFENCE = whenAtLeast "5.12" yes;
+
+  # CONFIG_DEVMEM=n causes these to not exist anymore.
+  STRICT_DEVMEM    = option no;
+  IO_STRICT_DEVMEM = option no;
+}
diff --git a/nixpkgs/pkgs/os-specific/linux/kernel/hardened/patches.json b/nixpkgs/pkgs/os-specific/linux/kernel/hardened/patches.json
new file mode 100644
index 000000000000..d8f8bb2fa73f
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/kernel/hardened/patches.json
@@ -0,0 +1,82 @@
+{
+    "4.14": {
+        "patch": {
+            "extra": "-hardened1",
+            "name": "linux-hardened-4.14.328-hardened1.patch",
+            "sha256": "1qq2l4nwhxgl4drx6isc1ly892kffjq4hqb4zadqs6sxvsdm7x57",
+            "url": "https://github.com/anthraxx/linux-hardened/releases/download/4.14.328-hardened1/linux-hardened-4.14.328-hardened1.patch"
+        },
+        "sha256": "1igcpvnhwwrczfdsafmszvi0456k7f6j4cgpfw6v6afw09p95d8x",
+        "version": "4.14.328"
+    },
+    "4.19": {
+        "patch": {
+            "extra": "-hardened1",
+            "name": "linux-hardened-4.19.297-hardened1.patch",
+            "sha256": "1qj09bynl7ml880xpc2956jn0b1gmm77yf3jc45v3jq3610jhna4",
+            "url": "https://github.com/anthraxx/linux-hardened/releases/download/4.19.297-hardened1/linux-hardened-4.19.297-hardened1.patch"
+        },
+        "sha256": "0c9xxqgv2i36hrr06dwz7f3idc04xpv0a5pxg08xdh03cnyf12cx",
+        "version": "4.19.297"
+    },
+    "5.10": {
+        "patch": {
+            "extra": "-hardened1",
+            "name": "linux-hardened-5.10.199-hardened1.patch",
+            "sha256": "10vwd5wygfnxpbz15bq56pjygba3vqqal0d7xry2bch4p444pp5f",
+            "url": "https://github.com/anthraxx/linux-hardened/releases/download/5.10.199-hardened1/linux-hardened-5.10.199-hardened1.patch"
+        },
+        "sha256": "1h944syk7n6c4j1djlx19n77alzwbxcdza77c9ykicgfynhpgsm0",
+        "version": "5.10.199"
+    },
+    "5.15": {
+        "patch": {
+            "extra": "-hardened1",
+            "name": "linux-hardened-5.15.137-hardened1.patch",
+            "sha256": "19gs1w380qgvazwjwhxypizpfx71faa7hsji0x5cgyw6vxhi6l1b",
+            "url": "https://github.com/anthraxx/linux-hardened/releases/download/5.15.137-hardened1/linux-hardened-5.15.137-hardened1.patch"
+        },
+        "sha256": "1xxjbxldrhmnh2q6rykpxyfbj8xqgl82q30n8sfavrzr14bb4jcp",
+        "version": "5.15.137"
+    },
+    "5.4": {
+        "patch": {
+            "extra": "-hardened1",
+            "name": "linux-hardened-5.4.259-hardened1.patch",
+            "sha256": "1w8ipflgisd127gmx6wyz8p5qfi8cfd2a5j2xgibspkf45nzfwi8",
+            "url": "https://github.com/anthraxx/linux-hardened/releases/download/5.4.259-hardened1/linux-hardened-5.4.259-hardened1.patch"
+        },
+        "sha256": "195v4fidavzm637glj6580006mrcaygnbj4za874imb62bxf9rpz",
+        "version": "5.4.259"
+    },
+    "6.1": {
+        "patch": {
+            "extra": "-hardened1",
+            "name": "linux-hardened-6.1.61-hardened1.patch",
+            "sha256": "0d9zhh32dx1q828q50kmznmsa6yinppbklhgg8ix7b7k23857ha6",
+            "url": "https://github.com/anthraxx/linux-hardened/releases/download/6.1.61-hardened1/linux-hardened-6.1.61-hardened1.patch"
+        },
+        "sha256": "1kk4d7ph6pvgdrdmaklg15wf58nw9n7yqgkag7jdvqinzh99sb5d",
+        "version": "6.1.61"
+    },
+    "6.4": {
+        "patch": {
+            "extra": "-hardened1",
+            "name": "linux-hardened-6.4.16-hardened1.patch",
+            "sha256": "10lydnnhhq9ynng1gfaqh1mncsb0dmr27zzcbygs1xigy2bl70n9",
+            "url": "https://github.com/anthraxx/linux-hardened/releases/download/6.4.16-hardened1/linux-hardened-6.4.16-hardened1.patch"
+        },
+        "sha256": "0zgj1z97jyx7wf12zrnlcp0mj4cl43ais9qsy6dh1jwylf2fq9ln",
+        "version": "6.4.16"
+    },
+    "6.5": {
+        "patch": {
+            "extra": "-hardened1",
+            "name": "linux-hardened-6.5.10-hardened1.patch",
+            "sha256": "0p2lj7ryiizr1sxvm2kgds3l8sg9fns35y2fcyqq61lg7ymzj1fi",
+            "url": "https://github.com/anthraxx/linux-hardened/releases/download/6.5.10-hardened1/linux-hardened-6.5.10-hardened1.patch"
+        },
+        "sha256": "12sswml8jvabv6bqx35lg3jj6gq8jjk365rghjngdy5d0j34jpx1",
+        "version": "6.5.10"
+    }
+}
diff --git a/nixpkgs/pkgs/os-specific/linux/kernel/hardened/update.py b/nixpkgs/pkgs/os-specific/linux/kernel/hardened/update.py
new file mode 100755
index 000000000000..ce54c2980758
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/kernel/hardened/update.py
@@ -0,0 +1,298 @@
+#! /usr/bin/env nix-shell
+#! nix-shell -i python -p "python3.withPackages (ps: [ps.pygithub])" git gnupg
+
+# This is automatically called by ../update.sh.
+
+from __future__ import annotations
+
+import json
+import os
+import re
+import subprocess
+import sys
+from dataclasses import dataclass
+from pathlib import Path
+from tempfile import TemporaryDirectory
+from typing import (
+    Dict,
+    Iterator,
+    List,
+    Optional,
+    Sequence,
+    Tuple,
+    TypedDict,
+    Union,
+)
+
+from github import Github
+from github.GitRelease import GitRelease
+
+VersionComponent = Union[int, str]
+Version = List[VersionComponent]
+
+
+PatchData = TypedDict("PatchData", {"name": str, "url": str, "sha256": str, "extra": str})
+Patch = TypedDict("Patch", {
+    "patch": PatchData,
+    "version": str,
+    "sha256": str,
+})
+
+
+@dataclass
+class ReleaseInfo:
+    version: Version
+    release: GitRelease
+
+
+HERE = Path(__file__).resolve().parent
+NIXPKGS_KERNEL_PATH = HERE.parent
+NIXPKGS_PATH = HERE.parents[4]
+HARDENED_GITHUB_REPO = "anthraxx/linux-hardened"
+HARDENED_TRUSTED_KEY = HERE / "anthraxx.asc"
+HARDENED_PATCHES_PATH = HERE / "patches.json"
+MIN_KERNEL_VERSION: Version = [4, 14]
+
+
+def run(*args: Union[str, Path]) -> subprocess.CompletedProcess[bytes]:
+    try:
+        return subprocess.run(
+            args,
+            check=True,
+            stdout=subprocess.PIPE,
+            stderr=subprocess.PIPE,
+            encoding="utf-8",
+        )
+    except subprocess.CalledProcessError as err:
+        print(
+            f"error: `{err.cmd}` failed unexpectedly\n"
+            f"status code: {err.returncode}\n"
+            f"stdout:\n{err.stdout.strip()}\n"
+            f"stderr:\n{err.stderr.strip()}",
+            file=sys.stderr,
+        )
+        sys.exit(1)
+
+
+def nix_prefetch_url(url: str) -> Tuple[str, Path]:
+    output = run("nix-prefetch-url", "--print-path", url).stdout
+    sha256, path = output.strip().split("\n")
+    return sha256, Path(path)
+
+
+def verify_openpgp_signature(
+    *, name: str, trusted_key: Path, sig_path: Path, data_path: Path,
+) -> bool:
+    with TemporaryDirectory(suffix=".nixpkgs-gnupg-home") as gnupg_home_str:
+        gnupg_home = Path(gnupg_home_str)
+        run("gpg", "--homedir", gnupg_home, "--import", trusted_key)
+        keyring = gnupg_home / "pubring.kbx"
+        try:
+            subprocess.run(
+                ("gpgv", "--keyring", keyring, sig_path, data_path),
+                check=True,
+                stderr=subprocess.PIPE,
+                encoding="utf-8",
+            )
+            return True
+        except subprocess.CalledProcessError as err:
+            print(
+                f"error: signature for {name} failed to verify!",
+                file=sys.stderr,
+            )
+            print(err.stderr, file=sys.stderr, end="")
+            return False
+
+
+def fetch_patch(*, name: str, release_info: ReleaseInfo) -> Optional[Patch]:
+    release = release_info.release
+    extra = f'-{release_info.version[-1]}'
+
+    def find_asset(filename: str) -> str:
+        try:
+            it: Iterator[str] = (
+                asset.browser_download_url
+                for asset in release.get_assets()
+                if asset.name == filename
+            )
+            return next(it)
+        except StopIteration:
+            raise KeyError(filename)
+
+    patch_filename = f"{name}.patch"
+    try:
+        patch_url = find_asset(patch_filename)
+        sig_url = find_asset(patch_filename + ".sig")
+    except KeyError:
+        print(f"error: {patch_filename}{{,.sig}} not present", file=sys.stderr)
+        return None
+
+    sha256, patch_path = nix_prefetch_url(patch_url)
+    _, sig_path = nix_prefetch_url(sig_url)
+    sig_ok = verify_openpgp_signature(
+        name=name,
+        trusted_key=HARDENED_TRUSTED_KEY,
+        sig_path=sig_path,
+        data_path=patch_path,
+    )
+    if not sig_ok:
+        return None
+
+    kernel_ver = re.sub(r"(.*)(-hardened[\d]+)$", r'\1', release_info.release.tag_name)
+    major = kernel_ver.split('.')[0]
+    sha256_kernel, _ = nix_prefetch_url(f"mirror://kernel/linux/kernel/v{major}.x/linux-{kernel_ver}.tar.xz")
+
+    return Patch(
+        patch=PatchData(name=patch_filename, url=patch_url, sha256=sha256, extra=extra),
+        version=kernel_ver,
+        sha256=sha256_kernel
+    )
+
+
+def parse_version(version_str: str) -> Version:
+    version: Version = []
+    for component in re.split('\.|\-', version_str):
+        try:
+            version.append(int(component))
+        except ValueError:
+            version.append(component)
+    return version
+
+
+def version_string(version: Version) -> str:
+    return ".".join(str(component) for component in version)
+
+
+def major_kernel_version_key(kernel_version: Version) -> str:
+    return version_string(kernel_version[:-1])
+
+
+def commit_patches(*, kernel_key: str, message: str) -> None:
+    new_patches_path = HARDENED_PATCHES_PATH.with_suffix(".new")
+    with open(new_patches_path, "w") as new_patches_file:
+        json.dump(patches, new_patches_file, indent=4, sort_keys=True)
+        new_patches_file.write("\n")
+    os.rename(new_patches_path, HARDENED_PATCHES_PATH)
+    message = f"linux/hardened/patches/{kernel_key}: {message}"
+    print(message)
+    if os.environ.get("COMMIT"):
+        run(
+            "git",
+            "-C",
+            NIXPKGS_PATH,
+            "commit",
+            f"--message={message}",
+            HARDENED_PATCHES_PATH,
+        )
+
+
+# Load the existing patches.
+patches: Dict[str, Patch]
+with open(HARDENED_PATCHES_PATH) as patches_file:
+    patches = json.load(patches_file)
+
+# Get the set of currently packaged kernel versions.
+kernel_versions = {}
+with open(NIXPKGS_KERNEL_PATH / "kernels-org.json") as kernel_versions_json:
+    kernel_versions = json.load(kernel_versions_json)
+    for kernel_branch_str in kernel_versions:
+        if kernel_branch_str == "testing": continue
+        kernel_branch = [int(i) for i in kernel_branch_str.split(".")]
+        if kernel_branch < MIN_KERNEL_VERSION: continue
+        kernel_version = [int(i) for i in kernel_versions[kernel_branch_str]["version"].split(".")]
+        kernel_versions[kernel_branch_str] = kernel_version
+
+# Remove patches for unpackaged kernel versions.
+for kernel_key in sorted(patches.keys() - kernel_versions.keys()):
+    commit_patches(kernel_key=kernel_key, message="remove")
+
+g = Github(os.environ.get("GITHUB_TOKEN"))
+repo = g.get_repo(HARDENED_GITHUB_REPO)
+failures = False
+
+# Match each kernel version with the best patch version.
+releases = {}
+i = 0
+for release in repo.get_releases():
+    # Dirty workaround to make sure that we don't run into issues because
+    # GitHub's API only allows fetching the last 1000 releases.
+    # It's not reliable to exit earlier because not every kernel minor may
+    # have hardened patches, hence the naive search below.
+    i += 1
+    if i > 500:
+        break
+
+    version = parse_version(release.tag_name)
+    # needs to look like e.g. 5.6.3-hardened1
+    if len(version) < 4:
+        continue
+
+    if not (isinstance(version[-2], int)):
+        continue
+
+    kernel_version = version[:-1]
+
+    kernel_key = major_kernel_version_key(kernel_version)
+    try:
+        packaged_kernel_version = kernel_versions[kernel_key]
+    except KeyError:
+        continue
+
+    release_info = ReleaseInfo(version=version, release=release)
+
+    if kernel_version == packaged_kernel_version:
+        releases[kernel_key] = release_info
+    else:
+        # Fall back to the latest patch for this major kernel version,
+        # skipping patches for kernels newer than the packaged one.
+        if '.'.join(str(x) for x in kernel_version) > '.'.join(str(x) for x in packaged_kernel_version):
+            continue
+        elif (
+            kernel_key not in releases or releases[kernel_key].version < version
+        ):
+            releases[kernel_key] = release_info
+
+# Update hardened-patches.json for each release.
+for kernel_key in sorted(releases.keys()):
+    release_info = releases[kernel_key]
+    release = release_info.release
+    version = release_info.version
+    version_str = release.tag_name
+    name = f"linux-hardened-{version_str}"
+
+    old_version: Optional[Version] = None
+    old_version_str: Optional[str] = None
+    update: bool
+    try:
+        old_filename = patches[kernel_key]["patch"]["name"]
+        old_version_str = old_filename.replace("linux-hardened-", "").replace(
+            ".patch", ""
+        )
+        old_version = parse_version(old_version_str)
+        update = old_version < version
+    except KeyError:
+        update = True
+
+    if update:
+        patch = fetch_patch(name=name, release_info=release_info)
+        if patch is None:
+            failures = True
+        else:
+            patches[kernel_key] = patch
+            if old_version:
+                message = f"{old_version_str} -> {version_str}"
+            else:
+                message = f"init at {version_str}"
+            commit_patches(kernel_key=kernel_key, message=message)
+
+missing_kernel_versions = kernel_versions.keys() - patches.keys()
+
+if missing_kernel_versions:
+    print(
+        f"warning: no patches for kernel versions "
+        + ", ".join(missing_kernel_versions),
+        file=sys.stderr,
+    )
+
+if failures:
+    sys.exit(1)
diff --git a/nixpkgs/pkgs/os-specific/linux/kernel/htmldocs.nix b/nixpkgs/pkgs/os-specific/linux/kernel/htmldocs.nix
new file mode 100644
index 000000000000..ba641347c839
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/kernel/htmldocs.nix
@@ -0,0 +1,56 @@
+{ lib
+, stdenv
+, graphviz
+, imagemagick
+, linux_latest
+, makeFontsConf
+, perl
+, python3
+, sphinx
+, which
+}:
+
+stdenv.mkDerivation {
+  pname = "linux-kernel-latest-htmldocs";
+
+  inherit (linux_latest) version src;
+
+  postPatch = ''
+    patchShebangs \
+      Documentation/sphinx/parse-headers.pl \
+      scripts/{get_abi.pl,get_feat.pl,kernel-doc,sphinx-pre-install}
+  '';
+
+  FONTCONFIG_FILE = makeFontsConf {
+    fontDirectories = [ ];
+  };
+
+  nativeBuildInputs = [
+    graphviz
+    imagemagick
+    perl
+    python3.pkgs.sphinx
+    python3.pkgs.sphinx-rtd-theme
+    which
+  ];
+
+  preBuild = ''
+    export XDG_CACHE_HOME="$(mktemp -d)"
+  '';
+
+  makeFlags = [ "htmldocs" ];
+
+  installPhase = ''
+    mkdir -p $out/share/doc
+    mv Documentation/output $out/share/doc/linux-doc
+    cp -r Documentation/* $out/share/doc/linux-doc/
+  '';
+
+  meta = with lib; {
+    description = "Linux kernel html documentation";
+    homepage = "https://www.kernel.org/doc/htmldocs/";
+    platforms = platforms.linux;
+    inherit (linux_latest.meta) license;
+    maintainers = with maintainers; [ ];
+  };
+}
diff --git a/nixpkgs/pkgs/os-specific/linux/kernel/kernels-org.json b/nixpkgs/pkgs/os-specific/linux/kernel/kernels-org.json
new file mode 100644
index 000000000000..94ab60aa67b9
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/kernel/kernels-org.json
@@ -0,0 +1,38 @@
+{
+    "testing": {
+        "version": "6.7-rc1",
+        "hash": "sha256:1a071vvmm08sp48d0arqzcmqnz5xdb1vflfhxcqwmpzaabjrgadk"
+    },
+    "6.5": {
+        "version": "6.5.11",
+        "hash": "sha256:06dmb4hbwrms0lp4axphwgj8wbnzsym70sx55lxr501b53wlmqif"
+    },
+    "6.1": {
+        "version": "6.1.62",
+        "hash": "sha256:1v453q4sf0j8708ivs1zmdf645hgimqvxfc8xz7czgnnmipn3zdr"
+    },
+    "5.15": {
+        "version": "5.15.138",
+        "hash": "sha256:1ajaxy97gx0c9cdxiyxa49ykfsykir22i9abfrcizh71ci0yb15g"
+    },
+    "5.10": {
+        "version": "5.10.200",
+        "hash": "sha256:012i41bj8rcqn0vhfxrwq3gg82nb6pp2cwq8n146wj47pwgrcbcx"
+    },
+    "5.4": {
+        "version": "5.4.260",
+        "hash": "sha256:1zpbaipd2j3idj8h9iznlj0ywcq5nkhwj707a1f9ixf82h3q4c4q"
+    },
+    "4.19": {
+        "version": "4.19.298",
+        "hash": "sha256:0mhgq6hdcls1af7nj999x1mds5b37s7vwin8nsb4q0lnx2y1da4x"
+    },
+    "4.14": {
+        "version": "4.14.329",
+        "hash": "sha256:1dvb4xf0b7snabznl7bg7gga7ffdmywy8vr8q65pzl9yf6fnhdny"
+    },
+    "6.6": {
+        "version": "6.6.1",
+        "hash": "sha256:0d42b1hbvv9w3y3q4wydr6il0g5a823n54a06p4p5vcpgkadf7ns"
+    }
+}
diff --git a/nixpkgs/pkgs/os-specific/linux/kernel/linux-libre.nix b/nixpkgs/pkgs/os-specific/linux/kernel/linux-libre.nix
new file mode 100644
index 000000000000..9cf5f46cfb80
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/kernel/linux-libre.nix
@@ -0,0 +1,47 @@
+{ stdenv, lib, fetchsvn, linux
+, scripts ? fetchsvn {
+    url = "https://www.fsfla.org/svn/fsfla/software/linux-libre/releases/branches/";
+    rev = "19441";
+    sha256 = "1z0x8cw9nr7qf5qh3xjf6rg20q0i79bg71lik847sabyb6vcrk0z";
+  }
+, ...
+}:
+
+let
+  majorMinor = lib.versions.majorMinor linux.modDirVersion;
+
+  major = lib.versions.major linux.modDirVersion;
+  minor = lib.versions.minor linux.modDirVersion;
+  patch = lib.versions.patch linux.modDirVersion;
+
+  # See http://linux-libre.fsfla.org/pub/linux-libre/releases
+  versionPrefix = if linux.kernelOlder "5.14" then
+    "gnu1"
+  else
+    "gnu";
+in linux.override {
+  argsOverride = {
+    modDirVersion = "${linux.modDirVersion}-${versionPrefix}";
+    isLibre = true;
+
+    src = stdenv.mkDerivation {
+      name = "${linux.name}-libre-src";
+      src = linux.src;
+      buildPhase = ''
+        # --force flag to skip empty files after deblobbing
+        ${scripts}/${majorMinor}/deblob-${majorMinor} --force \
+            ${major} ${minor} ${patch}
+      '';
+      checkPhase = ''
+        ${scripts}/deblob-check
+      '';
+      installPhase = ''
+        cp -r . "$out"
+      '';
+    };
+
+    passthru.updateScript = ./update-libre.sh;
+
+    maintainers = with lib.maintainers; [ qyliss ivar ];
+  };
+}
diff --git a/nixpkgs/pkgs/os-specific/linux/kernel/linux-rpi.nix b/nixpkgs/pkgs/os-specific/linux/kernel/linux-rpi.nix
new file mode 100644
index 000000000000..1bea61975297
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/kernel/linux-rpi.nix
@@ -0,0 +1,72 @@
+{ stdenv, lib, buildPackages, fetchFromGitHub, perl, buildLinux, rpiVersion, ... } @ args:
+
+let
+  # NOTE: raspberrypifw & raspberryPiWirelessFirmware should be updated with this
+  modDirVersion = "6.1.21";
+  tag = "1.20230405";
+in
+lib.overrideDerivation (buildLinux (args // {
+  version = "${modDirVersion}-${tag}";
+  inherit modDirVersion;
+
+  src = fetchFromGitHub {
+    owner = "raspberrypi";
+    repo = "linux";
+    rev = tag;
+    hash = "sha256-ILwecHZ1BN6GhZAUB6/UwiN/rZ8gHndKON6DUhidtxI=";
+  };
+
+  defconfig = {
+    "1" = "bcmrpi_defconfig";
+    "2" = "bcm2709_defconfig";
+    "3" = if stdenv.hostPlatform.isAarch64 then "bcmrpi3_defconfig" else "bcm2709_defconfig";
+    "4" = "bcm2711_defconfig";
+  }.${toString rpiVersion};
+
+  features = {
+    efiBootStub = false;
+  } // (args.features or {});
+
+  extraMeta = if (rpiVersion < 3) then {
+    platforms = with lib.platforms; arm;
+    hydraPlatforms = [];
+  } else {
+    platforms = with lib.platforms; arm ++ aarch64;
+    hydraPlatforms = [ "aarch64-linux" ];
+  };
+} // (args.argsOverride or {}))) (oldAttrs: {
+  postConfigure = ''
+    # The v7 defconfig has this set to '-v7' which screws up our modDirVersion.
+    sed -i $buildRoot/.config -e 's/^CONFIG_LOCALVERSION=.*/CONFIG_LOCALVERSION=""/'
+    sed -i $buildRoot/include/config/auto.conf -e 's/^CONFIG_LOCALVERSION=.*/CONFIG_LOCALVERSION=""/'
+  '';
+
+  # Make copies of the DTBs named after the upstream names so that U-Boot finds them.
+  # This is ugly as heck, but I don't know a better solution so far.
+  postFixup = ''
+    dtbDir=${if stdenv.isAarch64 then "$out/dtbs/broadcom" else "$out/dtbs"}
+    rm $dtbDir/bcm283*.dtb
+    copyDTB() {
+      cp -v "$dtbDir/$1" "$dtbDir/$2"
+    }
+  '' + lib.optionalString (lib.elem stdenv.hostPlatform.system ["armv6l-linux"]) ''
+    copyDTB bcm2708-rpi-zero-w.dtb bcm2835-rpi-zero.dtb
+    copyDTB bcm2708-rpi-zero-w.dtb bcm2835-rpi-zero-w.dtb
+    copyDTB bcm2708-rpi-b.dtb bcm2835-rpi-a.dtb
+    copyDTB bcm2708-rpi-b.dtb bcm2835-rpi-b.dtb
+    copyDTB bcm2708-rpi-b.dtb bcm2835-rpi-b-rev2.dtb
+    copyDTB bcm2708-rpi-b-plus.dtb bcm2835-rpi-a-plus.dtb
+    copyDTB bcm2708-rpi-b-plus.dtb bcm2835-rpi-b-plus.dtb
+    copyDTB bcm2708-rpi-b-plus.dtb bcm2835-rpi-zero.dtb
+    copyDTB bcm2708-rpi-cm.dtb bcm2835-rpi-cm.dtb
+  '' + lib.optionalString (lib.elem stdenv.hostPlatform.system ["armv7l-linux"]) ''
+    copyDTB bcm2709-rpi-2-b.dtb bcm2836-rpi-2-b.dtb
+  '' + lib.optionalString (lib.elem stdenv.hostPlatform.system ["armv7l-linux" "aarch64-linux"]) ''
+    copyDTB bcm2710-rpi-zero-2.dtb bcm2837-rpi-zero-2.dtb
+    copyDTB bcm2710-rpi-3-b.dtb bcm2837-rpi-3-b.dtb
+    copyDTB bcm2710-rpi-3-b-plus.dtb bcm2837-rpi-3-a-plus.dtb
+    copyDTB bcm2710-rpi-3-b-plus.dtb bcm2837-rpi-3-b-plus.dtb
+    copyDTB bcm2710-rpi-cm3.dtb bcm2837-rpi-cm3.dtb
+    copyDTB bcm2711-rpi-4-b.dtb bcm2838-rpi-4-b.dtb
+  '';
+})
diff --git a/nixpkgs/pkgs/os-specific/linux/kernel/linux-rt-5.10.nix b/nixpkgs/pkgs/os-specific/linux/kernel/linux-rt-5.10.nix
new file mode 100644
index 000000000000..65ca352b53b8
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/kernel/linux-rt-5.10.nix
@@ -0,0 +1,44 @@
+{ lib, buildLinux, fetchurl
+, kernelPatches ? [ ]
+, structuredExtraConfig ? {}
+, extraMeta ? {}
+, argsOverride ? {}
+, ... } @ args:
+
+let
+  version = "5.10.199-rt97"; # updated by ./update-rt.sh
+  branch = lib.versions.majorMinor version;
+  kversion = builtins.elemAt (lib.splitString "-" version) 0;
+in buildLinux (args // {
+  inherit version;
+
+  # modDirVersion needs a patch number, change X.Y-rtZ to X.Y.0-rtZ.
+  modDirVersion = lib.versions.pad 3 version;
+
+  src = fetchurl {
+    url = "mirror://kernel/linux/kernel/v5.x/linux-${kversion}.tar.xz";
+    sha256 = "1h944syk7n6c4j1djlx19n77alzwbxcdza77c9ykicgfynhpgsm0";
+  };
+
+  kernelPatches = let rt-patch = {
+    name = "rt";
+    patch = fetchurl {
+      url = "mirror://kernel/linux/kernel/projects/rt/${branch}/older/patch-${version}.patch.xz";
+      sha256 = "13k7md0a63q4r5vqqvbszmg3kzp5np0hdaj1siyl4yvs9j78d03s";
+    };
+  }; in [ rt-patch ] ++ kernelPatches;
+
+  structuredExtraConfig = with lib.kernel; {
+    PREEMPT_RT = yes;
+    # Fix error: unused option: PREEMPT_RT.
+    EXPERT = yes; # PREEMPT_RT depends on it (in kernel/Kconfig.preempt)
+    # Fix error: option not set correctly: PREEMPT_VOLUNTARY (wanted 'y', got 'n').
+    PREEMPT_VOLUNTARY = lib.mkForce no; # PREEMPT_RT deselects it.
+    # Fix error: unused option: RT_GROUP_SCHED.
+    RT_GROUP_SCHED = lib.mkForce (option no); # Removed by sched-disable-rt-group-sched-on-rt.patch.
+  } // structuredExtraConfig;
+
+  extraMeta = extraMeta // {
+    inherit branch;
+  };
+} // argsOverride)
diff --git a/nixpkgs/pkgs/os-specific/linux/kernel/linux-rt-5.15.nix b/nixpkgs/pkgs/os-specific/linux/kernel/linux-rt-5.15.nix
new file mode 100644
index 000000000000..bc45a86905c1
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/kernel/linux-rt-5.15.nix
@@ -0,0 +1,45 @@
+{ lib, buildLinux, fetchurl
+, kernelPatches ? [ ]
+, structuredExtraConfig ? {}
+, extraMeta ? {}
+, argsOverride ? {}
+, ... } @ args:
+
+let
+  version = "5.15.137-rt71"; # updated by ./update-rt.sh
+  branch = lib.versions.majorMinor version;
+  kversion = builtins.elemAt (lib.splitString "-" version) 0;
+in buildLinux (args // {
+  inherit version;
+
+  # modDirVersion needs a patch number, change X.Y-rtZ to X.Y.0-rtZ.
+  modDirVersion = if (builtins.match "[^.]*[.][^.]*-.*" version) == null then version
+    else lib.replaceStrings ["-"] [".0-"] version;
+
+  src = fetchurl {
+    url = "mirror://kernel/linux/kernel/v5.x/linux-${kversion}.tar.xz";
+    sha256 = "1xxjbxldrhmnh2q6rykpxyfbj8xqgl82q30n8sfavrzr14bb4jcp";
+  };
+
+  kernelPatches = let rt-patch = {
+    name = "rt";
+    patch = fetchurl {
+      url = "mirror://kernel/linux/kernel/projects/rt/${branch}/older/patch-${version}.patch.xz";
+      sha256 = "11zk02ni3b0l1wwrfvyc1q92bd9as61hwgbwlj42xv5gbpd39jlw";
+    };
+  }; in [ rt-patch ] ++ kernelPatches;
+
+  structuredExtraConfig = with lib.kernel; {
+    PREEMPT_RT = yes;
+    # Fix error: unused option: PREEMPT_RT.
+    EXPERT = yes; # PREEMPT_RT depends on it (in kernel/Kconfig.preempt)
+    # Fix error: option not set correctly: PREEMPT_VOLUNTARY (wanted 'y', got 'n').
+    PREEMPT_VOLUNTARY = lib.mkForce no; # PREEMPT_RT deselects it.
+    # Fix error: unused option: RT_GROUP_SCHED.
+    RT_GROUP_SCHED = lib.mkForce (option no); # Removed by sched-disable-rt-group-sched-on-rt.patch.
+  } // structuredExtraConfig;
+
+  extraMeta = extraMeta // {
+    inherit branch;
+  };
+} // argsOverride)
diff --git a/nixpkgs/pkgs/os-specific/linux/kernel/linux-rt-5.4.nix b/nixpkgs/pkgs/os-specific/linux/kernel/linux-rt-5.4.nix
new file mode 100644
index 000000000000..22e07bfd0f56
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/kernel/linux-rt-5.4.nix
@@ -0,0 +1,41 @@
+{ lib, buildLinux, fetchurl
+, kernelPatches ? [ ]
+, structuredExtraConfig ? {}
+, extraMeta ? {}
+, argsOverride ? {}
+, ... } @ args:
+
+let
+  version = "5.4.257-rt87"; # updated by ./update-rt.sh
+  branch = lib.versions.majorMinor version;
+  kversion = builtins.elemAt (lib.splitString "-" version) 0;
+in buildLinux (args // {
+  inherit version;
+
+  src = fetchurl {
+    url = "mirror://kernel/linux/kernel/v5.x/linux-${kversion}.tar.xz";
+    sha256 = "1w1x91slzg9ggakqhyxnmvz77v2cwfk8bz0knrpgz9qya9q5jxrf";
+  };
+
+  kernelPatches = let rt-patch = {
+    name = "rt";
+    patch = fetchurl {
+      url = "mirror://kernel/linux/kernel/projects/rt/${branch}/older/patch-${version}.patch.xz";
+      sha256 = "0rgkk5ibagsyz9in12clzn7szsw1i3m96s8wy5yxwa26aaa2wki7";
+    };
+  }; in [ rt-patch ] ++ kernelPatches;
+
+  structuredExtraConfig = with lib.kernel; {
+    PREEMPT_RT = yes;
+    # Fix error: unused option: PREEMPT_RT.
+    EXPERT = yes; # PREEMPT_RT depends on it (in kernel/Kconfig.preempt)
+    # Fix error: option not set correctly: PREEMPT_VOLUNTARY (wanted 'y', got 'n').
+    PREEMPT_VOLUNTARY = lib.mkForce no; # PREEMPT_RT deselects it.
+    # Fix error: unused option: RT_GROUP_SCHED.
+    RT_GROUP_SCHED = lib.mkForce (option no); # Removed by sched-disable-rt-group-sched-on-rt.patch.
+  } // structuredExtraConfig;
+
+  extraMeta = extraMeta // {
+    inherit branch;
+  };
+} // argsOverride)
diff --git a/nixpkgs/pkgs/os-specific/linux/kernel/linux-rt-6.1.nix b/nixpkgs/pkgs/os-specific/linux/kernel/linux-rt-6.1.nix
new file mode 100644
index 000000000000..85c8a8b8a10e
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/kernel/linux-rt-6.1.nix
@@ -0,0 +1,45 @@
+{ lib, buildLinux, fetchurl
+, kernelPatches ? [ ]
+, structuredExtraConfig ? {}
+, extraMeta ? {}
+, argsOverride ? {}
+, ... } @ args:
+
+let
+  version = "6.1.59-rt16"; # updated by ./update-rt.sh
+  branch = lib.versions.majorMinor version;
+  kversion = builtins.elemAt (lib.splitString "-" version) 0;
+in buildLinux (args // {
+  inherit version;
+
+  # modDirVersion needs a patch number, change X.Y-rtZ to X.Y.0-rtZ.
+  modDirVersion = if (builtins.match "[^.]*[.][^.]*-.*" version) == null then version
+    else lib.replaceStrings ["-"] [".0-"] version;
+
+  src = fetchurl {
+    url = "mirror://kernel/linux/kernel/v6.x/linux-${kversion}.tar.xz";
+    sha256 = "1860r1aan258yi2jq68bp1kdbcyy7ygc7d8g54wnc0vmqqj7fzv2";
+  };
+
+  kernelPatches = let rt-patch = {
+    name = "rt";
+    patch = fetchurl {
+      url = "mirror://kernel/linux/kernel/projects/rt/${branch}/older/patch-${version}.patch.xz";
+      sha256 = "1cmgw6a8zlj89172mp85lxaksz1pvc155mj2fq59l1ry35gwb5q7";
+    };
+  }; in [ rt-patch ] ++ kernelPatches;
+
+  structuredExtraConfig = with lib.kernel; {
+    PREEMPT_RT = yes;
+    # Fix error: unused option: PREEMPT_RT.
+    EXPERT = yes; # PREEMPT_RT depends on it (in kernel/Kconfig.preempt)
+    # Fix error: option not set correctly: PREEMPT_VOLUNTARY (wanted 'y', got 'n').
+    PREEMPT_VOLUNTARY = lib.mkForce no; # PREEMPT_RT deselects it.
+    # Fix error: unused option: RT_GROUP_SCHED.
+    RT_GROUP_SCHED = lib.mkForce (option no); # Removed by sched-disable-rt-group-sched-on-rt.patch.
+  } // structuredExtraConfig;
+
+  extraMeta = extraMeta // {
+    inherit branch;
+  };
+} // argsOverride)
diff --git a/nixpkgs/pkgs/os-specific/linux/kernel/linux-testing-bcachefs.nix b/nixpkgs/pkgs/os-specific/linux/kernel/linux-testing-bcachefs.nix
new file mode 100644
index 000000000000..c58c4e67e4d0
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/kernel/linux-testing-bcachefs.nix
@@ -0,0 +1,46 @@
+{ lib
+, stdenv
+, fetchpatch
+, kernel
+, commitDate ? "2023-06-28"
+# bcachefs-tools stores the expected-revision in:
+#   https://evilpiepirate.org/git/bcachefs-tools.git/tree/.bcachefs_revision
+# but this does not means that it'll be the latest-compatible revision
+, currentCommit ? "4d2faeb4fb58c389dc9f76b8d5ae991ef4497e04"
+, diffHash ? "sha256-DtMc8P4lTRzvS6PVvD7WtWEPsfnxIXSpqMsKKWs+edI="
+, kernelPatches # must always be defined in bcachefs' all-packages.nix entry because it's also a top-level attribute supplied by callPackage
+, argsOverride ? {}
+, ...
+} @ args:
+# NOTE: bcachefs-tools should be updated simultaneously to preserve compatibility
+(kernel.override ( args // {
+
+  argsOverride = {
+    version = "${kernel.version}-bcachefs-unstable-${commitDate}";
+    modDirVersion = kernel.modDirVersion;
+
+    extraMeta = {
+      homepage = "https://bcachefs.org/";
+      branch = "master";
+      maintainers = with lib.maintainers; [ davidak Madouura pedrohlc raitobezarius YellowOnion ];
+    };
+  } // argsOverride;
+
+  structuredExtraConfig = with lib.kernel; {
+    BCACHEFS_FS = module;
+    BCACHEFS_QUOTA = option yes;
+    BCACHEFS_POSIX_ACL = option yes;
+    # useful for bug reports
+    FTRACE = option yes;
+  };
+
+  kernelPatches = [ {
+      name = "bcachefs-${currentCommit}";
+
+      patch = fetchpatch {
+        name = "bcachefs-${currentCommit}.diff";
+        url = "https://evilpiepirate.org/git/bcachefs.git/rawdiff/?id=${currentCommit}&id2=v${lib.versions.majorMinor kernel.version}";
+        sha256 = diffHash;
+      };
+    } ] ++ kernelPatches;
+}))
diff --git a/nixpkgs/pkgs/os-specific/linux/kernel/mainline.nix b/nixpkgs/pkgs/os-specific/linux/kernel/mainline.nix
new file mode 100644
index 000000000000..4e1d5b8a9e87
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/kernel/mainline.nix
@@ -0,0 +1,27 @@
+{ branch, lib, fetchurl, fetchzip, buildLinux, ... } @ args:
+
+let
+  allKernels = builtins.fromJSON (builtins.readFile ./kernels-org.json);
+  thisKernel = allKernels.${branch};
+  inherit (thisKernel) version;
+
+  src =
+    # testing kernels are a special case because they don't have tarballs on the CDN
+    if branch == "testing"
+      then fetchzip {
+        url = "https://git.kernel.org/torvalds/t/linux-${version}.tar.gz";
+        inherit (thisKernel) hash;
+      }
+      else fetchurl {
+        url = "mirror://kernel/linux/kernel/v${lib.versions.major version}.x/linux-${version}.tar.xz";
+        inherit (thisKernel) hash;
+      };
+
+  args' = (builtins.removeAttrs args ["branch"]) // {
+    inherit src version;
+
+    modDirVersion = lib.versions.pad 3 version;
+    extraMeta.branch = branch;
+  } // (args.argsOverride or {});
+in
+buildLinux args'
diff --git a/nixpkgs/pkgs/os-specific/linux/kernel/manual-config.nix b/nixpkgs/pkgs/os-specific/linux/kernel/manual-config.nix
new file mode 100644
index 000000000000..2ba31fbc9789
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/kernel/manual-config.nix
@@ -0,0 +1,389 @@
+{ lib, stdenv, buildPackages, runCommand, nettools, bc, bison, flex, perl, rsync, gmp, libmpc, mpfr, openssl
+, libelf, cpio, elfutils, zstd, python3Minimal, zlib, pahole, kmod, ubootTools
+, fetchpatch
+}:
+
+let
+  lib_ = lib;
+  stdenv_ = stdenv;
+
+  readConfig = configfile: import (runCommand "config.nix" {} ''
+    echo "{" > "$out"
+    while IFS='=' read key val; do
+      [ "x''${key#CONFIG_}" != "x$key" ] || continue
+      no_firstquote="''${val#\"}";
+      echo '  "'"$key"'" = "'"''${no_firstquote%\"}"'";' >> "$out"
+    done < "${configfile}"
+    echo "}" >> $out
+  '').outPath;
+in lib.makeOverridable ({
+  # The kernel version
+  version,
+  # Position of the Linux build expression
+  pos ? null,
+  # Additional kernel make flags
+  extraMakeFlags ? [],
+  # The name of the kernel module directory
+  # Needs to be X.Y.Z[-extra], so pad with zeros if needed.
+  modDirVersion ? lib.versions.pad 3 version,
+  # The kernel source (tarball, git checkout, etc.)
+  src,
+  # a list of { name=..., patch=..., extraConfig=...} patches
+  kernelPatches ? [],
+  # The kernel .config file
+  configfile,
+  # Manually specified nixexpr representing the config
+  # If unspecified, this will be autodetected from the .config
+  config ? lib.optionalAttrs allowImportFromDerivation (readConfig configfile),
+  # Custom seed used for CONFIG_GCC_PLUGIN_RANDSTRUCT if enabled. This is
+  # automatically extended with extra per-version and per-config values.
+  randstructSeed ? "",
+  # Extra meta attributes
+  extraMeta ? {},
+
+  # for module compatibility
+  isZen      ? false,
+  isLibre    ? false,
+  isHardened ? false,
+
+  # Whether to utilize the controversial import-from-derivation feature to parse the config
+  allowImportFromDerivation ? false,
+  # ignored
+  features ? null, lib ? lib_, stdenv ? stdenv_,
+}:
+
+let
+  inherit (lib)
+    hasAttr getAttr optional optionals optionalString optionalAttrs maintainers platforms;
+
+  # Dependencies that are required to build kernel modules
+  moduleBuildDependencies = [
+    pahole
+    perl
+    libelf
+    # module makefiles often run uname commands to find out the kernel version
+    (buildPackages.deterministic-uname.override { inherit modDirVersion; })
+  ] ++ optional (lib.versionAtLeast version "5.13") zstd;
+
+  drvAttrs = config_: kernelConf: kernelPatches: configfile:
+    let
+      config = let attrName = attr: "CONFIG_" + attr; in {
+        isSet = attr: hasAttr (attrName attr) config;
+
+        getValue = attr: if config.isSet attr then getAttr (attrName attr) config else null;
+
+        isYes = attr: (config.getValue attr) == "y";
+
+        isNo = attr: (config.getValue attr) == "n";
+
+        isModule = attr: (config.getValue attr) == "m";
+
+        isEnabled = attr: (config.isModule attr) || (config.isYes attr);
+
+        isDisabled = attr: (!(config.isSet attr)) || (config.isNo attr);
+      } // config_;
+
+      isModular = config.isYes "MODULES";
+
+      buildDTBs = kernelConf.DTB or false;
+
+    in (optionalAttrs isModular { outputs = [ "out" "dev" ]; }) // {
+      passthru = rec {
+        inherit version modDirVersion config kernelPatches configfile
+          moduleBuildDependencies stdenv;
+        inherit isZen isHardened isLibre;
+        isXen = lib.warn "The isXen attribute is deprecated. All Nixpkgs kernels that support it now have Xen enabled." true;
+        baseVersion = lib.head (lib.splitString "-rc" version);
+        kernelOlder = lib.versionOlder baseVersion;
+        kernelAtLeast = lib.versionAtLeast baseVersion;
+      };
+
+      inherit src;
+
+      patches =
+        map (p: p.patch) kernelPatches
+        # Required for deterministic builds along with some postPatch magic.
+        ++ optional (lib.versionOlder version "5.19") ./randstruct-provide-seed.patch
+        ++ optional (lib.versionAtLeast version "5.19") ./randstruct-provide-seed-5.19.patch
+        # Linux 5.12 marked certain PowerPC-only symbols as GPL, which breaks
+        # OpenZFS; this was fixed in Linux 5.19 so we backport the fix
+        # https://github.com/openzfs/zfs/pull/13367
+        ++ optional (lib.versionAtLeast version "5.12" &&
+                     lib.versionOlder version "5.19" &&
+                     stdenv.hostPlatform.isPower)
+          (fetchpatch {
+            url = "https://git.kernel.org/pub/scm/linux/kernel/git/powerpc/linux.git/patch/?id=d9e5c3e9e75162f845880535957b7fd0b4637d23";
+            hash = "sha256-bBOyJcP6jUvozFJU0SPTOf3cmnTQ6ZZ4PlHjiniHXLU=";
+          });
+
+      postPatch = ''
+        # Ensure that depmod gets resolved through PATH
+        sed -i Makefile -e 's|= /sbin/depmod|= depmod|'
+
+        # Don't include a (random) NT_GNU_BUILD_ID, to make the build more deterministic.
+        # This way kernels can be bit-by-bit reproducible depending on settings
+        # (e.g. MODULE_SIG and SECURITY_LOCKDOWN_LSM need to be disabled).
+        # See also https://kernelnewbies.org/BuildId
+        sed -i Makefile -e 's|--build-id=[^ ]*|--build-id=none|'
+
+        # Some linux-hardened patches now remove certain files in the scripts directory, so the file may not exist.
+        [[ -f scripts/ld-version.sh ]] && patchShebangs scripts/ld-version.sh
+
+        # Set randstruct seed to a deterministic but diversified value. Note:
+        # we could have instead patched gen-random-seed.sh to take input from
+        # the buildFlags, but that would require also patching the kernel's
+        # toplevel Makefile to add a variable export. This would be likely to
+        # cause future patch conflicts.
+        for file in scripts/gen-randstruct-seed.sh scripts/gcc-plugins/gen-random-seed.sh; do
+          if [ -f "$file" ]; then
+            substituteInPlace "$file" \
+              --replace NIXOS_RANDSTRUCT_SEED \
+              $(echo ${randstructSeed}${src} ${placeholder "configfile"} | sha256sum | cut -d ' ' -f 1 | tr -d '\n')
+            break
+          fi
+        done
+
+        patchShebangs scripts
+
+        # also patch arch-specific install scripts
+        for i in $(find arch -name install.sh); do
+            patchShebangs "$i"
+        done
+      '';
+
+      configurePhase = ''
+        runHook preConfigure
+
+        mkdir build
+        export buildRoot="$(pwd)/build"
+
+        echo "manual-config configurePhase buildRoot=$buildRoot pwd=$PWD"
+
+        if [ -f "$buildRoot/.config" ]; then
+          echo "Could not link $buildRoot/.config : file exists"
+          exit 1
+        fi
+        ln -sv ${configfile} $buildRoot/.config
+
+        # reads the existing .config file and prompts the user for options in
+        # the current kernel source that are not found in the file.
+        make $makeFlags "''${makeFlagsArray[@]}" oldconfig
+        runHook postConfigure
+
+        make $makeFlags "''${makeFlagsArray[@]}" prepare
+        actualModDirVersion="$(cat $buildRoot/include/config/kernel.release)"
+        if [ "$actualModDirVersion" != "${modDirVersion}" ]; then
+          echo "Error: modDirVersion ${modDirVersion} specified in the Nix expression is wrong, it should be: $actualModDirVersion"
+          exit 1
+        fi
+
+        buildFlagsArray+=("KBUILD_BUILD_TIMESTAMP=$(date -u -d @$SOURCE_DATE_EPOCH)")
+
+        cd $buildRoot
+      '';
+
+      buildFlags = [
+        "KBUILD_BUILD_VERSION=1-NixOS"
+        kernelConf.target
+        "vmlinux"  # for "perf" and things like that
+      ] ++ optional isModular "modules"
+        ++ optionals buildDTBs ["dtbs" "DTC_FLAGS=-@"]
+      ++ extraMakeFlags;
+
+      installFlags = [
+        "INSTALL_PATH=$(out)"
+      ] ++ (optional isModular "INSTALL_MOD_PATH=$(out)")
+      ++ optionals buildDTBs ["dtbs_install" "INSTALL_DTBS_PATH=$(out)/dtbs"];
+
+      preInstall = let
+        # All we really need to do here is copy the final image and System.map to $out,
+        # and use the kernel's modules_install, firmware_install, dtbs_install, etc. targets
+        # for the rest. Easy, right?
+        #
+        # Unfortunately for us, the obvious way of getting the built image path,
+        # make -s image_name, does not work correctly, because some architectures
+        # (*cough* aarch64 *cough*) change KBUILD_IMAGE on the fly in their install targets,
+        # so we end up attempting to install the thing we didn't actually build.
+        #
+        # Thankfully, there's a way out that doesn't involve just hardcoding everything.
+        #
+        # The kernel has an install target, which runs a pretty simple shell script
+        # (located at scripts/install.sh or arch/$arch/boot/install.sh, depending on
+        # which kernel version you're looking at) that tries to do something sensible.
+        #
+        # (it would be great to hijack this script immediately, as it has all the
+        #   information we need passed to it and we don't need it to try and be smart,
+        #   but unfortunately, the exact location of the scripts differs between kernel
+        #   versions, and they're seemingly not considered to be public API at all)
+        #
+        # One of the ways it tries to discover what "something sensible" actually is
+        # is by delegating to what's supposed to be a user-provided install script
+        # located at ~/bin/installkernel.
+        #
+        # (the other options are:
+        #   - a distribution-specific script at /sbin/installkernel,
+        #        which we can't really create in the sandbox easily
+        #   - an architecture-specific script at arch/$arch/boot/install.sh,
+        #        which attempts to guess _something_ and usually guesses very wrong)
+        #
+        # More specifically, the install script exec's into ~/bin/installkernel, if one
+        # exists, with the following arguments:
+        #
+        # $1: $KERNELRELEASE - full kernel version string
+        # $2: $KBUILD_IMAGE - the final image path
+        # $3: System.map - path to System.map file, seemingly hardcoded everywhere
+        # $4: $INSTALL_PATH - path to the destination directory as specified in installFlags
+        #
+        # $2 is exactly what we want, so hijack the script and use the knowledge given to it
+        # by the makefile overlords for our own nefarious ends.
+        #
+        # Note that the makefiles specifically look in ~/bin/installkernel, and
+        # writeShellScriptBin writes the script to <store path>/bin/installkernel,
+        # so HOME needs to be set to just the store path.
+        #
+        # FIXME: figure out a less roundabout way of doing this.
+        installkernel = buildPackages.writeShellScriptBin "installkernel" ''
+          cp -av $2 $4
+          cp -av $3 $4
+        '';
+      in ''
+        installFlagsArray+=("-j$NIX_BUILD_CORES")
+        export HOME=${installkernel}
+      '';
+
+      # Some image types need special install targets (e.g. uImage is installed with make uinstall)
+      installTargets = [
+        (kernelConf.installTarget or (
+          /**/ if kernelConf.target == "uImage" then "uinstall"
+          else if kernelConf.target == "zImage" || kernelConf.target == "Image.gz" then "zinstall"
+          else "install"))
+      ];
+
+      postInstall = optionalString isModular ''
+        mkdir -p $dev
+        cp vmlinux $dev/
+        if [ -z "''${dontStrip-}" ]; then
+          installFlagsArray+=("INSTALL_MOD_STRIP=1")
+        fi
+        make modules_install $makeFlags "''${makeFlagsArray[@]}" \
+          $installFlags "''${installFlagsArray[@]}"
+        unlink $out/lib/modules/${modDirVersion}/build
+        rm -f $out/lib/modules/${modDirVersion}/source
+
+        mkdir -p $dev/lib/modules/${modDirVersion}/{build,source}
+
+        # To save space, exclude a bunch of unneeded stuff when copying.
+        (cd .. && rsync --archive --prune-empty-dirs \
+            --exclude='/build/' \
+            * $dev/lib/modules/${modDirVersion}/source/)
+
+        cd $dev/lib/modules/${modDirVersion}/source
+
+        cp $buildRoot/{.config,Module.symvers} $dev/lib/modules/${modDirVersion}/build
+        make modules_prepare $makeFlags "''${makeFlagsArray[@]}" O=$dev/lib/modules/${modDirVersion}/build
+
+        # For reproducibility, removes accidental leftovers from a `cc1` call
+        # from a `try-run` call from the Makefile
+        rm -f $dev/lib/modules/${modDirVersion}/build/.[0-9]*.d
+
+        # Keep some extra files on some arches (powerpc, aarch64)
+        for f in arch/powerpc/lib/crtsavres.o arch/arm64/kernel/ftrace-mod.o; do
+          if [ -f "$buildRoot/$f" ]; then
+            cp $buildRoot/$f $dev/lib/modules/${modDirVersion}/build/$f
+          fi
+        done
+
+        # !!! No documentation on how much of the source tree must be kept
+        # If/when kernel builds fail due to missing files, you can add
+        # them here. Note that we may see packages requiring headers
+        # from drivers/ in the future; it adds 50M to keep all of its
+        # headers on 3.10 though.
+
+        chmod u+w -R ..
+        arch=$(cd $dev/lib/modules/${modDirVersion}/build/arch; ls)
+
+        # Remove unused arches
+        for d in $(cd arch/; ls); do
+          if [ "$d" = "$arch" ]; then continue; fi
+          if [ "$arch" = arm64 ] && [ "$d" = arm ]; then continue; fi
+          rm -rf arch/$d
+        done
+
+        # Remove all driver-specific code (50M of which is headers)
+        rm -fR drivers
+
+        # Keep all headers
+        find .  -type f -name '*.h' -print0 | xargs -0 -r chmod u-w
+
+        # Keep linker scripts (they are required for out-of-tree modules on aarch64)
+        find .  -type f -name '*.lds' -print0 | xargs -0 -r chmod u-w
+
+        # Keep root and arch-specific Makefiles
+        chmod u-w Makefile arch/"$arch"/Makefile*
+
+        # Keep whole scripts dir
+        chmod u-w -R scripts
+
+        # Delete everything not kept
+        find . -type f -perm -u=w -print0 | xargs -0 -r rm
+
+        # Delete empty directories
+        find -empty -type d -delete
+      '';
+
+      requiredSystemFeatures = [ "big-parallel" ];
+
+      meta = {
+        description =
+          "The Linux kernel" +
+          (if kernelPatches == [] then "" else
+            " (with patches: "
+            + lib.concatStringsSep ", " (map (x: x.name) kernelPatches)
+            + ")");
+        license = lib.licenses.gpl2Only;
+        homepage = "https://www.kernel.org/";
+        maintainers = lib.teams.linux-kernel.members ++ [
+          maintainers.thoughtpolice
+        ];
+        platforms = platforms.linux;
+        badPlatforms =
+          lib.optionals (lib.versionOlder version "4.15") [ "riscv32-linux" "riscv64-linux" ] ++
+          lib.optional (lib.versionOlder version "5.19") "loongarch64-linux";
+        timeout = 14400; # 4 hours
+      } // extraMeta;
+    };
+in
+
+assert lib.versionOlder version "5.8" -> libelf != null;
+assert lib.versionAtLeast version "5.8" -> elfutils != null;
+
+stdenv.mkDerivation ((drvAttrs config stdenv.hostPlatform.linux-kernel kernelPatches configfile) // {
+  pname = "linux";
+  inherit version;
+
+  enableParallelBuilding = true;
+
+  depsBuildBuild = [ buildPackages.stdenv.cc ];
+  nativeBuildInputs = [ perl bc nettools openssl rsync gmp libmpc mpfr zstd python3Minimal kmod ubootTools ]
+      ++ optional  (lib.versionOlder version "5.8") libelf
+      ++ optionals (lib.versionAtLeast version "4.16") [ bison flex ]
+      ++ optionals (lib.versionAtLeast version "5.2")  [ cpio pahole zlib ]
+      ++ optional  (lib.versionAtLeast version "5.8")  elfutils
+      ;
+
+  hardeningDisable = [ "bindnow" "format" "fortify" "stackprotector" "pic" "pie" ];
+
+  # Absolute paths for compilers avoid any PATH-clobbering issues.
+  makeFlags = [
+    "O=$(buildRoot)"
+    "CC=${stdenv.cc}/bin/${stdenv.cc.targetPrefix}cc"
+    "HOSTCC=${buildPackages.stdenv.cc}/bin/${buildPackages.stdenv.cc.targetPrefix}cc"
+    "HOSTLD=${buildPackages.stdenv.cc.bintools}/bin/${buildPackages.stdenv.cc.targetPrefix}ld"
+    "ARCH=${stdenv.hostPlatform.linuxArch}"
+  ] ++ lib.optionals (stdenv.hostPlatform != stdenv.buildPlatform) [
+    "CROSS_COMPILE=${stdenv.cc.targetPrefix}"
+  ] ++ (stdenv.hostPlatform.linux-kernel.makeFlags or [])
+    ++ extraMakeFlags;
+
+  karch = stdenv.hostPlatform.linuxArch;
+} // (optionalAttrs (pos != null) { inherit pos; })))
diff --git a/nixpkgs/pkgs/os-specific/linux/kernel/modinst-arg-list-too-long.patch b/nixpkgs/pkgs/os-specific/linux/kernel/modinst-arg-list-too-long.patch
new file mode 100644
index 000000000000..58a9191989ae
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/kernel/modinst-arg-list-too-long.patch
@@ -0,0 +1,14 @@
+diff --git a/scripts/Makefile.modinst b/scripts/Makefile.modinst
+index 07650ee..934a7a8 100644
+--- a/scripts/Makefile.modinst
++++ b/scripts/Makefile.modinst
+@@ -9,7 +9,8 @@ include scripts/Kbuild.include
+ 
+ #
+ 
+-__modules := $(sort $(shell grep -h '\.ko$$' /dev/null $(wildcard $(MODVERDIR)/*.mod)))
++__modules := $(sort $(foreach f,$(wildcard $(MODVERDIR)/*.mod),$(shell \
++    grep -h '\.ko$$' '$f')))
+ modules := $(patsubst %.o,%.ko,$(wildcard $(__modules:.ko=.o)))
+ 
+ PHONY += $(modules)
diff --git a/nixpkgs/pkgs/os-specific/linux/kernel/mptcp-config.nix b/nixpkgs/pkgs/os-specific/linux/kernel/mptcp-config.nix
new file mode 100644
index 000000000000..59b11167ac22
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/kernel/mptcp-config.nix
@@ -0,0 +1,28 @@
+{ lib }:
+with lib.kernel;
+{
+    # DRM_AMDGPU = yes;
+
+    IPV6               = yes;
+    MPTCP              = yes;
+    IP_MULTIPLE_TABLES = yes;
+
+    # Enable advanced path-managers...
+    MPTCP_PM_ADVANCED = yes;
+    MPTCP_FULLMESH = yes;
+    MPTCP_NDIFFPORTS = yes;
+    # ... but use none by default.
+    # The default is safer if source policy routing is not setup.
+    DEFAULT_DUMMY = yes;
+    DEFAULT_MPTCP_PM.freeform = "default";
+
+    # MPTCP scheduler selection.
+    MPTCP_SCHED_ADVANCED = yes;
+    DEFAULT_MPTCP_SCHED.freeform = "default";
+
+    # Smarter TCP congestion controllers
+    TCP_CONG_LIA = module;
+    TCP_CONG_OLIA = module;
+    TCP_CONG_WVEGAS = module;
+    TCP_CONG_BALIA = module;
+}
diff --git a/nixpkgs/pkgs/os-specific/linux/kernel/patches.nix b/nixpkgs/pkgs/os-specific/linux/kernel/patches.nix
new file mode 100644
index 000000000000..5d4ebc214dc7
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/kernel/patches.nix
@@ -0,0 +1,68 @@
+{ lib, fetchpatch, fetchurl }:
+
+{
+  ath_regd_optional = rec {
+    name = "ath_regd_optional";
+    patch = fetchpatch {
+      name = name + ".patch";
+      url = "https://github.com/openwrt/openwrt/raw/ed2015c38617ed6624471e77f27fbb0c58c8c660/package/kernel/mac80211/patches/ath/402-ath_regd_optional.patch";
+      sha256 = "1ssDXSweHhF+pMZyd6kSrzeW60eb6MO6tlf0il17RC0=";
+      postFetch = ''
+        sed -i 's/CPTCFG_/CONFIG_/g' $out
+        sed -i '/--- a\/local-symbols/,$d' $out
+      '';
+    };
+  };
+
+  bridge_stp_helper =
+    { name = "bridge-stp-helper";
+      patch = ./bridge-stp-helper.patch;
+    };
+
+  # Reverts the buggy commit causing https://bugzilla.kernel.org/show_bug.cgi?id=217802
+  dell_xps_regression = {
+    name = "dell_xps_regression";
+    patch = fetchpatch {
+      name = "Revert-101bd907b424-misc-rtsx-judge-ASPM-Mode-to-set.patch";
+      url = "https://raw.githubusercontent.com/openSUSE/kernel-source/1b02b1528a26f4e9b577e215c114d8c5e773ee10/patches.suse/Revert-101bd907b424-misc-rtsx-judge-ASPM-Mode-to-set.patch";
+      sha256 = "sha256-RHJdQ4p0msTOVPR+/dYiKuwwEoG9IpIBqT4dc5cJjf8=";
+    };
+  };
+
+  request_key_helper =
+    { name = "request-key-helper";
+      patch = ./request-key-helper.patch;
+    };
+
+  request_key_helper_updated =
+    { name = "request-key-helper-updated";
+      patch = ./request-key-helper-updated.patch;
+    };
+
+  modinst_arg_list_too_long =
+    { name = "modinst-arglist-too-long";
+      patch = ./modinst-arg-list-too-long.patch;
+    };
+
+  hardened = let
+    mkPatch = kernelVersion: { version, sha256, patch }: let src = patch; in {
+      name = lib.removeSuffix ".patch" src.name;
+      patch = fetchurl (lib.filterAttrs (k: v: k != "extra") src);
+      extra = src.extra;
+      inherit version sha256;
+    };
+    patches = lib.importJSON ./hardened/patches.json;
+  in lib.mapAttrs mkPatch patches;
+
+  # Adapted for Linux 5.4 from:
+  # https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=04896832c94aae4842100cafb8d3a73e1bed3a45
+  rtl8761b_support =
+    { name = "rtl8761b-support";
+      patch = ./rtl8761b-support.patch;
+    };
+
+  export-rt-sched-migrate = {
+    name = "export-rt-sched-migrate";
+    patch = ./export-rt-sched-migrate.patch;
+  };
+}
diff --git a/nixpkgs/pkgs/os-specific/linux/kernel/perf/default.nix b/nixpkgs/pkgs/os-specific/linux/kernel/perf/default.nix
new file mode 100644
index 000000000000..ad8f2608d936
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/kernel/perf/default.nix
@@ -0,0 +1,166 @@
+{ lib
+, stdenv
+, fetchpatch
+, fetchurl
+, kernel
+, elfutils
+, python3
+, perl
+, newt
+, slang
+, asciidoc
+, xmlto
+, makeWrapper
+, docbook_xsl
+, docbook_xml_dtd_45
+, libxslt
+, flex
+, bison
+, pkg-config
+, libunwind
+, binutils-unwrapped
+, libiberty
+, audit
+, libbfd
+, libbfd_2_38
+, libopcodes
+, libopcodes_2_38
+, libpfm
+, libtraceevent
+, openssl
+, systemtap
+, numactl
+, zlib
+, babeltrace
+, withGtk ? false
+, gtk2
+, withZstd ? true
+, zstd
+, withLibcap ? true
+, libcap
+}:
+let
+  d3-flame-graph-templates = stdenv.mkDerivation rec {
+    pname = "d3-flame-graph-templates";
+    version = "4.1.3";
+
+    src = fetchurl {
+      url = "https://registry.npmjs.org/d3-flame-graph/-/d3-flame-graph-${version}.tgz";
+      sha256 = "sha256-W5/Vh5jarXUV224aIiTB2TnBFYT3naEIcG2945QjY8Q=";
+    };
+
+    installPhase = ''
+      install -D -m 0755 -t $out/share/d3-flame-graph/ ./dist/templates/*
+    '';
+  };
+in
+
+stdenv.mkDerivation {
+  pname = "perf-linux";
+  version = kernel.version;
+
+  inherit (kernel) src;
+
+  postPatch = ''
+    # Linux scripts
+    patchShebangs scripts
+    patchShebangs tools/perf/check-headers.sh
+  '' + lib.optionalString (lib.versionAtLeast kernel.version "6.3") ''
+    # perf-specific scripts
+    patchShebangs tools/perf/pmu-events
+  '' + ''
+    cd tools/perf
+
+    for x in util/build-id.c util/dso.c; do
+      substituteInPlace $x --replace /usr/lib/debug /run/current-system/sw/lib/debug
+    done
+
+  '' + lib.optionalString (lib.versionAtLeast kernel.version "5.8") ''
+    substituteInPlace scripts/python/flamegraph.py \
+      --replace "/usr/share/d3-flame-graph/d3-flamegraph-base.html" \
+      "${d3-flame-graph-templates}/share/d3-flame-graph/d3-flamegraph-base.html"
+
+  '' + lib.optionalString (lib.versionAtLeast kernel.version "6.0") ''
+    patchShebangs pmu-events/jevents.py
+  '';
+
+  makeFlags = [ "prefix=$(out)" "WERROR=0" "ASCIIDOC8=1" ] ++ kernel.makeFlags
+    ++ lib.optional (!withGtk) "NO_GTK2=1"
+    ++ lib.optional (!withZstd) "NO_LIBZSTD=1"
+    ++ lib.optional (!withLibcap) "NO_LIBCAP=1";
+
+  hardeningDisable = [ "format" ];
+
+  # perf refers both to newt and slang
+  nativeBuildInputs = [
+    asciidoc
+    xmlto
+    docbook_xsl
+    docbook_xml_dtd_45
+    libxslt
+    flex
+    bison
+    libiberty
+    audit
+    makeWrapper
+    pkg-config
+    python3
+  ];
+
+  buildInputs = [
+    elfutils
+    newt
+    slang
+    libtraceevent
+    libunwind
+    zlib
+    openssl
+    numactl
+    python3
+    perl
+    babeltrace
+  ] ++ (if (lib.versionAtLeast kernel.version "5.19")
+  then [ libbfd libopcodes ]
+  else [ libbfd_2_38 libopcodes_2_38 ])
+  ++ lib.optional (lib.meta.availableOn stdenv.hostPlatform systemtap) systemtap.stapBuild
+  ++ lib.optional withGtk gtk2
+  ++ lib.optional withZstd zstd
+  ++ lib.optional withLibcap libcap
+  ++ lib.optional (lib.versionAtLeast kernel.version "5.8") libpfm
+  ++ lib.optional (lib.versionAtLeast kernel.version "6.0") python3.pkgs.setuptools;
+
+  env.NIX_CFLAGS_COMPILE = toString [
+    "-Wno-error=cpp"
+    "-Wno-error=bool-compare"
+    "-Wno-error=deprecated-declarations"
+    "-Wno-error=stringop-truncation"
+  ];
+
+  doCheck = false; # requires "sparse"
+
+  installTargets = [ "install" "install-man" ];
+
+  # TODO: Add completions based on perf-completion.sh
+  postInstall = ''
+    # Same as perf. Remove.
+    rm -f $out/bin/trace
+  '';
+
+  separateDebugInfo = true;
+
+  preFixup = ''
+    # Pull in 'objdump' into PATH to make annotations work.
+    # The embedded Python interpreter will search PATH to calculate the Python path configuration(Should be fixed by upstream).
+    # Add python.interpreter to PATH for now.
+    wrapProgram $out/bin/perf \
+      --prefix PATH : ${lib.makeBinPath [ binutils-unwrapped python3 ]}
+  '';
+
+  meta = with lib; {
+    homepage = "https://perf.wiki.kernel.org/";
+    description = "Linux tools to profile with performance counters";
+    maintainers = with maintainers; [ viric ];
+    platforms = platforms.linux;
+    broken = kernel.kernelOlder "5";
+  };
+}
diff --git a/nixpkgs/pkgs/os-specific/linux/kernel/randstruct-provide-seed-5.19.patch b/nixpkgs/pkgs/os-specific/linux/kernel/randstruct-provide-seed-5.19.patch
new file mode 100644
index 000000000000..5ca897a76bf6
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/kernel/randstruct-provide-seed-5.19.patch
@@ -0,0 +1,13 @@
+diff --git a/scripts/gen-randstruct-seed.sh b/scripts/gen-randstruct-seed.sh
+index 61017b36c464..7bb494dd2e18 100755
+--- a/scripts/gen-randstruct-seed.sh
++++ b/scripts/gen-randstruct-seed.sh
+@@ -1,7 +1,7 @@
+ #!/bin/sh
+ # SPDX-License-Identifier: GPL-2.0
+ 
+-SEED=$(od -A n -t x8 -N 32 /dev/urandom | tr -d ' \n')
++SEED="NIXOS_RANDSTRUCT_SEED"
+ echo "$SEED" > "$1"
+ HASH=$(echo -n "$SEED" | sha256sum | cut -d" " -f1)
+ echo "#define RANDSTRUCT_HASHED_SEED \"$HASH\"" > "$2"
diff --git a/nixpkgs/pkgs/os-specific/linux/kernel/randstruct-provide-seed.patch b/nixpkgs/pkgs/os-specific/linux/kernel/randstruct-provide-seed.patch
new file mode 100644
index 000000000000..1328b9cee3c9
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/kernel/randstruct-provide-seed.patch
@@ -0,0 +1,12 @@
+diff -ru a/scripts/gcc-plugins/gen-random-seed.sh b/scripts/gcc-plugins/gen-random-seed.sh
+--- a/scripts/gcc-plugins/gen-random-seed.sh	2019-01-11 11:50:29.228258920 +0100
++++ b/scripts/gcc-plugins/gen-random-seed.sh	2019-01-11 12:18:33.555902720 +0100
+@@ -2,7 +2,7 @@
+ # SPDX-License-Identifier: GPL-2.0
+ 
+ if [ ! -f "$1" ]; then
+-	SEED=`od -A n -t x8 -N 32 /dev/urandom | tr -d ' \n'`
++	SEED="NIXOS_RANDSTRUCT_SEED"
+ 	echo "const char *randstruct_seed = \"$SEED\";" > "$1"
+ 	HASH=`echo -n "$SEED" | sha256sum | cut -d" " -f1 | tr -d ' \n'`
+ 	echo "#define RANDSTRUCT_HASHED_SEED \"$HASH\"" > "$2"
diff --git a/nixpkgs/pkgs/os-specific/linux/kernel/request-key-helper-updated.patch b/nixpkgs/pkgs/os-specific/linux/kernel/request-key-helper-updated.patch
new file mode 100644
index 000000000000..aabb9e801be4
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/kernel/request-key-helper-updated.patch
@@ -0,0 +1,13 @@
+diff --git a/security/keys/request_key.c b/security/keys/request_key.c
+index 88172c163953..4da74a1eebb2 100644
+--- a/security/keys/request_key.c
++++ b/security/keys/request_key.c
+@@ -161,7 +161,7 @@ static int call_sbin_request_key(struct key_construction *cons,
+
+	/* set up the argument list */
+	i = 0;
+-	argv[i++] = "/sbin/request-key";
++	argv[i++] = "/run/current-system/sw/bin/request-key";
+	argv[i++] = (char *) op;
+	argv[i++] = key_str;
+	argv[i++] = uid_str;
diff --git a/nixpkgs/pkgs/os-specific/linux/kernel/request-key-helper.patch b/nixpkgs/pkgs/os-specific/linux/kernel/request-key-helper.patch
new file mode 100644
index 000000000000..8264e265aedf
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/kernel/request-key-helper.patch
@@ -0,0 +1,13 @@
+diff --git a/security/keys/request_key.c b/security/keys/request_key.c
+index 957b9e3e1492..5436a0d8b81d 100644
+--- a/security/keys/request_key.c
++++ b/security/keys/request_key.c
+@@ -114,7 +114,7 @@ static int call_usermodehelper_keys(const char *path, char **argv, char **envp,
+  */
+ static int call_sbin_request_key(struct key *authkey, void *aux)
+ {
+-	static char const request_key[] = "/sbin/request-key";
++	static char const request_key[] = "/run/current-system/sw/bin/request-key";
+ 	struct request_key_auth *rka = get_request_key_auth(authkey);
+ 	const struct cred *cred = current_cred();
+ 	key_serial_t prkey, sskey;
diff --git a/nixpkgs/pkgs/os-specific/linux/kernel/rtl8761b-support.patch b/nixpkgs/pkgs/os-specific/linux/kernel/rtl8761b-support.patch
new file mode 100644
index 000000000000..b6d80d5bc8d3
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/kernel/rtl8761b-support.patch
@@ -0,0 +1,33 @@
+diff --git a/drivers/bluetooth/btrtl.c b/drivers/bluetooth/btrtl.c
+index 67f4bc21e7c5..3a9afc905f24 100644
+--- a/drivers/bluetooth/btrtl.c
++++ b/drivers/bluetooth/btrtl.c
+@@ -130,12 +130,19 @@  static const struct id_table ic_id_table[] = {
+ 	  .cfg_name = "rtl_bt/rtl8821c_config" },
+
+ 	/* 8761A */
+-	{ IC_MATCH_FL_LMPSUBV, RTL_ROM_LMP_8761A, 0x0,
++	{ IC_INFO(RTL_ROM_LMP_8761A, 0xa),
+ 	  .config_needed = false,
+ 	  .has_rom_version = true,
+ 	  .fw_name  = "rtl_bt/rtl8761a_fw.bin",
+ 	  .cfg_name = "rtl_bt/rtl8761a_config" },
+
++	/* 8761B */
++	{ IC_INFO(RTL_ROM_LMP_8761A, 0xb),
++	  .config_needed = false,
++	  .has_rom_version = true,
++	  .fw_name  = "rtl_bt/rtl8761b_fw.bin",
++	  .cfg_name = "rtl_bt/rtl8761b_config" },
++
+	/* 8822C with USB interface */
+	{ IC_INFO(RTL_ROM_LMP_8822B, 0xc),
+	  .config_needed = false,
+@@ -251,6 +258,7 @@  static int rtlbt_parse_firmware(struct hci_dev *hdev,
+ 		{ RTL_ROM_LMP_8723B, 9 },	/* 8723D */
+ 		{ RTL_ROM_LMP_8821A, 10 },	/* 8821C */
+ 		{ RTL_ROM_LMP_8822B, 13 },	/* 8822C */
++		{ RTL_ROM_LMP_8761A, 14 },	/* 8761B */
+ 	};
+
+ 	min_size = sizeof(struct rtl_epatch_header) + sizeof(extension_sig) + 3;
diff --git a/nixpkgs/pkgs/os-specific/linux/kernel/update-libre.sh b/nixpkgs/pkgs/os-specific/linux/kernel/update-libre.sh
new file mode 100755
index 000000000000..aea12df55cc5
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/kernel/update-libre.sh
@@ -0,0 +1,33 @@
+#! /usr/bin/env nix-shell
+#! nix-shell -i bash -p nix-prefetch-svn git curl
+set -euo pipefail
+
+nixpkgs="$(git rev-parse --show-toplevel)"
+path="$nixpkgs/pkgs/os-specific/linux/kernel/linux-libre.nix"
+
+old_rev="$(grep -o 'rev = ".*"' "$path" | awk -F'"' '{print $2}')"
+old_sha256="$(grep -o 'sha256 = ".*"' "$path" | awk -F'"' '{print $2}')"
+
+svn_url=https://www.fsfla.org/svn/fsfla/software/linux-libre/releases/branches/
+rev="$(curl -s "$svn_url" | grep -Em 1 -o 'Revision [0-9]+' | awk '{print $2}')"
+
+if [ "$old_rev" = "$rev" ]; then
+    echo "No updates for linux-libre"
+    exit 0
+fi
+
+sha256="$(QUIET=1 nix-prefetch-svn "$svn_url" "$rev" | tail -1)"
+
+if [ "$old_sha256" = "$sha256" ]; then
+    echo "No updates for linux-libre"
+    exit 0
+fi
+
+sed -i -e "s/rev = \".*\"/rev = \"$rev\"/" \
+    -e "s/sha256 = \".*\"/sha256 = \"$sha256\"/" "$path"
+
+if [ -n "${COMMIT-}" ]; then
+    git commit -qm "linux_latest-libre: $old_rev -> $rev" "$path" \
+       $nixpkgs/pkgs/os-specific/linux/kernel/linux-libre.nix
+    echo "Updated linux_latest-libre $old_rev -> $rev"
+fi
diff --git a/nixpkgs/pkgs/os-specific/linux/kernel/update-mainline.py b/nixpkgs/pkgs/os-specific/linux/kernel/update-mainline.py
new file mode 100755
index 000000000000..30b9ebec984c
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/kernel/update-mainline.py
@@ -0,0 +1,130 @@
+#!/usr/bin/env nix-shell
+#!nix-shell -i python3 -p "python3.withPackages (ps: [ ps.beautifulsoup4 ps.lxml ])"
+import json
+import os
+import pathlib
+import subprocess
+import sys
+import urllib.request
+from dataclasses import dataclass
+from enum import Enum
+
+from bs4 import BeautifulSoup, NavigableString, Tag
+
+HERE = pathlib.Path(__file__).parent
+ROOT = HERE.parent.parent.parent.parent
+VERSIONS_FILE = HERE / "kernels-org.json"
+
+
+class KernelNature(Enum):
+    MAINLINE = 1
+    STABLE = 2
+    LONGTERM = 3
+
+
+@dataclass
+class KernelRelease:
+    nature: KernelNature
+    version: str
+    branch: str
+    date: str
+    link: str
+    eol: bool = False
+
+
+def parse_release(release: Tag) -> KernelRelease | None:
+    columns: list[Tag] = list(release.find_all("td"))
+    try:
+        nature = KernelNature[columns[0].get_text().rstrip(":").upper()]
+    except KeyError:
+        return None
+
+    version = columns[1].get_text().rstrip(" [EOL]")
+    date = columns[2].get_text()
+    link = columns[3].find("a")
+    if link is not None and isinstance(link, Tag):
+        link = link.attrs.get("href")
+    assert link is not None, f"link for kernel {version} is non-existent"
+    eol = bool(release.find(class_="eolkernel"))
+
+    return KernelRelease(
+        nature=nature,
+        branch=get_branch(version),
+        version=version,
+        date=date,
+        link=link,
+        eol=eol,
+    )
+
+
+def get_branch(version: str):
+    # This is a testing kernel.
+    if "rc" in version:
+        return "testing"
+    else:
+        major, minor, *_ = version.split(".")
+        return f"{major}.{minor}"
+
+
+def get_hash(kernel: KernelRelease):
+    if kernel.branch == "testing":
+        args = ["--unpack"]
+    else:
+        args = []
+
+    hash = (
+        subprocess.check_output(["nix-prefetch-url", kernel.link] + args)
+        .decode()
+        .strip()
+    )
+    return f"sha256:{hash}"
+
+
+def commit(message):
+    return subprocess.check_call(["git", "commit", "-m", message, VERSIONS_FILE])
+
+
+def main():
+    kernel_org = urllib.request.urlopen("https://kernel.org/")
+    soup = BeautifulSoup(kernel_org.read().decode(), "lxml")
+    release_table = soup.find(id="releases")
+    if not release_table or isinstance(release_table, NavigableString):
+        print(release_table, file=sys.stderr)
+        print("Failed to find the release table on https://kernel.org", file=sys.stderr)
+        sys.exit(1)
+
+    releases = release_table.find_all("tr")
+    parsed_releases = filter(None, [parse_release(release) for release in releases])
+    all_kernels = json.load(VERSIONS_FILE.open())
+
+    for kernel in parsed_releases:
+        branch = get_branch(kernel.version)
+        nixpkgs_branch = branch.replace(".", "_")
+
+        old_version = all_kernels.get(branch, {}).get("version")
+        if old_version == kernel.version:
+            print(f"linux_{nixpkgs_branch}: {kernel.version} is latest, skipping...")
+            continue
+
+        if old_version is None:
+            message = f"linux_{nixpkgs_branch}: init at {kernel.version}"
+        else:
+            message = f"linux_{nixpkgs_branch}: {old_version} -> {kernel.version}"
+
+        print(message, file=sys.stderr)
+
+        all_kernels[branch] = {
+            "version": kernel.version,
+            "hash": get_hash(kernel),
+        }
+
+        with VERSIONS_FILE.open("w") as fd:
+            json.dump(all_kernels, fd, indent=4)
+            fd.write("\n")  # makes editorconfig happy
+
+        if os.environ.get("COMMIT") == "1":
+            commit(message)
+
+
+if __name__ == "__main__":
+    main()
diff --git a/nixpkgs/pkgs/os-specific/linux/kernel/update-rt.sh b/nixpkgs/pkgs/os-specific/linux/kernel/update-rt.sh
new file mode 100755
index 000000000000..a9e0577fae92
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/kernel/update-rt.sh
@@ -0,0 +1,80 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+# To update all rt kernels run: ./update-rt.sh
+
+# To update just one ./linux-rt-5.X.nix run: ./update-rt.sh ./linux-rt-5.X.nix
+
+# To add a new kernel branch 5.Y run: ./update-rt.sh ./linux-rt-5.Y.nix
+# (with nonexistent .nix file) and update all-packages.nix.
+
+# To commit run with: env COMMIT=1
+
+mirror=https://kernel.org/pub/linux/kernel
+
+main() {
+    if [ $# -ge 1 ]; then
+        update-if-needed "$1"
+    else
+        update-all-if-needed
+    fi
+}
+
+update-all-if-needed() {
+    for f in "$(dirname "$0")"/linux-rt-*.nix; do
+        update-if-needed "$f"
+    done
+}
+
+file-version() {
+    file="$1" # e.g. ./linux-rt-5.4.nix
+    if [ -e "$file" ]; then
+        grep ' version = ' "$file" | grep -o '[0-9].[^"]*'
+    fi
+}
+
+latest-rt-version() {
+    branch="$1" # e.g. 5.4
+    curl -sL "$mirror/projects/rt/$branch/sha256sums.asc" |
+        sed -ne '/.patch.xz/ { s/.*patch-\(.*\).patch.xz/\1/p}' |
+        grep -v '\-rc' |
+        sort --version-sort |
+        tail -n 1
+}
+
+update-if-needed() {
+    file="$1" # e.g. ./linux-rt-5.4.nix (created if does not exist)
+    branch=$(basename "$file" .nix) # e.g. linux-rt-5.4
+    branch=${branch#linux-rt-} # e.g. 5.4
+    cur=$(file-version "$file") # e.g. 5.4.59-rt36 or empty
+    new=$(latest-rt-version "$branch") # e.g. 5.4.61-rt37
+    kversion=${new%-*} # e.g. 5.4.61
+    major=${branch%.*} # e.g 5
+    nixattr="linux-rt_${branch/./_}"
+    if [ "$new" = "$cur" ]; then
+        echo "$nixattr: $cur (up-to-date)"
+        return
+    fi
+    khash=$(nix-prefetch-url "$mirror/v${major}.x/linux-${kversion}.tar.xz")
+    phash=$(nix-prefetch-url "$mirror/projects/rt/${branch}/older/patch-${new}.patch.xz")
+    if [ "$cur" ]; then
+        msg="$nixattr: $cur -> $new"
+    else
+        msg="$nixattr: init at $new"
+        prev=$(ls -v "$(dirname "$0")"/linux-rt-*.nix | tail -1)
+        cp "$prev" "$file"
+        cur=$(file-version "$file")
+    fi
+    echo "$msg"
+    sed -i "$file" \
+        -e "s/$cur/$new/" \
+        -e "s|kernel/v[0-9]*|kernel/v$major|" \
+        -e "1,/.patch.xz/ s/sha256 = .*/sha256 = \"$khash\";/" \
+        -e "1,/.patch.xz/! s/sha256 = .*/sha256 = \"$phash\";/"
+    if [ "${COMMIT:-}" ]; then
+        git add "$file"
+        git commit -m "$msg"
+    fi
+}
+
+return 2>/dev/null || main "$@"
diff --git a/nixpkgs/pkgs/os-specific/linux/kernel/update-zen.py b/nixpkgs/pkgs/os-specific/linux/kernel/update-zen.py
new file mode 100755
index 000000000000..3c51f806d8f8
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/kernel/update-zen.py
@@ -0,0 +1,122 @@
+#! /usr/bin/env nix-shell
+#! nix-shell -i python3 -p python3 nix nix-prefetch-git
+
+import fileinput
+import json
+import os
+import sys
+import re
+import subprocess
+
+from datetime import datetime
+from urllib.request import urlopen, Request
+
+
+def panic(exc):
+    raise Exception(exc)
+
+
+DIR = os.path.dirname(os.path.abspath(__file__))
+HEADERS = {'Accept': 'application/vnd.github.v3+json'}
+
+
+def github_api_request(endpoint):
+    base_url = 'https://api.github.com/'
+    request = Request(base_url + endpoint, headers=HEADERS)
+    with urlopen(request) as http_response:
+        return json.loads(http_response.read().decode('utf-8'))
+
+
+def get_commit_date(repo, sha):
+    url = f'https://api.github.com/repos/{repo}/commits/{sha}'
+    request = Request(url, headers=HEADERS)
+    with urlopen(request) as http_response:
+        commit = json.loads(http_response.read().decode())
+        date = commit['commit']['committer']['date'].rstrip('Z')
+        date = datetime.fromisoformat(date).date().isoformat()
+        return 'unstable-' + date
+
+
+def nix_prefetch_git(url, rev):
+    """Prefetches the requested Git revision (incl. submodules) of the given repository URL."""
+    print(f'nix-prefetch-git {url} {rev}')
+    out = subprocess.check_output([
+        'nix-prefetch-git', '--quiet',
+        '--url', url,
+        '--rev', rev,
+        '--fetch-submodules'])
+    return json.loads(out)['sha256']
+
+
+def nix_prefetch_url(url, unpack=False):
+    """Prefetches the content of the given URL."""
+    print(f'nix-prefetch-url {url}')
+    options = ['--type', 'sha256']
+    if unpack:
+        options += ['--unpack']
+    out = subprocess.check_output(['nix-prefetch-url'] + options + [url])
+    return out.decode('utf-8').rstrip()
+
+
+def update_file(relpath, variant, version, suffix, sha256):
+    file_path = os.path.join(DIR, relpath)
+    with fileinput.FileInput(file_path, inplace=True) as f:
+        for line in f:
+            result = line
+            result = re.sub(
+                fr'^    version = ".+"; #{variant}',
+                f'    version = "{version}"; #{variant}',
+                result)
+            result = re.sub(
+                fr'^    suffix = ".+"; #{variant}',
+                f'    suffix = "{suffix}"; #{variant}',
+                result)
+            result = re.sub(
+                fr'^    sha256 = ".+"; #{variant}',
+                f'    sha256 = "{sha256}"; #{variant}',
+                result)
+            print(result, end='')
+
+
+def read_file(relpath, variant):
+    file_path = os.path.join(DIR, relpath)
+    re_version = re.compile(fr'^\s*version = "(.+)"; #{variant}')
+    re_suffix = re.compile(fr'^\s*suffix = "(.+)"; #{variant}')
+    version = None
+    suffix = None
+    with fileinput.FileInput(file_path, mode='r') as f:
+        for line in f:
+            version_match = re_version.match(line)
+            if version_match:
+                version = version_match.group(1)
+                continue
+
+            suffix_match = re_suffix.match(line)
+            if suffix_match:
+                suffix = suffix_match.group(1)
+                continue
+
+            if version and suffix:
+                break
+    return version, suffix
+
+
+if __name__ == "__main__":
+    if len(sys.argv) == 1:
+        panic("Update variant expected")
+    variant = sys.argv[1]
+    if variant not in ("zen", "lqx"):
+        panic(f"Unexepected variant instead of 'zen' or 'lqx': {sys.argv[1]}")
+    pattern = re.compile(fr"v(\d+\.\d+\.?\d*)-({variant}\d+)")
+    zen_tags = github_api_request('repos/zen-kernel/zen-kernel/releases')
+    for tag in zen_tags:
+        zen_match = pattern.match(tag['tag_name'])
+        if zen_match:
+            zen_tag = zen_match.group(0)
+            zen_version = zen_match.group(1)
+            zen_suffix = zen_match.group(2)
+            break
+    old_version, old_suffix = read_file('zen-kernels.nix', variant)
+    if old_version != zen_version or old_suffix != zen_suffix:
+        zen_hash = nix_prefetch_git('https://github.com/zen-kernel/zen-kernel.git', zen_tag)
+        update_file('zen-kernels.nix', variant, zen_version, zen_suffix, zen_hash)
diff --git a/nixpkgs/pkgs/os-specific/linux/kernel/update.sh b/nixpkgs/pkgs/os-specific/linux/kernel/update.sh
new file mode 100755
index 000000000000..37e1cc1a5cd4
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/kernel/update.sh
@@ -0,0 +1,14 @@
+#!/usr/bin/env bash
+cd "$(dirname "$(readlink -f "$0")")" || exit
+
+echo "Update linux (mainline)"
+COMMIT=1 ./update-mainline.py || echo "update-mainline failed with exit code $?"
+
+echo "Update linux-rt"
+COMMIT=1 ./update-rt.sh || echo "update-rt failed with exit code $?"
+
+echo "Update linux-libre"
+COMMIT=1 ./update-libre.sh || echo "update-libre failed with exit code $?"
+
+echo "Update linux-hardened"
+COMMIT=1 ./hardened/update.py || echo "update-hardened failed with exit code $?"
diff --git a/nixpkgs/pkgs/os-specific/linux/kernel/xanmod-kernels.nix b/nixpkgs/pkgs/os-specific/linux/kernel/xanmod-kernels.nix
new file mode 100644
index 000000000000..691b4899f2dd
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/kernel/xanmod-kernels.nix
@@ -0,0 +1,56 @@
+{ lib, stdenv, fetchFromGitHub, buildLinux, ... } @ args:
+
+let
+  # These names are how they are designated in https://xanmod.org.
+
+  # NOTE: When updating these, please also take a look at the changes done to
+  # kernel config in the xanmod version commit
+  ltsVariant = {
+    version = "6.1.62";
+    hash = "sha256-fo5OQ/MZ+QVdCmLzX0OgFUBedfqrkqp+Ev081RVdtWw=";
+    variant = "lts";
+  };
+
+  mainVariant = {
+    version = "6.5.11";
+    hash = "sha256-1bb5LG6JvqX5eNSe2Xyu86HxaqkUVkKUf1H3T7bFkGE=";
+    variant = "main";
+  };
+
+  xanmodKernelFor = { version, suffix ? "xanmod1", hash, variant }: buildLinux (args // rec {
+    inherit version;
+    modDirVersion = lib.versions.pad 3 "${version}-${suffix}";
+
+    src = fetchFromGitHub {
+      owner = "xanmod";
+      repo = "linux";
+      rev = modDirVersion;
+      inherit hash;
+    };
+
+    structuredExtraConfig = with lib.kernel; {
+      # Google's BBRv3 TCP congestion Control
+      TCP_CONG_BBR = yes;
+      DEFAULT_BBR = yes;
+
+      # WineSync driver for fast kernel-backed Wine
+      WINESYNC = module;
+
+      # Preemptive Full Tickless Kernel at 250Hz
+      HZ = freeform "250";
+      HZ_250 = yes;
+      HZ_1000 = no;
+    };
+
+    extraMeta = {
+      branch = lib.versions.majorMinor version;
+      maintainers = with lib.maintainers; [ fortuneteller2k lovesegfault atemu shawn8901 zzzsy ];
+      description = "Built with custom settings and new features built to provide a stable, responsive and smooth desktop experience";
+      broken = stdenv.isAarch64;
+    };
+  } // (args.argsOverride or { }));
+in
+{
+  lts = xanmodKernelFor ltsVariant;
+  main = xanmodKernelFor mainVariant;
+}
diff --git a/nixpkgs/pkgs/os-specific/linux/kernel/zen-kernels.nix b/nixpkgs/pkgs/os-specific/linux/kernel/zen-kernels.nix
new file mode 100644
index 000000000000..456a6c7c27dd
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/kernel/zen-kernels.nix
@@ -0,0 +1,116 @@
+{ lib, stdenv, fetchFromGitHub, buildLinux, ... } @ args:
+
+let
+  # comments with variant added for update script
+  # ./update-zen.py zen
+  zenVariant = {
+    version = "6.6.1"; #zen
+    suffix = "zen1"; #zen
+    sha256 = "13m820wggf6pkp351w06mdn2lfcwbn08ydwksyxilqb88vmr0lpq"; #zen
+    isLqx = false;
+  };
+  # ./update-zen.py lqx
+  lqxVariant = {
+    version = "6.5.11"; #lqx
+    suffix = "lqx2"; #lqx
+    sha256 = "0rak2ald95bwb5qlp8pf2g93a0gkv8rypiv5s8dpds3cilwmxrg9"; #lqx
+    isLqx = true;
+  };
+  zenKernelsFor = { version, suffix, sha256, isLqx }: buildLinux (args // {
+    inherit version;
+    modDirVersion = lib.versions.pad 3 "${version}-${suffix}";
+    isZen = true;
+
+    src = fetchFromGitHub {
+      owner = "zen-kernel";
+      repo = "zen-kernel";
+      rev = "v${version}-${suffix}";
+      inherit sha256;
+    };
+
+    # This is based on the following sources:
+    # - zen: https://gitlab.archlinux.org/archlinux/packaging/packages/linux-zen/-/blob/main/config
+    # - lqx: https://github.com/damentz/liquorix-package/blob/6.4/master/linux-liquorix/debian/config/kernelarch-x86/config-arch-64
+    # - Liquorix features: https://liquorix.net/
+    # The list below is not exhaustive, so the kernels probably doesn't match
+    # the upstream, but should bring most of the improvements that will be
+    # expected by users
+    structuredExtraConfig = with lib.kernel; {
+      # Zen Interactive tuning
+      ZEN_INTERACTIVE = yes;
+
+      # FQ-Codel Packet Scheduling
+      NET_SCH_DEFAULT = yes;
+      DEFAULT_FQ_CODEL = yes;
+      DEFAULT_NET_SCH = freeform "fq_codel";
+
+      # Preempt (low-latency)
+      PREEMPT = lib.mkOverride 60 yes;
+      PREEMPT_VOLUNTARY = lib.mkOverride 60 no;
+
+      # Preemptible tree-based hierarchical RCU
+      TREE_RCU = yes;
+      PREEMPT_RCU = yes;
+      RCU_EXPERT = yes;
+      TREE_SRCU = yes;
+      TASKS_RCU_GENERIC = yes;
+      TASKS_RCU = yes;
+      TASKS_RUDE_RCU = yes;
+      TASKS_TRACE_RCU = yes;
+      RCU_STALL_COMMON = yes;
+      RCU_NEED_SEGCBLIST = yes;
+      RCU_FANOUT = freeform "64";
+      RCU_FANOUT_LEAF = freeform "16";
+      RCU_BOOST = yes;
+      RCU_BOOST_DELAY = freeform "500";
+      RCU_NOCB_CPU = yes;
+      RCU_LAZY = yes;
+
+      # Futex WAIT_MULTIPLE implementation for Wine / Proton Fsync.
+      FUTEX = yes;
+      FUTEX_PI = yes;
+
+      # Preemptive Full Tickless Kernel at 1000Hz
+      HZ = freeform "1000";
+      HZ_1000 = yes;
+    } // lib.optionalAttrs (isLqx) {
+      # Google's BBRv3 TCP congestion Control
+      TCP_CONG_BBR = yes;
+      DEFAULT_BBR = yes;
+      DEFAULT_TCP_CONG = freeform "bbr";
+
+      # PDS Process Scheduler
+      SCHED_ALT = yes;
+      SCHED_PDS = yes;
+
+      # Swap storage is compressed with LZ4 using zswap
+      ZSWAP_COMPRESSOR_DEFAULT_LZ4 = yes;
+      ZSWAP_COMPRESSOR_DEFAULT = freeform "lz4";
+
+      # Fix error: unused option: XXX.
+      CFS_BANDWIDTH = lib.mkForce (option no);
+      PSI = lib.mkForce (option no);
+      RT_GROUP_SCHED = lib.mkForce (option no);
+      SCHED_AUTOGROUP = lib.mkForce (option no);
+      SCHED_CORE = lib.mkForce (option no);
+
+      # ERROR: modpost: "sched_numa_hop_mask" [drivers/net/ethernet/mellanox/mlx5/core/mlx5_core.ko] undefined!
+      MLX5_CORE = no;
+    };
+
+    passthru.updateScript = [ ./update-zen.py (if isLqx then "lqx" else "zen") ];
+
+    extraMeta = {
+      branch = lib.versions.majorMinor version + "/master";
+      maintainers = with lib.maintainers; [ thiagokokada jerrysm64 ];
+      description = "Built using the best configuration and kernel sources for desktop, multimedia, and gaming workloads." +
+        lib.optionalString isLqx " (Same as linux_zen, but less aggressive release schedule and additional extra config)";
+      broken = stdenv.isAarch64;
+    };
+
+  } // (args.argsOverride or { }));
+in
+{
+  zen = zenKernelsFor zenVariant;
+  lqx = zenKernelsFor lqxVariant;
+}
diff --git a/nixpkgs/pkgs/os-specific/linux/kexec-tools/default.nix b/nixpkgs/pkgs/os-specific/linux/kexec-tools/default.nix
new file mode 100644
index 000000000000..2df5c0454ddc
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/kexec-tools/default.nix
@@ -0,0 +1,42 @@
+{ lib, stdenv, buildPackages, fetchurl, fetchpatch, zlib }:
+
+stdenv.mkDerivation rec {
+  pname = "kexec-tools";
+  version = "2.0.26";
+
+  src = fetchurl {
+    urls = [
+      "mirror://kernel/linux/utils/kernel/kexec/${pname}-${version}.tar.xz"
+      "http://horms.net/projects/kexec/kexec-tools/${pname}-${version}.tar.xz"
+    ];
+    sha256 = "sha256-f+NqBkEBzVxRXkGyvjk9zjyoitzlnW7maOCvfAxFcM0=";
+  };
+
+  patches = [
+    # Use ELFv2 ABI on ppc64be
+    (fetchpatch {
+      url = "https://raw.githubusercontent.com/void-linux/void-packages/6c1192cbf166698932030c2e3de71db1885a572d/srcpkgs/kexec-tools/patches/ppc64-elfv2.patch";
+      sha256 = "19wzfwb0azm932v0vhywv4221818qmlmvdfwpvvpfyw4hjsc2s1l";
+    })
+  ];
+
+  hardeningDisable = [ "format" "pic" "relro" "pie" ];
+
+  # Prevent kexec-tools from using uname to detect target, which is wrong in
+  # cases like compiling for aarch32 on aarch64
+  configurePlatforms = [ "build" "host" ];
+  configureFlags = [ "BUILD_CC=${buildPackages.stdenv.cc.targetPrefix}cc" ];
+  depsBuildBuild = [ buildPackages.stdenv.cc ];
+  buildInputs = [ zlib ];
+
+  meta = with lib; {
+    homepage = "http://horms.net/projects/kexec/kexec-tools";
+    description = "Tools related to the kexec Linux feature";
+    platforms = platforms.linux;
+    badPlatforms = [
+      "riscv64-linux" "riscv32-linux"
+      "sparc-linux" "sparc64-linux"
+    ];
+    license = licenses.gpl2;
+  };
+}
diff --git a/nixpkgs/pkgs/os-specific/linux/keyutils/0001-Remove-unused-function-after_eq.patch b/nixpkgs/pkgs/os-specific/linux/keyutils/0001-Remove-unused-function-after_eq.patch
new file mode 100644
index 000000000000..61ad2a474f9a
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/keyutils/0001-Remove-unused-function-after_eq.patch
@@ -0,0 +1,28 @@
+From 59d91e57d103fb4686d2f45ee3c688878244367a Mon Sep 17 00:00:00 2001
+From: Christian Kampka <christian@kampka.net>
+Date: Tue, 24 Nov 2020 22:12:40 +0100
+Subject: [PATCH] Remove unused function 'after_eq'
+
+---
+ keyctl_watch.c | 5 -----
+ 1 file changed, 5 deletions(-)
+
+diff --git a/keyctl_watch.c b/keyctl_watch.c
+index a70a19a..c4ca7f7 100644
+--- a/keyctl_watch.c
++++ b/keyctl_watch.c
+@@ -47,11 +47,6 @@ static struct watch_notification_filter filter = {
+ 	},
+ };
+ 
+-static inline bool after_eq(unsigned int a, unsigned int b)
+-{
+-        return (signed int)(a - b) >= 0;
+-}
+-
+ static void consumer_term(int sig)
+ {
+ 	consumer_stop = 1;
+-- 
+2.28.0
+
diff --git a/nixpkgs/pkgs/os-specific/linux/keyutils/conf-symlink.patch b/nixpkgs/pkgs/os-specific/linux/keyutils/conf-symlink.patch
new file mode 100644
index 000000000000..02762e857a81
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/keyutils/conf-symlink.patch
@@ -0,0 +1,13 @@
+diff --git a/request-key.c b/request-key.c
+index bf47c0a..105fee8 100644
+--- a/request-key.c
++++ b/request-key.c
+@@ -313,7 +313,7 @@ static void scan_conf_dir(struct parameters *params, const char *confdir)
+ 	while ((d = readdir(dir))) {
+ 		if (d->d_name[0] == '.')
+ 			continue;
+-		if (d->d_type != DT_UNKNOWN && d->d_type != DT_REG)
++		if (d->d_type != DT_UNKNOWN && d->d_type != DT_REG && d->d_type != DT_LNK)
+ 			continue;
+ 		l = strlen(d->d_name);
+ 		if (l < 5)
diff --git a/nixpkgs/pkgs/os-specific/linux/keyutils/default.nix b/nixpkgs/pkgs/os-specific/linux/keyutils/default.nix
new file mode 100644
index 000000000000..86b2535e1dde
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/keyutils/default.nix
@@ -0,0 +1,62 @@
+{ lib, stdenv, fetchurl }:
+
+# Note: this package is used for bootstrapping fetchurl, and thus
+# cannot use fetchpatch! All mutable patches (generated by GitHub or
+# cgit) that are needed here should be included directly in Nixpkgs as
+# files.
+
+stdenv.mkDerivation rec {
+  pname = "keyutils";
+  version = "1.6.3";
+
+  src = fetchurl {
+    url = "https://git.kernel.org/pub/scm/linux/kernel/git/dhowells/keyutils.git/snapshot/${pname}-${version}.tar.gz";
+    sha256 = "sha256-ph1XBhNq5MBb1I+GGGvP29iN2L1RB+Phlckkz8Gzm7Q=";
+  };
+
+  patches = [
+    ./conf-symlink.patch
+    # This patch solves a duplicate symbol error when building with a clang stdenv
+    # Before removing this patch, please ensure the package still builds by running eg.
+    # nix-build -E 'with import ./. {}; pkgs.keyutils.override { stdenv = pkgs.clangStdenv; }'
+    ./0001-Remove-unused-function-after_eq.patch
+
+    # Fix build for s390-linux, where size_t is different from ptrdiff_t.
+    (fetchurl {
+      url = "https://lore.kernel.org/keyrings/20230301134250.301819-1-hi@alyssa.is/raw";
+      sha256 = "1cbgwxq28fw5ldh38ngcs7xiqvpnmrw0hw9zzhbhb1hdxkavrc1s";
+    })
+  ];
+
+  makeFlags = lib.optionals stdenv.hostPlatform.isStatic "NO_SOLIB=1";
+
+  outputs = [ "out" "lib" "dev" ];
+
+  postPatch = ''
+    # https://github.com/archlinux/svntogit-packages/blob/packages/keyutils/trunk/reproducible.patch
+    substituteInPlace Makefile \
+      --replace \
+        'VCPPFLAGS	:= -DPKGBUILD="\"$(shell date -u +%F)\""' \
+        'VCPPFLAGS	:= -DPKGBUILD="\"$(date -ud "@$SOURCE_DATE_EPOCH" +%F)\""'
+  '';
+
+  enableParallelBuilding = true;
+
+  installFlags = [
+    "ETCDIR=$(out)/etc"
+    "BINDIR=$(out)/bin"
+    "SBINDIR=$(out)/sbin"
+    "SHAREDIR=$(out)/share/keyutils"
+    "MANDIR=$(out)/share/man"
+    "INCLUDEDIR=$(dev)/include"
+    "LIBDIR=$(lib)/lib"
+    "USRLIBDIR=$(lib)/lib"
+  ];
+
+  meta = with lib; {
+    homepage = "https://people.redhat.com/dhowells/keyutils/";
+    description = "Tools used to control the Linux kernel key management system";
+    license = licenses.gpl2Plus;
+    platforms = platforms.linux;
+  };
+}
diff --git a/nixpkgs/pkgs/os-specific/linux/kinect-audio-setup/default.nix b/nixpkgs/pkgs/os-specific/linux/kinect-audio-setup/default.nix
new file mode 100644
index 000000000000..94ae4806cf25
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/kinect-audio-setup/default.nix
@@ -0,0 +1,91 @@
+{ lib
+, stdenv
+, fetchgit
+, requireFile
+, pkg-config
+, libusb1
+, p7zip
+}:
+
+let
+  # The last known good firmware package to have been tested
+  # by the upstream projet.
+  # The firmware URL is hardcoded in the upstream project's installation script
+  firmwareUrl = "https://download.microsoft.com/download/F/9/9/F99791F2-D5BE-478A-B77A-830AD14950C3/KinectSDK-v1.0-beta2-x86.msi";
+  # The original URL "https://research.microsoft.com/en-us/um/legal/kinectsdk-tou_noncommercial.htm"
+  # redirects to the following url:
+  licenseUrl = "https://www.microsoft.com/en-us/legal/terms-of-use";
+in
+stdenv.mkDerivation rec {
+  pname = "kinect-audio-setup";
+
+  # On update: Make sure that the `firmwareURL` is still in sync with upstream.
+  # If the project structure hasn't changed you can find the URL in the
+  # `kinect_fetch_fw` file in the project source.
+  version = "0.5";
+
+  # This is an MSI or CAB file
+  FIRMWARE = requireFile rec {
+    name = "UACFirmware";
+    sha256 = "08a2vpgd061cmc6h3h8i6qj3sjvjr1fwcnwccwywqypz3icn8xw1";
+    message = ''
+      In order to install the Kinect Audio Firmware, you need to download the
+      non-redistributable firmware from Microsoft.
+      The firmware is available at ${firmwareUrl} and the license at ${licenseUrl} .
+      Save the file as UACFirmware and use "nix-prefetch-url file://\$PWD/UACFirmware" to
+      add it to the Nix store.
+    '';
+  };
+
+  src = fetchgit {
+    url = "git://git.ao2.it/kinect-audio-setup.git";
+    rev = "v${version}";
+    sha256 = "sha256-bFwmWh822KvFwP/0Gu097nF5K2uCwCLMB1RtP7k+Zt0=";
+  };
+
+  # These patches are not upstream because the project has seen no
+  # activity since 2016
+  patches = [
+    ./libusb-1-import-path.patch
+    ./udev-rules-extra-devices.patch
+  ];
+
+  nativeBuildInputs = [ p7zip libusb1 pkg-config ];
+
+  makeFlags = [
+    "PREFIX=$(out)"
+    "DESTDIR=$(out)"
+    "FIRMWARE_PATH=$(out)/lib/firmware/UACFirmware"
+    "LOADER_PATH=$(out)/libexec/kinect_upload_fw"
+  ];
+
+  buildPhase = ''
+    runHook preBuild
+    make -C kinect_upload_fw kinect_upload_fw $makeFlags "''${makeFlagsArray[@]}"
+    runHook postBuild
+  '';
+
+  installPhase = ''
+    runHook preInstall
+    mkdir -p $out/libexec/ $out/lib/firmware $out/lib/udev/rules.d
+
+    install -Dm755 kinect_upload_fw/kinect_upload_fw $out/libexec/
+
+    # 7z extract "assume yes on all queries" "only extract/keep files/directories matching UACFIRMWARE.* recursively"
+    7z e -y -r "${FIRMWARE}" "UACFirmware.*" >/dev/null
+    # The filename is bound to change with the Firmware SDK
+    mv UACFirmware.* $out/lib/firmware/UACFirmware
+
+    make install_udev_rules $makeFlags "''${makeFlagsArray[@]}"
+
+    runHook postInstall
+  '';
+
+  meta = with lib; {
+    description = "Tools to enable audio input from the Microsoft Kinect sensor device";
+    homepage = "https://git.ao2.it/kinect-audio-setup.git";
+    maintainers = with maintainers; [ berbiche ];
+    platforms = platforms.linux;
+    license = licenses.unfree;
+  };
+}
diff --git a/nixpkgs/pkgs/os-specific/linux/kinect-audio-setup/libusb-1-import-path.patch b/nixpkgs/pkgs/os-specific/linux/kinect-audio-setup/libusb-1-import-path.patch
new file mode 100644
index 000000000000..a0c5ad99f9f2
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/kinect-audio-setup/libusb-1-import-path.patch
@@ -0,0 +1,23 @@
+commit 02fd6c4355809e1bff7c66d478e88f30bedde13b
+Author: Nicolas Berbiche <nicolas@normie.dev>
+Date:   Wed May 5 23:14:56 2021 -0400
+
+    fix libusb include for Linux
+
+diff --git a/kinect_upload_fw/kinect_upload_fw.c b/kinect_upload_fw/kinect_upload_fw.c
+index 1bd4102..351c94f 100644
+--- a/kinect_upload_fw/kinect_upload_fw.c
++++ b/kinect_upload_fw/kinect_upload_fw.c
+@@ -35,7 +35,12 @@
+ #include <stdlib.h>
+ #include <string.h>
+ #include <errno.h>
++
++#if defined(__FreeBSD__) || defined(__NetBSD__) || defined(_WIN32)
+ #include <libusb.h>
++#else
++#include <libusb-1.0/libusb.h>
++#endif
+ 
+ #include "endian.h"
+ 
diff --git a/nixpkgs/pkgs/os-specific/linux/kinect-audio-setup/udev-rules-extra-devices.patch b/nixpkgs/pkgs/os-specific/linux/kinect-audio-setup/udev-rules-extra-devices.patch
new file mode 100644
index 000000000000..d58b970c7c01
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/kinect-audio-setup/udev-rules-extra-devices.patch
@@ -0,0 +1,15 @@
+commit afaaa77b0a03811f86428cf264397b60dd795549
+Author: Nicolas Berbiche <nicolas@normie.dev>
+Date:   Thu May 6 00:10:37 2021 -0400
+
+    Add support for other Kinect device in udev
+
+diff --git a/contrib/55-kinect_audio.rules.in b/contrib/55-kinect_audio.rules.in
+index 25ea713..9e1b69f 100644
+--- a/contrib/55-kinect_audio.rules.in
++++ b/contrib/55-kinect_audio.rules.in
+@@ -1,2 +1,4 @@
+ # Rule to load the Kinect UAC firmware on the "generic" usb device
+ ACTION=="add", SUBSYSTEMS=="usb", ATTRS{idVendor}=="045e", ATTRS{idProduct}=="02ad", RUN+="@LOADER_PATH@ @FIRMWARE_PATH@"
++# Rule to load the Kinect UAC firmware on another supported device
++ACTION=="add", SUBSYSTEMS=="usb", ATTRS{idVendor}=="045e", ATTRS{idProduct}=="02bb", RUN+="@LOADER_PATH@ @FIRMWARE_PATH@"
diff --git a/nixpkgs/pkgs/os-specific/linux/klibc/default.nix b/nixpkgs/pkgs/os-specific/linux/klibc/default.nix
new file mode 100644
index 000000000000..3a044cf9d84d
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/klibc/default.nix
@@ -0,0 +1,58 @@
+{ lib, stdenv, fetchurl, buildPackages, linuxHeaders, perl, nixosTests }:
+
+let
+  commonMakeFlags = [
+    "prefix=$(out)"
+    "SHLIBDIR=$(out)/lib"
+  ];
+in
+
+stdenv.mkDerivation rec {
+  pname = "klibc";
+  version = "2.0.13";
+
+  src = fetchurl {
+    url = "mirror://kernel/linux/libs/klibc/2.0/klibc-${version}.tar.xz";
+    hash = "sha256-1nOilPdC1ZNoIi/1w4Ri2BCYxVBjeZ3m+4p7o9SvBDY=";
+  };
+
+  patches = [ ./no-reinstall-kernel-headers.patch ];
+
+  depsBuildBuild = [ buildPackages.stdenv.cc ];
+  nativeBuildInputs = [ perl ];
+  strictDeps = true;
+
+  hardeningDisable = [ "format" "stackprotector" ];
+
+  makeFlags = commonMakeFlags ++ [
+    "KLIBCARCH=${if stdenv.hostPlatform.isRiscV64 then "riscv64" else stdenv.hostPlatform.linuxArch}"
+    "KLIBCKERNELSRC=${linuxHeaders}"
+  ] # TODO(@Ericson2314): We now can get the ABI from
+    # `stdenv.hostPlatform.parsed.abi`, is this still a good idea?
+    ++ lib.optional (stdenv.hostPlatform.linuxArch == "arm") "CONFIG_AEABI=y"
+    ++ lib.optional (stdenv.hostPlatform != stdenv.buildPlatform) "CROSS_COMPILE=${stdenv.cc.targetPrefix}";
+
+  # Install static binaries as well.
+  postInstall = ''
+    dir=$out/lib/klibc/bin.static
+    mkdir $dir
+    cp $(find $(find . -name static) -type f ! -name "*.g" -a ! -name ".*") $dir/
+
+    for file in ${linuxHeaders}/include/*; do
+      ln -sv $file $out/lib/klibc/include
+    done
+  '';
+
+  passthru.tests = {
+    # uses klibc's ipconfig
+    inherit (nixosTests) initrd-network-ssh;
+  };
+
+  meta = {
+    description = "Minimalistic libc subset for initramfs usage";
+    homepage = "https://kernel.org/pub/linux/libs/klibc/";
+    maintainers = with lib.maintainers; [ fpletz ];
+    license = lib.licenses.bsd3;
+    platforms = lib.platforms.linux;
+  };
+}
diff --git a/nixpkgs/pkgs/os-specific/linux/klibc/no-reinstall-kernel-headers.patch b/nixpkgs/pkgs/os-specific/linux/klibc/no-reinstall-kernel-headers.patch
new file mode 100644
index 000000000000..bf46a17f3d7d
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/klibc/no-reinstall-kernel-headers.patch
@@ -0,0 +1,12 @@
+diff --git a/scripts/Kbuild.install b/scripts/Kbuild.install
+index 0788637f..6708e19f 100644
+--- a/scripts/Kbuild.install
++++ b/scripts/Kbuild.install
+@@ -102,7 +102,6 @@ header:
+ 	$(Q)mkdir -p $(INSTALLROOT)$(INSTALLDIR)/$(KCROSS)include
+ 	$(Q)mkdir -p $(INSTALLROOT)$(INSTALLDIR)/$(KCROSS)lib
+ 	$(Q)mkdir -p $(INSTALLROOT)$(INSTALLDIR)/$(KCROSS)bin
+-	$(Q)cp -rfL $(KLIBCKERNELSRC)/include/. $(INSTALLROOT)$(INSTALLDIR)/$(KCROSS)include/.
+ ifneq ($(srctree),$(objtree))
+ 	$(Q)cp -rf $(srctree)/usr/include/. $(INSTALLROOT)$(INSTALLDIR)/$(KCROSS)include/.
+ endif
diff --git a/nixpkgs/pkgs/os-specific/linux/klibc/shrunk.nix b/nixpkgs/pkgs/os-specific/linux/klibc/shrunk.nix
new file mode 100644
index 000000000000..8b79940ed78c
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/klibc/shrunk.nix
@@ -0,0 +1,26 @@
+{stdenv, klibc}:
+
+stdenv.mkDerivation {
+  # !!! For now, the name has to be exactly as long as the original
+  # name due to the sed hackery below.  Once patchelf 0.4 is in the
+  # tree, we can do this properly.
+  #name = "${klibc.name}-shrunk";
+  name = klibc.name;
+  buildCommand = ''
+    mkdir -p $out/lib
+    cp -prd ${klibc.out}/lib/klibc/bin $out/
+    cp -p ${klibc.out}/lib/*.so $out/lib/
+    chmod +w $out/*
+    old=$(echo ${klibc.out}/lib/klibc-*.so)
+    new=$(echo $out/lib/klibc-*.so)
+    for i in $out/bin/*; do
+      echo $i
+      sed "s^$old^$new^" -i $i
+      # !!! use patchelf
+      #patchelf --set-interpreter $new $i
+    done
+  ''; # */
+  allowedReferences = ["out"];
+
+  inherit (klibc) meta;
+}
diff --git a/nixpkgs/pkgs/os-specific/linux/kmod-blacklist-ubuntu/default.nix b/nixpkgs/pkgs/os-specific/linux/kmod-blacklist-ubuntu/default.nix
new file mode 100644
index 000000000000..3964538a4096
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/kmod-blacklist-ubuntu/default.nix
@@ -0,0 +1,39 @@
+{ lib, stdenv, fetchurl }:
+
+let
+  version = "28-1ubuntu4"; # impish 2021-06-24
+
+in stdenv.mkDerivation {
+  pname = "kmod-blacklist";
+  inherit version;
+
+  src = fetchurl {
+    url = "https://launchpad.net/ubuntu/+archive/primary/+files/kmod_${version}.debian.tar.xz";
+    sha256 = "sha256-K8tWpaLmCm3Jcxw3OZ+D7Koiug7epooRn1YMfqjGAiw=";
+  };
+
+  installPhase = ''
+    mkdir "$out"
+    for f in modprobe.d/*.conf; do
+      echo "''\n''\n## file: "`basename "$f"`"''\n''\n" >> "$out"/modprobe.conf
+      cat "$f" >> "$out"/modprobe.conf
+      # https://bugs.launchpad.net/ubuntu/+source/kmod/+bug/1475945
+      sed -i '/^blacklist i2c_i801/d' $out/modprobe.conf
+    done
+
+    substituteInPlace "$out"/modprobe.conf \
+      --replace "blacklist bochs-drm" "" \
+      --replace /sbin/lsmod /run/booted-system/sw/bin/lsmod \
+      --replace /sbin/rmmod /run/booted-system/sw/bin/rmmod \
+      --replace /sbin/modprobe /run/booted-system/sw/bin/modprobe \
+      --replace " grep " " /run/booted-system/sw/bin/grep " \
+      --replace " xargs " " /run/booted-system/sw/bin/xargs "
+  '';
+
+  meta = with lib; {
+    homepage = "https://launchpad.net/ubuntu/+source/kmod";
+    description = "Linux kernel module blacklists from Ubuntu";
+    platforms = platforms.linux;
+    license = with licenses; [ gpl2Plus lgpl21Plus ];
+  };
+}
diff --git a/nixpkgs/pkgs/os-specific/linux/kmod-debian-aliases/default.nix b/nixpkgs/pkgs/os-specific/linux/kmod-debian-aliases/default.nix
new file mode 100644
index 000000000000..15f7251f9961
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/kmod-debian-aliases/default.nix
@@ -0,0 +1,24 @@
+{ stdenv, fetchurl, lib }:
+
+stdenv.mkDerivation rec {
+  pname = "kmod-debian-aliases.conf";
+  version = "22-1.1";
+
+  src = fetchurl {
+    url = "https://snapshot.debian.org/archive/debian/20160404T220610Z/pool/main/k/kmod/kmod_${version}.debian.tar.xz";
+    sha256 = "0daap2n4bvjqcnksaayy6csmdb1px4r02w3xp36bcp6w3lbnqamh";
+  };
+
+  installPhase = ''
+    patch -i patches/aliases_conf
+    cp aliases.conf $out
+  '';
+
+  meta = with lib; {
+    homepage = "https://packages.debian.org/source/sid/kmod";
+    description = "Linux configuration file for modprobe";
+    maintainers = with maintainers; [ mathnerd314 ];
+    platforms = with platforms; linux;
+    license = with licenses; [ gpl2Plus lgpl21Plus ];
+  };
+}
diff --git a/nixpkgs/pkgs/os-specific/linux/kmod/aggregator.nix b/nixpkgs/pkgs/os-specific/linux/kmod/aggregator.nix
new file mode 100644
index 000000000000..cd138f1d7f55
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/kmod/aggregator.nix
@@ -0,0 +1,35 @@
+{ stdenvNoCC, kmod, modules, buildEnv, name ? "kernel-modules" }:
+
+buildEnv {
+  inherit name;
+
+  paths = modules;
+
+  postBuild =
+    ''
+      source ${stdenvNoCC}/setup
+
+      if ! test -d "$out/lib/modules"; then
+        echo "No modules found."
+        # To support a kernel without modules
+        exit 0
+      fi
+
+      kernelVersion=$(cd $out/lib/modules && ls -d *)
+      if test "$(echo $kernelVersion | wc -w)" != 1; then
+         echo "inconsistent kernel versions: $kernelVersion"
+         exit 1
+      fi
+
+      echo "kernel version is $kernelVersion"
+
+      shopt -s extglob
+
+      # Regenerate the depmod map files.  Be sure to pass an explicit
+      # kernel version number, otherwise depmod will use `uname -r'.
+      if test -w $out/lib/modules/$kernelVersion; then
+          rm -f $out/lib/modules/$kernelVersion/modules.!(builtin*|order*)
+          ${kmod}/bin/depmod -b $out -C $out/etc/depmod.d -a $kernelVersion
+      fi
+    '';
+}
diff --git a/nixpkgs/pkgs/os-specific/linux/kmod/default.nix b/nixpkgs/pkgs/os-specific/linux/kmod/default.nix
new file mode 100644
index 000000000000..3f971e7a6edb
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/kmod/default.nix
@@ -0,0 +1,84 @@
+{ stdenv, lib, fetchzip, autoconf, automake, docbook_xml_dtd_42
+, docbook_xml_dtd_43, docbook_xsl, gtk-doc, libtool, pkg-config
+, libxslt, xz, zstd, elf-header
+, withDevdoc ? stdenv.hostPlatform == stdenv.buildPlatform
+, withStatic ? stdenv.hostPlatform.isStatic
+, gitUpdater
+}:
+
+let
+  systems = [ "/run/booted-system/kernel-modules" "/run/current-system/kernel-modules" "" ];
+  modulesDirs = lib.concatMapStringsSep ":" (x: "${x}/lib/modules") systems;
+
+in stdenv.mkDerivation rec {
+  pname = "kmod";
+  version = "31";
+
+  # autogen.sh is missing from the release tarball,
+  # and we need to run it to regenerate gtk_doc.make,
+  # because the version in the release tarball is broken.
+  # Possibly this will be fixed in kmod 30?
+  # https://git.kernel.org/pub/scm/utils/kernel/kmod/kmod.git/commit/.gitignore?id=61a93a043aa52ad62a11ba940d4ba93cb3254e78
+  src = fetchzip {
+    url = "https://git.kernel.org/pub/scm/utils/kernel/kmod/kmod.git/snapshot/kmod-${version}.tar.gz";
+    hash = "sha256-FNR015/AoYBbi7Eb1M2TXH3yxUuddKICCu+ot10CdeQ=";
+  };
+
+  outputs = [ "out" "dev" "lib" ] ++ lib.optional withDevdoc "devdoc";
+
+  strictDeps = true;
+  nativeBuildInputs = [
+    autoconf automake docbook_xsl libtool libxslt pkg-config
+
+    docbook_xml_dtd_42 # for the man pages
+  ] ++ lib.optionals withDevdoc [ docbook_xml_dtd_43 gtk-doc ];
+  buildInputs = [ xz zstd ]
+    # gtk-doc is looked for with pkg-config
+    ++ lib.optionals withDevdoc [ gtk-doc ];
+
+  preConfigure = ''
+    ./autogen.sh
+  '';
+
+  configureFlags = [
+    "--sysconfdir=/etc"
+    "--with-xz"
+    "--with-zstd"
+    "--with-modulesdirs=${modulesDirs}"
+    (lib.enableFeature withDevdoc "gtk-doc")
+  ] ++ lib.optional withStatic "--enable-static";
+
+  patches = [ ./module-dir.patch ]
+    ++ lib.optional withStatic ./enable-static.patch;
+
+  postInstall = ''
+    for prog in rmmod insmod lsmod modinfo modprobe depmod; do
+      ln -sv $out/bin/kmod $out/bin/$prog
+    done
+
+    # Backwards compatibility
+    ln -s bin $out/sbin
+  '';
+
+  passthru.updateScript = gitUpdater {
+    # No nicer place to find latest release.
+    url = "https://git.kernel.org/pub/scm/utils/kernel/kmod/kmod.git";
+    rev-prefix = "v";
+  };
+
+  meta = with lib; {
+    description = "Tools for loading and managing Linux kernel modules";
+    longDescription = ''
+      kmod is a set of tools to handle common tasks with Linux kernel modules
+      like insert, remove, list, check properties, resolve dependencies and
+      aliases. These tools are designed on top of libkmod, a library that is
+      shipped with kmod.
+    '';
+    homepage = "https://git.kernel.org/pub/scm/utils/kernel/kmod/kmod.git/";
+    downloadPage = "https://www.kernel.org/pub/linux/utils/kernel/kmod/";
+    changelog = "https://git.kernel.org/pub/scm/utils/kernel/kmod/kmod.git/plain/NEWS?h=v${version}";
+    license = with licenses; [ lgpl21Plus gpl2Plus ]; # GPLv2+ for tools
+    platforms = platforms.linux;
+    maintainers = with maintainers; [ artturin ];
+  };
+}
diff --git a/nixpkgs/pkgs/os-specific/linux/kmod/enable-static.patch b/nixpkgs/pkgs/os-specific/linux/kmod/enable-static.patch
new file mode 100644
index 000000000000..8308c6557921
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/kmod/enable-static.patch
@@ -0,0 +1,12 @@
+diff --git a/configure.ac b/configure.ac
+index ee72283..b42c42a 100644
+--- a/configure.ac
++++ b/configure.ac
+@@ -19,7 +19,6 @@ AM_SILENT_RULES([yes])
+ LT_INIT([disable-static pic-only])
+ DOLT
+ 
+-AS_IF([test "x$enable_static" = "xyes"], [AC_MSG_ERROR([--enable-static is not supported by kmod])])
+ AS_IF([test "x$enable_largefile" = "xno"], [AC_MSG_ERROR([--disable-largefile is not supported by kmod])])
+ 
+ #####################################################################
diff --git a/nixpkgs/pkgs/os-specific/linux/kmod/module-dir.patch b/nixpkgs/pkgs/os-specific/linux/kmod/module-dir.patch
new file mode 100644
index 000000000000..f7432e3756e9
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/kmod/module-dir.patch
@@ -0,0 +1,157 @@
+diff --git a/Makefile.am b/Makefile.am
+index d4eeb7e..5c9f603 100644
+--- a/Makefile.am
++++ b/Makefile.am
+@@ -19,6 +19,7 @@ AM_CPPFLAGS = \
+ 	-include $(top_builddir)/config.h \
+ 	-I$(top_srcdir) \
+ 	-DSYSCONFDIR=\""$(sysconfdir)"\" \
++	-DMODULESDIRS=\""$(shell echo $(modulesdirs) | $(SED) 's|:|\\",\\"|g')"\" \
+ 	${zlib_CFLAGS}
+ 
+ AM_CFLAGS = $(OUR_CFLAGS)
+diff --git a/configure.ac b/configure.ac
+index 23510c8..66490cf 100644
+--- a/configure.ac
++++ b/configure.ac
+@@ -202,6 +202,12 @@ GTK_DOC_CHECK([1.14],[--flavour no-tmpl-flat])
+ ], [
+ AM_CONDITIONAL([ENABLE_GTK_DOC], false)])
+ 
++AC_ARG_WITH([modulesdirs],
++	AS_HELP_STRING([--with-modulesdirs=DIRS], [Kernel modules directories, separated by :]),
++	[],
++	[with_modulesdirs=/lib/modules])
++AC_SUBST([modulesdirs], [$with_modulesdirs])
++
+ 
+ #####################################################################
+ # Default CFLAGS and LDFLAGS
+diff --git a/libkmod/libkmod.c b/libkmod/libkmod.c
+index 69fe431..d37da32 100644
+--- a/libkmod/libkmod.c
++++ b/libkmod/libkmod.c
+@@ -206,12 +206,15 @@ static int log_priority(const char *priority)
+ 	return 0;
+ }
+ 
+-static const char *dirname_default_prefix = "/lib/modules";
++static const char *dirname_default_prefixes[] = {
++	MODULESDIRS,
++	NULL
++};
+ 
+ static char *get_kernel_release(const char *dirname)
+ {
+ 	struct utsname u;
+-	char *p;
++	char *p, *dirname_prefix;
+ 
+ 	if (dirname != NULL)
+ 		return path_make_absolute_cwd(dirname);
+@@ -219,8 +222,42 @@ static char *get_kernel_release(const char *dirname)
+ 	if (uname(&u) < 0)
+ 		return NULL;
+ 
+-	if (asprintf(&p, "%s/%s", dirname_default_prefix, u.release) < 0)
+-		return NULL;
++	if ((dirname_prefix = getenv("MODULE_DIR")) != NULL) {
++		if(asprintf(&p, "%s/%s", dirname_prefix, u.release) < 0)
++			return NULL;
++	} else {
++		size_t i;
++		char buf[PATH_MAX];
++
++		for (i = 0; dirname_default_prefixes[i] != NULL; i++) {
++			int plen;
++			struct stat dirstat;
++
++			plen = snprintf(buf, sizeof(buf), "%s/%s", dirname_default_prefixes[i], u.release);
++			if (plen < 0)
++				return NULL;
++			else if (plen >= PATH_MAX)
++				continue;
++
++			if (dirname_default_prefixes[i + 1] != NULL) {
++				if (stat(buf, &dirstat) < 0) {
++					if (errno == ENOENT)
++						continue;
++					else
++						return NULL;
++				}
++
++				if (!S_ISDIR(dirstat.st_mode))
++					continue;
++			}
++
++			p = malloc(plen + 1);
++			if (p == NULL)
++				return NULL;
++			memcpy(p, buf, plen + 1);
++			break;
++		}
++	}
+ 
+ 	return p;
+ }
+diff --git a/tools/static-nodes.c b/tools/static-nodes.c
+index 8d2356d..2ed306d 100644
+--- a/tools/static-nodes.c
++++ b/tools/static-nodes.c
+@@ -29,10 +29,11 @@
+ #include <unistd.h>
+ #include <sys/stat.h>
+ #include <sys/types.h>
+-#include <sys/utsname.h>
+ 
+ #include <shared/util.h>
+ 
++#include <libkmod/libkmod.h>
++
+ #include "kmod.h"
+ 
+ struct static_nodes_format {
+@@ -154,8 +155,8 @@ static void help(void)
+ 
+ static int do_static_nodes(int argc, char *argv[])
+ {
+-	struct utsname kernel;
+ 	char modules[PATH_MAX], buf[4096];
++	struct kmod_ctx *ctx;
+ 	const char *output = "/dev/stdout";
+ 	FILE *in = NULL, *out = NULL;
+ 	const struct static_nodes_format *format = &static_nodes_format_human;
+@@ -206,22 +207,25 @@ static int do_static_nodes(int argc, char *argv[])
+ 		}
+ 	}
+ 
+-	if (uname(&kernel) < 0) {
+-		fputs("Error: uname failed!\n", stderr);
++	ctx = kmod_new(NULL, NULL);
++	if (ctx == NULL) {
++		fprintf(stderr, "Error: failed to create kmod context\n");
+ 		ret = EXIT_FAILURE;
+ 		goto finish;
+ 	}
+-
+-	snprintf(modules, sizeof(modules), "/lib/modules/%s/modules.devname", kernel.release);
++	if (snprintf(modules, sizeof(modules), "%s/modules.devname", kmod_get_dirname(ctx)) < 0) {
++		fprintf(stderr, "Error: path to modules.devname is too long\n");
++		ret = EXIT_FAILURE;
++		goto finish;
++	}
++	kmod_unref(ctx);
+ 	in = fopen(modules, "re");
+ 	if (in == NULL) {
+ 		if (errno == ENOENT) {
+-			fprintf(stderr, "Warning: /lib/modules/%s/modules.devname not found - ignoring\n",
+-				kernel.release);
++			fprintf(stderr, "Warning: %s not found - ignoring\n", modules);
+ 			ret = EXIT_SUCCESS;
+ 		} else {
+-			fprintf(stderr, "Error: could not open /lib/modules/%s/modules.devname - %m\n",
+-				kernel.release);
++			fprintf(stderr, "Error: could not open %s - %m\n", modules);
+ 			ret = EXIT_FAILURE;
+ 		}
+ 		goto finish;
diff --git a/nixpkgs/pkgs/os-specific/linux/kmscon/default.nix b/nixpkgs/pkgs/os-specific/linux/kmscon/default.nix
new file mode 100644
index 000000000000..4762b63eda9b
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/kmscon/default.nix
@@ -0,0 +1,80 @@
+{ lib
+, stdenv
+, fetchFromGitHub
+, fetchpatch
+, meson
+, libtsm
+, systemd
+, libxkbcommon
+, libdrm
+, libGLU
+, libGL
+, pango
+, pixman
+, pkg-config
+, docbook_xsl
+, libxslt
+, mesa
+, ninja
+}:
+
+stdenv.mkDerivation rec {
+  pname = "kmscon";
+  version = "9.0.0";
+
+  src = fetchFromGitHub {
+    owner = "Aetf";
+    repo = "kmscon";
+    rev = "v${version}";
+    sha256 = "sha256-8owyyzCrZVbWXcCR+RA+m0MOrdzW+efI+rIMWEVEZ1o=";
+  };
+
+  buildInputs = [
+    libGLU
+    libGL
+    libdrm
+    libtsm
+    libxkbcommon
+    libxslt
+    pango
+    pixman
+    systemd
+    mesa
+  ];
+
+  nativeBuildInputs = [
+    meson
+    ninja
+    docbook_xsl
+    pkg-config
+  ];
+
+  patches = [
+    (fetchpatch {
+      name = "0001-tests-fix-warnings.patch";
+      url = "https://github.com/Aetf/kmscon/commit/b65f4269b03de580923ab390bde795e7956b633f.patch";
+      sha256 = "sha256-ngflPwmNMM/2JzhV+hHiH3efQyoSULfqEywzWox9iAQ=";
+    })
+  ];
+
+  # _FORTIFY_SOURCE requires compiling with optimization (-O)
+  env.NIX_CFLAGS_COMPILE = lib.optionalString stdenv.cc.isGNU "-O"
+    + " -Wno-error=maybe-uninitialized"; # https://github.com/Aetf/kmscon/issues/49
+
+  configureFlags = [
+    "--enable-multi-seat"
+    "--disable-debug"
+    "--enable-optimizations"
+    "--with-renderers=bbulk,gltex,pixman"
+  ];
+
+  enableParallelBuilding = true;
+
+  meta = with lib; {
+    description = "KMS/DRM based System Console";
+    homepage = "https://www.freedesktop.org/wiki/Software/kmscon/";
+    license = licenses.mit;
+    maintainers = with maintainers; [ omasanori ];
+    platforms = platforms.linux;
+  };
+}
diff --git a/nixpkgs/pkgs/os-specific/linux/kmscube/default.nix b/nixpkgs/pkgs/os-specific/linux/kmscube/default.nix
new file mode 100644
index 000000000000..b9da37901700
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/kmscube/default.nix
@@ -0,0 +1,32 @@
+{ lib, stdenv, fetchgit, fetchpatch, autoreconfHook, libdrm, libX11, libGL, mesa, pkg-config }:
+
+stdenv.mkDerivation {
+  pname = "kmscube";
+  version = "unstable-2018-06-17";
+
+  src = fetchgit {
+    url = "git://anongit.freedesktop.org/mesa/kmscube";
+    rev = "9dcce71e603616ee7a54707e932f962cdf8fb20a";
+    sha256 = "1q5b5yvyfj3127385mp1bfmcbnpnbdswdk8gspp7g4541xk4k933";
+  };
+
+  patches = [
+    # Pull upstream patch for -fno-common toolchains.
+    (fetchpatch {
+      name = "fno-common.patch";
+      url = "https://gitlab.freedesktop.org/mesa/kmscube/-/commit/908ef39864442c0807954af5d3f88a3da1a6f8a5.patch";
+      sha256 = "1gxn3b50mvjlc25234839v5z29r8fd9di4176a3yx4gbsz8cc5vi";
+    })
+  ];
+
+  nativeBuildInputs = [ autoreconfHook pkg-config ];
+  buildInputs = [ libdrm libX11 libGL mesa ];
+
+  meta = with lib; {
+    description = "Example OpenGL app using KMS/GBM";
+    homepage = "https://gitlab.freedesktop.org/mesa/kmscube";
+    license = licenses.mit;
+    maintainers = with maintainers; [ dezgeg ];
+    platforms = platforms.linux;
+  };
+}
diff --git a/nixpkgs/pkgs/os-specific/linux/ksmbd-tools/0001-skip-installing-example-configuration.patch b/nixpkgs/pkgs/os-specific/linux/ksmbd-tools/0001-skip-installing-example-configuration.patch
new file mode 100644
index 000000000000..2b4b35774d19
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/ksmbd-tools/0001-skip-installing-example-configuration.patch
@@ -0,0 +1,38 @@
+From 592de67191a3969fcccef6293740c7142793d461 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?J=C3=B6rg=20Thalheim?= <joerg@thalheim.io>
+Date: Wed, 1 Nov 2023 21:54:05 +0100
+Subject: [PATCH] skip installing example configuration
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+This requires root if prefix dir is pointed to /etc,
+which we cannot do in nix builds.
+
+Signed-off-by: Jörg Thalheim <joerg@thalheim.io>
+---
+ meson.build | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/meson.build b/meson.build
+index 5f5935f..8373013 100644
+--- a/meson.build
++++ b/meson.build
+@@ -114,10 +114,10 @@ else
+   runstatedir = rundir
+ endif
+ 
+-install_data(
+-  sources: 'ksmbd.conf.example',
+-  install_dir: get_option('sysconfdir') / 'ksmbd',
+-)
++#install_data(
++#  sources: 'ksmbd.conf.example',
++#  install_dir: get_option('sysconfdir') / 'ksmbd',
++#)
+ 
+ systemdsystemunitdir = get_option('systemdsystemunitdir')
+ if systemdsystemunitdir == ''
+-- 
+2.42.0
+
diff --git a/nixpkgs/pkgs/os-specific/linux/ksmbd-tools/default.nix b/nixpkgs/pkgs/os-specific/linux/ksmbd-tools/default.nix
new file mode 100644
index 000000000000..4098f6c22258
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/ksmbd-tools/default.nix
@@ -0,0 +1,41 @@
+{ lib
+, stdenv
+, fetchFromGitHub
+, meson
+, ninja
+, glib
+, libkrb5
+, libnl
+, libtool
+, pkg-config
+, withKerberos ? false
+}:
+
+stdenv.mkDerivation rec {
+  pname = "ksmbd-tools";
+  version = "3.5.0";
+
+  src = fetchFromGitHub {
+    owner = "cifsd-team";
+    repo = pname;
+    rev = version;
+    sha256 = "sha256-8mjfKCazigHnuN7Egf11ZuD+nQx7ZTesn0a4LsVvV/M=";
+  };
+
+  buildInputs = [ glib libnl ] ++ lib.optional withKerberos libkrb5;
+
+  nativeBuildInputs = [ meson ninja libtool pkg-config ];
+  patches = [ ./0001-skip-installing-example-configuration.patch ];
+  mesonFlags = [
+    "-Drundir=/run"
+    "--sysconfdir /etc"
+  ];
+
+  meta = with lib; {
+    description = "Userspace utilities for the ksmbd kernel SMB server";
+    homepage = "https://www.kernel.org/doc/html/latest/filesystems/cifs/ksmbd.html";
+    license = licenses.gpl2;
+    platforms = platforms.linux;
+    maintainers = with maintainers; [ elohmeier ];
+  };
+}
diff --git a/nixpkgs/pkgs/os-specific/linux/kvdo/default.nix b/nixpkgs/pkgs/os-specific/linux/kvdo/default.nix
new file mode 100644
index 000000000000..e2390b68a5ca
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/kvdo/default.nix
@@ -0,0 +1,35 @@
+{ stdenv, lib, fetchFromGitHub, vdo, kernel }:
+
+stdenv.mkDerivation rec {
+  inherit (vdo);
+  pname = "kvdo";
+  version = "8.2.1.6"; # bump this version with vdo
+
+  src = fetchFromGitHub {
+    owner = "dm-vdo";
+    repo = "kvdo";
+    rev = version;
+    hash = "sha256-S5r2Rgx5pWk4IsdIwmfZkuGL/oEQ3prquyVqxjR3cO0=";
+  };
+
+  nativeBuildInputs = kernel.moduleBuildDependencies;
+
+  dontConfigure = true;
+  enableParallelBuilding = true;
+
+  KSRC = "${kernel.dev}/lib/modules/${kernel.modDirVersion}/build";
+  INSTALL_MOD_PATH = placeholder "out";
+
+  preBuild = ''
+    makeFlags="$makeFlags -C ${KSRC} M=$(pwd)"
+  '';
+  installTargets = [ "modules_install" ];
+
+  meta = with lib; {
+    inherit (vdo.meta) license maintainers;
+    homepage = "https://github.com/dm-vdo/kvdo";
+    description = "A pair of kernel modules which provide pools of deduplicated and/or compressed block storage";
+    platforms = platforms.linux;
+    broken = kernel.kernelOlder "5.15";
+  };
+}
diff --git a/nixpkgs/pkgs/os-specific/linux/kvmfr/default.nix b/nixpkgs/pkgs/os-specific/linux/kvmfr/default.nix
new file mode 100644
index 000000000000..a77d1290ca80
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/kvmfr/default.nix
@@ -0,0 +1,36 @@
+{ lib, stdenv, kernel, looking-glass-client }:
+
+stdenv.mkDerivation {
+  pname = "kvmfr";
+  version = looking-glass-client.version;
+
+  src = looking-glass-client.src;
+  sourceRoot = "${looking-glass-client.src.name}/module";
+  patches = lib.optional (kernel.kernelAtLeast "6.4") [
+    ./linux-6-4-compat.patch
+  ];
+  hardeningDisable = [ "pic" "format" ];
+  nativeBuildInputs = kernel.moduleBuildDependencies;
+
+  makeFlags = [
+    "KVER=${kernel.modDirVersion}"
+    "KDIR=${kernel.dev}/lib/modules/${kernel.modDirVersion}/build"
+  ];
+
+  installPhase = ''
+    install -D kvmfr.ko -t "$out/lib/modules/${kernel.modDirVersion}/kernel/drivers/misc/"
+  '';
+
+  meta = with lib; {
+    description = "Optional kernel module for LookingGlass";
+    longDescription = ''
+      This kernel module implements a basic interface to the IVSHMEM device for LookingGlass when using LookingGlass in VM->VM mode
+      Additionally, in VM->host mode, it can be used to generate a shared memory device on the host machine that supports dmabuf
+    '';
+    homepage = "https://github.com/gnif/LookingGlass";
+    license = licenses.gpl2Plus;
+    maintainers = with maintainers; [ j-brn ];
+    platforms = [ "x86_64-linux" ];
+    broken = kernel.kernelOlder "5.3";
+  };
+}
diff --git a/nixpkgs/pkgs/os-specific/linux/kvmfr/linux-6-4-compat.patch b/nixpkgs/pkgs/os-specific/linux/kvmfr/linux-6-4-compat.patch
new file mode 100644
index 000000000000..e57d1d27c36c
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/kvmfr/linux-6-4-compat.patch
@@ -0,0 +1,16 @@
+diff --git a/kvmfr.c b/kvmfr.c
+index 121aae5b..2f4c9e1a 100644
+--- a/kvmfr.c
++++ b/kvmfr.c
+@@ -539,7 +539,11 @@ static int __init kvmfr_module_init(void)
+   if (kvmfr->major < 0)
+     goto out_free;
+ 
++#if LINUX_VERSION_CODE < KERNEL_VERSION(6, 4, 0)
+   kvmfr->pClass = class_create(THIS_MODULE, KVMFR_DEV_NAME);
++#else
++  kvmfr->pClass = class_create(KVMFR_DEV_NAME);
++#endif
+   if (IS_ERR(kvmfr->pClass))
+     goto out_unreg;
+ 
diff --git a/nixpkgs/pkgs/os-specific/linux/latencytop/default.nix b/nixpkgs/pkgs/os-specific/linux/latencytop/default.nix
new file mode 100644
index 000000000000..a48abf85831f
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/latencytop/default.nix
@@ -0,0 +1,32 @@
+{ lib, stdenv, fetchurl, ncurses, glib, pkg-config, gtk2, util-linux }:
+
+stdenv.mkDerivation rec {
+  pname = "latencytop";
+  version = "0.5";
+
+  postPatch = ''
+    sed -i s,/usr,$out, Makefile
+
+    # Fix #171609
+    substituteInPlace fsync.c --replace /bin/mount ${util-linux}/bin/mount
+  '';
+
+  preInstall = "mkdir -p $out/sbin";
+
+  src = fetchurl {
+    urls = [ "http://latencytop.org/download/latencytop-${version}.tar.gz"
+     "http://dbg.download.sourcemage.org/mirror/latencytop-0.5.tar.gz" ];
+    sha256 = "1vq3j9zdab6njly2wp900b3d5244mnxfm88j2bkiinbvxbxp4zwy";
+  };
+
+  nativeBuildInputs = [ pkg-config ];
+  buildInputs = [ ncurses glib gtk2 ];
+
+  meta = {
+    homepage = "http://latencytop.org";
+    description = "Tool to show kernel reports on latencies (LATENCYTOP option)";
+    license = lib.licenses.gpl2;
+    maintainers = [ lib.maintainers.viric ];
+    platforms = lib.platforms.linux;
+  };
+}
diff --git a/nixpkgs/pkgs/os-specific/linux/ldm/default.nix b/nixpkgs/pkgs/os-specific/linux/ldm/default.nix
new file mode 100644
index 000000000000..f8a519de847e
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/ldm/default.nix
@@ -0,0 +1,40 @@
+{ lib, stdenv, fetchgit, udev, util-linux, mountPath ? "/media/" }:
+
+assert mountPath != "";
+
+let
+  version = "0.5";
+in
+stdenv.mkDerivation rec {
+  pname = "ldm";
+  inherit version;
+
+  # There is a stable release, but we'll use the lvm branch, which
+  # contains important fixes for LVM setups.
+  src = fetchgit {
+    url = "https://github.com/LemonBoy/ldm";
+    rev = "refs/tags/v${version}";
+    sha256 = "0lxfypnbamfx6p9ar5k9wra20gvwn665l4pp2j4vsx4yi5q7rw2n";
+  };
+
+  buildInputs = [ udev util-linux ];
+
+  postPatch = ''
+    substituteInPlace ldm.c \
+      --replace "/mnt/" "${mountPath}"
+    sed '16i#include <sys/stat.h>' -i ldm.c
+  '';
+
+  buildFlags = [ "ldm" ];
+
+  installPhase = ''
+    mkdir -p $out/bin
+    cp -v ldm $out/bin
+  '';
+
+  meta = {
+    description = "A lightweight device mounter, with libudev as only dependency";
+    license = lib.licenses.mit;
+    platforms = lib.platforms.linux;
+  };
+}
diff --git a/nixpkgs/pkgs/os-specific/linux/ledger-udev-rules/default.nix b/nixpkgs/pkgs/os-specific/linux/ledger-udev-rules/default.nix
new file mode 100644
index 000000000000..3a6bf9e5d51c
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/ledger-udev-rules/default.nix
@@ -0,0 +1,29 @@
+{ lib, stdenv, fetchFromGitHub }:
+
+stdenv.mkDerivation {
+  pname = "ledger-udev-rules";
+  version = "unstable-2021-09-10";
+
+  src = fetchFromGitHub {
+    owner = "LedgerHQ";
+    repo = "udev-rules";
+    rev = "2776324af6df36c2af4d2e8e92a1c98c281117c9";
+    sha256 = "sha256-yTYI81PXMc32lMfI5uhD14nP20zAI7ZF33V1LRDWg2Y=";
+  };
+
+  dontBuild = true;
+  dontConfigure = true;
+
+  installPhase = ''
+    mkdir -p $out/lib/udev/rules.d
+    cp 20-hw1.rules $out/lib/udev/rules.d/20-ledger.rules
+  '';
+
+  meta = with lib; {
+    description = "udev rules for Ledger devices";
+    license = licenses.asl20;
+    maintainers = with maintainers; [ asymmetric ];
+    platforms = platforms.linux;
+    homepage = "https://github.com/LedgerHQ/udev-rules";
+  };
+}
diff --git a/nixpkgs/pkgs/os-specific/linux/lenovo-legion/app.nix b/nixpkgs/pkgs/os-specific/linux/lenovo-legion/app.nix
new file mode 100644
index 000000000000..a409ad2fbf4d
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/lenovo-legion/app.nix
@@ -0,0 +1,55 @@
+{ lib, fetchFromGitHub, xorg, libsForQt5, wrapQtAppsHook, python3 }:
+
+python3.pkgs.buildPythonApplication rec {
+  pname = "lenovo-legion-app";
+  version = "0.0.9";
+
+  src = fetchFromGitHub {
+    owner = "johnfanv2";
+    repo = "LenovoLegionLinux";
+    rev = "v${version}-prerelese";
+    hash = "sha256-P4vqzNX2nF4LnoQDOV8WEiXAICQCyjj9xPpFNvMu93k=";
+  };
+
+  sourceRoot = "${src.name}/python/legion_linux";
+
+  nativeBuildInputs = [ wrapQtAppsHook ];
+
+  propagatedBuildInputs = with python3.pkgs; [
+    pyqt5
+    argcomplete
+    pyyaml
+    darkdetect
+    xorg.libxcb
+    libsForQt5.qtbase
+  ];
+
+  postPatch = ''
+    substituteInPlace ./setup.cfg \
+      --replace "_VERSION" "${version}"
+    substituteInPlace ../../extra/service/fancurve-set \
+      --replace "FOLDER=/etc/legion_linux/" "FOLDER=$out/share/legion_linux"
+    substituteInPlace ./legion_linux/legion.py \
+      --replace "/etc/legion_linux" "$out/share/legion_linux"
+  '';
+
+  postInstall = ''
+    cp ./legion_linux/legion_logo.png $out/${python3.sitePackages}/legion_logo.png
+  '';
+
+  dontWrapQtApps = true;
+
+  preFixup = ''
+    makeWrapperArgs+=("''${qtWrapperArgs[@]}")
+  '';
+
+  meta = {
+    description = "An utility to control Lenovo Legion laptop";
+    homepage = "https://github.com/johnfanv2/LenovoLegionLinux";
+    license = lib.licenses.gpl2Only;
+    platforms = lib.platforms.linux;
+    maintainers = [ lib.maintainers.ulrikstrid ];
+    mainProgram = "legion_gui";
+  };
+}
+
diff --git a/nixpkgs/pkgs/os-specific/linux/lenovo-legion/default.nix b/nixpkgs/pkgs/os-specific/linux/lenovo-legion/default.nix
new file mode 100644
index 000000000000..527f1852f1e0
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/lenovo-legion/default.nix
@@ -0,0 +1,34 @@
+{ lib, fetchurl, stdenv, kernel, bash, lenovo-legion }:
+
+stdenv.mkDerivation {
+  pname = "lenovo-legion-module";
+  inherit (lenovo-legion) version src;
+
+  sourceRoot = "${lenovo-legion.src.name}/kernel_module";
+
+  hardeningDisable = [ "pic" ];
+
+  preConfigure = ''
+    sed -i -e '/depmod/d' ./Makefile
+  '';
+
+  makeFlags = kernel.makeFlags ++ [
+    "SHELL=bash"
+    "KERNELVERSION=${kernel.modDirVersion}"
+    "KSRC=${kernel.dev}/lib/modules/${kernel.modDirVersion}/build"
+    "INSTALLDIR=${placeholder "out"}/lib/modules/${kernel.modDirVersion}/kernel/drivers/platform/x86"
+    "MODDESTDIR=${placeholder "out"}/lib/modules/${kernel.modDirVersion}/kernel/drivers/platform/x86"
+    "DKMSDIR=${placeholder "out"}/lib/modules/${kernel.modDirVersion}/misc"
+  ];
+
+  nativeBuildInputs = kernel.moduleBuildDependencies;
+
+  meta = {
+    description = "Linux kernel module for controlling fan and power in Lenovo Legion laptops";
+    homepage = "https://github.com/johnfanv2/LenovoLegionLinux";
+    license = lib.licenses.gpl2Only;
+    platforms = lib.platforms.linux;
+    maintainers = [ lib.maintainers.ulrikstrid ];
+    broken = kernel.kernelOlder "5.15";
+  };
+}
diff --git a/nixpkgs/pkgs/os-specific/linux/libaio/default.nix b/nixpkgs/pkgs/os-specific/linux/libaio/default.nix
new file mode 100644
index 000000000000..324e2695dd53
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/libaio/default.nix
@@ -0,0 +1,35 @@
+{ lib, stdenv, fetchurl, fetchpatch }:
+
+stdenv.mkDerivation rec {
+  version = "0.3.113";
+  pname = "libaio";
+
+  src = fetchurl {
+    url = "https://pagure.io/libaio/archive/${pname}-${version}/${pname}-${pname}-${version}.tar.gz";
+    sha256 = "sha256-cWxwWXAyRzROsGa1TsvDyiE08BAzBxkubCt9q1+VKKs=";
+  };
+
+  postPatch = ''
+    patchShebangs harness
+
+    # Makefile is too optimistic, gcc is too smart
+    substituteInPlace harness/Makefile \
+      --replace "-Werror" ""
+  '';
+
+  makeFlags = [
+    "prefix=${placeholder "out"}"
+  ] ++ lib.optional stdenv.hostPlatform.isStatic "ENABLE_SHARED=0";
+
+  hardeningDisable = lib.optional (stdenv.isi686) "stackprotector";
+
+  checkTarget = "partcheck"; # "check" needs root
+
+  meta = {
+    description = "Library for asynchronous I/O in Linux";
+    homepage = "https://lse.sourceforge.net/io/aio.html";
+    platforms = lib.platforms.linux;
+    license = lib.licenses.lgpl21;
+    maintainers = with lib.maintainers; [ ];
+  };
+}
diff --git a/nixpkgs/pkgs/os-specific/linux/libatasmart/default.nix b/nixpkgs/pkgs/os-specific/linux/libatasmart/default.nix
new file mode 100644
index 000000000000..d5be78e913b7
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/libatasmart/default.nix
@@ -0,0 +1,22 @@
+{ lib, stdenv, fetchurl, pkg-config, udev, buildPackages }:
+
+stdenv.mkDerivation rec {
+  pname = "libatasmart";
+  version = "0.19";
+
+  src = fetchurl {
+    url = "http://0pointer.de/public/libatasmart-${version}.tar.xz";
+    sha256 = "138gvgdwk6h4ljrjsr09pxk1nrki4b155hqdzyr8mlk3bwsfmw31";
+  };
+
+  depsBuildBuild = [ buildPackages.stdenv.cc ];
+  nativeBuildInputs = [ pkg-config ];
+  buildInputs = [ udev ];
+
+  meta = with lib; {
+    homepage = "http://0pointer.de/blog/projects/being-smart.html";
+    description = "Library for querying ATA SMART status";
+    license = licenses.lgpl21;
+    platforms = platforms.linux;
+  };
+}
diff --git a/nixpkgs/pkgs/os-specific/linux/libbpf/0.x.nix b/nixpkgs/pkgs/os-specific/linux/libbpf/0.x.nix
new file mode 100644
index 000000000000..480e78d0803a
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/libbpf/0.x.nix
@@ -0,0 +1,54 @@
+{ fetchFromGitHub
+, elfutils
+, pkg-config
+, stdenv
+, zlib
+, lib
+, nixosTests
+}:
+
+# update bot does not seem to limit updates here to 0.8.x despite
+# the all-packages derivation being libbpf_0 as the libbpf base alias
+# is still present: just disable it for 0.x:
+# nixpkgs-update: no auto update
+
+stdenv.mkDerivation rec {
+  pname = "libbpf";
+  version = "0.8.1";
+
+  src = fetchFromGitHub {
+    owner = "libbpf";
+    repo = "libbpf";
+    rev = "v${version}";
+    sha256 = "sha256-daVS+TErmDU8ksThOvcepg1A61iD8N8GIkC40cmc9/8=";
+  };
+
+  nativeBuildInputs = [ pkg-config ];
+  buildInputs = [ elfutils zlib ];
+
+  enableParallelBuilding = true;
+  makeFlags = [ "PREFIX=$(out)" "-C src" ];
+
+  passthru.tests = {
+    bpf = nixosTests.bpf;
+  };
+
+  postInstall = ''
+    # install linux's libbpf-compatible linux/btf.h
+    install -Dm444 include/uapi/linux/*.h -t $out/include/linux
+  '';
+
+  # FIXME: Multi-output requires some fixes to the way the pkg-config file is
+  # constructed (it gets put in $out instead of $dev for some reason, with
+  # improper paths embedded). Don't enable it for now.
+
+  # outputs = [ "out" "dev" ];
+
+  meta = with lib; {
+    description = "Upstream mirror of libbpf";
+    homepage = "https://github.com/libbpf/libbpf";
+    license = with licenses; [ lgpl21 /* or */ bsd2 ];
+    maintainers = with maintainers; [ thoughtpolice vcunat saschagrunert martinetd ];
+    platforms = platforms.linux;
+  };
+}
diff --git a/nixpkgs/pkgs/os-specific/linux/libbpf/default.nix b/nixpkgs/pkgs/os-specific/linux/libbpf/default.nix
new file mode 100644
index 000000000000..51f6ea471a6a
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/libbpf/default.nix
@@ -0,0 +1,49 @@
+{ fetchFromGitHub
+, elfutils
+, pkg-config
+, stdenv
+, zlib
+, lib
+, nixosTests
+}:
+
+stdenv.mkDerivation rec {
+  pname = "libbpf";
+  version = "1.2.2";
+
+  src = fetchFromGitHub {
+    owner = "libbpf";
+    repo = "libbpf";
+    rev = "v${version}";
+    sha256 = "sha256-SDDdz2HKEfzHloLkb0sv5ldTo+1yJDVc9O7nj4Cjznk=";
+  };
+
+  nativeBuildInputs = [ pkg-config ];
+  buildInputs = [ elfutils zlib ];
+
+  enableParallelBuilding = true;
+  makeFlags = [ "PREFIX=$(out)" "-C src" ];
+
+  passthru.tests = {
+    bpf = nixosTests.bpf;
+  };
+
+  postInstall = ''
+    # install linux's libbpf-compatible linux/btf.h
+    install -Dm444 include/uapi/linux/*.h -t $out/include/linux
+  '';
+
+  # FIXME: Multi-output requires some fixes to the way the pkg-config file is
+  # constructed (it gets put in $out instead of $dev for some reason, with
+  # improper paths embedded). Don't enable it for now.
+
+  # outputs = [ "out" "dev" ];
+
+  meta = with lib; {
+    description = "Upstream mirror of libbpf";
+    homepage = "https://github.com/libbpf/libbpf";
+    license = with licenses; [ lgpl21 /* or */ bsd2 ];
+    maintainers = with maintainers; [ thoughtpolice vcunat saschagrunert martinetd ];
+    platforms = platforms.linux;
+  };
+}
diff --git a/nixpkgs/pkgs/os-specific/linux/libcap-ng/default.nix b/nixpkgs/pkgs/os-specific/linux/libcap-ng/default.nix
new file mode 100644
index 000000000000..0f60a8655ced
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/libcap-ng/default.nix
@@ -0,0 +1,24 @@
+{ lib, stdenv, fetchurl }:
+
+stdenv.mkDerivation rec {
+  pname = "libcap-ng";
+  version = "0.8.3";
+
+  src = fetchurl {
+    url = "https://people.redhat.com/sgrubb/libcap-ng/libcap-ng-${version}.tar.gz";
+    sha256 = "sha256-vtb2hI4iuy+Dtfdksq7w7TkwVOgDqOOocRyyo55rSS0=";
+  };
+
+  outputs = [ "out" "dev" "man" ];
+
+  configureFlags = [
+    "--without-python"
+  ];
+
+  meta = with lib; {
+    description = "Library for working with POSIX capabilities";
+    homepage = "https://people.redhat.com/sgrubb/libcap-ng/";
+    platforms = platforms.linux;
+    license = licenses.lgpl21;
+  };
+}
diff --git a/nixpkgs/pkgs/os-specific/linux/libcap/default.nix b/nixpkgs/pkgs/os-specific/linux/libcap/default.nix
new file mode 100644
index 000000000000..9b23625102ae
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/libcap/default.nix
@@ -0,0 +1,92 @@
+{ stdenv, lib, buildPackages, fetchurl, attr, runtimeShell
+, usePam ? !isStatic, pam ? null
+, isStatic ? stdenv.hostPlatform.isStatic
+
+# passthru.tests
+, bind
+, chrony
+, htop
+, libgcrypt
+, libvirt
+, ntp
+, qemu
+, squid
+, tor
+, uwsgi
+}:
+
+assert usePam -> pam != null;
+
+stdenv.mkDerivation rec {
+  pname = "libcap";
+  version = "2.69";
+
+  src = fetchurl {
+    url = "mirror://kernel/linux/libs/security/linux-privs/libcap2/${pname}-${version}.tar.xz";
+    sha256 = "sha256-8xH489rYRpnQVm0db37JQ6kpiyj3FMrjyTHf1XSS1+s=";
+  };
+
+  outputs = [ "out" "dev" "lib" "man" "doc" ]
+    ++ lib.optional usePam "pam";
+
+  depsBuildBuild = [ buildPackages.stdenv.cc ];
+
+  buildInputs = lib.optional usePam pam;
+
+  propagatedBuildInputs = [ attr ];
+
+  makeFlags = [
+    "lib=lib"
+    "PAM_CAP=${if usePam then "yes" else "no"}"
+    "BUILD_CC=$(CC_FOR_BUILD)"
+    "CC:=$(CC)"
+    "CROSS_COMPILE=${stdenv.cc.targetPrefix}"
+  ] ++ lib.optional isStatic "SHARED=no";
+
+  postPatch = ''
+    patchShebangs ./progs/mkcapshdoc.sh
+
+    # use full path to bash
+    substituteInPlace progs/capsh.c --replace "/bin/bash" "${runtimeShell}"
+
+    # set prefixes
+    substituteInPlace Make.Rules \
+      --replace 'prefix=/usr' "prefix=$lib" \
+      --replace 'exec_prefix=' "exec_prefix=$out" \
+      --replace 'lib_prefix=$(exec_prefix)' "lib_prefix=$lib" \
+      --replace 'inc_prefix=$(prefix)' "inc_prefix=$dev" \
+      --replace 'man_prefix=$(prefix)' "man_prefix=$doc"
+  '';
+
+  installFlags = [ "RAISE_SETFCAP=no" ];
+
+  postInstall = ''
+    ${lib.optionalString (!isStatic) ''rm "$lib"/lib/*.a''}
+    mkdir -p "$doc/share/doc/${pname}-${version}"
+    cp License "$doc/share/doc/${pname}-${version}/"
+  '' + lib.optionalString usePam ''
+    mkdir -p "$pam/lib/security"
+    mv "$lib"/lib/security "$pam/lib"
+  '';
+
+  passthru.tests = {
+    inherit
+      bind
+      chrony
+      htop
+      libgcrypt
+      libvirt
+      ntp
+      qemu
+      squid
+      tor
+      uwsgi;
+  };
+
+  meta = {
+    description = "Library for working with POSIX capabilities";
+    homepage = "https://sites.google.com/site/fullycapable";
+    platforms = lib.platforms.linux;
+    license = lib.licenses.bsd3;
+  };
+}
diff --git a/nixpkgs/pkgs/os-specific/linux/libcgroup/default.nix b/nixpkgs/pkgs/os-specific/linux/libcgroup/default.nix
new file mode 100644
index 000000000000..8f24362b94b2
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/libcgroup/default.nix
@@ -0,0 +1,30 @@
+{ lib, stdenv, fetchFromGitHub, pam, bison, flex, autoreconfHook }:
+
+stdenv.mkDerivation rec {
+  pname = "libcgroup";
+  version = "3.0";
+
+  src = fetchFromGitHub {
+    owner = pname;
+    repo = pname;
+    rev = "v${version}";
+    fetchSubmodules = true;
+    hash = "sha256-x2yBqpr3LedtWmpZ4K1ipZxIualNJuDtC4FVGzzcQn8=";
+  };
+
+  nativeBuildInputs = [ autoreconfHook bison flex ];
+  buildInputs = [ pam ];
+
+  postPatch = ''
+    substituteInPlace src/tools/Makefile.am \
+      --replace 'chmod u+s' 'chmod +x'
+  '';
+
+  meta = {
+    description = "Library and tools to manage Linux cgroups";
+    homepage    = "https://github.com/libcgroup/libcgroup";
+    license     = lib.licenses.lgpl2;
+    platforms   = lib.platforms.linux;
+    maintainers = [ lib.maintainers.thoughtpolice ];
+  };
+}
diff --git a/nixpkgs/pkgs/os-specific/linux/libevdevc/default.nix b/nixpkgs/pkgs/os-specific/linux/libevdevc/default.nix
new file mode 100644
index 000000000000..5e6b7cd47815
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/libevdevc/default.nix
@@ -0,0 +1,32 @@
+{ lib, stdenv, fetchFromGitHub, coreutils, pkg-config, glib, jsoncpp }:
+
+stdenv.mkDerivation rec {
+  pname = "libevdevc";
+  version = "2.0.1";
+  src = fetchFromGitHub {
+    owner = "hugegreenbug";
+    repo = "libevdevc";
+    rev = "v${version}";
+    sha256 = "0ry30krfizh87yckmmv8n082ad91mqhhbbynx1lfidqzb6gdy2dd";
+  };
+
+  postPatch = ''
+    substituteInPlace common.mk \
+      --replace /bin/echo ${coreutils}/bin/echo
+    substituteInPlace include/module.mk \
+      --replace /usr/include /include
+  '';
+
+  makeFlags = [ "DESTDIR=$(out)" "LIBDIR=/lib" ];
+
+  # causes redefinition of _FORTIFY_SOURCE
+  hardeningDisable = [ "fortify3" ];
+
+  meta = with lib; {
+    description = "ChromiumOS libevdev. Renamed to avoid conflicts with the standard libevdev found in Linux distros";
+    license = licenses.bsd3;
+    platforms = platforms.linux;
+    homepage = "https://chromium.googlesource.com/chromiumos/platform/libevdev/";
+    maintainers = with maintainers; [ kcalvinalvin ];
+  };
+}
diff --git a/nixpkgs/pkgs/os-specific/linux/libgestures/default.nix b/nixpkgs/pkgs/os-specific/linux/libgestures/default.nix
new file mode 100644
index 000000000000..1454c0c78a50
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/libgestures/default.nix
@@ -0,0 +1,33 @@
+{ lib, stdenv, fetchFromGitHub, pkg-config, glib, jsoncpp }:
+
+stdenv.mkDerivation rec {
+  pname = "libgestures";
+  version = "2.0.1";
+  src = fetchFromGitHub {
+    owner = "hugegreenbug";
+    repo = "libgestures";
+    rev = "v${version}";
+    sha256 = "0dfvads2adzx4k8cqc1rbwrk1jm2wn9wl2jk51m26xxpmh1g0zab";
+  };
+  patches = [ ./include-fix.patch ];
+
+  postPatch = ''
+    substituteInPlace Makefile \
+      --replace -Werror -Wno-error \
+      --replace '$(DESTDIR)/usr/include' '$(DESTDIR)/include'
+  '';
+
+  nativeBuildInputs = [ pkg-config ];
+  buildInputs = [ glib jsoncpp ];
+
+
+  makeFlags = [ "DESTDIR=$(out)" "LIBDIR=/lib" ];
+
+  meta = with lib; {
+    description = "ChromiumOS libgestures modified to compile for Linux";
+    license = licenses.bsd3;
+    platforms = platforms.linux;
+    homepage = "https://chromium.googlesource.com/chromiumos/platform/gestures";
+    maintainers = with maintainers; [ kcalvinalvin ];
+  };
+}
diff --git a/nixpkgs/pkgs/os-specific/linux/libgestures/include-fix.patch b/nixpkgs/pkgs/os-specific/linux/libgestures/include-fix.patch
new file mode 100644
index 000000000000..851be4771434
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/libgestures/include-fix.patch
@@ -0,0 +1,12 @@
+diff -ur a/include/gestures/include/finger_metrics.h b/include/gestures/include/finger_metrics.h
+--- a/include/gestures/include/finger_metrics.h    1970-01-01 09:00:01.000000000 +0900
++++ b/include/gestures/include/finger_metrics.h    2018-12-01 16:58:51.590718511 +0900
+@@ -5,6 +5,8 @@
+ #ifndef GESTURES_FINGER_METRICS_H_
+ #define GESTURES_FINGER_METRICS_H_
+ 
++#include <math.h>
++
+ #include "gestures/include/gestures.h"
+ #include "gestures/include/prop_registry.h"
+#include "gestures/include/vector.h"
diff --git a/nixpkgs/pkgs/os-specific/linux/libnl-tiny/default.nix b/nixpkgs/pkgs/os-specific/linux/libnl-tiny/default.nix
new file mode 100644
index 000000000000..2f5d1d0999a0
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/libnl-tiny/default.nix
@@ -0,0 +1,28 @@
+{ stdenv, lib, fetchgit, cmake, pkg-config }:
+
+stdenv.mkDerivation {
+  pname = "libnl-tiny";
+  version = "unstable-2023-07-27";
+
+  src = fetchgit {
+    url = "https://git.openwrt.org/project/libnl-tiny.git";
+    rev = "bc92a280186f9becc53c0f17e4e43cfbdeec7e7b";
+    hash = "sha256-/d6so8hfBOyp8NbUhPZ0aRj6gXO/RLgwCQnAT7N/rF8=";
+  };
+
+  nativeBuildInputs = [ cmake pkg-config ];
+
+  preConfigure = ''
+    sed -e 's|''${prefix}/@CMAKE_INSTALL_LIBDIR@|@CMAKE_INSTALL_FULL_LIBDIR@|g' \
+        -e 's|''${prefix}/@CMAKE_INSTALL_INCLUDEDIR@|@CMAKE_INSTALL_FULL_INCLUDEDIR@|g' \
+        -i libnl-tiny.pc.in
+  '';
+
+  meta = with lib; {
+    description = "Tiny OpenWrt fork of libnl";
+    homepage = "https://git.openwrt.org/?p=project/libnl-tiny.git;a=summary";
+    license = licenses.isc;
+    maintainers = with maintainers; [ mkg20001 ];
+    platforms = platforms.all;
+  };
+}
diff --git a/nixpkgs/pkgs/os-specific/linux/libnl/default.nix b/nixpkgs/pkgs/os-specific/linux/libnl/default.nix
new file mode 100644
index 000000000000..5248c263b3b2
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/libnl/default.nix
@@ -0,0 +1,43 @@
+{ stdenv, file, lib, fetchFromGitHub, autoreconfHook, bison, flex, pkg-config
+, pythonSupport ? false, swig ? null, python ? null}:
+
+stdenv.mkDerivation rec {
+  pname = "libnl";
+  version = "3.7.0";
+
+  src = fetchFromGitHub {
+    repo = "libnl";
+    owner = "thom311";
+    rev = "libnl${lib.replaceStrings ["."] ["_"] version}";
+    sha256 = "sha256-Ty9NdWKWB29MTRfG5OJlSE0mSTN3Wy+sR4KtuExXcB4=";
+  };
+
+  outputs = [ "bin" "dev" "out" "man" ] ++ lib.optional pythonSupport "py";
+
+  enableParallelBuilding = true;
+
+  nativeBuildInputs = [ autoreconfHook bison flex pkg-config file ]
+    ++ lib.optional pythonSupport swig;
+
+  postBuild = lib.optionalString (pythonSupport) ''
+      cd python
+      ${python.pythonOnBuildForHost.interpreter} setup.py install --prefix=../pythonlib
+      cd -
+  '';
+
+  postFixup = lib.optionalString pythonSupport ''
+    mv "pythonlib/" "$py"
+  '';
+
+  passthru = {
+    inherit pythonSupport;
+  };
+
+  meta = with lib; {
+    homepage = "http://www.infradead.org/~tgr/libnl/";
+    description = "Linux Netlink interface library suite";
+    license = licenses.lgpl21;
+    maintainers = with maintainers; [ fpletz ];
+    platforms = platforms.linux;
+  };
+}
diff --git a/nixpkgs/pkgs/os-specific/linux/libnss-mysql/default.nix b/nixpkgs/pkgs/os-specific/linux/libnss-mysql/default.nix
new file mode 100644
index 000000000000..77e629b03074
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/libnss-mysql/default.nix
@@ -0,0 +1,30 @@
+{ lib, stdenv, fetchFromGitHub, autoreconfHook, which, libmysqlclient }:
+
+stdenv.mkDerivation rec {
+  pname = "libnss-mysql";
+  version = "1.7.1";
+
+  src = fetchFromGitHub {
+    owner = "saknopper";
+    repo = "libnss-mysql";
+    rev = "v${version}";
+    sha256 = "1fhsswa3h2nkhjkyjxxqnj07rlx6bmfvd8j521snimx2jba8h0d6";
+  };
+
+  nativeBuildInputs = [ autoreconfHook which ];
+  buildInputs = [ libmysqlclient ];
+
+  configureFlags = [ "--sysconfdir=/etc" ];
+  installFlags = [ "sysconfdir=$(out)/etc" ];
+  postInstall = ''
+    rm -r $out/etc
+  '';
+
+  meta = with lib; {
+    description = "MySQL module for the Solaris Nameservice Switch (NSS)";
+    homepage = "https://github.com/saknopper/libnss-mysql";
+    license = licenses.gpl2Plus;
+    platforms = platforms.linux;
+    maintainers = with maintainers; [ netali ];
+  };
+}
diff --git a/nixpkgs/pkgs/os-specific/linux/libnvme/default.nix b/nixpkgs/pkgs/os-specific/linux/libnvme/default.nix
new file mode 100644
index 000000000000..129bb49e81e9
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/libnvme/default.nix
@@ -0,0 +1,81 @@
+{ fetchFromGitHub
+, json_c
+, keyutils
+, lib
+, meson
+, ninja
+, openssl
+, perl
+, pkg-config
+, python3
+, stdenv
+, swig
+, systemd
+, fetchpatch
+# ImportError: cannot import name 'mlog' from 'mesonbuild'
+, withDocs ? stdenv.hostPlatform.canExecute stdenv.buildPlatform
+}:
+
+stdenv.mkDerivation (finalAttrs: {
+  pname = "libnvme";
+  version = "1.6";
+
+  outputs = [ "out" ] ++ lib.optionals withDocs [ "man" ];
+
+  src = fetchFromGitHub {
+    owner = "linux-nvme";
+    repo = "libnvme";
+    rev = "v${finalAttrs.version}";
+    hash = "sha256-7bvjsmt16/6RycSDKIECtJ4ES7NTaspU6IMpUw0sViA=";
+  };
+
+  patches = [
+    # included in next release
+    (fetchpatch {
+      url = "https://github.com/linux-nvme/libnvme/commit/ff742e792725c316ba6de0800188bf36751bd1d1.patch";
+      hash = "sha256-IUjPUBmGQC4oAKFFlBrjonqD2YdyNPC9siK4t/t2slE=";
+    })
+  ];
+
+  postPatch = ''
+    patchShebangs scripts
+  '';
+
+  nativeBuildInputs = [
+    meson
+    ninja
+    perl # for kernel-doc
+    pkg-config
+    python3.pythonOnBuildForHost
+    swig
+  ];
+
+  buildInputs = [
+    keyutils
+    json_c
+    openssl
+    systemd
+    python3
+  ];
+
+  mesonFlags = [
+    "-Ddocs=man"
+    (lib.mesonBool "tests" finalAttrs.doCheck)
+    (lib.mesonBool "docs-build" withDocs)
+  ];
+
+  preConfigure = ''
+    export KBUILD_BUILD_TIMESTAMP="$(date -u -d @$SOURCE_DATE_EPOCH)"
+  '';
+
+  # mocked ioctl conflicts with the musl one: https://github.com/NixOS/nixpkgs/pull/263768#issuecomment-1782877974
+  doCheck = !stdenv.hostPlatform.isMusl;
+
+  meta = with lib; {
+    description = "C Library for NVM Express on Linux";
+    homepage = "https://github.com/linux-nvme/libnvme";
+    maintainers = with maintainers; [ fogti vifino ];
+    license = with licenses; [ lgpl21Plus ];
+    platforms = platforms.linux;
+  };
+})
diff --git a/nixpkgs/pkgs/os-specific/linux/libpsm2/default.nix b/nixpkgs/pkgs/os-specific/linux/libpsm2/default.nix
new file mode 100644
index 000000000000..0dab09de4c1c
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/libpsm2/default.nix
@@ -0,0 +1,48 @@
+{ lib, stdenv, fetchFromGitHub, numactl, pkg-config }:
+
+stdenv.mkDerivation rec {
+  pname = "libpsm2";
+  version = "12.0.1";
+
+  preConfigure= ''
+    export UDEVDIR=$out/etc/udev
+    substituteInPlace ./Makefile --replace "udevrulesdir}" "prefix}/etc/udev";
+  '';
+
+  enableParallelBuilding = true;
+
+  nativeBuildInputs = [ pkg-config ];
+  buildInputs = [ numactl ];
+
+  makeFlags = [
+    # Disable blanket -Werror to avoid build failures
+    # on fresh toolchains like gcc-11.
+    "WERROR="
+  ];
+
+  installFlags = [
+    "DESTDIR=$(out)"
+    "UDEVDIR=/etc/udev"
+    "LIBPSM2_COMPAT_CONF_DIR=/etc"
+  ];
+
+  src = fetchFromGitHub {
+    owner = "intel";
+    repo = "opa-psm2";
+    rev = "PSM2_${version}";
+    sha256 = "sha256-MzocxY+X2a5rJvTo+gFU0U10YzzazR1IxzgEporJyhI=";
+  };
+
+  postInstall = ''
+    mv $out/usr/* $out
+    rmdir $out/usr
+  '';
+
+  meta = with lib; {
+    homepage = "https://github.com/intel/opa-psm2";
+    description = "The PSM2 library supports a number of fabric media and stacks";
+    license = with licenses; [ gpl2 bsd3 ];
+    platforms = [ "x86_64-linux" ];
+    maintainers = [ maintainers.bzizou ];
+  };
+}
diff --git a/nixpkgs/pkgs/os-specific/linux/libratbag/default.nix b/nixpkgs/pkgs/os-specific/linux/libratbag/default.nix
new file mode 100644
index 000000000000..a35ab1dcc01c
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/libratbag/default.nix
@@ -0,0 +1,36 @@
+{ lib, stdenv, fetchFromGitHub, meson, ninja, pkg-config
+, glib, systemd, udev, libevdev, gitMinimal, check, valgrind, swig, python3
+, json-glib, libunistring }:
+
+stdenv.mkDerivation rec {
+  pname = "libratbag";
+  version = "0.17";
+
+  src = fetchFromGitHub {
+    owner  = "libratbag";
+    repo   = "libratbag";
+    rev    = "v${version}";
+    sha256 = "sha256-TQ8DVj4yqq3IA0oGnLDz+QNTyNRmGqspEjkPeBmXNew=";
+  };
+
+  nativeBuildInputs = [
+    meson ninja pkg-config gitMinimal swig check valgrind
+  ];
+
+  buildInputs = [
+    glib systemd udev libevdev json-glib libunistring
+    (python3.withPackages (ps: with ps; [ evdev pygobject3 ]))
+  ];
+
+  mesonFlags = [
+    "-Dsystemd-unit-dir=./lib/systemd/system/"
+  ];
+
+  meta = with lib; {
+    description = "Configuration library for gaming mice";
+    homepage    = "https://github.com/libratbag/libratbag";
+    license     = licenses.mit;
+    maintainers = with maintainers; [ mvnetbiz ];
+    platforms   = platforms.linux;
+  };
+}
diff --git a/nixpkgs/pkgs/os-specific/linux/libselinux/default.nix b/nixpkgs/pkgs/os-specific/linux/libselinux/default.nix
new file mode 100644
index 000000000000..695012effc5c
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/libselinux/default.nix
@@ -0,0 +1,85 @@
+{ lib, stdenv, fetchurl, fetchpatch, buildPackages, pcre, pkg-config, libsepol
+, enablePython ? !stdenv.hostPlatform.isStatic, swig ? null, python3 ? null
+, fts
+}:
+
+assert enablePython -> swig != null && python3 != null;
+
+with lib;
+
+stdenv.mkDerivation rec {
+  pname = "libselinux";
+  version = "3.3";
+  inherit (libsepol) se_url;
+
+  outputs = [ "bin" "out" "dev" "man" ] ++ optional enablePython "py";
+
+  src = fetchurl {
+    url = "${se_url}/${version}/libselinux-${version}.tar.gz";
+    sha256 = "0mvh793g7fg6wb6zqhkdyrv80x6k84ypqwi8ii89c91xcckyxzdc";
+  };
+
+  patches = [
+    # Make it possible to disable shared builds (for pkgsStatic).
+    #
+    # We can't use fetchpatch because it processes includes/excludes
+    # /after/ stripping the prefix, which wouldn't work here because
+    # there would be no way to distinguish between
+    # e.g. libselinux/src/Makefile and libsepol/src/Makefile.
+    #
+    # This is a static email, so we shouldn't have to worry about
+    # normalizing the patch.
+    (fetchurl {
+      url = "https://lore.kernel.org/selinux/20211113141616.361640-1-hi@alyssa.is/raw";
+      sha256 = "16a2s2ji9049892i15yyqgp4r20hi1hij4c1s4s8law9jsx65b3n";
+      postFetch = ''
+        mv "$out" $TMPDIR/patch
+        ${buildPackages.patchutils_0_3_3}/bin/filterdiff \
+            -i 'a/libselinux/*' --strip 1 <$TMPDIR/patch >"$out"
+      '';
+    })
+  ];
+
+  nativeBuildInputs = [ pkg-config python3 ] ++ optionals enablePython [ swig ];
+  buildInputs = [ libsepol pcre fts ] ++ optionals enablePython [ python3 ];
+
+  # drop fortify here since package uses it by default, leading to compile error:
+  # command-line>:0:0: error: "_FORTIFY_SOURCE" redefined [-Werror]
+  hardeningDisable = [ "fortify" ];
+
+  env.NIX_CFLAGS_COMPILE = "-Wno-error";
+
+  makeFlags = [
+    "PREFIX=$(out)"
+    "INCDIR=$(dev)/include/selinux"
+    "INCLUDEDIR=$(dev)/include"
+    "MAN3DIR=$(man)/share/man/man3"
+    "MAN5DIR=$(man)/share/man/man5"
+    "MAN8DIR=$(man)/share/man/man8"
+    "SBINDIR=$(bin)/sbin"
+    "SHLIBDIR=$(out)/lib"
+
+    "LIBSEPOLA=${lib.getLib libsepol}/lib/libsepol.a"
+    "ARCH=${stdenv.hostPlatform.linuxArch}"
+  ] ++ optionals stdenv.hostPlatform.isStatic [
+    "DISABLE_SHARED=y"
+  ] ++ optionals enablePython [
+    "PYTHON=${python3.pythonOnBuildForHost.interpreter}"
+    "PYTHONLIBDIR=$(py)/${python3.sitePackages}"
+  ];
+
+  postPatch = lib.optionalString stdenv.hostPlatform.isMusl ''
+    substituteInPlace src/procattr.c \
+      --replace "#include <unistd.h>" ""
+  '';
+
+  preInstall = optionalString enablePython ''
+    mkdir -p $py/${python3.sitePackages}/selinux
+  '';
+
+  installTargets = [ "install" ] ++ optional enablePython "install-pywrap";
+
+  meta = removeAttrs libsepol.meta ["outputsToInstall"] // {
+    description = "SELinux core library";
+  };
+}
diff --git a/nixpkgs/pkgs/os-specific/linux/libsemanage/default.nix b/nixpkgs/pkgs/os-specific/linux/libsemanage/default.nix
new file mode 100644
index 000000000000..2f5a0f7172ca
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/libsemanage/default.nix
@@ -0,0 +1,54 @@
+{ lib, stdenv, fetchurl, pkg-config, bison, flex, libsepol, libselinux, bzip2, audit
+, enablePython ? true, swig ? null, python ? null
+}:
+
+with lib;
+
+stdenv.mkDerivation rec {
+  pname = "libsemanage";
+  version = "3.5";
+  inherit (libsepol) se_url;
+
+  src = fetchurl {
+    url = "${se_url}/${version}/libsemanage-${version}.tar.gz";
+    sha256 = "sha256-9TU05QJHU4KA7Q12xs6B2Ps5Ob1kytuJ2hDbpC5A3Zw=";
+   };
+
+  outputs = [ "out" "dev" "man" ] ++ optional enablePython "py";
+
+  strictDeps = true;
+
+  nativeBuildInputs = [ bison flex pkg-config ] ++ optional enablePython swig;
+  buildInputs = [ libsepol libselinux bzip2 audit ]
+    ++ optional enablePython python;
+
+  makeFlags = [
+    "PREFIX=$(out)"
+    "INCLUDEDIR=$(dev)/include"
+    "MAN3DIR=$(man)/share/man/man3"
+    "MAN5DIR=$(man)/share/man/man5"
+    "PYTHON=python"
+    "PYPREFIX=python"
+    "PYTHONLIBDIR=$(py)/${python.sitePackages}"
+    "DEFAULT_SEMANAGE_CONF_LOCATION=$(out)/etc/selinux/semanage.conf"
+  ];
+
+  # The following turns the 'clobbered' error into a warning
+  # which should fix the following error:
+  #
+  # semanage_store.c: In function 'semanage_exec_prog':
+  # semanage_store.c:1278:6: error: variable 'i' might be clobbered by 'longjmp' or 'vfork' [8;;https://gcc.gnu.org/onlinedocs/gcc/Warning-Options.html#index-Wclobbered-Werror=clobbered8;;]
+  #  1278 |  int i;
+  #       |      ^
+  # cc1: all warnings being treated as errors
+  env.NIX_CFLAGS_COMPILE = toString [ "-Wno-error=clobbered" ];
+
+  installTargets = [ "install" ] ++ optionals enablePython [ "install-pywrap" ];
+
+  enableParallelBuilding = true;
+
+  meta = removeAttrs libsepol.meta ["outputsToInstall"] // {
+    description = "Policy management tools for SELinux";
+    license = lib.licenses.lgpl21;
+  };
+}
diff --git a/nixpkgs/pkgs/os-specific/linux/libsepol/default.nix b/nixpkgs/pkgs/os-specific/linux/libsepol/default.nix
new file mode 100644
index 000000000000..5d1c1cfc89c0
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/libsepol/default.nix
@@ -0,0 +1,46 @@
+{ lib, stdenv, fetchurl, fetchpatch, flex }:
+
+stdenv.mkDerivation rec {
+  pname = "libsepol";
+  version = "3.5";
+  se_url = "https://github.com/SELinuxProject/selinux/releases/download";
+
+  outputs = [ "bin" "out" "dev" "man" ];
+
+  src = fetchurl {
+    url = "${se_url}/${version}/libsepol-${version}.tar.gz";
+    sha256 = "sha256-eP2vaZJNt4C6x4VG5D2cRAdLrXmMLEFdC5u5bQZe6KI=";
+  };
+
+  postPatch = lib.optionalString stdenv.hostPlatform.isStatic ''
+    substituteInPlace src/Makefile --replace 'all: $(LIBA) $(LIBSO)' 'all: $(LIBA)'
+    sed -i $'/^\t.*LIBSO/d' src/Makefile
+  '';
+
+  nativeBuildInputs = [ flex ];
+
+  makeFlags = [
+    "PREFIX=$(out)"
+    "BINDIR=$(bin)/bin"
+    "INCDIR=$(dev)/include/sepol"
+    "INCLUDEDIR=$(dev)/include"
+    "MAN3DIR=$(man)/share/man/man3"
+    "MAN8DIR=$(man)/share/man/man8"
+    "SHLIBDIR=$(out)/lib"
+  ];
+
+  env.NIX_CFLAGS_COMPILE = "-Wno-error";
+
+  enableParallelBuilding = true;
+
+  passthru = { inherit se_url; };
+
+  meta = with lib; {
+    description = "SELinux binary policy manipulation library";
+    homepage = "http://userspace.selinuxproject.org";
+    platforms = platforms.linux;
+    maintainers = [ ];
+    license = lib.licenses.gpl2Plus;
+    pkgConfigModules = [ "libselinux" ];
+  };
+}
diff --git a/nixpkgs/pkgs/os-specific/linux/libsmbios/default.nix b/nixpkgs/pkgs/os-specific/linux/libsmbios/default.nix
new file mode 100644
index 000000000000..df4337a6caff
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/libsmbios/default.nix
@@ -0,0 +1,50 @@
+{ lib, stdenv, fetchFromGitHub, fetchurl
+, pkg-config, autoreconfHook, help2man, gettext, libxml2, perl, python3, doxygen
+}:
+
+stdenv.mkDerivation rec {
+  pname = "libsmbios";
+  version = "2.4.3";
+
+  src = fetchFromGitHub {
+    owner = "dell";
+    repo = "libsmbios";
+    rev = "v${version}";
+    sha256 = "0krwwydyvb9224r884y1mlmzyxhlfrcqw73vi1j8787rl0gl5a2i";
+  };
+
+  patches = [
+    (fetchurl {
+      name = "musl.patch";
+      url = "https://git.alpinelinux.org/aports/plain/community/libsmbios/fixes.patch?id=bdc4f67889c958c1266fa5d0cab71c3cd639122f";
+      sha256 = "aVVc52OovDYvqWRyKcRAi62daa9AalkKvnVOGvrTmRk=";
+    })
+  ];
+
+  nativeBuildInputs = [ autoreconfHook doxygen gettext libxml2 help2man perl pkg-config ];
+
+  buildInputs = [ python3 ];
+
+  configureFlags = [ "--disable-graphviz" ];
+
+  enableParallelBuilding = true;
+
+  postInstall = ''
+    mkdir -p $out/include
+    cp -a src/include/smbios_c $out/include/
+    cp -a out/public-include/smbios_c $out/include/
+  '';
+
+  # remove forbidden reference to $TMPDIR
+  preFixup = ''
+    patchelf --shrink-rpath --allowed-rpath-prefixes "$NIX_STORE" "$out/sbin/smbios-sys-info-lite"
+  '';
+
+  meta = with lib; {
+    homepage = "https://github.com/dell/libsmbios";
+    description = "A library to obtain BIOS information";
+    license = with licenses; [ osl21 gpl2Plus ];
+    maintainers = with maintainers; [ ];
+    platforms = [ "i686-linux" "x86_64-linux" ];
+  };
+}
diff --git a/nixpkgs/pkgs/os-specific/linux/libtraceevent/default.nix b/nixpkgs/pkgs/os-specific/linux/libtraceevent/default.nix
new file mode 100644
index 000000000000..5b8aa329b783
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/libtraceevent/default.nix
@@ -0,0 +1,33 @@
+{ lib, stdenv, fetchgit, pkg-config, asciidoc, xmlto, docbook_xml_dtd_45, docbook_xsl, meson, ninja, cunit }:
+
+stdenv.mkDerivation rec {
+  pname = "libtraceevent";
+  version = "1.7.3";
+
+  src = fetchgit {
+    url = "https://git.kernel.org/pub/scm/libs/libtrace/libtraceevent.git";
+    rev = "libtraceevent-${version}";
+    sha256 = "sha256-poF+Cqcdj0KIgEJWW7XDAlRLz2/Egi948s1M24ETvBo=";
+  };
+
+  postPatch = ''
+    chmod +x Documentation/install-docs.sh.in
+    patchShebangs --build check-manpages.sh Documentation/install-docs.sh.in
+  '';
+
+  outputs = [ "out" "dev" "devman" "doc" ];
+  nativeBuildInputs = [ meson ninja pkg-config asciidoc xmlto docbook_xml_dtd_45 docbook_xsl ];
+
+  ninjaFlags = [ "all" "docs" ];
+
+  doCheck = true;
+  checkInputs = [ cunit ];
+
+  meta = with lib; {
+    description = "Linux kernel trace event library";
+    homepage    = "https://git.kernel.org/pub/scm/libs/libtrace/libtraceevent.git/";
+    license     = licenses.lgpl21Only;
+    platforms   = platforms.linux;
+    maintainers = with maintainers; [ wentasah ];
+  };
+}
diff --git a/nixpkgs/pkgs/os-specific/linux/libtracefs/default.nix b/nixpkgs/pkgs/os-specific/linux/libtracefs/default.nix
new file mode 100644
index 000000000000..3e9c9115645d
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/libtracefs/default.nix
@@ -0,0 +1,63 @@
+{ lib
+, stdenv
+, fetchgit
+, pkg-config
+, libtraceevent
+, asciidoc
+, xmlto
+, docbook_xml_dtd_45
+, docbook_xsl
+, coreutils
+, valgrind
+, sourceHighlight
+, meson
+, flex
+, bison
+, ninja
+, cunit
+}:
+
+stdenv.mkDerivation rec {
+  pname = "libtracefs";
+  version = "1.7.0";
+
+  src = fetchgit {
+    url = "https://git.kernel.org/pub/scm/libs/libtrace/libtracefs.git";
+    rev = "libtracefs-${version}";
+    sha256 = "sha256-64eXFFdnZHHf4C3vbADtPuIMsfJ85VZ6t8A1gIc1CW0=";
+  };
+
+  postPatch = ''
+    chmod +x samples/extract-example.sh
+    patchShebangs --build check-manpages.sh samples/extract-example.sh Documentation/install-docs.sh.in
+  '';
+
+  outputs = [ "out" "dev" "devman" "doc" ];
+  nativeBuildInputs = [
+    meson
+    ninja
+    pkg-config
+    asciidoc
+    xmlto
+    docbook_xml_dtd_45
+    docbook_xsl
+    valgrind
+    sourceHighlight
+    flex
+    bison
+  ];
+  buildInputs = [ libtraceevent ];
+
+  ninjaFlags = [ "all" "docs" ];
+
+  doCheck = true;
+  checkInputs = [ cunit ];
+
+  meta = with lib; {
+    description = "Linux kernel trace file system library";
+    homepage    = "https://git.kernel.org/pub/scm/libs/libtrace/libtracefs.git/";
+    license     = licenses.lgpl21Only;
+    platforms   = platforms.linux;
+    maintainers = with maintainers; [ wentasah ];
+  };
+}
diff --git a/nixpkgs/pkgs/os-specific/linux/libudev0-shim/default.nix b/nixpkgs/pkgs/os-specific/linux/libudev0-shim/default.nix
new file mode 100644
index 000000000000..642dd534232b
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/libudev0-shim/default.nix
@@ -0,0 +1,29 @@
+{ lib, stdenv, fetchFromGitHub, udev }:
+
+stdenv.mkDerivation rec {
+  pname = "libudev0-shim";
+  version = "1";
+
+  src = fetchFromGitHub {
+    owner = "archlinux";
+    repo = "libudev0-shim";
+    rev = "v${version}";
+    sha256 = "1460qm6rp1cqnns39lj24z7191m8sbpvbjabqbzb55dkdd2kw50z";
+  };
+
+  buildInputs = [ udev ];
+
+  installPhase = ''
+    name="$(echo libudev.so.*)"
+    install -Dm755 "$name" "$out/lib/$name"
+    ln -s "$name" "$out/lib/libudev.so.0"
+  '';
+
+  meta = with lib; {
+    description = "Shim to preserve libudev.so.0 compatibility";
+    homepage = "https://github.com/archlinux/libudev0-shim";
+    platforms = platforms.linux;
+    license = licenses.lgpl21;
+    maintainers = with maintainers; [ abbradar ];
+  };
+}
diff --git a/nixpkgs/pkgs/os-specific/linux/libvolume_id/default.nix b/nixpkgs/pkgs/os-specific/linux/libvolume_id/default.nix
new file mode 100644
index 000000000000..653094c91884
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/libvolume_id/default.nix
@@ -0,0 +1,27 @@
+{lib, stdenv, fetchurl}:
+
+stdenv.mkDerivation rec {
+  pname = "libvolume_id";
+  version = "0.81.1";
+
+  src = fetchurl {
+    url = "https://www.marcuscom.com/downloads/libvolume_id-${version}.tar.bz2";
+    sha256 = "029z04vdxxsl8gycm9whcljhv6dy4b12ybsxdb99jr251gl1ifs5";
+  };
+
+  preBuild = "
+    makeFlagsArray=(prefix=$out E=echo RANLIB=${stdenv.cc.targetPrefix}ranlib INSTALL='install -c')
+  ";
+
+  # Work around a broken Makefile.
+  postInstall = "
+    rm $out/lib/libvolume_id.so.0
+    cp -f libvolume_id.so.0 $out/lib/
+  ";
+
+  meta = with lib; {
+    platforms = platforms.linux;
+    license = licenses.gpl2;
+    homepage = "http://www.marcuscom.com/downloads/";
+  };
+}
diff --git a/nixpkgs/pkgs/os-specific/linux/libwebcam/default.nix b/nixpkgs/pkgs/os-specific/linux/libwebcam/default.nix
new file mode 100644
index 000000000000..5f87a89496b7
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/libwebcam/default.nix
@@ -0,0 +1,51 @@
+{ lib
+, stdenv
+, fetchurl
+, cmake
+, pkg-config
+, libxml2
+}:
+
+stdenv.mkDerivation rec {
+  pname = "libwebcam";
+  version = "0.2.5";
+
+  src = fetchurl {
+    url = "mirror://sourceforge/project/${pname}/source/${pname}-src-${version}.tar.gz";
+    sha256 = "0hcxv8di83fk41zjh0v592qm7c0v37a3m3n3lxavd643gff1k99w";
+  };
+
+  patches = [
+    ./uvcdynctrl_symlink_support_and_take_data_dir_from_env.patch
+  ];
+
+  nativeBuildInputs = [ cmake pkg-config ];
+  buildInputs = [ libxml2 ];
+
+  postPatch = ''
+    substituteInPlace ./uvcdynctrl/CMakeLists.txt \
+      --replace "/lib/udev" "$out/lib/udev"
+
+    substituteInPlace ./uvcdynctrl/udev/scripts/uvcdynctrl \
+      --replace 'debug=0' 'debug=''${NIX_UVCDYNCTRL_UDEV_DEBUG:-0}' \
+      --replace 'uvcdynctrlpath=uvcdynctrl' "uvcdynctrlpath=$out/bin/uvcdynctrl"
+
+    substituteInPlace ./uvcdynctrl/udev/rules/80-uvcdynctrl.rules \
+      --replace "/lib/udev" "$out/lib/udev"
+  '';
+
+
+  preConfigure = ''
+    cmakeFlagsArray=(
+      $cmakeFlagsArray
+      "-DCMAKE_INSTALL_PREFIX=$out"
+    )
+  '';
+
+  meta = with lib; {
+    description = "The webcam-tools package";
+    platforms = platforms.linux;
+    license = licenses.lgpl3;
+    maintainers = with maintainers; [ jraygauthier ];
+  };
+}
diff --git a/nixpkgs/pkgs/os-specific/linux/libwebcam/uvcdynctrl_symlink_support_and_take_data_dir_from_env.patch b/nixpkgs/pkgs/os-specific/linux/libwebcam/uvcdynctrl_symlink_support_and_take_data_dir_from_env.patch
new file mode 100644
index 000000000000..07e5f0bf852b
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/libwebcam/uvcdynctrl_symlink_support_and_take_data_dir_from_env.patch
@@ -0,0 +1,65 @@
+diff --git a/uvcdynctrl/main.c b/uvcdynctrl/main.c
+index b7befd1..f3a768c 100644
+--- a/uvcdynctrl/main.c
++++ b/uvcdynctrl/main.c
+@@ -674,27 +674,31 @@ get_filename (const char *dir_path, const char *vid)
+ 	printf ( "checking dir: %s \n", dir_path);
+ 	while ((dp = readdir(dir)) != NULL) 
+ 	{
+-		if((dp->d_type == DT_DIR) && (fnmatch("[[:xdigit:]][[:xdigit:]][[:xdigit:]][[:xdigit:]]", dp->d_name, 0) == 0))
++		if((dp->d_type == DT_DIR || dp->d_type == DT_LNK ) && (fnmatch("[[:xdigit:]][[:xdigit:]][[:xdigit:]][[:xdigit:]]", dp->d_name, 0) == 0))
+ 		{
+ 			if( strcasecmp(vid, dp->d_name) != 0)
+ 			{
+ 				/*doesn't match - clean up and move to the next entry*/
+ 				continue;
+ 			}
+-			
++
+ 			char *tmp = path_cat (dir_path, dp->d_name);
+-			printf("found dir: %s \n", dp->d_name);
++
+ 			DIR * subdir = opendir(tmp);
+-			while ((sdp = readdir(subdir)) != NULL) 
++			if ( subdir != NULL )
+ 			{
+-				if( fnmatch("*.xml", sdp->d_name, 0) == 0 )
++				printf("found dir: %s \n", dp->d_name);
++				while ((sdp = readdir(subdir)) != NULL) 
+ 				{
+-					file_list[nf-1] = path_cat (tmp, sdp->d_name);
+-					printf("found: %s \n", file_list[nf-1]);
+-					nf++;
+-					file_list = realloc(file_list,nf*sizeof(file_list));
+-					file_list[nf-1] = NULL;   
+-				} 
++					if( fnmatch("*.xml", sdp->d_name, 0) == 0 )
++					{
++						file_list[nf-1] = path_cat (tmp, sdp->d_name);
++						printf("found: %s \n", file_list[nf-1]);
++						nf++;
++						file_list = realloc(file_list,nf*sizeof(file_list));
++						file_list[nf-1] = NULL;   
++					} 
++				}
+ 			}
+ 			closedir(subdir);
+ 			free (tmp);
+@@ -869,9 +873,15 @@ main (int argc, char **argv)
+ 			pid_set = 1; /*flag pid.xml check*/
+ 			//printf("vid:%s pid:%s\n", vid, pid);
+ 		}
+-		
++
++		const char* dataDir = getenv( "NIX_UVCDYNCTRL_DATA_DIR" );
++		// When unavailable, fallback on data dir specified at build time.
++		if ( !dataDir ) {
++			dataDir = DATA_DIR;
++		}
++
+ 		/* get xml file list from DATA_DIR/vid/ */ 
+-		char **xml_files = get_filename (DATA_DIR, vid);
++		char **xml_files = get_filename (dataDir, vid);
+  
+ 		/*check for pid.xml*/
+ 		char fname[9];
diff --git a/nixpkgs/pkgs/os-specific/linux/libzbc/default.nix b/nixpkgs/pkgs/os-specific/linux/libzbc/default.nix
new file mode 100644
index 000000000000..94f5c93f949b
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/libzbc/default.nix
@@ -0,0 +1,38 @@
+{ lib
+, stdenv
+, autoreconfHook
+, fetchFromGitHub
+, gtk3
+, libtool
+, pkg-config
+, guiSupport ? false
+}:
+
+stdenv.mkDerivation rec {
+  pname = "libzbc";
+  version = "5.13.0";
+
+  src = fetchFromGitHub {
+    owner = "westerndigitalcorporation";
+    repo = "libzbc";
+    rev = "v${version}";
+    sha256 = "6xkA96bgQ2Ik1vEwkw7hwjMbjMSlopzv5ziTh60Mjx0=";
+  };
+
+  nativeBuildInputs = [
+    autoreconfHook
+    libtool
+  ] ++ lib.optionals guiSupport [ pkg-config ];
+
+  buildInputs = lib.optionals guiSupport [ gtk3 ];
+
+  configureFlags = lib.optional guiSupport "--enable-gui";
+
+  meta = with lib; {
+    description = "ZBC device manipulation library";
+    homepage = "https://github.com/westerndigitalcorporation/libzbc";
+    maintainers = [ maintainers.fogti ];
+    license = with licenses; [ bsd2 lgpl3Plus ];
+    platforms = platforms.linux;
+  };
+}
diff --git a/nixpkgs/pkgs/os-specific/linux/libzbd/default.nix b/nixpkgs/pkgs/os-specific/linux/libzbd/default.nix
new file mode 100644
index 000000000000..0c77f73cf2fc
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/libzbd/default.nix
@@ -0,0 +1,40 @@
+{ lib
+, stdenv
+, autoconf-archive
+, autoreconfHook
+, fetchFromGitHub
+, gtk3
+, libtool
+, pkg-config
+, guiSupport ? false
+}:
+
+stdenv.mkDerivation rec {
+  pname = "libzbd";
+  version = "2.0.4";
+
+  src = fetchFromGitHub {
+    owner = "westerndigitalcorporation";
+    repo = "libzbd";
+    rev = "v${version}";
+    sha256 = "sha256-iMQjOWsgsS+uI8mqoOXHRAV1+SIu1McUAcrsY+/zcu8=";
+  };
+
+  nativeBuildInputs = [
+    autoconf-archive # this can be removed with the next release
+    autoreconfHook
+    libtool
+  ] ++ lib.optionals guiSupport [ pkg-config ];
+
+  buildInputs = lib.optionals guiSupport [ gtk3 ];
+
+  configureFlags = lib.optional guiSupport "--enable-gui";
+
+  meta = with lib; {
+    description = "Zoned block device manipulation library and tools";
+    homepage = "https://github.com/westerndigitalcorporation/libzbd";
+    maintainers = [ maintainers.fogti ];
+    license = with licenses; [ lgpl3Plus gpl3Plus ];
+    platforms = platforms.linux;
+  };
+}
diff --git a/nixpkgs/pkgs/os-specific/linux/light/default.nix b/nixpkgs/pkgs/os-specific/linux/light/default.nix
new file mode 100644
index 000000000000..6caa8e394508
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/light/default.nix
@@ -0,0 +1,41 @@
+{ lib, stdenv, fetchFromGitHub, fetchpatch, autoreconfHook, coreutils }:
+
+stdenv.mkDerivation rec {
+  version = "1.2.2";
+  pname = "light";
+  src = fetchFromGitHub {
+    owner = "haikarainen";
+    repo = "light";
+    rev = "v${version}";
+    sha256 = "1a70zcf88ifsnwll486aicjnh48zisdf8f7vi34ihw61kdadsq9s";
+  };
+
+  patches = [
+    # Pull upstream fix for -fno-common toolchains:
+    #  https://github.com/haikarainen/light/pull/135
+    (fetchpatch {
+      name = "fno-common.patch";
+      url = "https://github.com/haikarainen/light/commit/eae912ca7ff3356805e47739114861d2b6ae7ec0.patch";
+      sha256 = "15jp8hm5scl0myiy1jmvd6m52lhx5jscvi3rgb5siwakmnkgzx9j";
+    })
+  ];
+
+  configureFlags = [ "--with-udev" ];
+
+  nativeBuildInputs = [ autoreconfHook ];
+
+  # ensure udev rules can find the commands used
+  postPatch = ''
+    substituteInPlace 90-backlight.rules \
+      --replace '/bin/chgrp' '${coreutils}/bin/chgrp' \
+      --replace '/bin/chmod' '${coreutils}/bin/chmod'
+  '';
+
+  meta = {
+    description = "GNU/Linux application to control backlights";
+    homepage = "https://haikarainen.github.io/light/";
+    license = lib.licenses.gpl3;
+    maintainers = with lib.maintainers; [ puffnfresh dtzWill ];
+    platforms = lib.platforms.linux;
+  };
+}
diff --git a/nixpkgs/pkgs/os-specific/linux/lightum/default.nix b/nixpkgs/pkgs/os-specific/linux/lightum/default.nix
new file mode 100644
index 000000000000..e9925b95bcd6
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/lightum/default.nix
@@ -0,0 +1,42 @@
+{ lib, stdenv, fetchFromGitHub, libX11, libXScrnSaver, libXext, glib, dbus, pkg-config, systemd }:
+
+stdenv.mkDerivation {
+  pname = "lightum";
+  version = "unstable-2014-06-07";
+
+  src = fetchFromGitHub {
+    owner = "poliva";
+    repo = "lightum";
+    rev = "123e6babe0669b23d4c1dfa5511088608ff2baa8";
+    sha256 = "sha256-dzWUVY2srgk6BM6jZ7FF+snxnPopz3fx9nq+mVkmogc=";
+  };
+
+  nativeBuildInputs = [ pkg-config ];
+
+  buildInputs = [
+    dbus
+    glib
+    libX11
+    libXScrnSaver
+    libXext
+    systemd
+  ];
+
+  patchPhase = ''
+    substituteInPlace Makefile \
+      --replace "libsystemd-login" "libsystemd"
+  '';
+
+  installPhase = ''
+    make install prefix=$out bindir=$out/bin docdir=$out/share/doc \
+      mandir=$out/share/man INSTALL="install -c" INSTALLDATA="install -c -m 644"
+  '';
+
+  meta = {
+    description = "MacBook automatic light sensor daemon";
+    homepage = "https://github.com/poliva/lightum";
+    license = lib.licenses.gpl2;
+    maintainers = with lib.maintainers; [ puffnfresh ];
+    platforms = lib.platforms.linux;
+  };
+}
diff --git a/nixpkgs/pkgs/os-specific/linux/linux-wifi-hotspot/default.nix b/nixpkgs/pkgs/os-specific/linux/linux-wifi-hotspot/default.nix
new file mode 100644
index 000000000000..01607be58fc4
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/linux-wifi-hotspot/default.nix
@@ -0,0 +1,105 @@
+{ lib
+, stdenv
+, fetchFromGitHub
+, which
+, pkg-config
+, glib
+, gtk3
+, iw
+, makeWrapper
+, qrencode
+, hostapd
+, getopt
+, dnsmasq
+, iproute2
+, flock
+, iptables
+, gawk
+, coreutils
+, gnugrep
+, gnused
+, kmod
+, networkmanager
+, procps
+}:
+
+
+stdenv.mkDerivation rec {
+  pname = "linux-wifi-hotspot";
+  version = "4.6.0";
+
+  src = fetchFromGitHub {
+    owner = "lakinduakash";
+    repo = pname;
+    rev = "v${version}";
+    sha256 = "sha256-u9OdSpdxnjHOrK6PP/SFvGRtezssoZSoJFGVdRbOIPU=";
+  };
+
+  nativeBuildInputs = [
+    which
+    pkg-config
+    makeWrapper
+    qrencode
+    hostapd
+  ];
+
+  buildInputs = [
+    glib
+    gtk3
+  ];
+
+  outputs = [ "out" ];
+
+  postPatch = ''
+    substituteInPlace ./src/scripts/Makefile \
+      --replace "etc" "$out/etc"
+    substituteInPlace ./src/scripts/wihotspot \
+      --replace "/usr" "$out"
+    substituteInPlace ./src/desktop/wifihotspot.desktop \
+      --replace "/usr" "$out"
+    substituteInPlace ./src/scripts/policies/polkit.policy \
+      --replace "/usr" "$out"
+  '';
+
+  makeFlags = [
+    "PREFIX=${placeholder "out"}"
+  ];
+
+  postInstall = ''
+    wrapProgram $out/bin/create_ap \
+      --prefix PATH : ${lib.makeBinPath [
+          coreutils
+          dnsmasq
+          flock
+          gawk
+          getopt
+          gnugrep
+          gnused
+          hostapd
+          iproute2
+          iptables
+          iw
+          kmod
+          networkmanager
+          procps
+          which
+        ]}
+
+    wrapProgram $out/bin/wihotspot-gui \
+      --prefix PATH : ${lib.makeBinPath [ iw ]} \
+      --prefix PATH : "${placeholder "out"}/bin"
+
+    wrapProgram $out/bin/wihotspot \
+      --prefix PATH : ${lib.makeBinPath [ iw ]} \
+      --prefix PATH : "${placeholder "out"}/bin"
+  '';
+
+  meta = with lib; {
+    description = "Feature-rich wifi hotspot creator for Linux which provides both GUI and command-line interface";
+    homepage = "https://github.com/lakinduakash/linux-wifi-hotspot";
+    license = licenses.bsd2;
+    maintainers = with maintainers; [ onny ];
+    platforms = platforms.unix;
+  };
+
+}
diff --git a/nixpkgs/pkgs/os-specific/linux/linuxptp/default.nix b/nixpkgs/pkgs/os-specific/linux/linuxptp/default.nix
new file mode 100644
index 000000000000..e5a1443d3225
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/linuxptp/default.nix
@@ -0,0 +1,33 @@
+{ lib, stdenv, fetchurl, linuxHeaders } :
+
+
+stdenv.mkDerivation rec {
+  pname = "linuxptp";
+  version = "4.1";
+
+  src = fetchurl {
+    url = "mirror://sourceforge/linuxptp/${pname}-${version}.tgz";
+    hash = "sha256-4XQ9RPggiJfjCJXaNXnmcP+Rm5FP60talJ8+Qh3d5TU=";
+  };
+
+  postPatch = ''
+    substituteInPlace incdefs.sh --replace \
+       '/usr/include/linux/' "${linuxHeaders}/include/linux/"
+  '';
+
+  makeFlags = [ "prefix=" ];
+
+  preInstall = ''
+    export DESTDIR=$out
+  '';
+
+  enableParallelBuilding = true;
+
+  meta = with lib; {
+    description = "Implementation of the Precision Time Protocol (PTP) according to IEEE standard 1588 for Linux";
+    homepage = "https://linuxptp.sourceforge.net/";
+    maintainers = [ maintainers.markuskowa ];
+    license = licenses.gpl2Only;
+    platforms = platforms.linux;
+  };
+}
diff --git a/nixpkgs/pkgs/os-specific/linux/liquidtux/default.nix b/nixpkgs/pkgs/os-specific/linux/liquidtux/default.nix
new file mode 100644
index 000000000000..317801bb3cdd
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/liquidtux/default.nix
@@ -0,0 +1,34 @@
+{ lib, stdenv, fetchFromGitHub, kernel }:
+
+stdenv.mkDerivation rec {
+  name = "liquidtux-${version}-${kernel.version}";
+  version = "unstable-2021-12-16";
+
+  src = fetchFromGitHub {
+    owner = "liquidctl";
+    repo = "liquidtux";
+    rev = "342defc0e22ea58f8ab2ab0f191ad3fd302c44cb";
+    sha256 = "12rc3vzfq8vnq9x9ca6swk5ag0xkpgkzmga8ga7q80mah9kxbaax";
+  };
+
+  hardeningDisable = [ "pic" ];
+
+  nativeBuildInputs = kernel.moduleBuildDependencies;
+
+  makeFlags = [
+    "KDIR=${kernel.dev}/lib/modules/${kernel.modDirVersion}/build"
+  ];
+
+  installPhase = ''
+    install nzxt-grid3.ko nzxt-kraken2.ko nzxt-kraken3.ko nzxt-smart2.ko -Dm444 -t ${placeholder "out"}/lib/modules/${kernel.modDirVersion}/kernel/drivers/hwmon
+  '';
+
+  meta = with lib; {
+    description = "Linux kernel hwmon drivers for AIO liquid coolers and other devices";
+    homepage = "https://github.com/liquidctl/liquidtux";
+    license = licenses.gpl2;
+    platforms = [ "x86_64-linux" "i686-linux" ];
+    maintainers = with maintainers; [ nickhu ];
+    broken = lib.versionOlder kernel.version "5.10";
+  };
+}
diff --git a/nixpkgs/pkgs/os-specific/linux/lkrg/default.nix b/nixpkgs/pkgs/os-specific/linux/lkrg/default.nix
new file mode 100644
index 000000000000..4d6118f8b9f8
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/lkrg/default.nix
@@ -0,0 +1,53 @@
+{ lib, stdenv, fetchpatch, fetchFromGitHub, kernel }:
+let
+  isKernelRT = (kernel.structuredExtraConfig ? PREEMPT_RT) && (kernel.structuredExtraConfig.PREEMPT_RT == lib.kernel.yes);
+in
+stdenv.mkDerivation rec {
+  name = "${pname}-${version}-${kernel.version}";
+  pname = "lkrg";
+  version = "0.9.5";
+
+  src = fetchFromGitHub {
+    owner = "lkrg-org";
+    repo = "lkrg";
+    rev = "v${version}";
+    sha256 = "sha256-+yIKkTvfVbLnFBoXSKGebB1A8KqpaRmsLh8SsNuI9Dc=";
+  };
+  patches = [
+    (fetchpatch {
+      name = "fix-aarch64.patch";
+      url = "https://github.com/lkrg-org/lkrg/commit/a4e5c00f13f7081b346bc3736e4c035e3d17d3f7.patch";
+      sha256 = "sha256-DPscqi+DySHwFxGuGe7P2itPkoyb3XGu5Xp2S/ezP4Y=";
+    })
+  ];
+
+  hardeningDisable = [ "pic" ];
+
+  nativeBuildInputs = kernel.moduleBuildDependencies;
+
+  makeFlags = kernel.makeFlags ++ [
+    "KERNEL=${kernel.dev}/lib/modules/${kernel.modDirVersion}/build"
+  ];
+
+  dontConfigure = true;
+
+  prePatch = ''
+    substituteInPlace Makefile --replace "KERNEL := " "KERNEL ?= "
+  '';
+
+  installPhase = ''
+    runHook preInstall
+    install -D lkrg.ko $out/lib/modules/${kernel.modDirVersion}/extra/lkrg.ko
+    runHook postInstall
+  '';
+
+  meta = with lib; {
+    description = "LKRG Linux Kernel module";
+    longDescription = "LKRG performs runtime integrity checking of the Linux kernel and detection of security vulnerability exploits against the kernel.";
+    homepage = "https://lkrg.org/";
+    license = licenses.gpl2Only;
+    maintainers = with maintainers; [ chivay ];
+    platforms = platforms.linux;
+    broken = kernel.kernelOlder "5.10" || kernel.kernelAtLeast "6.1" || isKernelRT;
+  };
+}
diff --git a/nixpkgs/pkgs/os-specific/linux/lksctp-tools/default.nix b/nixpkgs/pkgs/os-specific/linux/lksctp-tools/default.nix
new file mode 100644
index 000000000000..24915143fbd0
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/lksctp-tools/default.nix
@@ -0,0 +1,18 @@
+{ lib, stdenv, fetchurl }:
+
+stdenv.mkDerivation rec {
+  pname = "lksctp-tools";
+  version = "1.0.17";
+
+  src = fetchurl {
+    url = "mirror://sourceforge/lksctp/lksctp-tools-${version}.tar.gz";
+    sha256 = "05da6c2v3acc18ndvmkrag6x5lf914b7s0xkkr6wkvrbvd621sqs";
+  };
+
+  meta = with lib; {
+    description = "Linux Kernel Stream Control Transmission Protocol Tools";
+    homepage = "https://lksctp.sourceforge.net/";
+    license = with licenses; [ gpl2 lgpl21 ]; # library is lgpl21
+    platforms = platforms.linux;
+  };
+}
diff --git a/nixpkgs/pkgs/os-specific/linux/lm-sensors/default.nix b/nixpkgs/pkgs/os-specific/linux/lm-sensors/default.nix
new file mode 100644
index 000000000000..9b37b7c7e63e
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/lm-sensors/default.nix
@@ -0,0 +1,67 @@
+{ lib
+, stdenv
+, fetchFromGitHub
+, bash
+, bison
+, flex
+, which
+, perl
+, sensord ? false
+, rrdtool ? null
+}:
+
+assert sensord -> rrdtool != null;
+
+stdenv.mkDerivation rec {
+  pname = "lm-sensors";
+  version = "3.6.0";
+  dashedVersion = lib.replaceStrings [ "." ] [ "-" ] version;
+
+  src = fetchFromGitHub {
+    owner = "lm-sensors";
+    repo = "lm-sensors";
+    rev = "V${dashedVersion}";
+    hash = "sha256-9lfHCcODlS7sZMjQhK0yQcCBEoGyZOChx/oM0CU37sY=";
+  };
+
+  # Upstream build system have knob to enable and disable building of static
+  # library, shared library is built unconditionally.
+  postPatch = lib.optionalString stdenv.hostPlatform.isStatic ''
+    sed -i 'lib/Module.mk' -e '/LIBTARGETS :=/,+1d; /-m 755/ d'
+    substituteInPlace prog/sensors/Module.mk --replace 'lib/$(LIBSHBASENAME)' ""
+  '';
+
+  nativeBuildInputs = [ bison flex which ];
+  # bash is required for correctly replacing the shebangs in all tools for cross-compilation.
+  buildInputs = [ bash perl ]
+    ++ lib.optional sensord rrdtool;
+
+  makeFlags = [
+    "PREFIX=${placeholder "out"}"
+    "CC=${stdenv.cc.targetPrefix}cc"
+    "AR=${stdenv.cc.targetPrefix}ar"
+  ] ++ lib.optional sensord "PROG_EXTRA=sensord";
+
+  installFlags = [
+    "ETCDIR=${placeholder "out"}/etc"
+  ];
+
+  # Making regexp to patch-out installing of .so symlinks from Makefile is
+  # complicated, it is easier to remove them post-install.
+  postInstall = ''
+    mkdir -p $out/share/doc/${pname}
+    cp -r configs doc/* $out/share/doc/${pname}
+  '' + lib.optionalString stdenv.hostPlatform.isStatic ''
+    rm $out/lib/*.so*
+  '';
+
+  meta = with lib; {
+    homepage = "https://hwmon.wiki.kernel.org/lm_sensors";
+    changelog = "https://raw.githubusercontent.com/lm-sensors/lm-sensors/V${dashedVersion}/CHANGES";
+    description = "Tools for reading hardware sensors";
+    license = with licenses; [ lgpl21Plus gpl2Plus ];
+    maintainers = with maintainers; [ pmy ];
+    platforms = platforms.linux;
+    mainProgram = "sensors";
+  };
+}
diff --git a/nixpkgs/pkgs/os-specific/linux/lockdep/default.nix b/nixpkgs/pkgs/os-specific/linux/lockdep/default.nix
new file mode 100644
index 000000000000..1ea2de63560b
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/lockdep/default.nix
@@ -0,0 +1,67 @@
+{ lib, stdenv, fetchurl, bash, flex, bison, valgrind }:
+
+stdenv.mkDerivation rec {
+  pname = "lockdep";
+
+  # it would be nice to be able to pick a kernel version in sync with something
+  # else we already ship, but it seems userspace lockdep isn't very well maintained
+  # and appears broken in many kernel releases
+  version = "5.0.21";
+  fullver = "5.0.21";
+  src = fetchurl {
+    url = "mirror://kernel/linux/kernel/v5.x/linux-${version}.tar.xz";
+    sha256 = "1my2m9hvnvdrvzcg0fgqgaga59y2cd5zlpv7xrfj2nn98sjhglwq";
+  };
+
+  # ensure *this* kernel's userspace-headers are picked up before we
+  # fall back to those in glibc, as they will be from a mismatched
+  # kernel version
+  postPatch = ''
+    substituteInPlace tools/lib/lockdep/Makefile \
+      --replace 'CONFIG_INCLUDES =' $'CONFIG_INCLUDES = -I../../../usr/include\n#'
+  '';
+
+  nativeBuildInputs = [ flex bison ];
+
+  # Workaround build failure on -fno-common toolchains like upstream
+  # gcc-10. Otherwise build fails as:
+  #   ld: lockdep.o:/build/linux-5.0.21/tools/lib/lockdep/../../include/linux/rcu.h:5: multiple definition of
+  #     `rcu_scheduler_active'; common.o:/build/linux-5.0.21/tools/lib/lockdep/../../include/linux/rcu.h:5: first defined here
+  env.NIX_CFLAGS_COMPILE = "-fcommon";
+
+  buildPhase = ''
+    make defconfig
+    make headers_install
+    cd tools/lib/lockdep
+    make
+  '';
+
+  doCheck = true;
+  nativeCheckInputs = [ valgrind ];
+  checkPhase = ''
+    # there are more /bin/bash references than just shebangs
+    for f in lockdep run_tests.sh tests/*.sh; do
+      substituteInPlace $f \
+        --replace '/bin/bash' '${bash}/bin/bash'
+    done
+
+    ./run_tests.sh
+  '';
+
+  installPhase = ''
+    mkdir -p $out/bin $out/lib $out/include
+
+    cp -R include/liblockdep $out/include
+    make install DESTDIR=$out prefix=""
+
+    substituteInPlace $out/bin/lockdep --replace "./liblockdep.so" "$out/lib/liblockdep.so.$fullver"
+  '';
+
+  meta = {
+    description = "Userspace locking validation tool built on the Linux kernel";
+    homepage    = "https://kernel.org/";
+    license     = lib.licenses.gpl2;
+    platforms   = lib.platforms.linux;
+    maintainers = [ lib.maintainers.thoughtpolice ];
+  };
+}
diff --git a/nixpkgs/pkgs/os-specific/linux/lsb-release/default.nix b/nixpkgs/pkgs/os-specific/linux/lsb-release/default.nix
new file mode 100644
index 000000000000..7ab10bfac124
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/lsb-release/default.nix
@@ -0,0 +1,21 @@
+{ substituteAll, lib
+, coreutils, getopt
+}:
+
+substituteAll {
+  name = "lsb_release";
+
+  src = ./lsb_release.sh;
+
+  dir = "bin";
+  isExecutable = true;
+
+  inherit coreutils getopt;
+
+  meta = with lib; {
+    description = "Prints certain LSB (Linux Standard Base) and Distribution information";
+    license = [ licenses.mit ];
+    maintainers = with maintainers; [ primeos ];
+    platforms = platforms.linux;
+  };
+}
diff --git a/nixpkgs/pkgs/os-specific/linux/lsb-release/lsb_release.sh b/nixpkgs/pkgs/os-specific/linux/lsb-release/lsb_release.sh
new file mode 100644
index 000000000000..ae524181e88a
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/lsb-release/lsb_release.sh
@@ -0,0 +1,190 @@
+#! @shell@
+
+set -o errexit
+set -o nounset
+
+show_help() {
+  @coreutils@/bin/cat << EOF
+Usage: lsb_release [options]
+
+Options:
+  -h, --help         show this help message and exit
+  -v, --version      show LSB modules this system supports
+  -i, --id           show distributor ID
+  -d, --description  show description of this distribution
+  -r, --release      show release number of this distribution
+  -c, --codename     show code name of this distribution
+  -a, --all          show all of the above information
+  -s, --short        show requested information in short format
+EOF
+  exit 0
+}
+
+# Potential command-line options.
+version=0
+id=0
+description=0
+release=0
+codename=0
+all=0
+short=0
+
+@getopt@/bin/getopt --test > /dev/null && rc=$? || rc=$?
+if [[ $rc -ne 4 ]]; then
+  # This shouldn't happen.
+  echo "Warning: Enhanced getopt not supported, please open an issue in nixpkgs." >&2
+else
+  # Define all short and long options.
+  SHORT=hvidrcas
+  LONG=help,version,id,description,release,codename,all,short
+
+  # Parse all options.
+  PARSED=`@getopt@/bin/getopt --options $SHORT --longoptions $LONG --name "$0" -- "$@"`
+
+  eval set -- "$PARSED"
+fi
+
+
+# Process each argument, and set the appropriate flag if we recognize it.
+while [[ $# -ge 1 ]]; do
+  case "$1" in
+    -v|--version)
+      version=1
+      ;;
+    -i|--id)
+      id=1
+      ;;
+    -d|--description)
+      description=1
+      ;;
+    -r|--release)
+      release=1
+      ;;
+    -c|--codename)
+      codename=1
+      ;;
+    -a|--all)
+      all=1
+      ;;
+    -s|--short)
+      short=1
+      ;;
+    -h|--help)
+      show_help
+      ;;
+    --)
+      shift
+      break
+      ;;
+    *)
+      echo "lsb_release: unrecognized option '$1'"
+      echo "Type 'lsb_release -h' for a list of available options."
+      exit 1
+      ;;
+  esac
+  shift
+done
+
+#  Read our variables.
+if [[ -e /etc/os-release ]]; then
+  . /etc/os-release
+  OS_RELEASE_FOUND=1
+else
+  # This is e.g. relevant for the Nix build sandbox and compatible with the
+  # original lsb_release binary:
+  OS_RELEASE_FOUND=0
+  NAME="n/a"
+  PRETTY_NAME="(none)"
+  VERSION_ID="n/a"
+  VERSION_CODENAME="n/a"
+fi
+
+# Default output
+if [[ "$version" = "0" ]] && [[ "$id" = "0" ]] && \
+   [[ "$description" = "0" ]] && [[ "$release" = "0" ]] && \
+   [[ "$codename" = "0" ]] && [[ "$all" = "0" ]]; then
+  if [[ "$OS_RELEASE_FOUND" = "1" ]]; then
+    echo "No LSB modules are available." >&2
+  else
+    if [[ "$short" = "0" ]]; then
+      printf "LSB Version:\tn/a\n"
+    else
+      printf "n/a\n"
+    fi
+  fi
+  exit 0
+fi
+
+# Now output the data - The order of these was chosen to match
+# what the original lsb_release used.
+
+SHORT_OUTPUT=""
+append_short_output() {
+  if [[ "$1" = "n/a" ]]; then
+    SHORT_OUTPUT+=" $1"
+  else
+    SHORT_OUTPUT+=" \"$1\""
+  fi
+}
+
+if [[ "$all" = "1" ]] || [[ "$version" = "1" ]]; then
+  if [[ "$OS_RELEASE_FOUND" = "1" ]]; then
+    if [[ "$short" = "0" ]]; then
+      echo "No LSB modules are available." >&2
+    else
+      append_short_output "n/a"
+    fi
+  else
+    if [[ "$short" = "0" ]]; then
+      printf "LSB Version:\tn/a\n"
+    else
+      append_short_output "n/a"
+    fi
+  fi
+fi
+
+if [[ "$all" = "1" ]] || [[ "$id" = "1" ]]; then
+  if [[ "$short" = "0" ]]; then
+    printf "Distributor ID:\t$NAME\n"
+  else
+    append_short_output "$NAME"
+  fi
+fi
+
+if [[ "$all" = "1" ]] || [[ "$description" = "1" ]]; then
+  if [[ "$short" = "0" ]]; then
+    printf "Description:\t$PRETTY_NAME\n"
+  else
+    append_short_output "$PRETTY_NAME"
+  fi
+fi
+
+if [[ "$all" = "1" ]] || [[ "$release" = "1" ]]; then
+  if [[ "$short" = "0" ]]; then
+    printf "Release:\t$VERSION_ID\n"
+  else
+    append_short_output "$VERSION_ID"
+  fi
+fi
+
+if [[ "$all" = "1" ]] || [[ "$codename" = "1" ]]; then
+  if [[ "$short" = "0" ]]; then
+    printf "Codename:\t$VERSION_CODENAME\n"
+  else
+    append_short_output "$VERSION_CODENAME"
+  fi
+fi
+
+if [[ "$short" = "1" ]]; then
+  # Output in one line without the first space:
+  echo "${SHORT_OUTPUT:1}"
+fi
+
+# For compatibility with the original lsb_release:
+if [[ "$OS_RELEASE_FOUND" = "0" ]]; then
+  if [[ "$all" = "1" ]] || [[ "$id" = "1" ]] || \
+     [[ "$description" = "1" ]] || [[ "$release" = "1" ]] || \
+     [[ "$codename" = "1" ]]; then
+    exit 3
+  fi
+fi
diff --git a/nixpkgs/pkgs/os-specific/linux/lsirec/default.nix b/nixpkgs/pkgs/os-specific/linux/lsirec/default.nix
new file mode 100644
index 000000000000..10da88b691d9
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/lsirec/default.nix
@@ -0,0 +1,38 @@
+{ lib
+, stdenv
+, fetchFromGitHub
+, python3
+}:
+
+stdenv.mkDerivation rec {
+  pname = "lsirec";
+  version = "unstable-2019-03-03";
+
+  src = fetchFromGitHub {
+    owner = "marcan";
+    repo = "lsirec";
+    rev = "2dfb6dc92649feb01a3ddcfd117d4a99098084f2";
+    sha256 = "sha256-8v+KKjAJlJNpUT0poedRTQfPiDiwahrosXD35Bmh3jM=";
+  };
+
+  buildInputs = [ python3 ];
+
+  installPhase = ''
+    runHook preInstall
+
+    install -Dm755 'lsirec' "$out/bin/lsirec"
+    install -Dm755 'sbrtool.py' "$out/bin/sbrtool"
+
+    runHook postInstall
+  '';
+
+  meta = with lib; {
+    description = "LSI SAS2008/SAS2108 low-level recovery tool for Linux";
+    homepage = "https://github.com/marcan/lsirec";
+    platforms = platforms.linux;
+    license = licenses.bsd2;
+    maintainers = with maintainers; [ Luflosi ];
+    # never built on aarch64-linux since first introduction in nixpkgs
+    broken = stdenv.isLinux && stdenv.isAarch64;
+  };
+}
diff --git a/nixpkgs/pkgs/os-specific/linux/lsiutil/default.nix b/nixpkgs/pkgs/os-specific/linux/lsiutil/default.nix
new file mode 100644
index 000000000000..d880e6a60e03
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/lsiutil/default.nix
@@ -0,0 +1,47 @@
+{ lib
+, stdenv
+, fetchurl
+, kmod
+, coreutils
+}:
+
+stdenv.mkDerivation rec {
+  pname = "lsiutil";
+  version = "1.72";
+
+  src = fetchurl {
+    url = "https://github.com/exactassembly/meta-xa-stm/raw/f96cf6e13f3c9c980f5651510dd96279b9b2af4f/recipes-support/lsiutil/files/lsiutil-${version}.tar.gz";
+    sha256 = "sha256-aTi+EogY1aDWYq3anjRkjz1mzINVfUPQbOPHthxrvS4=";
+  };
+
+  postPatch = ''
+    substituteInPlace lsiutil.c \
+      --replace /sbin/modprobe "${kmod}/bin/modprobe" \
+      --replace /bin/mknod "${coreutils}/bin/mknod"
+  '';
+
+  buildPhase = ''
+    runHook preBuild
+
+    gcc -Wall -O lsiutil.c -o lsiutil
+
+    runHook postBuild
+  '';
+
+  installPhase = ''
+    runHook preInstall
+
+    mkdir -p "$out/bin"
+    install -Dm755 lsiutil "$out/bin/lsiutil"
+
+    runHook postInstall
+  '';
+
+  meta = with lib; {
+    homepage = "https://github.com/exactassembly/meta-xa-stm/tree/master/recipes-support/lsiutil/files";
+    description = "Configuration utility for MPT adapters (FC, SCSI, and SAS/SATA)";
+    license = licenses.unfree;
+    platforms = platforms.linux;
+    maintainers = with maintainers; [ Luflosi ];
+  };
+}
diff --git a/nixpkgs/pkgs/os-specific/linux/lsscsi/default.nix b/nixpkgs/pkgs/os-specific/linux/lsscsi/default.nix
new file mode 100644
index 000000000000..d87820f24664
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/lsscsi/default.nix
@@ -0,0 +1,20 @@
+{ lib, stdenv, fetchurl }:
+
+stdenv.mkDerivation rec {
+  pname = "lsscsi";
+  version = "0.32";
+
+  src = fetchurl {
+    url = "http://sg.danny.cz/scsi/lsscsi-${version}.tgz";
+    sha256 = "sha256-CoAOnpTcoqtwLWXXJ3eujK4Hjj100Ly+1kughJ6AKaE=";
+  };
+
+  preConfigure = ''
+    substituteInPlace Makefile.in --replace /usr "$out"
+  '';
+
+  meta = with lib; {
+    license = licenses.gpl2;
+    platforms = platforms.linux;
+  };
+}
diff --git a/nixpkgs/pkgs/os-specific/linux/lttng-modules/default.nix b/nixpkgs/pkgs/os-specific/linux/lttng-modules/default.nix
new file mode 100644
index 000000000000..89b49068d40c
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/lttng-modules/default.nix
@@ -0,0 +1,37 @@
+{ lib, stdenv, fetchFromGitHub, kernel }:
+
+stdenv.mkDerivation rec {
+  pname = "lttng-modules-${kernel.version}";
+  version = "2.13.10";
+
+  src = fetchFromGitHub {
+    owner = "lttng";
+    repo = "lttng-modules";
+    rev = "v${version}";
+    hash = "sha256-R5qwB1ayw0KueMBSSxm0TwINt78N6w356kY7WGBX0zM=";
+  };
+
+  nativeBuildInputs = kernel.moduleBuildDependencies;
+
+  hardeningDisable = [ "pic" ];
+
+  env.NIX_CFLAGS_COMPILE = "-Wno-error=implicit-function-declaration";
+
+  makeFlags = kernel.makeFlags ++ [
+    "KERNELDIR=${kernel.dev}/lib/modules/${kernel.modDirVersion}/build"
+    "INSTALL_MOD_PATH=${placeholder "out"}"
+  ];
+
+  installTargets = [ "modules_install" ];
+
+  enableParallelBuilding = true;
+
+  meta = with lib; {
+    description = "Linux kernel modules for LTTng tracing";
+    homepage = "https://lttng.org/";
+    license = with licenses; [ lgpl21Only gpl2Only mit ];
+    platforms = platforms.linux;
+    maintainers = [ maintainers.bjornfor ];
+    broken = (lib.versions.majorMinor kernel.modDirVersion) == "5.10" || (lib.versions.majorMinor kernel.modDirVersion) == "5.4";
+  };
+}
diff --git a/nixpkgs/pkgs/os-specific/linux/lvm2/2_03.nix b/nixpkgs/pkgs/os-specific/linux/lvm2/2_03.nix
new file mode 100644
index 000000000000..b2f6b0aa8a23
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/lvm2/2_03.nix
@@ -0,0 +1,4 @@
+import ./common.nix {
+  version = "2.03.22";
+  hash = "sha256-TFppI70aznzgRHRgioSTfOBTupGxrOnwsAFyaOcy3Hw=";
+}
diff --git a/nixpkgs/pkgs/os-specific/linux/lvm2/common.nix b/nixpkgs/pkgs/os-specific/linux/lvm2/common.nix
new file mode 100644
index 000000000000..27a160033b11
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/lvm2/common.nix
@@ -0,0 +1,161 @@
+{ version, hash }:
+
+{ lib, stdenv
+, fetchurl
+, pkg-config
+, coreutils
+, libuuid
+, libaio
+, substituteAll
+, enableCmdlib ? false
+, enableDmeventd ? false
+, udevSupport ? !stdenv.hostPlatform.isStatic, udev
+, onlyLib ? stdenv.hostPlatform.isStatic
+  # Otherwise we have a infinity recursion during static compilation
+, enableUtilLinux ? !stdenv.hostPlatform.isStatic, util-linux
+, enableVDO ? false, vdo
+, enableMdadm ? false, mdadm
+, enableMultipath ? false, multipath-tools
+, nixosTests
+}:
+
+# configure: error: --enable-dmeventd requires --enable-cmdlib to be used as well
+assert enableDmeventd -> enableCmdlib;
+
+stdenv.mkDerivation rec {
+  pname = "lvm2" + lib.optionalString enableDmeventd "-with-dmeventd" + lib.optionalString enableVDO "-with-vdo";
+  inherit version;
+
+  src = fetchurl {
+    urls = [
+      "https://mirrors.kernel.org/sourceware/lvm2/LVM2.${version}.tgz"
+      "ftp://sourceware.org/pub/lvm2/LVM2.${version}.tgz"
+    ];
+    inherit hash;
+  };
+
+  nativeBuildInputs = [ pkg-config ];
+  buildInputs = [
+    libaio
+  ] ++ lib.optionals udevSupport [
+    udev
+  ] ++ lib.optionals (!onlyLib) [
+    libuuid
+  ] ++ lib.optionals enableVDO [
+    vdo
+  ];
+
+  configureFlags = [
+    "--disable-readline"
+    "--enable-pkgconfig"
+    "--with-default-locking-dir=/run/lock/lvm"
+    "--with-default-run-dir=/run/lvm"
+    "--with-systemdsystemunitdir=${placeholder "out"}/lib/systemd/system"
+    "--with-systemd-run=/run/current-system/systemd/bin/systemd-run"
+  ] ++ lib.optionals (!enableCmdlib) [
+    "--bindir=${placeholder "bin"}/bin"
+    "--sbindir=${placeholder "bin"}/bin"
+    "--libdir=${placeholder "lib"}/lib"
+    "--with-libexecdir=${placeholder "lib"}/libexec"
+  ] ++ lib.optional enableCmdlib "--enable-cmdlib"
+  ++ lib.optionals enableDmeventd [
+    "--enable-dmeventd"
+    "--with-dmeventd-pidfile=/run/dmeventd/pid"
+    "--with-default-dm-run-dir=/run/dmeventd"
+  ] ++ lib.optionals (stdenv.hostPlatform != stdenv.buildPlatform) [
+    "ac_cv_func_malloc_0_nonnull=yes"
+    "ac_cv_func_realloc_0_nonnull=yes"
+  ] ++ lib.optionals udevSupport [
+    "--enable-udev_rules"
+    "--enable-udev_sync"
+  ] ++ lib.optionals enableVDO [
+    "--enable-vdo"
+  ] ++ lib.optionals stdenv.hostPlatform.isStatic [
+    "--enable-static_link"
+  ];
+
+  preConfigure = ''
+    sed -i /DEFAULT_SYS_DIR/d Makefile.in
+    sed -i /DEFAULT_PROFILE_DIR/d conf/Makefile.in
+
+    substituteInPlace make.tmpl.in --replace "@systemdsystemunitdir@" "$out/lib/systemd/system"
+    substituteInPlace libdm/make.tmpl.in --replace "@systemdsystemunitdir@" "$out/lib/systemd/system"
+
+    substituteInPlace scripts/blk_availability_systemd_red_hat.service.in \
+      --replace '/usr/bin/true' '${coreutils}/bin/true'
+  '';
+
+  postConfigure = ''
+    sed -i 's|^#define LVM_CONFIGURE_LINE.*$|#define LVM_CONFIGURE_LINE "<removed>"|g' ./include/configure.h
+  '';
+
+  patches = [
+    # fixes paths to and checks for tools
+    (substituteAll (let
+      optionalTool = cond: pkg: if cond then pkg else "/run/current-system/sw";
+    in {
+      src = ./fix-blkdeactivate.patch;
+      inherit coreutils;
+      util_linux = optionalTool enableUtilLinux util-linux;
+      mdadm = optionalTool enableMdadm mdadm;
+      multipath_tools = optionalTool enableMultipath multipath-tools;
+      vdo = optionalTool enableVDO vdo;
+    }))
+    # Musl fix from Alpine
+    ./fix-stdio-usage.patch
+  ] ++ lib.optionals stdenv.hostPlatform.isStatic [
+    ./no-shared.patch
+  ];
+
+  doCheck = false; # requires root
+
+  makeFlags = lib.optionals udevSupport [
+    "SYSTEMD_GENERATOR_DIR=${placeholder "out"}/lib/systemd/system-generators"
+  ] ++ lib.optionals onlyLib [
+    "libdm.device-mapper"
+  ];
+
+  # To prevent make install from failing.
+  installFlags = [ "OWNER=" "GROUP=" "confdir=$(out)/etc" ];
+
+  # Install systemd stuff.
+  installTargets = [ "install" ] ++ lib.optionals udevSupport [
+    "install_systemd_generators"
+    "install_systemd_units"
+    "install_tmpfiles_configuration"
+  ];
+
+  installPhase = lib.optionalString onlyLib ''
+    install -D -t $out/lib libdm/ioctl/libdevmapper.${if stdenv.hostPlatform.isStatic then "a" else "so"}
+    make -C libdm install_include
+    make -C libdm install_pkgconfig
+  '';
+
+  # only split bin and lib out from out if cmdlib isn't enabled
+  outputs = [
+    "out"
+  ] ++ lib.optionals (!onlyLib) [
+    "dev"
+    "man"
+  ] ++ lib.optionals (!onlyLib && !enableCmdlib) [
+    "bin"
+    "lib"
+  ];
+
+  postInstall = lib.optionalString (enableCmdlib != true) ''
+    moveToOutput lib/libdevmapper.so $lib
+  '';
+
+  passthru.tests = {
+    installer = nixosTests.installer.lvm;
+    lvm2 = nixosTests.lvm2;
+  };
+
+  meta = with lib; {
+    homepage = "http://sourceware.org/lvm2/";
+    description = "Tools to support Logical Volume Management (LVM) on Linux";
+    platforms = platforms.linux;
+    license = with licenses; [ gpl2 bsd2 lgpl21 ];
+    maintainers = with maintainers; [ raskin ajs124 ];
+  };
+}
diff --git a/nixpkgs/pkgs/os-specific/linux/lvm2/fix-blkdeactivate.patch b/nixpkgs/pkgs/os-specific/linux/lvm2/fix-blkdeactivate.patch
new file mode 100644
index 000000000000..db8cfaeae9e3
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/lvm2/fix-blkdeactivate.patch
@@ -0,0 +1,51 @@
+diff --git a/scripts/blkdeactivate.sh.in b/scripts/blkdeactivate.sh.in
+index 7c517b87b..e51a33778 100644
+--- a/scripts/blkdeactivate.sh.in
++++ b/scripts/blkdeactivate.sh.in
+@@ -34,11 +34,11 @@ TOOL=blkdeactivate
+ DEV_DIR="/dev"
+ SYS_BLK_DIR="/sys/block"
+ 
+-MDADM="/sbin/mdadm"
+-MOUNTPOINT="/bin/mountpoint"
+-MPATHD="/sbin/multipathd"
+-UMOUNT="/bin/umount"
+-VDO="/bin/vdo"
++MDADM="@mdadm@/bin/mdadm"
++MOUNTPOINT="@util_linux@/bin/mountpoint"
++MPATHD="@multipath_tools@/bin/multipathd"
++UMOUNT="@util_linux@/bin/umount"
++VDO="@vdo@/bin/vdo"
+ 
+ sbindir="@SBINDIR@"
+ DMSETUP="$sbindir/dmsetup"
+@@ -48,7 +48,7 @@ if "$UMOUNT" --help | grep -- "--all-targets" >"$DEV_DIR/null"; then
+ 	UMOUNT_OPTS="--all-targets "
+ else
+ 	UMOUNT_OPTS=""
+-	FINDMNT="/bin/findmnt -r --noheadings -u -o TARGET"
++	FINDMNT="@util_linux@/bin/findmnt -r --noheadings -u -o TARGET"
+ 	FINDMNT_READ="read -r mnt"
+ fi
+ DMSETUP_OPTS=""
+@@ -57,10 +57,10 @@ MDADM_OPTS=""
+ MPATHD_OPTS=""
+ VDO_OPTS=""
+ 
+-LSBLK="/bin/lsblk -r --noheadings -o TYPE,KNAME,NAME,MOUNTPOINT"
++LSBLK="@util_linux@/bin/lsblk -r --noheadings -o TYPE,KNAME,NAME,MOUNTPOINT"
+ LSBLK_VARS="local devtype local kname local name local mnt"
+ LSBLK_READ="read -r devtype kname name mnt"
+-SORT_MNT="/bin/sort -r -u -k 4"
++SORT_MNT="@coreutils@/bin/sort -r -u -k 4"
+ 
+ # Do not show tool errors by default (only done/skipping summary
+ # message provided by this script) and no verbose mode by default.
+@@ -102,6 +102,7 @@ declare -A SKIP_VG_LIST=()
+ # (list is an associative array!)
+ #
+ declare -A SKIP_UMOUNT_LIST=(["/"]=1 \
++                             ["/nix"]=1 ["/nix/store"]=1 \
+                              ["/lib"]=1 ["/lib64"]=1 \
+                              ["/bin"]=1 ["/sbin"]=1 \
+                              ["/var"]=1 ["/var/log"]=1 \
diff --git a/nixpkgs/pkgs/os-specific/linux/lvm2/fix-stdio-usage.patch b/nixpkgs/pkgs/os-specific/linux/lvm2/fix-stdio-usage.patch
new file mode 100644
index 000000000000..98cdc6eb3ec9
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/lvm2/fix-stdio-usage.patch
@@ -0,0 +1,66 @@
+From 63b1c7332bee6080bffecf9ce9d75ff15d799166 Mon Sep 17 00:00:00 2001
+From: Natanael Copa <ncopa@alpinelinux.org>
+Date: Wed, 16 Nov 2022 10:42:39 +0100
+Subject: [PATCH] fix stdio usage
+
+---
+ lib/commands/toolcontext.c | 4 ++--
+ tools/lvmcmdline.c         | 6 +++---
+ 2 files changed, 5 insertions(+), 5 deletions(-)
+
+diff --git a/lib/commands/toolcontext.c b/lib/commands/toolcontext.c
+index b630554a9..f20080d18 100644
+--- a/lib/commands/toolcontext.c
++++ b/lib/commands/toolcontext.c
+@@ -1667,7 +1667,7 @@ struct cmd_context *create_toolcontext(unsigned is_clvmd,
+ 	/* FIXME Make this configurable? */
+ 	reset_lvm_errno(1);
+ 
+-#ifndef VALGRIND_POOL
++#if !defined(VALGRIND_POOL) && defined(__GLIBC__)
+ 	/* Set in/out stream buffering before glibc */
+ 	if (set_buffering
+ #ifdef SYS_gettid
+@@ -2045,7 +2045,7 @@ void destroy_toolcontext(struct cmd_context *cmd)
+ 		dm_hash_destroy(cmd->cft_def_hash);
+ 
+ 	dm_device_list_destroy(&cmd->cache_dm_devs);
+-#ifndef VALGRIND_POOL
++#if !defined(VALGRIND_POOL) && defined(__GLIBC__)
+ 	if (cmd->linebuffer) {
+ 		/* Reset stream buffering to defaults */
+ 		if (is_valid_fd(STDIN_FILENO) &&
+diff --git a/tools/lvmcmdline.c b/tools/lvmcmdline.c
+index a5bb6a5c5..0ebfa375c 100644
+--- a/tools/lvmcmdline.c
++++ b/tools/lvmcmdline.c
+@@ -3422,7 +3422,7 @@ static int _check_standard_fds(void)
+ 	int err = is_valid_fd(STDERR_FILENO);
+ 
+ 	if (!is_valid_fd(STDIN_FILENO) &&
+-	    !(stdin = fopen(_PATH_DEVNULL, "r"))) {
++	    !freopen(_PATH_DEVNULL, "r", stdin)) {
+ 		if (err)
+ 			perror("stdin stream open");
+ 		else
+@@ -3432,7 +3432,7 @@ static int _check_standard_fds(void)
+ 	}
+ 
+ 	if (!is_valid_fd(STDOUT_FILENO) &&
+-	    !(stdout = fopen(_PATH_DEVNULL, "w"))) {
++	    !freopen(_PATH_DEVNULL, "w", stdout)) {
+ 		if (err)
+ 			perror("stdout stream open");
+ 		/* else no stdout */
+@@ -3440,7 +3440,7 @@ static int _check_standard_fds(void)
+ 	}
+ 
+ 	if (!is_valid_fd(STDERR_FILENO) &&
+-	    !(stderr = fopen(_PATH_DEVNULL, "w"))) {
++	    !freopen(_PATH_DEVNULL, "w", stderr)) {
+ 		printf("stderr stream open: %s\n",
+ 		       strerror(errno));
+ 		return 0;
+-- 
+2.38.1
+
diff --git a/nixpkgs/pkgs/os-specific/linux/lvm2/no-shared.patch b/nixpkgs/pkgs/os-specific/linux/lvm2/no-shared.patch
new file mode 100644
index 000000000000..23a82a0fa294
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/lvm2/no-shared.patch
@@ -0,0 +1,46 @@
+diff --git a/libdm/Makefile.in b/libdm/Makefile.in
+index 2758648e6..f305a12b0 100644
+--- a/libdm/Makefile.in
++++ b/libdm/Makefile.in
+@@ -47,7 +47,6 @@ endif
+ 
+ LIB_SHARED = $(interface)/libdevmapper.$(LIB_SUFFIX)
+ LIB_VERSION = $(LIB_VERSION_DM)
+-TARGETS = libdevmapper.$(LIB_SUFFIX) libdevmapper.$(LIB_SUFFIX).$(LIB_VERSION) .symver_check
+ 
+ CFLOW_LIST = $(SOURCES)
+ CFLOW_LIST_TARGET = libdevmapper.cflow
+diff --git a/libdm/make.tmpl.in b/libdm/make.tmpl.in
+index a731687c2..9366cdf1c 100644
+--- a/libdm/make.tmpl.in
++++ b/libdm/make.tmpl.in
+@@ -314,7 +314,7 @@ SUBDIRS.cflow := $(SUBDIRS:=.cflow)
+ SUBDIRS.clean := $(SUBDIRS:=.clean)
+ SUBDIRS.distclean := $(SUBDIRS:=.distclean)
+ 
+-TARGETS += $(LIB_SHARED) $(LIB_STATIC)
++TARGETS += $(LIB_STATIC)
+ 
+ all: $(SUBDIRS) $(TARGETS)
+ 
+@@ -431,7 +431,6 @@ DEFS+=-D_FILE_OFFSET_BITS=64
+ 
+ ifneq (,$(LIB_SHARED))
+ 
+-TARGETS += $(LIB_SHARED).$(LIB_VERSION)
+ $(LIB_SHARED).$(LIB_VERSION): $(OBJECTS) $(LDDEPS)
+ 	@echo "    [CC] $@"
+ ifeq ("@LIB_SUFFIX@","so")
+diff --git a/make.tmpl.in b/make.tmpl.in
+index b73176f5a..6100d0dfd 100644
+--- a/make.tmpl.in
++++ b/make.tmpl.in
+@@ -368,7 +368,7 @@ SUBDIRS.cflow := $(SUBDIRS:=.cflow)
+ SUBDIRS.clean := $(SUBDIRS:=.clean)
+ SUBDIRS.distclean := $(SUBDIRS:=.distclean)
+ 
+-TARGETS += $(LIB_SHARED) $(LIB_STATIC)
++TARGETS += $(LIB_STATIC)
+ 
+ INTERNAL_LIBS = \
+ 	$(top_builddir)/libdaemon/client/libdaemonclient.a \
diff --git a/nixpkgs/pkgs/os-specific/linux/lxc/default.nix b/nixpkgs/pkgs/os-specific/linux/lxc/default.nix
new file mode 100644
index 000000000000..49f16db002f3
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/lxc/default.nix
@@ -0,0 +1,106 @@
+{ lib, stdenv, fetchurl, autoreconfHook, pkg-config, perl, docbook2x
+, docbook_xml_dtd_45, python3Packages, pam, fetchpatch
+
+# Optional Dependencies
+, libapparmor ? null, gnutls ? null, libselinux ? null, libseccomp ? null
+, libcap ? null, systemd ? null
+}:
+
+with lib;
+stdenv.mkDerivation rec {
+  pname = "lxc";
+  version = "4.0.12";
+
+  src = fetchurl {
+    url = "https://linuxcontainers.org/downloads/lxc/lxc-${version}.tar.gz";
+    sha256 = "1vyk2j5w9gfyh23w3ar09cycyws16mxh3clbb33yhqzwcs1jy96v";
+  };
+
+  nativeBuildInputs = [
+    autoreconfHook pkg-config perl docbook2x python3Packages.wrapPython
+  ];
+  buildInputs = [
+    pam libapparmor gnutls libselinux libseccomp libcap
+    python3Packages.python python3Packages.setuptools systemd
+  ];
+
+  patches = [
+    ./support-db2x.patch
+
+    # Backport of https://github.com/lxc/lxc/pull/4179 for glibc-2.36 build
+    (fetchpatch {
+      url = "https://github.com/lxc/lxc/commit/c1115e1503bf955c97f4cf3b925a6a9f619764c3.patch";
+      sha256 = "sha256-aC1XQesRJfkyQnloB3NvR4p/1WITrqkGYzw50PDxDrs=";
+      excludes = [ "meson.build" ];
+    })
+  ];
+
+  postPatch = ''
+    sed -i '/chmod u+s/d' src/lxc/Makefile.am
+  '';
+
+  XML_CATALOG_FILES = "${docbook_xml_dtd_45}/xml/dtd/docbook/catalog.xml";
+
+  configureFlags = [
+    "--enable-pam"
+    "--localstatedir=/var"
+    "--sysconfdir=/etc"
+    "--disable-api-docs"
+    "--with-init-script=none"
+    "--with-distro=nixos" # just to be sure it is "unknown"
+  ] ++ optional (libapparmor != null) "--enable-apparmor"
+    ++ optional (libselinux != null) "--enable-selinux"
+    ++ optional (libseccomp != null) "--enable-seccomp"
+    ++ optional (libcap != null) "--enable-capabilities"
+    ++ [
+    "--disable-examples"
+    "--enable-python"
+    "--disable-lua"
+    "--enable-bash"
+    (if doCheck then "--enable-tests" else "--disable-tests")
+    "--with-rootfs-path=/var/lib/lxc/rootfs"
+  ];
+
+  doCheck = false;
+
+  installFlags = [
+    "localstatedir=\${TMPDIR}"
+    "sysconfdir=\${out}/etc"
+    "sysconfigdir=\${out}/etc/default"
+    "bashcompdir=\${out}/share/bash-completion/completions"
+    "READMEdir=\${TMPDIR}/var/lib/lxc/rootfs"
+    "LXCPATH=\${TMPDIR}/var/lib/lxc"
+  ];
+
+  postInstall = ''
+    wrapPythonPrograms
+
+    completions=(
+      lxc-attach lxc-cgroup lxc-console lxc-destroy lxc-device lxc-execute
+      lxc-freeze lxc-info lxc-monitor lxc-snapshot lxc-stop lxc-unfreeze
+    )
+    pushd $out/share/bash-completion/completions/
+      mv lxc lxc-start
+      for completion in ''${completions[@]}; do
+        ln -sfn lxc-start $completion
+      done
+    popd
+  '';
+
+  meta = {
+    homepage = "https://linuxcontainers.org/";
+    description = "Userspace tools for Linux Containers, a lightweight virtualization system";
+    license = licenses.lgpl21Plus;
+
+    longDescription = ''
+      LXC is the userspace control package for Linux Containers, a
+      lightweight virtual system mechanism sometimes described as
+      "chroot on steroids". LXC builds up from chroot to implement
+      complete virtual systems, adding resource management and isolation
+      mechanisms to Linux’s existing process management infrastructure.
+    '';
+
+    platforms = platforms.linux;
+    maintainers = with maintainers; [ ];
+  };
+}
diff --git a/nixpkgs/pkgs/os-specific/linux/lxc/support-db2x.patch b/nixpkgs/pkgs/os-specific/linux/lxc/support-db2x.patch
new file mode 100644
index 000000000000..16715992d35f
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/lxc/support-db2x.patch
@@ -0,0 +1,16 @@
+diff --git a/configure.ac b/configure.ac
+index 84f8699..dce9033 100644
+--- a/configure.ac
++++ b/configure.ac
+@@ -192,9 +192,9 @@ if test "x$enable_doc" = "xyes" -o "x$enable_doc" = "xauto"; then
+ 	AC_SUBST(db2xman)
+ fi
+ AM_CONDITIONAL([ENABLE_DOCBOOK], [test "x$db2xman" != "x"])
+-AM_CONDITIONAL([USE_DOCBOOK2X], [test "x$db2xman" != "xdocbook2man"])
++AM_CONDITIONAL([USE_DOCBOOK2X], [test "x$db2xman" != "no-no-no"])
+ 
+-if test "x$db2xman" = "xdocbook2man"; then
++if test "x$db2xman" = "no-no-no"; then
+ 	docdtd="\"-//Davenport//DTD DocBook V3.0//EN\""
+ else
+ 	docdtd="\"-//OASIS//DTD DocBook XML\" \"http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd\""
diff --git a/nixpkgs/pkgs/os-specific/linux/lxcfs/default.nix b/nixpkgs/pkgs/os-specific/linux/lxcfs/default.nix
new file mode 100644
index 000000000000..96477c5f4426
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/lxcfs/default.nix
@@ -0,0 +1,55 @@
+{ config, lib, stdenv, fetchFromGitHub, autoreconfHook, pkg-config, help2man, fuse
+, util-linux, makeWrapper
+, enableDebugBuild ? config.lxcfs.enableDebugBuild or false }:
+
+with lib;
+stdenv.mkDerivation rec {
+  pname = "lxcfs";
+  version = "4.0.12";
+
+  src = fetchFromGitHub {
+    owner = "lxc";
+    repo = "lxcfs";
+    rev = "lxcfs-${version}";
+    sha256 = "sha256-+wp29GD+toXGfQbPGYbDJ7/P+FY1uQY4uK3OQxTE9GM=";
+  };
+
+  postPatch = ''
+    sed -i -e '1i #include <sys/pidfd.h>' src/bindings.c
+  '';
+
+  nativeBuildInputs = [ pkg-config help2man autoreconfHook makeWrapper ];
+  buildInputs = [ fuse ];
+
+  preConfigure = lib.optionalString enableDebugBuild ''
+    sed -i 's,#AM_CFLAGS += -DDEBUG,AM_CFLAGS += -DDEBUG,' Makefile.am
+  '';
+
+  configureFlags = [
+    "--with-init-script=systemd"
+    "--sysconfdir=/etc"
+    "--localstatedir=/var"
+  ];
+
+  installFlags = [ "SYSTEMD_UNIT_DIR=\${out}/lib/systemd" ];
+
+  postInstall = ''
+    # `mount` hook requires access to the `mount` command from `util-linux`:
+    wrapProgram "$out/share/lxcfs/lxc.mount.hook" \
+      --prefix PATH : "${util-linux}/bin"
+  '';
+
+  postFixup = ''
+    # liblxcfs.so is reloaded with dlopen()
+    patchelf --set-rpath "$(patchelf --print-rpath "$out/bin/lxcfs"):$out/lib" "$out/bin/lxcfs"
+  '';
+
+  meta = {
+    description = "FUSE filesystem for LXC";
+    homepage = "https://linuxcontainers.org/lxcfs";
+    changelog = "https://linuxcontainers.org/lxcfs/news/";
+    license = licenses.asl20;
+    platforms = platforms.linux;
+    maintainers = with maintainers; [ ];
+  };
+}
diff --git a/nixpkgs/pkgs/os-specific/linux/macchanger/default.nix b/nixpkgs/pkgs/os-specific/linux/macchanger/default.nix
new file mode 100644
index 000000000000..c862fd4e1675
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/macchanger/default.nix
@@ -0,0 +1,48 @@
+{ lib, stdenv, fetchFromGitHub, fetchpatch, autoreconfHook, texinfo }:
+
+stdenv.mkDerivation rec {
+  pname = "macchanger";
+  version = "1.7.0";
+
+  src = fetchFromGitHub {
+    owner = "alobbs";
+    repo = "macchanger";
+    rev = version;
+    sha256 = "1hypx6sxhd2b1nsxj314hpkhj7q4x9p2kfaaf20rjkkkig0nck9r";
+  };
+
+  patches = [
+    (fetchpatch {
+      url = "https://sources.debian.org/data/main/m/macchanger/1.7.0-5.3/debian/patches/02-fix_usage_message.patch";
+      sha256 = "0pxljmq0l0znylbhms09i19qwil74gm8gx3xx2ffx00dajaizj18";
+    })
+    (fetchpatch {
+      url = "https://sources.debian.org/data/main/m/macchanger/1.7.0-5.3/debian/patches/06-update_OUI_list.patch";
+      sha256 = "04kbd784z9nwkjva5ckkvb0yb3pim9valb1viywn1yyh577d0y7w";
+    })
+    (fetchpatch {
+      url = "https://sources.debian.org/data/main/m/macchanger/1.7.0-5.3/debian/patches/08-fix_random_MAC_choice.patch";
+      sha256 = "1vz3appxxsdf1imzrn57amazfwlbrvx6g78b6n88aqgwzy5dm34d";
+    })
+    (fetchpatch {
+      url = "https://sources.debian.org/data/main/m/macchanger/1.7.0-5.3/debian/patches/check-random-device-read-errors.patch";
+      sha256 = "0pra6qnk39crjlidspg3l6hpaqiw43cypahx793l59mqn956cngc";
+    })
+    (fetchpatch {
+      url = "https://sources.debian.org/data/main/m/macchanger/1.7.0-5.3/debian/patches/verify-changed-MAC.patch";
+      sha256 = "0vjhf2fnj1hlghjl821p6idrfc8hmd4lgps5lf1l68ylqvwjw0zj";
+    })
+  ];
+
+  nativeBuildInputs = [ autoreconfHook texinfo ];
+
+  outputs = [ "out" "info" ];
+
+  meta = with lib; {
+    description = "A utility for viewing/manipulating the MAC address of network interfaces";
+    maintainers = with maintainers; [ joachifm dotlambda ];
+    license = licenses.gpl2Plus;
+    homepage = "https://github.com/alobbs/macchanger";
+    platforms = platforms.linux;
+  };
+}
diff --git a/nixpkgs/pkgs/os-specific/linux/mba6x_bl/default.nix b/nixpkgs/pkgs/os-specific/linux/mba6x_bl/default.nix
new file mode 100644
index 000000000000..3add5eb227f5
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/mba6x_bl/default.nix
@@ -0,0 +1,31 @@
+{ fetchFromGitHub, kernel, lib, stdenv }:
+
+stdenv.mkDerivation {
+  pname = "mba6x_bl";
+  version = "unstable-2017-12-30";
+
+  src = fetchFromGitHub {
+    owner = "patjak";
+    repo = "mba6x_bl";
+    rev = "639719f516b664051929c2c0c1140ea4bf30ce81";
+    sha256 = "sha256-QwxBpNa5FitKO+2ne54IIcRgwVYeNSQWI4f2hPPB8ls=";
+  };
+
+  enableParallelBuilding = true;
+  hardeningDisable = [ "pic" ];
+
+  nativeBuildInputs = kernel.moduleBuildDependencies;
+
+  makeFlags = kernel.makeFlags ++ [
+    "KDIR=${kernel.dev}/lib/modules/${kernel.modDirVersion}/build"
+    "INSTALL_MOD_PATH=$(out)"
+  ];
+
+  meta = with lib; {
+    description = "MacBook Air 6,1 and 6,2 (mid 2013) backlight driver";
+    homepage = "https://github.com/patjak/mba6x_bl";
+    license = licenses.gpl2;
+    platforms = platforms.linux;
+    maintainers = [ maintainers.simonvandel ];
+  };
+}
diff --git a/nixpkgs/pkgs/os-specific/linux/mbp-modules/mbp2018-bridge-drv/default.nix b/nixpkgs/pkgs/os-specific/linux/mbp-modules/mbp2018-bridge-drv/default.nix
new file mode 100644
index 000000000000..0b4fec4dfb4e
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/mbp-modules/mbp2018-bridge-drv/default.nix
@@ -0,0 +1,38 @@
+{ lib, stdenv, kernel, fetchFromGitHub, }:
+
+stdenv.mkDerivation rec {
+  pname = "mbp2018-bridge-drv";
+  version = "2020-01-31";
+
+  src = fetchFromGitHub {
+    owner = "MCMrARM";
+    repo = "mbp2018-bridge-drv";
+    rev = "b43fcc069da73e051072fde24af4014c9c487286";
+    sha256 = "sha256-o6yGiR+Y5SnX1johdi7fQWP5ts7HdDMqeju75UOhgik=";
+  };
+
+  nativeBuildInputs = kernel.moduleBuildDependencies;
+  makeFlags = kernel.makeFlags;
+
+  buildPhase = ''
+    make -C ${kernel.dev}/lib/modules/${kernel.modDirVersion}/build \
+      -j$NIX_BUILD_CORES M=$(pwd) modules $makeFlags
+  '';
+
+  installPhase = ''
+    make -C ${kernel.dev}/lib/modules/${kernel.modDirVersion}/build  \
+      INSTALL_MOD_PATH=$out M=$(pwd) modules_install $makeFlags
+  '';
+
+  meta = with lib; {
+    description = "A driver for MacBook models 2018 and newer, which makes the keyboard, mouse and audio output work.";
+    longDescription = ''
+      A driver for MacBook models 2018 and newer, implementing the VHCI (required for mouse/keyboard/etc.) and audio functionality.
+    '';
+    homepage = "https://github.com/MCMrARM/mbp2018-bridge-drv";
+    license = lib.licenses.gpl2Only;
+    platforms = platforms.linux;
+    maintainers = [ lib.maintainers.hlolli ];
+    broken = kernel.kernelOlder "5.4";
+  };
+}
diff --git a/nixpkgs/pkgs/os-specific/linux/mbpfan/default.nix b/nixpkgs/pkgs/os-specific/linux/mbpfan/default.nix
new file mode 100644
index 000000000000..50fc74d7fa0a
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/mbpfan/default.nix
@@ -0,0 +1,24 @@
+{ stdenv, lib, fetchFromGitHub }:
+
+stdenv.mkDerivation rec {
+  pname = "mbpfan";
+  version = "2.4.0";
+  src = fetchFromGitHub {
+    owner = "dgraziotin";
+    repo = "mbpfan";
+    rev = "v${version}";
+    sha256 = "sha256-F9IWUcILOuLn5K4zRSU5jn+1Wk1xy0CONSI6JTXU2pA=";
+  };
+  installPhase = ''
+    mkdir -p $out/bin $out/etc
+    cp bin/mbpfan $out/bin
+    cp mbpfan.conf $out/etc
+  '';
+  meta = with lib; {
+    description = "Daemon that uses input from coretemp module and sets the fan speed using the applesmc module";
+    homepage = "https://github.com/dgraziotin/mbpfan";
+    license = licenses.gpl3;
+    platforms = platforms.linux;
+    maintainers = with maintainers; [ ];
+  };
+}
diff --git a/nixpkgs/pkgs/os-specific/linux/mceinject/default.nix b/nixpkgs/pkgs/os-specific/linux/mceinject/default.nix
new file mode 100644
index 000000000000..524225763742
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/mceinject/default.nix
@@ -0,0 +1,38 @@
+{ lib, stdenv, fetchFromGitHub, bison, flex }:
+
+stdenv.mkDerivation rec {
+  pname = "mceinject";
+  version = "unstable-2013-01-19";
+
+  src = fetchFromGitHub {
+    owner  = "andikleen";
+    repo   = "mce-inject";
+    rev    = "4cbe46321b4a81365ff3aafafe63967264dbfec5";
+    sha256 = "0gjapg2hrlxp8ssrnhvc19i3r1xpcnql7xv0zjgbv09zyha08g6z";
+  };
+
+  nativeBuildInputs = [ flex bison ];
+
+  env.NIX_CFLAGS_COMPILE = "-Os -g -Wall";
+
+  NIX_LDFLAGS = [ "-lpthread" ];
+
+  makeFlags = [ "prefix=" ];
+
+  enableParallelBuilding = true;
+
+  installFlags = [ "destdir=$(out)" "manprefix=/share" ];
+
+  meta = with lib; {
+    description = "A tool to inject machine checks into x86 kernel for testing";
+    longDescription = ''
+      mce-inject allows to inject machine check errors on the software level
+      into a running Linux kernel. This is intended for validation of the
+      kernel machine check handler.
+    '';
+    homepage = "https://github.com/andikleen/mce-inject/";
+    license = licenses.gpl2;
+    maintainers = with maintainers; [ arkivm ];
+    platforms = platforms.linux;
+  };
+}
diff --git a/nixpkgs/pkgs/os-specific/linux/mcelog/default.nix b/nixpkgs/pkgs/os-specific/linux/mcelog/default.nix
new file mode 100644
index 000000000000..916c79a4298d
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/mcelog/default.nix
@@ -0,0 +1,51 @@
+{ lib, stdenv, fetchFromGitHub, util-linux }:
+
+stdenv.mkDerivation rec {
+  pname = "mcelog";
+  version = "180";
+
+  src = fetchFromGitHub {
+    owner  = "andikleen";
+    repo   = "mcelog";
+    rev    = "v${version}";
+    sha256 = "1xy1082c67yd48idg5vwvrw7yx74gn6jj2d9c67d0rh6yji091ki";
+  };
+
+  postPatch = ''
+    for i in mcelog.conf paths.h; do
+      substituteInPlace $i --replace /etc $out/etc
+    done
+    touch mcelog.conf.5 # avoid regeneration requiring Python
+
+    substituteInPlace Makefile --replace '"unknown"' '"${version}"'
+
+    for i in triggers/*; do
+      substituteInPlace $i --replace 'logger' '${util-linux}/bin/logger'
+    done
+  '';
+
+  enableParallelBuilding = true;
+
+  installFlags = [ "DESTDIR=$(out)" "prefix=" "DOCDIR=/share/doc" ];
+
+  postInstall = ''
+    mkdir -p $out/lib/systemd/system
+    substitute mcelog.service $out/lib/systemd/system/mcelog.service \
+      --replace /usr/sbin $out/bin
+  '';
+
+  meta = with lib; {
+    description = "Log x86 machine checks: memory, IO, and CPU hardware errors";
+    longDescription = ''
+      The mcelog daemon accounts memory and some other errors in various ways
+      on modern x86 Linux systems. The daemon can be queried and/or execute
+      triggers when configurable error thresholds are exceeded. This is used to
+      implement a range of automatic predictive failure analysis algorithms,
+      including bad page offlining and automatic cache error handling. All
+      errors are logged to /var/log/mcelog or syslog or the journal.
+    '';
+    homepage = "http://mcelog.org/";
+    license = licenses.gpl2Plus;
+    platforms = platforms.linux;
+  };
+}
diff --git a/nixpkgs/pkgs/os-specific/linux/mdadm/default.nix b/nixpkgs/pkgs/os-specific/linux/mdadm/default.nix
new file mode 100644
index 000000000000..e7aa16d3dd39
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/mdadm/default.nix
@@ -0,0 +1,55 @@
+{ lib, stdenv, util-linux, coreutils, fetchurl, groff, system-sendmail, udev }:
+
+stdenv.mkDerivation rec {
+  pname = "mdadm";
+  version = "4.2";
+
+  src = fetchurl {
+    url = "mirror://kernel/linux/utils/raid/mdadm/mdadm-${version}.tar.xz";
+    sha256 = "sha256-RhwhVnCGS7dKTRo2IGhKorL4KW3/oGdD8m3aVVes8B0=";
+  };
+
+  patches = [ ./no-self-references.patch ];
+
+  makeFlags = [
+    "NIXOS=1" "INSTALL=install" "BINDIR=$(out)/sbin"
+    "SYSTEMD_DIR=$(out)/lib/systemd/system"
+    "MANDIR=$(out)/share/man" "RUN_DIR=/dev/.mdadm"
+    "STRIP="
+  ] ++ lib.optionals (stdenv.hostPlatform != stdenv.buildPlatform) [
+    "CROSS_COMPILE=${stdenv.cc.targetPrefix}"
+  ];
+
+  installFlags = [ "install-systemd" ];
+
+  enableParallelBuilding = true;
+
+  buildInputs = [ udev ];
+
+  nativeBuildInputs = [ groff ];
+
+  postPatch = ''
+    sed -e 's@/lib/udev@''${out}/lib/udev@' \
+        -e 's@ -Werror @ @' \
+        -e 's@/usr/sbin/sendmail@${system-sendmail}/bin/sendmail@' -i Makefile
+    sed -i \
+        -e 's@/usr/bin/basename@${coreutils}/bin/basename@g' \
+        -e 's@BINDIR/blkid@${util-linux}/bin/blkid@g' \
+        *.rules
+  '';
+
+  # This is to avoid self-references, which causes the initrd to explode
+  # in size and in turn prevents mdraid systems from booting.
+  postFixup = ''
+    grep -r $out $out/bin && false || true
+  '';
+
+  meta = with lib; {
+    description = "Programs for managing RAID arrays under Linux";
+    homepage = "http://neil.brown.name/blog/mdadm";
+    license = licenses.gpl2;
+    mainProgram = "mdadm";
+    maintainers = with maintainers; [ ekleog ];
+    platforms = platforms.linux;
+  };
+}
diff --git a/nixpkgs/pkgs/os-specific/linux/mdadm/no-self-references.patch b/nixpkgs/pkgs/os-specific/linux/mdadm/no-self-references.patch
new file mode 100644
index 000000000000..3b3dc4d84609
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/mdadm/no-self-references.patch
@@ -0,0 +1,124 @@
+diff --git a/Makefile b/Makefile
+index 2a51d813..a31ac48a 100644
+--- a/Makefile
++++ b/Makefile
+@@ -63,6 +63,9 @@ endif
+ ifdef DEBIAN
+ CPPFLAGS += -DDEBIAN
+ endif
++ifdef NIXOS
++CPPFLAGS += -DNIXOS
++endif
+ ifdef DEFAULT_OLD_METADATA
+  CPPFLAGS += -DDEFAULT_OLD_METADATA
+  DEFAULT_METADATA=0.90
+@@ -129,6 +132,7 @@ endif
+ INSTALL = /usr/bin/install
+ DESTDIR =
+ BINDIR  = /sbin
++INSTALL_BINDIR = ${BINDIR}
+ MANDIR  = /usr/share/man
+ MAN4DIR = $(MANDIR)/man4
+ MAN5DIR = $(MANDIR)/man5
+@@ -253,16 +257,16 @@ sha1.o : sha1.c sha1.h md5.h
+ install : install-bin install-man install-udev
+ 
+ install-static : mdadm.static install-man
+-	$(INSTALL) -D $(STRIP) -m 755 mdadm.static $(DESTDIR)$(BINDIR)/mdadm
++	$(INSTALL) -D $(STRIP) -m 755 mdadm.static $(DESTDIR)$(INSTALL_BINDIR)/mdadm
+ 
+ install-tcc : mdadm.tcc install-man
+-	$(INSTALL) -D $(STRIP) -m 755 mdadm.tcc $(DESTDIR)$(BINDIR)/mdadm
++	$(INSTALL) -D $(STRIP) -m 755 mdadm.tcc $(DESTDIR)$(INSTALL_BINDIR)/mdadm
+ 
+ install-uclibc : mdadm.uclibc install-man
+-	$(INSTALL) -D $(STRIP) -m 755 mdadm.uclibc $(DESTDIR)$(BINDIR)/mdadm
++	$(INSTALL) -D $(STRIP) -m 755 mdadm.uclibc $(DESTDIR)$(INSTALL_BINDIR)/mdadm
+ 
+ install-klibc : mdadm.klibc install-man
+-	$(INSTALL) -D $(STRIP) -m 755 mdadm.klibc $(DESTDIR)$(BINDIR)/mdadm
++	$(INSTALL) -D $(STRIP) -m 755 mdadm.klibc $(DESTDIR)$(INSTALL_BINDIR)/mdadm
+ 
+ install-man: mdadm.8 md.4 mdadm.conf.5 mdmon.8
+ 	$(INSTALL) -D -m 644 mdadm.8 $(DESTDIR)$(MAN8DIR)/mdadm.8
+@@ -305,7 +309,7 @@ install-bin: mdadm mdmon
+ 	$(INSTALL) -D $(STRIP) -m 755 mdmon $(DESTDIR)$(BINDIR)/mdmon
+ 
+ uninstall:
+-	rm -f $(DESTDIR)$(MAN8DIR)/mdadm.8 $(DESTDIR)$(MAN8DIR)/mdmon.8 $(DESTDIR)$(MAN4DIR)/md.4 $(DESTDIR)$(MAN5DIR)/mdadm.conf.5 $(DESTDIR)$(BINDIR)/mdadm
++	rm -f $(DESTDIR)$(MAN8DIR)/mdadm.8 $(DESTDIR)$(MAN8DIR)/mdmon.8 $(DESTDIR)$(MAN4DIR)/md.4 $(DESTDIR)$(MAN5DIR)/mdadm.conf.5 $(DESTDIR)$(INSTALL_BINDIR)/mdadm
+ 
+ test: mdadm mdmon test_stripe swap_super raid6check
+ 	@echo "Please run './test' as root"
+diff --git a/policy.c b/policy.c
+index eee9ef63..9f916e9d 100644
+--- a/policy.c
++++ b/policy.c
+@@ -817,12 +817,39 @@ char *find_rule(struct rule *rule, char *rule_type)
+ #define UDEV_RULE_FORMAT \
+ "ACTION==\"add\", SUBSYSTEM==\"block\", " \
+ "ENV{DEVTYPE}==\"%s\", ENV{ID_PATH}==\"%s\", " \
+-"RUN+=\"" BINDIR "/mdadm --incremental $env{DEVNAME}\"\n"
++"RUN+=\"%s/mdadm --incremental $env{DEVNAME}\"\n"
+ 
+ #define UDEV_RULE_FORMAT_NOTYPE \
+ "ACTION==\"add\", SUBSYSTEM==\"block\", " \
+ "ENV{ID_PATH}==\"%s\", " \
+-"RUN+=\"" BINDIR "/mdadm --incremental $env{DEVNAME}\"\n"
++"RUN+=\"%s/mdadm --incremental $env{DEVNAME}\"\n"
++
++#ifdef NIXOS
++const char *get_mdadm_bindir(void)
++{
++	static char *bindir = NULL;
++	if (bindir != NULL) {
++		return bindir;
++	} else {
++		int len;
++		bindir = xmalloc(1025);
++		len = readlink("/proc/self/exe", bindir, 1024);
++		if (len > 0) {
++			char *basename;
++			if ((basename = strrchr(bindir, '/')) != NULL)
++				*basename = '\0';
++			else
++				*(bindir + len) = '\0';
++		} else {
++			*bindir = '\0';
++		}
++		return bindir;
++	}
++}
++#define SELF get_mdadm_bindir()
++#else
++#define SELF BINDIR
++#endif
+ 
+ /* Write rule in the rule file. Use format from UDEV_RULE_FORMAT */
+ int write_rule(struct rule *rule, int fd, int force_part)
+@@ -836,9 +863,9 @@ int write_rule(struct rule *rule, int fd, int force_part)
+ 	if (force_part)
+ 		typ = type_part;
+ 	if (typ)
+-		snprintf(line, sizeof(line) - 1, UDEV_RULE_FORMAT, typ, pth);
++		snprintf(line, sizeof(line) - 1, UDEV_RULE_FORMAT, typ, pth, SELF);
+ 	else
+-		snprintf(line, sizeof(line) - 1, UDEV_RULE_FORMAT_NOTYPE, pth);
++		snprintf(line, sizeof(line) - 1, UDEV_RULE_FORMAT_NOTYPE, pth, SELF);
+ 	return write(fd, line, strlen(line)) == (int)strlen(line);
+ }
+ 
+diff --git a/util.c b/util.c
+index 3d05d074..e004a798 100644
+--- a/util.c
++++ b/util.c
+@@ -1913,7 +1913,9 @@ int start_mdmon(char *devnm)
+ 	char pathbuf[1024];
+ 	char *paths[4] = {
+ 		pathbuf,
++#ifndef NIXOS
+ 		BINDIR "/mdmon",
++#endif
+ 		"./mdmon",
+ 		NULL
+ 	};
diff --git a/nixpkgs/pkgs/os-specific/linux/mdevctl/default.nix b/nixpkgs/pkgs/os-specific/linux/mdevctl/default.nix
new file mode 100644
index 000000000000..80c3c1316d85
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/mdevctl/default.nix
@@ -0,0 +1,42 @@
+{ lib
+, rustPlatform
+, fetchCrate
+, docutils
+, installShellFiles
+}:
+
+rustPlatform.buildRustPackage rec {
+  pname = "mdevctl";
+  version = "1.2.0";
+
+  src = fetchCrate {
+    inherit pname version;
+    hash = "sha256-0X/3DWNDPOgSNNTqcj44sd7DNGFt+uGBjkc876dSgU8=";
+  };
+
+  cargoHash = "sha256-TmumQBWuH5fJOe2qzcDtEGbmCs2G9Gfl8mH7xifzRGc=";
+
+  nativeBuildInputs = [
+    docutils
+    installShellFiles
+  ];
+
+  postInstall = ''
+    ln -s mdevctl $out/bin/lsmdev
+
+    install -Dm444 60-mdevctl.rules -t $out/lib/udev/rules.d
+
+    installManPage $releaseDir/build/mdevctl-*/out/mdevctl.8
+    ln -s mdevctl.8 $out/share/man/man8/lsmdev.8
+
+    installShellCompletion $releaseDir/build/mdevctl-*/out/{lsmdev,mdevctl}.bash
+  '';
+
+  meta = with lib; {
+    homepage = "https://github.com/mdevctl/mdevctl";
+    description = "A mediated device management utility for linux";
+    license = licenses.lgpl21Only;
+    maintainers = with maintainers; [ edwtjo ];
+    platforms = platforms.linux;
+  };
+}
diff --git a/nixpkgs/pkgs/os-specific/linux/metastore/default.nix b/nixpkgs/pkgs/os-specific/linux/metastore/default.nix
new file mode 100644
index 000000000000..c9875297186e
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/metastore/default.nix
@@ -0,0 +1,24 @@
+{ lib, stdenv, libbsd, fetchFromGitHub }:
+
+stdenv.mkDerivation rec {
+  version = "1.1.2";
+  pname = "metastore";
+
+  src = fetchFromGitHub {
+    owner = "przemoc";
+    repo = "metastore";
+    rev = "v${version}";
+    sha256 = "0mb10wfckswqgi0bq25ncgabnd3iwj7s7hhg3wpcyfgckdynwizv";
+  };
+
+  buildInputs = [ libbsd ];
+  installFlags = [ "PREFIX=$(out)" ];
+
+  meta = with lib; {
+    description = "Store and restore metadata from a filesystem";
+    homepage = "https://software.przemoc.net/#metastore";
+    license = licenses.gpl2;
+    maintainers = with maintainers; [ sstef ];
+    platforms = platforms.linux;
+  };
+}
diff --git a/nixpkgs/pkgs/os-specific/linux/microcode/amd.nix b/nixpkgs/pkgs/os-specific/linux/microcode/amd.nix
new file mode 100644
index 000000000000..3c82cdec29fb
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/microcode/amd.nix
@@ -0,0 +1,31 @@
+{ lib, stdenv, linux-firmware, libarchive }:
+
+stdenv.mkDerivation {
+  pname = "amd-ucode";
+  version = linux-firmware.version;
+
+  src = linux-firmware;
+
+  sourceRoot = ".";
+
+  nativeBuildInputs = [ libarchive ];
+
+  buildPhase = ''
+    mkdir -p kernel/x86/microcode
+    find ${linux-firmware}/lib/firmware/amd-ucode -name \*.bin -print0 | sort -z |\
+      xargs -0 -I{} sh -c 'cat {} >> kernel/x86/microcode/AuthenticAMD.bin'
+  '';
+
+  installPhase = ''
+    mkdir -p $out
+    touch -d @$SOURCE_DATE_EPOCH kernel/x86/microcode/AuthenticAMD.bin
+    echo kernel/x86/microcode/AuthenticAMD.bin | bsdtar --uid 0 --gid 0 -cnf - -T - | bsdtar --null -cf - --format=newc @- > $out/amd-ucode.img
+  '';
+
+  meta = with lib; {
+    description = "AMD Processor microcode patch";
+    homepage = "https://git.kernel.org/pub/scm/linux/kernel/git/firmware/linux-firmware.git";
+    license = licenses.unfreeRedistributableFirmware;
+    platforms = platforms.linux;
+  };
+}
diff --git a/nixpkgs/pkgs/os-specific/linux/microcode/intel.nix b/nixpkgs/pkgs/os-specific/linux/microcode/intel.nix
new file mode 100644
index 000000000000..de51beb2cc18
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/microcode/intel.nix
@@ -0,0 +1,35 @@
+{ lib, stdenv, fetchFromGitHub, libarchive, iucode-tool }:
+
+stdenv.mkDerivation rec {
+  pname = "microcode-intel";
+  version = "20231114";
+
+  src = fetchFromGitHub {
+    owner = "intel";
+    repo = "Intel-Linux-Processor-Microcode-Data-Files";
+    rev = "microcode-${version}";
+    hash = "sha256-cZ7APDjwjarPCzk1HWxqIXdGwNOl6HG0KSCtffmEhx0=";
+  };
+
+  nativeBuildInputs = [ iucode-tool libarchive ];
+
+  installPhase = ''
+    runHook preInstall
+
+    mkdir -p $out kernel/x86/microcode
+    iucode_tool -w kernel/x86/microcode/GenuineIntel.bin intel-ucode/
+    touch -d @$SOURCE_DATE_EPOCH kernel/x86/microcode/GenuineIntel.bin
+    echo kernel/x86/microcode/GenuineIntel.bin | bsdtar --uid 0 --gid 0 -cnf - -T - | bsdtar --null -cf - --format=newc @- > $out/intel-ucode.img
+
+    runHook postInstall
+  '';
+
+  meta = with lib; {
+    homepage = "https://www.intel.com/";
+    changelog = "https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/releases/tag/${src.rev}";
+    description = "Microcode for Intel processors";
+    license = licenses.unfreeRedistributableFirmware;
+    platforms = platforms.linux;
+    maintainers = with maintainers; [ ];
+  };
+}
diff --git a/nixpkgs/pkgs/os-specific/linux/microcode/iucode-tool.nix b/nixpkgs/pkgs/os-specific/linux/microcode/iucode-tool.nix
new file mode 100644
index 000000000000..d27e3ca6987b
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/microcode/iucode-tool.nix
@@ -0,0 +1,35 @@
+{ lib, stdenv, fetchFromGitLab, autoreconfHook, fetchpatch, argp-standalone }:
+
+stdenv.mkDerivation rec {
+  pname = "iucode-tool";
+  version = "2.3.1";
+
+  src = fetchFromGitLab {
+    owner  = "iucode-tool";
+    repo   = "iucode-tool";
+    rev    = "v${version}";
+    sha256 = "04dlisw87dd3q3hhmkqc5dd58cp22fzx3rzah7pvcyij135yjc3a";
+  };
+
+  patches = [
+    # build fix for musl libc, pending upstream review
+    # https://gitlab.com/iucode-tool/iucode-tool/-/merge_requests/4
+    (fetchpatch {
+      url = "https://gitlab.com/iucode-tool/iucode-tool/-/commit/fda4aaa4727601dbe817fac001f234c19420351a.patch";
+      hash = "sha256-BxYrXALpZFyJtFrgU5jFmzd1dIMPmpNgvYArgkwGt/w=";
+    })
+  ];
+
+  nativeBuildInputs = [ autoreconfHook ];
+  buildInputs = lib.optional stdenv.hostPlatform.isMusl argp-standalone;
+
+  enableParallelBuilding = true;
+
+  meta = with lib; {
+    description = "Intel® 64 and IA-32 processor microcode tool";
+    homepage = "https://gitlab.com/iucode-tool/iucode-tool";
+    license = licenses.gpl2;
+    maintainers = with maintainers; [ peterhoeg ];
+    platforms = [ "x86_64-linux" "i686-linux" ];
+  };
+}
diff --git a/nixpkgs/pkgs/os-specific/linux/mingetty/default.nix b/nixpkgs/pkgs/os-specific/linux/mingetty/default.nix
new file mode 100644
index 000000000000..eb58dc553676
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/mingetty/default.nix
@@ -0,0 +1,22 @@
+{ lib, stdenv, fetchurl }:
+
+stdenv.mkDerivation rec {
+  pname = "mingetty";
+  version = "1.08";
+
+  src = fetchurl {
+    url = "mirror://sourceforge/mingetty/mingetty-${version}.tar.gz";
+    sha256 = "05yxrp44ky2kg6qknk1ih0kvwkgbn9fbz77r3vci7agslh5wjm8g";
+  };
+
+  preInstall = ''
+    mkdir -p $out/sbin $out/share/man/man8
+    makeFlagsArray=(SBINDIR=$out/sbin MANDIR=$out/share/man/man8)
+  '';
+
+  meta = with lib; {
+    homepage = "https://sourceforge.net/projects/mingetty";
+    license = licenses.gpl2;
+    platforms = platforms.linux;
+  };
+}
diff --git a/nixpkgs/pkgs/os-specific/linux/minimal-bootstrap/bash/2.nix b/nixpkgs/pkgs/os-specific/linux/minimal-bootstrap/bash/2.nix
new file mode 100644
index 000000000000..5eea877803a5
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/minimal-bootstrap/bash/2.nix
@@ -0,0 +1,157 @@
+{ lib
+, derivationWithMeta
+, fetchurl
+, kaem
+, tinycc
+, gnumake
+, gnupatch
+, coreutils
+, mescc-tools-extra
+, bash_2_05
+}:
+let
+  pname = "bash";
+  version = "2.05b";
+
+  src = fetchurl {
+    url = "mirror://gnu/bash/bash-${version}.tar.gz";
+    sha256 = "1r1z2qdw3rz668nxrzwa14vk2zcn00hw7mpjn384picck49d80xs";
+  };
+
+  # Thanks to the live-bootstrap project!
+  # See https://github.com/fosslinux/live-bootstrap/blob/1bc4296091c51f53a5598050c8956d16e945b0f5/sysa/bash-2.05b/bash-2.05b.kaem
+  liveBootstrap = "https://github.com/fosslinux/live-bootstrap/raw/1bc4296091c51f53a5598050c8956d16e945b0f5/sysa/bash-2.05b";
+
+  main_mk = fetchurl {
+    url = "${liveBootstrap}/mk/main.mk";
+    sha256 = "0hj29q3pq3370p18sxkpvv9flb7yvx2fs96xxlxqlwa8lkimd0j4";
+  };
+
+  common_mk = fetchurl {
+    url = "${liveBootstrap}/mk/common.mk";
+    sha256 = "09rigxxf85p2ybnq248sai1gdx95yykc8jmwi4yjx389zh09mcr8";
+  };
+
+  builtins_mk = fetchurl {
+    url = "${liveBootstrap}/mk/builtins.mk";
+    sha256 = "0939dy5by1xhfmsjj6w63nlgk509fjrhpb2crics3dpcv7prl8lj";
+  };
+
+  patches = [
+    # mes libc does not have locale support
+    (fetchurl {
+      url = "${liveBootstrap}/patches/mes-libc.patch";
+      sha256 = "0zksdjf6zbb3p4hqg6plq631y76hhhgab7kdvf7cnpk8bcykn12z";
+    })
+    # int name, namelen; is wrong for mes libc, it is char* name, so we modify tinycc
+    # to reflect this.
+    (fetchurl {
+      url = "${liveBootstrap}/patches/tinycc.patch";
+      sha256 = "042d2kr4a8klazk1hlvphxr6frn4mr53k957aq3apf6lbvrjgcj2";
+    })
+    # add ifdef's for features we don't want
+    (fetchurl {
+      url = "${liveBootstrap}/patches/missing-defines.patch";
+      sha256 = "1q0k1kj5mrvjkqqly7ki5575a5b3hy1ywnmvhrln318yh67qnkj4";
+    })
+    # mes libc + setting locale = not worky
+    (fetchurl {
+      url = "${liveBootstrap}/patches/locale.patch";
+      sha256 = "1p1q1slhafsgj8x4k0dpn9h6ryq5fwfx7dicbbxhldbw7zvnnbx9";
+    })
+    # We do not have /dev at this stage of the bootstrap, including /dev/tty
+    (fetchurl {
+      url = "${liveBootstrap}/patches/dev-tty.patch";
+      sha256 = "1315slv5f7ziajqyxg4jlyanf1xwd06xw14y6pq7xpm3jzjk55j9";
+    })
+  ];
+in
+kaem.runCommand "${pname}-${version}" {
+  inherit pname version;
+
+  nativeBuildInputs = [
+    tinycc.compiler
+    gnumake
+    gnupatch
+    coreutils
+  ];
+
+  passthru.runCommand = name: env: buildCommand:
+    derivationWithMeta ({
+      inherit name buildCommand;
+      builder = "${bash_2_05}/bin/bash";
+      args = [
+        "-e"
+        (builtins.toFile "bash-builder.sh" ''
+          export CONFIG_SHELL=$SHELL
+
+          # Normalize the NIX_BUILD_CORES variable. The value might be 0, which
+          # means that we're supposed to try and auto-detect the number of
+          # available CPU cores at run-time. We don't have nproc to detect the
+          # number of available CPU cores so default to 1 if not set.
+          NIX_BUILD_CORES="''${NIX_BUILD_CORES:-1}"
+          if [ $NIX_BUILD_CORES -le 0 ]; then
+            NIX_BUILD_CORES=1
+          fi
+          export NIX_BUILD_CORES
+
+          bash -eux $buildCommandPath
+        '')
+      ];
+      passAsFile = [ "buildCommand" ];
+
+      SHELL = "${bash_2_05}/bin/bash";
+      PATH = lib.makeBinPath ((env.nativeBuildInputs or []) ++ [
+        bash_2_05
+        coreutils
+        # provides untar, ungz, and unbz2
+        mescc-tools-extra
+      ]);
+    } // (builtins.removeAttrs env [ "nativeBuildInputs" ]));
+
+  passthru.tests.get-version = result:
+    kaem.runCommand "${pname}-get-version-${version}" {} ''
+      ${result}/bin/bash --version
+      mkdir ''${out}
+    '';
+
+  meta = with lib; {
+    description = "GNU Bourne-Again Shell, the de facto standard shell on Linux";
+    homepage = "https://www.gnu.org/software/bash";
+    license = licenses.gpl3Plus;
+    maintainers = teams.minimal-bootstrap.members;
+    platforms = platforms.unix;
+  };
+} ''
+  # Unpack
+  ungz --file ${src} --output bash.tar
+  untar --file bash.tar
+  rm bash.tar
+  cd bash-${version}
+
+  # Patch
+  ${lib.concatMapStringsSep "\n" (f: "patch -Np0 -i ${f}") patches}
+
+  # Configure
+  cp ${main_mk} Makefile
+  cp ${builtins_mk} builtins/Makefile
+  cp ${common_mk} common.mk
+  touch config.h
+  touch include/version.h
+  touch include/pipesize.h
+
+  # Build
+  make \
+    CC="tcc -B ${tinycc.libs}/lib" \
+    mkbuiltins
+  cd builtins
+  make \
+    CC="tcc -B ${tinycc.libs}/lib" \
+    libbuiltins.a
+  cd ..
+  make CC="tcc -B ${tinycc.libs}/lib"
+
+  # Install
+  install -D bash ''${out}/bin/bash
+  ln -s bash ''${out}/bin/sh
+''
diff --git a/nixpkgs/pkgs/os-specific/linux/minimal-bootstrap/bash/default.nix b/nixpkgs/pkgs/os-specific/linux/minimal-bootstrap/bash/default.nix
new file mode 100644
index 000000000000..86fa3a58687b
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/minimal-bootstrap/bash/default.nix
@@ -0,0 +1,117 @@
+{ lib
+, buildPlatform
+, hostPlatform
+, fetchurl
+, bootBash
+, gnumake
+, gnupatch
+, gnused
+, gnugrep
+, gnutar
+, gawk
+, gzip
+, diffutils
+, tinycc
+, derivationWithMeta
+, bash
+, coreutils
+}:
+let
+  pname = "bash";
+  version = "5.2.15";
+
+  src = fetchurl {
+    url = "mirror://gnu/bash/bash-${version}.tar.gz";
+    sha256 = "132qng0jy600mv1fs95ylnlisx2wavkkgpb19c6kmz7lnmjhjwhk";
+  };
+
+  patches = [
+    # flush output for generated code
+    ./mksignames-flush.patch
+  ];
+in
+bootBash.runCommand "${pname}-${version}" {
+  inherit pname version;
+
+  nativeBuildInputs = [
+    coreutils
+    tinycc.compiler
+    gnumake
+    gnupatch
+    gnused
+    gnugrep
+    gnutar
+    gawk
+    gzip
+    diffutils
+  ];
+
+  passthru.runCommand = name: env: buildCommand:
+    derivationWithMeta ({
+      inherit name buildCommand;
+      builder = "${bash}/bin/bash";
+      args = [
+        "-e"
+        (builtins.toFile "bash-builder.sh" ''
+          export CONFIG_SHELL=$SHELL
+
+          # Normalize the NIX_BUILD_CORES variable. The value might be 0, which
+          # means that we're supposed to try and auto-detect the number of
+          # available CPU cores at run-time.
+          NIX_BUILD_CORES="''${NIX_BUILD_CORES:-1}"
+          if ((NIX_BUILD_CORES <= 0)); then
+            guess=$(nproc 2>/dev/null || true)
+            ((NIX_BUILD_CORES = guess <= 0 ? 1 : guess))
+          fi
+          export NIX_BUILD_CORES
+
+          bash -eux $buildCommandPath
+        '')
+      ];
+      passAsFile = [ "buildCommand" ];
+
+      SHELL = "${bash}/bin/bash";
+      PATH = lib.makeBinPath ((env.nativeBuildInputs or []) ++ [
+        bash
+        coreutils
+      ]);
+    } // (builtins.removeAttrs env [ "nativeBuildInputs" ]));
+
+  passthru.tests.get-version = result:
+    bootBash.runCommand "${pname}-get-version-${version}" {} ''
+      ${result}/bin/bash --version
+      mkdir $out
+    '';
+
+  meta = with lib; {
+    description = "GNU Bourne-Again Shell, the de facto standard shell on Linux";
+    homepage = "https://www.gnu.org/software/bash";
+    license = licenses.gpl3Plus;
+    maintainers = teams.minimal-bootstrap.members;
+    platforms = platforms.unix;
+  };
+} ''
+  # Unpack
+  tar xzf ${src}
+  cd bash-${version}
+
+  # Patch
+  ${lib.concatMapStringsSep "\n" (f: "patch -Np1 -i ${f}") patches}
+
+  # Configure
+  export CC="tcc -B ${tinycc.libs}/lib"
+  export AR="tcc -ar"
+  export LD=tcc
+  bash ./configure \
+    --prefix=$out \
+    --build=${buildPlatform.config} \
+    --host=${hostPlatform.config} \
+    --without-bash-malloc
+
+  # Build
+  make -j $NIX_BUILD_CORES SHELL=bash
+
+  # Install
+  make -j $NIX_BUILD_CORES install
+  ln -s bash $out/bin/sh
+''
diff --git a/nixpkgs/pkgs/os-specific/linux/minimal-bootstrap/bash/mksignames-flush.patch b/nixpkgs/pkgs/os-specific/linux/minimal-bootstrap/bash/mksignames-flush.patch
new file mode 100644
index 000000000000..6e64dfa7fa3a
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/minimal-bootstrap/bash/mksignames-flush.patch
@@ -0,0 +1,10 @@
+--- a/support/mksignames.c
++++ b/support/mksignames.c
+@@ -68,6 +68,7 @@ write_signames (stream)
+   fprintf (stream, "};\n\n");
+   fprintf (stream, "#define initialize_signames()\n\n");
+ #endif
++  fflush(stream);
+ }
+ 
+ int
diff --git a/nixpkgs/pkgs/os-specific/linux/minimal-bootstrap/binutils/default.nix b/nixpkgs/pkgs/os-specific/linux/minimal-bootstrap/binutils/default.nix
new file mode 100644
index 000000000000..71e391efb550
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/minimal-bootstrap/binutils/default.nix
@@ -0,0 +1,114 @@
+{ lib
+, buildPlatform
+, hostPlatform
+, fetchurl
+, bash
+, coreutils
+, gnumake
+, gnupatch
+, gnused
+, gnugrep
+, gawk
+, diffutils
+, gnutar
+, xz
+, tinycc
+}:
+
+let
+  # Based on https://github.com/ZilchOS/bootstrap-from-tcc/blob/2e0c68c36b3437386f786d619bc9a16177f2e149/using-nix/2a1-static-binutils.nix
+  pname = "binutils";
+  version = "2.41";
+
+  src = fetchurl {
+    url = "mirror://gnu/binutils/binutils-${version}.tar.xz";
+    hash = "sha256-rppXieI0WeWWBuZxRyPy0//DHAMXQZHvDQFb3wYAdFA=";
+  };
+
+  patches = [
+    # Make binutils output deterministic by default.
+    ./deterministic.patch
+  ];
+
+  configureFlags = [
+    "--prefix=${placeholder "out"}"
+    "--build=${buildPlatform.config}"
+    "--host=${hostPlatform.config}"
+    "--with-sysroot=/"
+    "--enable-deterministic-archives"
+    # depends on bison
+    "--disable-gprofng"
+
+    # Turn on --enable-new-dtags by default to make the linker set
+    # RUNPATH instead of RPATH on binaries.  This is important because
+    # RUNPATH can be overridden using LD_LIBRARY_PATH at runtime.
+    "--enable-new-dtags"
+
+    # By default binutils searches $libdir for libraries. This brings in
+    # libbfd and libopcodes into a default visibility. Drop default lib
+    # path to force users to declare their use of these libraries.
+    "--with-lib-path=:"
+  ];
+in
+bash.runCommand "${pname}-${version}" {
+  inherit pname version;
+
+  nativeBuildInputs = [
+    tinycc.compiler
+    gnumake
+    gnupatch
+    gnused
+    gnugrep
+    gawk
+    diffutils
+    gnutar
+    xz
+  ];
+
+  passthru.tests.get-version = result:
+    bash.runCommand "${pname}-get-version-${version}" {} ''
+      ${result}/bin/ld --version
+      mkdir $out
+    '';
+
+  meta = with lib; {
+    description = "Tools for manipulating binaries (linker, assembler, etc.)";
+    homepage = "https://www.gnu.org/software/binutils";
+    license = licenses.gpl3Plus;
+    maintainers = teams.minimal-bootstrap.members;
+    platforms = platforms.unix;
+  };
+} ''
+  # Unpack
+  cp ${src} binutils.tar.xz
+  unxz binutils.tar.xz
+  tar xf binutils.tar
+  rm binutils.tar
+  cd binutils-${version}
+
+  # Patch
+  ${lib.concatMapStringsSep "\n" (f: "patch -Np1 -i ${f}") patches}
+  sed -i 's|/bin/sh|${bash}/bin/bash|' \
+    missing install-sh mkinstalldirs
+  # see libtool's 74c8993c178a1386ea5e2363a01d919738402f30
+  sed -i 's/| \$NL2SP/| sort | $NL2SP/' ltmain.sh
+  # alias makeinfo to true
+  mkdir aliases
+  ln -s ${coreutils}/bin/true aliases/makeinfo
+  export PATH="$(pwd)/aliases/:$PATH"
+
+  # Configure
+  export CC="tcc -B ${tinycc.libs}/lib"
+  export AR="tcc -ar"
+  export lt_cv_sys_max_cmd_len=32768
+  export CFLAGS="-D__LITTLE_ENDIAN__=1"
+  bash ./configure ${lib.concatStringsSep " " configureFlags}
+
+  # Build
+  make -j $NIX_BUILD_CORES all-libiberty all-gas all-bfd all-libctf all-zlib all-gprof
+  make all-ld # race condition on ld/.deps/ldwrite.Po, serialize
+  make -j $NIX_BUILD_CORES
+
+  # Install
+  make -j $NIX_BUILD_CORES install
+''
diff --git a/nixpkgs/pkgs/os-specific/linux/minimal-bootstrap/binutils/deterministic.patch b/nixpkgs/pkgs/os-specific/linux/minimal-bootstrap/binutils/deterministic.patch
new file mode 100644
index 000000000000..736e0aca6ce1
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/minimal-bootstrap/binutils/deterministic.patch
@@ -0,0 +1,12 @@
+diff -ur orig/binutils-2.23.1/ld/ldlang.c binutils-2.23.1/ld/ldlang.c
+--- orig/ld/ldlang.c
++++ new/ld/ldlang.c
+@@ -3095,6 +3095,8 @@
+                           ldfile_output_machine))
+     einfo (_("%P%F:%s: can not set architecture: %E\n"), name);
+ 
++  link_info.output_bfd->flags |= BFD_DETERMINISTIC_OUTPUT;
++
+   link_info.hash = bfd_link_hash_table_create (link_info.output_bfd);
+   if (link_info.hash == NULL)
+     einfo (_("%P%F: can not create hash table: %E\n"));
diff --git a/nixpkgs/pkgs/os-specific/linux/minimal-bootstrap/bzip2/default.nix b/nixpkgs/pkgs/os-specific/linux/minimal-bootstrap/bzip2/default.nix
new file mode 100644
index 000000000000..05da061ac263
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/minimal-bootstrap/bzip2/default.nix
@@ -0,0 +1,55 @@
+{ lib
+, fetchurl
+, bash
+, tinycc
+, gnumake
+, gnutar
+, gzip
+}:
+let
+  pname = "bzip2";
+  version = "1.0.8";
+
+  src = fetchurl {
+    url = "https://sourceware.org/pub/bzip2/bzip2-${version}.tar.gz";
+    sha256 = "0s92986cv0p692icqlw1j42y9nld8zd83qwhzbqd61p1dqbh6nmb";
+  };
+in
+bash.runCommand "${pname}-${version}" {
+  inherit pname version;
+
+  nativeBuildInputs = [
+    tinycc.compiler
+    gnumake
+    gnutar
+    gzip
+  ];
+
+  passthru.tests.get-version = result:
+    bash.runCommand "${pname}-get-version-${version}" {} ''
+      ${result}/bin/bzip2 --help
+      mkdir $out
+    '';
+
+  meta = with lib; {
+    description = "High-quality data compression program";
+    homepage = "https://www.sourceware.org/bzip2";
+    license = licenses.bsdOriginal;
+    maintainers = teams.minimal-bootstrap.members;
+    platforms = platforms.unix;
+  };
+} ''
+  # Unpack
+  tar xzf ${src}
+  cd bzip2-${version}
+
+  # Build
+  make \
+    -j $NIX_BUILD_CORES \
+    CC="tcc -B ${tinycc.libs}/lib" \
+    AR="tcc -ar" \
+    bzip2 bzip2recover
+
+  # Install
+  make install -j $NIX_BUILD_CORES PREFIX=$out
+''
diff --git a/nixpkgs/pkgs/os-specific/linux/minimal-bootstrap/coreutils/default.nix b/nixpkgs/pkgs/os-specific/linux/minimal-bootstrap/coreutils/default.nix
new file mode 100644
index 000000000000..9d7480d239f2
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/minimal-bootstrap/coreutils/default.nix
@@ -0,0 +1,117 @@
+{ lib
+, fetchurl
+, kaem
+, tinycc
+, gnumake
+, gnupatch
+}:
+let
+  pname = "bootstrap-coreutils";
+  version = "5.0";
+
+  src = fetchurl {
+    url = "mirror://gnu/coreutils/coreutils-${version}.tar.gz";
+    sha256 = "10wq6k66i8adr4k08p0xmg87ff4ypiazvwzlmi7myib27xgffz62";
+  };
+
+  # Thanks to the live-bootstrap project!
+  # See https://github.com/fosslinux/live-bootstrap/blob/a8752029f60217a5c41c548b16f5cdd2a1a0e0db/sysa/coreutils-5.0/coreutils-5.0.kaem
+  liveBootstrap = "https://github.com/fosslinux/live-bootstrap/raw/a8752029f60217a5c41c548b16f5cdd2a1a0e0db/sysa/coreutils-5.0";
+
+  makefile = fetchurl {
+    url = "${liveBootstrap}/mk/main.mk";
+    sha256 = "0njg4xccxfqrslrmlb8ls7h6hlnfmdx42nvxwmca8flvczwrplfd";
+  };
+
+  patches = [
+    # modechange.h uses functions defined in sys/stat.h, so we need to move it to
+    # after sys/stat.h include.
+    (fetchurl {
+      url = "${liveBootstrap}/patches/modechange.patch";
+      sha256 = "04xa4a5w2syjs3xs6qhh8kdzqavxnrxpxwyhc3qqykpk699p3ms5";
+    })
+    # mbstate_t is a struct that is required. However, it is not defined by mes libc.
+    (fetchurl {
+      url = "${liveBootstrap}/patches/mbstate.patch";
+      sha256 = "0rz3c0sflgxjv445xs87b83i7gmjpl2l78jzp6nm3khdbpcc53vy";
+    })
+    # strcoll() does not exist in mes libc, change it to strcmp.
+    (fetchurl {
+      url = "${liveBootstrap}/patches/ls-strcmp.patch";
+      sha256 = "0lx8rz4sxq3bvncbbr6jf0kyn5bqwlfv9gxyafp0541dld6l55p6";
+    })
+    # getdate.c is pre-compiled from getdate.y
+    # At this point we don't have bison yet and in any case getdate.y does not
+    # compile when generated with modern bison.
+    (fetchurl {
+      url = "${liveBootstrap}/patches/touch-getdate.patch";
+      sha256 = "1xd3z57lvkj7r8vs5n0hb9cxzlyp58pji7d335snajbxzwy144ma";
+    })
+    # touch: add -h to change symlink timestamps, where supported
+    (fetchurl {
+      url = "${liveBootstrap}/patches/touch-dereference.patch";
+      sha256 = "0wky5r3k028xwyf6g6ycwqxzc7cscgmbymncjg948vv4qxsxlfda";
+    })
+    # strcoll() does not exist in mes libc, change it to strcmp.
+    (fetchurl {
+      url = "${liveBootstrap}/patches/expr-strcmp.patch";
+      sha256 = "19f31lfsm1iwqzvp2fyv97lmqg4730prfygz9zip58651jf739a9";
+    })
+    # strcoll() does not exist in mes libc, change it to strcmp.
+    # hard_LC_COLLATE is used but not declared when HAVE_SETLOCALE is unset.
+    (fetchurl {
+      url = "${liveBootstrap}/patches/sort-locale.patch";
+      sha256 = "0bdch18mpyyxyl6gyqfs0wb4pap9flr11izqdyxccx1hhz0a2i6c";
+    })
+    # don't assume fopen cannot return stdin or stdout.
+    (fetchurl {
+      url = "${liveBootstrap}/patches/uniq-fopen.patch";
+      sha256 = "0qs6shyxl9j4h34v5j5sgpxrr4gjfljd2hxzw416ghwc3xzv63fp";
+    })
+  ];
+in
+kaem.runCommand "${pname}-${version}" {
+  inherit pname version;
+
+  nativeBuildInputs = [
+    tinycc.compiler
+    gnumake
+    gnupatch
+  ];
+
+  meta = with lib; {
+    description = "The GNU Core Utilities";
+    homepage = "https://www.gnu.org/software/coreutils";
+    license = licenses.gpl3Plus;
+    maintainers = teams.minimal-bootstrap.members;
+    platforms = platforms.unix;
+  };
+} ''
+  # Unpack
+  ungz --file ${src} --output coreutils.tar
+  untar --file coreutils.tar
+  rm coreutils.tar
+  cd coreutils-${version}
+
+  # Patch
+  ${lib.concatMapStringsSep "\n" (f: "patch -Np0 -i ${f}") patches}
+
+  # Configure
+  catm config.h
+  cp lib/fnmatch_.h lib/fnmatch.h
+  cp lib/ftw_.h lib/ftw.h
+  cp lib/search_.h lib/search.h
+  rm src/dircolors.h
+
+  # Build
+  make -f ${makefile} \
+    CC="tcc -B ${tinycc.libs}/lib" \
+    PREFIX=''${out}
+
+  # Check
+  ./src/echo "Hello coreutils!"
+
+  # Install
+  ./src/mkdir -p ''${out}/bin
+  make -f ${makefile} install PREFIX=''${out}
+''
diff --git a/nixpkgs/pkgs/os-specific/linux/minimal-bootstrap/coreutils/musl.nix b/nixpkgs/pkgs/os-specific/linux/minimal-bootstrap/coreutils/musl.nix
new file mode 100644
index 000000000000..14584e0a7e6d
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/minimal-bootstrap/coreutils/musl.nix
@@ -0,0 +1,74 @@
+{ lib
+, buildPlatform
+, hostPlatform
+, fetchurl
+, bash
+, tinycc
+, gnumake
+, gnugrep
+, gnused
+, gawk
+, gnutar
+, gzip
+}:
+let
+  pname = "bootstrap-coreutils-musl";
+  version = "9.4";
+
+  src = fetchurl {
+    url = "mirror://gnu/coreutils/coreutils-${version}.tar.gz";
+    hash = "sha256-X2ANkJOXOwr+JTk9m8GMRPIjJlf0yg2V6jHHAutmtzk=";
+  };
+
+  configureFlags = [
+    "--prefix=${placeholder "out"}"
+    "--build=${buildPlatform.config}"
+    "--host=${hostPlatform.config}"
+    # musl 1.1.x doesn't use 64bit time_t
+    "--disable-year2038"
+    # libstdbuf.so fails in static builds
+    "--enable-no-install-program=stdbuf"
+  ];
+in
+bash.runCommand "${pname}-${version}" {
+  inherit pname version;
+
+  nativeBuildInputs = [
+    tinycc.compiler
+    gnumake
+    gnused
+    gnugrep
+    gawk
+    gnutar
+    gzip
+  ];
+
+  passthru.tests.get-version = result:
+    bash.runCommand "${pname}-get-version-${version}" {} ''
+      ${result}/bin/cat --version
+      mkdir $out
+    '';
+
+  meta = with lib; {
+    description = "The GNU Core Utilities";
+    homepage = "https://www.gnu.org/software/coreutils";
+    license = licenses.gpl3Plus;
+    maintainers = teams.minimal-bootstrap.members;
+    platforms = platforms.unix;
+  };
+} ''
+  # Unpack
+  tar xzf ${src}
+  cd coreutils-${version}
+
+  # Configure
+  export CC="tcc -B ${tinycc.libs}/lib"
+  export LD=tcc
+  bash ./configure ${lib.concatStringsSep " " configureFlags}
+
+  # Build
+  make -j $NIX_BUILD_CORES AR="tcc -ar" MAKEINFO="true"
+
+  # Install
+  make -j $NIX_BUILD_CORES install MAKEINFO="true"
+''
diff --git a/nixpkgs/pkgs/os-specific/linux/minimal-bootstrap/default.nix b/nixpkgs/pkgs/os-specific/linux/minimal-bootstrap/default.nix
new file mode 100644
index 000000000000..a246b587dd4f
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/minimal-bootstrap/default.nix
@@ -0,0 +1,229 @@
+{ lib
+, config
+, buildPlatform
+, hostPlatform
+, fetchurl
+, checkMeta
+}:
+
+lib.makeScope
+  # Prevent using top-level attrs to protect against introducing dependency on
+  # non-bootstrap packages by mistake. Any top-level inputs must be explicitly
+  # declared here.
+  (extra: lib.callPackageWith ({ inherit lib config buildPlatform hostPlatform fetchurl checkMeta; } // extra))
+  (self: with self; {
+
+    bash_2_05 = callPackage ./bash/2.nix { tinycc = tinycc-mes; };
+
+    bash = callPackage ./bash {
+      bootBash = bash_2_05;
+      tinycc = tinycc-musl;
+      coreutils = coreutils-musl;
+      gnumake = gnumake-musl;
+      gnutar = gnutar-musl;
+    };
+
+    binutils = callPackage ./binutils {
+      tinycc = tinycc-musl;
+      gnumake = gnumake-musl;
+      gnutar = gnutar-musl;
+    };
+
+    bzip2 = callPackage ./bzip2 {
+      tinycc = tinycc-musl;
+      gnumake = gnumake-musl;
+      gnutar = gnutar-musl;
+    };
+
+    coreutils = callPackage ./coreutils { tinycc = tinycc-mes; };
+    coreutils-musl = callPackage ./coreutils/musl.nix {
+      bash = bash_2_05;
+      tinycc = tinycc-musl;
+      gnumake = gnumake-musl;
+      gnutar = gnutar-musl;
+    };
+
+    diffutils = callPackage ./diffutils {
+      bash = bash_2_05;
+      tinycc = tinycc-musl;
+      gnumake = gnumake-musl;
+      gnutar = gnutar-musl;
+    };
+
+    findutils = callPackage ./findutils {
+      tinycc = tinycc-musl;
+      gnumake = gnumake-musl;
+      gnutar = gnutar-musl;
+    };
+
+    gawk-mes = callPackage ./gawk/mes.nix {
+      bash = bash_2_05;
+      tinycc = tinycc-mes;
+      gnused = gnused-mes;
+    };
+
+    gawk = callPackage ./gawk {
+      bash = bash_2_05;
+      tinycc = tinycc-musl;
+      gnumake = gnumake-musl;
+      gnutar = gnutar-musl;
+      bootGawk = gawk-mes;
+    };
+
+    gcc46 = callPackage ./gcc/4.6.nix {
+      tinycc = tinycc-musl;
+      gnumake = gnumake-musl;
+      gnutar = gnutar-musl;
+      # FIXME: not sure why new gawk doesn't work
+      gawk = gawk-mes;
+    };
+    gcc46-cxx = callPackage ./gcc/4.6.cxx.nix {
+      gcc = gcc46;
+      gnumake = gnumake-musl;
+      gnutar = gnutar-musl;
+      # FIXME: not sure why new gawk doesn't work
+      gawk = gawk-mes;
+    };
+
+    gcc8 = callPackage ./gcc/8.nix {
+      gcc = gcc46-cxx;
+      gnumake = gnumake-musl;
+      gnutar = gnutar-latest;
+      # FIXME: not sure why new gawk doesn't work
+      gawk = gawk-mes;
+    };
+
+    gcc-latest = callPackage ./gcc/latest.nix {
+      gcc = gcc8;
+      gnumake = gnumake-musl;
+      gnutar = gnutar-latest;
+      # FIXME: not sure why new gawk doesn't work
+      gawk = gawk-mes;
+    };
+
+    gnugrep = callPackage ./gnugrep {
+      bash = bash_2_05;
+      tinycc = tinycc-mes;
+    };
+
+    gnumake = callPackage ./gnumake { tinycc = tinycc-mes; };
+
+    gnumake-musl = callPackage ./gnumake/musl.nix {
+      bash = bash_2_05;
+      tinycc = tinycc-musl;
+      gawk = gawk-mes;
+      gnumakeBoot = gnumake;
+    };
+
+    gnupatch = callPackage ./gnupatch { tinycc = tinycc-mes; };
+
+    gnused = callPackage ./gnused {
+      bash = bash_2_05;
+      tinycc = tinycc-musl;
+      gnused = gnused-mes;
+    };
+    gnused-mes = callPackage ./gnused/mes.nix {
+      bash = bash_2_05;
+      tinycc = tinycc-mes;
+    };
+
+    gnutar = callPackage ./gnutar/mes.nix {
+      bash = bash_2_05;
+      tinycc = tinycc-mes;
+      gnused = gnused-mes;
+    };
+
+    gnutar-musl = callPackage ./gnutar/musl.nix {
+      bash = bash_2_05;
+      tinycc = tinycc-musl;
+      gnused = gnused-mes;
+    };
+
+    # FIXME: better package naming scheme
+    gnutar-latest = callPackage ./gnutar/latest.nix {
+      gcc = gcc46;
+      gnumake = gnumake-musl;
+      gnutarBoot = gnutar-musl;
+    };
+
+    gzip = callPackage ./gzip {
+      bash = bash_2_05;
+      tinycc = tinycc-mes;
+      gnused = gnused-mes;
+    };
+
+    heirloom = callPackage ./heirloom {
+      bash = bash_2_05;
+      tinycc = tinycc-mes;
+    };
+
+    heirloom-devtools = callPackage ./heirloom-devtools { tinycc = tinycc-mes; };
+
+    linux-headers = callPackage ./linux-headers { bash = bash_2_05; };
+
+    ln-boot = callPackage ./ln-boot { };
+
+    mes = lib.recurseIntoAttrs (callPackage ./mes { });
+    mes-libc = callPackage ./mes/libc.nix { };
+
+    musl11 = callPackage ./musl/1.1.nix {
+      bash = bash_2_05;
+      tinycc = tinycc-mes;
+      gnused = gnused-mes;
+    };
+
+    musl = callPackage ./musl {
+      gcc = gcc46;
+      gnumake = gnumake-musl;
+    };
+
+    stage0-posix = callPackage ./stage0-posix { };
+
+    inherit (self.stage0-posix) kaem m2libc mescc-tools mescc-tools-extra;
+
+    tinycc-bootstrappable = lib.recurseIntoAttrs (callPackage ./tinycc/bootstrappable.nix { });
+    tinycc-mes = lib.recurseIntoAttrs (callPackage ./tinycc/mes.nix { });
+    tinycc-musl = lib.recurseIntoAttrs (callPackage ./tinycc/musl.nix {
+      bash = bash_2_05;
+      musl = musl11;
+    });
+
+    xz = callPackage ./xz {
+      bash = bash_2_05;
+      tinycc = tinycc-musl;
+      gnumake = gnumake-musl;
+      gnutar = gnutar-musl;
+    };
+
+    inherit (callPackage ./utils.nix { }) derivationWithMeta writeTextFile writeText;
+
+    test = kaem.runCommand "minimal-bootstrap-test" {} ''
+      echo ${bash.tests.get-version}
+      echo ${bash_2_05.tests.get-version}
+      echo ${binutils.tests.get-version}
+      echo ${bzip2.tests.get-version}
+      echo ${coreutils-musl.tests.get-version}
+      echo ${diffutils.tests.get-version}
+      echo ${findutils.tests.get-version}
+      echo ${gawk-mes.tests.get-version}
+      echo ${gawk.tests.get-version}
+      echo ${gcc46.tests.get-version}
+      echo ${gcc46-cxx.tests.hello-world}
+      echo ${gcc8.tests.hello-world}
+      echo ${gcc-latest.tests.hello-world}
+      echo ${gnugrep.tests.get-version}
+      echo ${gnused.tests.get-version}
+      echo ${gnused-mes.tests.get-version}
+      echo ${gnutar.tests.get-version}
+      echo ${gnutar-musl.tests.get-version}
+      echo ${gnutar-latest.tests.get-version}
+      echo ${gzip.tests.get-version}
+      echo ${heirloom.tests.get-version}
+      echo ${mes.compiler.tests.get-version}
+      echo ${musl.tests.hello-world}
+      echo ${tinycc-mes.compiler.tests.chain}
+      echo ${tinycc-musl.compiler.tests.hello-world}
+      echo ${xz.tests.get-version}
+      mkdir ''${out}
+    '';
+  })
diff --git a/nixpkgs/pkgs/os-specific/linux/minimal-bootstrap/diffutils/default.nix b/nixpkgs/pkgs/os-specific/linux/minimal-bootstrap/diffutils/default.nix
new file mode 100644
index 000000000000..24cd643b3497
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/minimal-bootstrap/diffutils/default.nix
@@ -0,0 +1,71 @@
+{ lib
+, buildPlatform
+, hostPlatform
+, fetchurl
+, bash
+, tinycc
+, gnumake
+, gnugrep
+, gnused
+, gawk
+, gnutar
+, xz
+}:
+let
+  pname = "diffutils";
+  # last version that can be built by tinycc-musl 0.9.27
+  version = "3.8";
+
+  src = fetchurl {
+    url = "mirror://gnu/diffutils/diffutils-${version}.tar.xz";
+    hash = "sha256-pr3X0bMSZtEcT03mwbdI1GB6sCMa9RiPwlM9CuJDj+w=";
+  };
+in
+bash.runCommand "${pname}-${version}" {
+  inherit pname version;
+
+  nativeBuildInputs = [
+    tinycc.compiler
+    gnumake
+    gnused
+    gnugrep
+    gawk
+    gnutar
+    xz
+  ];
+
+  passthru.tests.get-version = result:
+    bash.runCommand "${pname}-get-version-${version}" {} ''
+      ${result}/bin/diff --version
+      mkdir $out
+    '';
+
+  meta = with lib; {
+    description = "Commands for showing the differences between files (diff, cmp, etc.)";
+    homepage = "https://www.gnu.org/software/diffutils/diffutils.html";
+    license = licenses.gpl3Only;
+    maintainers = teams.minimal-bootstrap.members;
+    platforms = platforms.unix;
+  };
+} ''
+  # Unpack
+  cp ${src} diffutils.tar.xz
+  unxz diffutils.tar.xz
+  tar xf diffutils.tar
+  rm diffutils.tar
+  cd diffutils-${version}
+
+  # Configure
+  export CC="tcc -B ${tinycc.libs}/lib"
+  export LD=tcc
+  bash ./configure \
+    --prefix=$out \
+    --build=${buildPlatform.config} \
+    --host=${hostPlatform.config}
+
+  # Build
+  make -j $NIX_BUILD_CORES AR="tcc -ar"
+
+  # Install
+  make -j $NIX_BUILD_CORES install
+''
diff --git a/nixpkgs/pkgs/os-specific/linux/minimal-bootstrap/findutils/default.nix b/nixpkgs/pkgs/os-specific/linux/minimal-bootstrap/findutils/default.nix
new file mode 100644
index 000000000000..97418d218fb9
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/minimal-bootstrap/findutils/default.nix
@@ -0,0 +1,75 @@
+{ lib
+, buildPlatform
+, hostPlatform
+, fetchurl
+, bash
+, tinycc
+, gnumake
+, gnugrep
+, gnused
+, gawk
+, gnutar
+, xz
+}:
+let
+  pname = "findutils";
+  version = "4.9.0";
+
+  src = fetchurl {
+    url = "mirror://gnu/findutils/findutils-${version}.tar.xz";
+    hash = "sha256-or+4wJ1DZ3DtxZ9Q+kg+eFsWGjt7nVR1c8sIBl/UYv4=";
+  };
+in
+bash.runCommand "${pname}-${version}" {
+  inherit pname version;
+
+  nativeBuildInputs = [
+    tinycc.compiler
+    gnumake
+    gnused
+    gnugrep
+    gawk
+    gnutar
+    xz
+  ];
+
+  passthru.tests.get-version = result:
+    bash.runCommand "${pname}-get-version-${version}" {} ''
+      ${result}/bin/find --version
+      mkdir $out
+    '';
+
+  meta = with lib; {
+    description = "GNU Find Utilities, the basic directory searching utilities of the GNU operating system";
+    homepage = "https://www.gnu.org/software/findutils";
+    license = licenses.gpl3Plus;
+    maintainers = teams.minimal-bootstrap.members;
+    platforms = platforms.unix;
+  };
+} ''
+  # Unpack
+  cp ${src} findutils.tar.xz
+  unxz findutils.tar.xz
+  tar xf findutils.tar
+  rm findutils.tar
+  cd findutils-${version}
+
+  # Patch
+  # configure fails to accurately detect PATH_MAX support
+  sed -i 's/chdir_long/chdir/' gl/lib/save-cwd.c
+
+  # Configure
+  export CC="tcc -B ${tinycc.libs}/lib"
+  export AR="tcc -ar"
+  export LD=tcc
+  bash ./configure \
+    --prefix=$out \
+    --build=${buildPlatform.config} \
+    --host=${hostPlatform.config}
+
+  # Build
+  make -j $NIX_BUILD_CORES
+
+  # Install
+  make -j $NIX_BUILD_CORES install
+''
diff --git a/nixpkgs/pkgs/os-specific/linux/minimal-bootstrap/gawk/common.nix b/nixpkgs/pkgs/os-specific/linux/minimal-bootstrap/gawk/common.nix
new file mode 100644
index 000000000000..d95c66d86337
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/minimal-bootstrap/gawk/common.nix
@@ -0,0 +1,11 @@
+{ lib }:
+
+{
+  meta = with lib; {
+    description = "GNU implementation of the Awk programming language";
+    homepage = "https://www.gnu.org/software/gawk";
+    license = licenses.gpl3Plus;
+    maintainers = teams.minimal-bootstrap.members;
+    platforms = platforms.unix;
+  };
+}
diff --git a/nixpkgs/pkgs/os-specific/linux/minimal-bootstrap/gawk/default.nix b/nixpkgs/pkgs/os-specific/linux/minimal-bootstrap/gawk/default.nix
new file mode 100644
index 000000000000..879b98bf00c5
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/minimal-bootstrap/gawk/default.nix
@@ -0,0 +1,61 @@
+{ lib
+, buildPlatform
+, hostPlatform
+, fetchurl
+, bash
+, tinycc
+, gnumake
+, gnugrep
+, gnused
+, gnutar
+, gzip
+, bootGawk
+}:
+let
+  inherit (import ./common.nix { inherit lib; }) meta;
+  pname = "gawk";
+  version = "5.2.2";
+
+  src = fetchurl {
+    url = "mirror://gnu/gawk/gawk-${version}.tar.gz";
+    hash = "sha256-lFrvfM/xAfILIqEIArwAXplKsrjqPnJMwaGXxi9B9lA=";
+  };
+in
+bash.runCommand "${pname}-${version}" {
+  inherit pname version meta;
+
+  nativeBuildInputs = [
+    tinycc.compiler
+    gnumake
+    gnused
+    gnugrep
+    gnutar
+    gzip
+    bootGawk
+  ];
+
+  passthru.tests.get-version = result:
+    bash.runCommand "${pname}-get-version-${version}" {} ''
+      ${result}/bin/awk --version
+      mkdir $out
+    '';
+} ''
+  # Unpack
+  tar xzf ${src}
+  cd gawk-${version}
+
+  # Configure
+  export CC="tcc -B ${tinycc.libs}/lib"
+  export AR="tcc -ar"
+  export LD=tcc
+  bash ./configure \
+    --prefix=$out \
+    --build=${buildPlatform.config} \
+    --host=${hostPlatform.config}
+
+  # Build
+  make -j $NIX_BUILD_CORES
+
+  # Install
+  make -j $NIX_BUILD_CORES install
+''
diff --git a/nixpkgs/pkgs/os-specific/linux/minimal-bootstrap/gawk/mes.nix b/nixpkgs/pkgs/os-specific/linux/minimal-bootstrap/gawk/mes.nix
new file mode 100644
index 000000000000..c14399309306
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/minimal-bootstrap/gawk/mes.nix
@@ -0,0 +1,70 @@
+{ lib
+, buildPlatform
+, hostPlatform
+, fetchurl
+, bash
+, tinycc
+, gnumake
+, gnupatch
+, gnused
+, gnugrep
+}:
+let
+  inherit (import ./common.nix { inherit lib; }) meta;
+  pname = "gawk-mes";
+  # >=3.1.x is incompatible with mes-libc
+  version = "3.0.6";
+
+  src = fetchurl {
+    url = "mirror://gnu/gawk/gawk-${version}.tar.gz";
+    sha256 = "1z4bibjm7ldvjwq3hmyifyb429rs2d9bdwkvs0r171vv1khpdwmb";
+  };
+
+  patches = [
+    # for reproducibility don't generate date stamp
+    ./no-stamp.patch
+  ];
+in
+bash.runCommand "${pname}-${version}" {
+  inherit pname version meta;
+
+  nativeBuildInputs = [
+    tinycc.compiler
+    gnumake
+    gnupatch
+    gnused
+    gnugrep
+  ];
+
+  passthru.tests.get-version = result:
+    bash.runCommand "${pname}-get-version-${version}" {} ''
+      ${result}/bin/awk --version
+      mkdir $out
+    '';
+} ''
+  # Unpack
+  ungz --file ${src} --output gawk.tar
+  untar --file gawk.tar
+  rm gawk.tar
+  cd gawk-${version}
+
+  # Patch
+  ${lib.concatMapStringsSep "\n" (f: "patch -Np0 -i ${f}") patches}
+
+  # Configure
+  export CC="tcc -B ${tinycc.libs}/lib"
+  export ac_cv_func_getpgrp_void=yes
+  export ac_cv_func_tzset=yes
+  bash ./configure \
+    --build=${buildPlatform.config} \
+    --host=${hostPlatform.config} \
+    --disable-nls \
+    --prefix=$out
+
+  # Build
+  make gawk
+
+  # Install
+  install -D gawk $out/bin/gawk
+  ln -s gawk $out/bin/awk
+''
diff --git a/nixpkgs/pkgs/os-specific/linux/minimal-bootstrap/gawk/no-stamp.patch b/nixpkgs/pkgs/os-specific/linux/minimal-bootstrap/gawk/no-stamp.patch
new file mode 100644
index 000000000000..74af25ba2106
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/minimal-bootstrap/gawk/no-stamp.patch
@@ -0,0 +1,10 @@
+--- configure
++++ configure
+@@ -3676,7 +3676,6 @@ cat >> $CONFIG_STATUS <<EOF
+ 
+ EOF
+ cat >> $CONFIG_STATUS <<\EOF
+-date > stamp-h
+ exit 0
+ EOF
+ chmod +x $CONFIG_STATUS
diff --git a/nixpkgs/pkgs/os-specific/linux/minimal-bootstrap/gcc/4.6.cxx.nix b/nixpkgs/pkgs/os-specific/linux/minimal-bootstrap/gcc/4.6.cxx.nix
new file mode 100644
index 000000000000..277c5e82cc3d
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/minimal-bootstrap/gcc/4.6.cxx.nix
@@ -0,0 +1,140 @@
+{ lib
+, buildPlatform
+, hostPlatform
+, fetchurl
+, bash
+, coreutils
+, gcc
+, musl
+, binutils
+, gnumake
+, gnupatch
+, gnused
+, gnugrep
+, gawk
+, diffutils
+, findutils
+, gnutar
+, gzip
+}:
+let
+  pname = "gcc-cxx";
+  version = "4.6.4";
+
+  src = fetchurl {
+    url = "mirror://gnu/gcc/gcc-${version}/gcc-core-${version}.tar.gz";
+    sha256 = "173kdb188qg79pcz073cj9967rs2vzanyjdjyxy9v0xb0p5sad75";
+  };
+
+  ccSrc = fetchurl {
+    url = "mirror://gnu/gcc/gcc-${version}/gcc-g++-${version}.tar.gz";
+    sha256 = "1fqqk5zkmdg4vmqzdmip9i42q6b82i3f6yc0n86n9021cr7ms2k9";
+  };
+
+  gmpVersion = "4.3.2";
+  gmp = fetchurl {
+    url = "mirror://gnu/gmp/gmp-${gmpVersion}.tar.gz";
+    sha256 = "15rwq54fi3s11izas6g985y9jklm3xprfsmym3v1g6xr84bavqvv";
+  };
+
+  mpfrVersion = "2.4.2";
+  mpfr = fetchurl {
+    url = "mirror://gnu/mpfr/mpfr-${mpfrVersion}.tar.gz";
+    sha256 = "0dxn4904dra50xa22hi047lj8kkpr41d6vb9sd4grca880c7wv94";
+  };
+
+  mpcVersion = "1.0.3";
+  mpc = fetchurl {
+    url = "mirror://gnu/mpc/mpc-${mpcVersion}.tar.gz";
+    sha256 = "1hzci2zrrd7v3g1jk35qindq05hbl0bhjcyyisq9z209xb3fqzb1";
+  };
+
+  patches = [
+    # Remove hardcoded NATIVE_SYSTEM_HEADER_DIR
+    ./no-system-headers.patch
+  ];
+in
+bash.runCommand "${pname}-${version}" {
+  inherit pname version;
+
+  nativeBuildInputs = [
+    gcc
+    binutils
+    gnumake
+    gnupatch
+    gnused
+    gnugrep
+    gawk
+    diffutils
+    findutils
+    gnutar
+    gzip
+  ];
+
+  passthru.tests.hello-world = result:
+    bash.runCommand "${pname}-simple-program-${version}" {
+        nativeBuildInputs = [ binutils musl result ];
+      } ''
+        cat <<EOF >> test.c
+        #include <stdio.h>
+        int main() {
+          printf("Hello World!\n");
+          return 0;
+        }
+        EOF
+        musl-gcc -o test test.c
+        ./test
+        mkdir $out
+      '';
+
+  meta = with lib; {
+    description = "GNU Compiler Collection, version ${version}";
+    homepage = "https://gcc.gnu.org";
+    license = licenses.gpl3Plus;
+    maintainers = teams.minimal-bootstrap.members;
+    platforms = platforms.unix;
+  };
+} ''
+  # Unpack
+  tar xzf ${src}
+  tar xzf ${ccSrc}
+  tar xzf ${gmp}
+  tar xzf ${mpfr}
+  tar xzf ${mpc}
+  cd gcc-${version}
+
+  ln -s ../gmp-${gmpVersion} gmp
+  ln -s ../mpfr-${mpfrVersion} mpfr
+  ln -s ../mpc-${mpcVersion} mpc
+
+  # Patch
+  ${lib.concatMapStringsSep "\n" (f: "patch -Np1 -i ${f}") patches}
+  # doesn't recognise musl
+  sed -i 's|"os/gnu-linux"|"os/generic"|' libstdc++-v3/configure.host
+
+  # Configure
+  export CC="gcc -Wl,-dynamic-linker -Wl,${musl}/lib/libc.so"
+  export CFLAGS_FOR_TARGET="-Wl,-dynamic-linker -Wl,${musl}/lib/libc.so"
+  export C_INCLUDE_PATH="${musl}/include"
+  export CPLUS_INCLUDE_PATH="$C_INCLUDE_PATH"
+  export LIBRARY_PATH="${musl}/lib"
+
+  bash ./configure \
+    --prefix=$out \
+    --build=${buildPlatform.config} \
+    --host=${hostPlatform.config} \
+    --with-native-system-header-dir=${musl}/include \
+    --with-build-sysroot=${musl} \
+    --enable-languages=c,c++ \
+    --disable-bootstrap \
+    --disable-libmudflap \
+    --disable-libstdcxx-pch \
+    --disable-lto \
+    --disable-multilib
+
+  # Build
+  make -j $NIX_BUILD_CORES
+
+  # Install
+  make -j $NIX_BUILD_CORES install
+''
diff --git a/nixpkgs/pkgs/os-specific/linux/minimal-bootstrap/gcc/4.6.nix b/nixpkgs/pkgs/os-specific/linux/minimal-bootstrap/gcc/4.6.nix
new file mode 100644
index 000000000000..8b56dff58829
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/minimal-bootstrap/gcc/4.6.nix
@@ -0,0 +1,145 @@
+{ lib
+, buildPlatform
+, hostPlatform
+, fetchurl
+, bash
+, tinycc
+, binutils
+, gnumake
+, gnupatch
+, gnused
+, gnugrep
+, gawk
+, diffutils
+, findutils
+, gnutar
+, gzip
+}:
+let
+  pname = "gcc";
+  version = "4.6.4";
+
+  src = fetchurl {
+    url = "mirror://gnu/gcc/gcc-${version}/gcc-core-${version}.tar.gz";
+    sha256 = "173kdb188qg79pcz073cj9967rs2vzanyjdjyxy9v0xb0p5sad75";
+  };
+
+  ccSrc = fetchurl {
+    url = "mirror://gnu/gcc/gcc-${version}/gcc-g++-${version}.tar.gz";
+    sha256 = "1fqqk5zkmdg4vmqzdmip9i42q6b82i3f6yc0n86n9021cr7ms2k9";
+  };
+
+  gmpVersion = "4.3.2";
+  gmp = fetchurl {
+    url = "mirror://gnu/gmp/gmp-${gmpVersion}.tar.gz";
+    sha256 = "15rwq54fi3s11izas6g985y9jklm3xprfsmym3v1g6xr84bavqvv";
+  };
+
+  mpfrVersion = "2.4.2";
+  mpfr = fetchurl {
+    url = "mirror://gnu/mpfr/mpfr-${mpfrVersion}.tar.gz";
+    sha256 = "0dxn4904dra50xa22hi047lj8kkpr41d6vb9sd4grca880c7wv94";
+  };
+
+  mpcVersion = "1.0.3";
+  mpc = fetchurl {
+    url = "mirror://gnu/mpc/mpc-${mpcVersion}.tar.gz";
+    sha256 = "1hzci2zrrd7v3g1jk35qindq05hbl0bhjcyyisq9z209xb3fqzb1";
+  };
+
+  patches = [
+    # Remove hardcoded NATIVE_SYSTEM_HEADER_DIR
+    ./no-system-headers.patch
+  ];
+in
+bash.runCommand "${pname}-${version}" {
+  inherit pname version;
+
+  nativeBuildInputs = [
+    tinycc.compiler
+    binutils
+    gnumake
+    gnupatch
+    gnused
+    gnugrep
+    gawk
+    diffutils
+    findutils
+    gnutar
+    gzip
+  ];
+
+  passthru.tests.get-version = result:
+    bash.runCommand "${pname}-get-version-${version}" {} ''
+      ${result}/bin/gcc --version
+      mkdir $out
+    '';
+
+  meta = with lib; {
+    description = "GNU Compiler Collection, version ${version}";
+    homepage = "https://gcc.gnu.org";
+    license = licenses.gpl3Plus;
+    maintainers = teams.minimal-bootstrap.members;
+    platforms = platforms.unix;
+  };
+} ''
+  # Unpack
+  tar xzf ${src}
+  tar xzf ${ccSrc}
+  tar xzf ${gmp}
+  tar xzf ${mpfr}
+  tar xzf ${mpc}
+  cd gcc-${version}
+
+  ln -s ../gmp-${gmpVersion} gmp
+  ln -s ../mpfr-${mpfrVersion} mpfr
+  ln -s ../mpc-${mpcVersion} mpc
+
+  # Patch
+  ${lib.concatMapStringsSep "\n" (f: "patch -Np1 -i ${f}") patches}
+
+  # Configure
+  export CC="tcc -B ${tinycc.libs}/lib"
+  export C_INCLUDE_PATH="${tinycc.libs}/include:$(pwd)/mpfr/src"
+  export CPLUS_INCLUDE_PATH="$C_INCLUDE_PATH"
+
+  # Avoid "Link tests are not allowed after GCC_NO_EXECUTABLES"
+  export lt_cv_shlibpath_overrides_runpath=yes
+  export ac_cv_func_memcpy=yes
+  export ac_cv_func_strerror=yes
+
+  bash ./configure \
+    --prefix=$out \
+    --build=${buildPlatform.config} \
+    --host=${hostPlatform.config} \
+    --with-native-system-header-dir=${tinycc.libs}/include \
+    --with-build-sysroot=${tinycc.libs}/include \
+    --disable-bootstrap \
+    --disable-decimal-float \
+    --disable-libatomic \
+    --disable-libcilkrts \
+    --disable-libgomp \
+    --disable-libitm \
+    --disable-libmudflap \
+    --disable-libquadmath \
+    --disable-libsanitizer \
+    --disable-libssp \
+    --disable-libvtv \
+    --disable-lto \
+    --disable-lto-plugin \
+    --disable-multilib \
+    --disable-plugin \
+    --disable-threads \
+    --enable-languages=c \
+    --enable-static \
+    --disable-shared \
+    --enable-threads=single \
+    --disable-libstdcxx-pch \
+    --disable-build-with-cxx
+
+  # Build
+  make -j $NIX_BUILD_CORES
+
+  # Install
+  make -j $NIX_BUILD_CORES install
+''
diff --git a/nixpkgs/pkgs/os-specific/linux/minimal-bootstrap/gcc/8.nix b/nixpkgs/pkgs/os-specific/linux/minimal-bootstrap/gcc/8.nix
new file mode 100644
index 000000000000..ea9fdaf8854a
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/minimal-bootstrap/gcc/8.nix
@@ -0,0 +1,141 @@
+{ lib
+, buildPlatform
+, hostPlatform
+, fetchurl
+, bash
+, coreutils
+, gcc
+, musl
+, binutils
+, gnumake
+, gnused
+, gnugrep
+, gawk
+, diffutils
+, findutils
+, gnutar
+, gzip
+, bzip2
+, xz
+}:
+let
+  pname = "gcc";
+  version = "8.5.0";
+
+  src = fetchurl {
+    url = "mirror://gnu/gcc/gcc-${version}/gcc-${version}.tar.xz";
+    hash = "sha256-0wiEGlEbuDCmEAOXsAQtskzhH2Qtq26m7kSELlMl7VA=";
+  };
+
+  # last version to compile with gcc 4.6
+  gmpVersion = "6.2.1";
+  gmp = fetchurl {
+    url = "mirror://gnu/gmp/gmp-${gmpVersion}.tar.xz";
+    hash = "sha256-/UgpkSzd0S+EGBw0Ucx1K+IkZD6H+sSXtp7d2txJtPI=";
+  };
+
+  mpfrVersion = "4.2.1";
+  mpfr = fetchurl {
+    url = "mirror://gnu/mpfr/mpfr-${mpfrVersion}.tar.xz";
+    hash = "sha256-J3gHNTpnJpeJlpRa8T5Sgp46vXqaW3+yeTiU4Y8fy7I=";
+  };
+
+  mpcVersion = "1.3.1";
+  mpc = fetchurl {
+    url = "mirror://gnu/mpc/mpc-${mpcVersion}.tar.gz";
+    hash = "sha256-q2QkkvXPiCt0qgy3MM1BCoHtzb7IlRg86TDnBsHHWbg=";
+  };
+
+  islVersion = "0.24";
+  isl = fetchurl {
+    url = "https://gcc.gnu.org/pub/gcc/infrastructure/isl-${islVersion}.tar.bz2";
+    hash = "sha256-/PeN2WVsEOuM+fvV9ZoLawE4YgX+GTSzsoegoYmBRcA=";
+  };
+in
+bash.runCommand "${pname}-${version}" {
+  inherit pname version;
+
+  nativeBuildInputs = [
+    gcc
+    binutils
+    gnumake
+    gnused
+    gnugrep
+    gawk
+    diffutils
+    findutils
+    gnutar
+    gzip
+    bzip2
+    xz
+  ];
+
+  passthru.tests.hello-world = result:
+    bash.runCommand "${pname}-simple-program-${version}" {
+        nativeBuildInputs = [ binutils musl result ];
+      } ''
+        cat <<EOF >> test.c
+        #include <stdio.h>
+        int main() {
+          printf("Hello World!\n");
+          return 0;
+        }
+        EOF
+        musl-gcc -o test test.c
+        ./test
+        mkdir $out
+      '';
+
+  meta = with lib; {
+    description = "GNU Compiler Collection, version ${version}";
+    homepage = "https://gcc.gnu.org";
+    license = licenses.gpl3Plus;
+    maintainers = teams.minimal-bootstrap.members;
+    platforms = platforms.unix;
+  };
+} ''
+  # Unpack
+  tar xf ${src}
+  tar xf ${gmp}
+  tar xf ${mpfr}
+  tar xf ${mpc}
+  tar xf ${isl}
+  cd gcc-${version}
+
+  ln -s ../gmp-${gmpVersion} gmp
+  ln -s ../mpfr-${mpfrVersion} mpfr
+  ln -s ../mpc-${mpcVersion} mpc
+  ln -s ../isl-${islVersion} isl
+
+  # Patch
+  # doesn't recognise musl
+  sed -i 's|"os/gnu-linux"|"os/generic"|' libstdc++-v3/configure.host
+
+  # Configure
+  export CC="gcc -Wl,-dynamic-linker -Wl,${musl}/lib/libc.so"
+  export CXX="g++ -Wl,-dynamic-linker -Wl,${musl}/lib/libc.so"
+  export CFLAGS_FOR_TARGET="-Wl,-dynamic-linker -Wl,${musl}/lib/libc.so"
+  export C_INCLUDE_PATH="${musl}/include"
+  export CPLUS_INCLUDE_PATH="$C_INCLUDE_PATH"
+  export LIBRARY_PATH="${musl}/lib"
+
+  bash ./configure \
+    --prefix=$out \
+    --build=${buildPlatform.config} \
+    --host=${hostPlatform.config} \
+    --with-native-system-header-dir=/include \
+    --with-sysroot=${musl} \
+    --enable-languages=c,c++ \
+    --disable-bootstrap \
+    --disable-libmpx \
+    --disable-libsanitizer \
+    --disable-lto \
+    --disable-multilib \
+    --disable-plugin
+
+  # Build
+  make -j $NIX_BUILD_CORES
+
+  # Install
+  make -j $NIX_BUILD_CORES install-strip
+''
diff --git a/nixpkgs/pkgs/os-specific/linux/minimal-bootstrap/gcc/latest.nix b/nixpkgs/pkgs/os-specific/linux/minimal-bootstrap/gcc/latest.nix
new file mode 100644
index 000000000000..fba3b731a004
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/minimal-bootstrap/gcc/latest.nix
@@ -0,0 +1,137 @@
+{ lib
+, buildPlatform
+, hostPlatform
+, fetchurl
+, bash
+, coreutils
+, gcc
+, musl
+, binutils
+, gnumake
+, gnused
+, gnugrep
+, gawk
+, diffutils
+, findutils
+, gnutar
+, gzip
+, bzip2
+, xz
+}:
+let
+  pname = "gcc";
+  version = "13.2.0";
+
+  src = fetchurl {
+    url = "mirror://gnu/gcc/gcc-${version}/gcc-${version}.tar.xz";
+    hash = "sha256-4nXnZEKmBnNBon8Exca4PYYTFEAEwEE1KIY9xrXHQ9o=";
+  };
+
+  gmpVersion = "6.3.0";
+  gmp = fetchurl {
+    url = "mirror://gnu/gmp/gmp-${gmpVersion}.tar.xz";
+    hash = "sha256-o8K4AgG4nmhhb0rTC8Zq7kknw85Q4zkpyoGdXENTiJg=";
+  };
+
+  mpfrVersion = "4.2.1";
+  mpfr = fetchurl {
+    url = "mirror://gnu/mpfr/mpfr-${mpfrVersion}.tar.xz";
+    hash = "sha256-J3gHNTpnJpeJlpRa8T5Sgp46vXqaW3+yeTiU4Y8fy7I=";
+  };
+
+  mpcVersion = "1.3.1";
+  mpc = fetchurl {
+    url = "mirror://gnu/mpc/mpc-${mpcVersion}.tar.gz";
+    hash = "sha256-q2QkkvXPiCt0qgy3MM1BCoHtzb7IlRg86TDnBsHHWbg=";
+  };
+
+  islVersion = "0.24";
+  isl = fetchurl {
+    url = "https://gcc.gnu.org/pub/gcc/infrastructure/isl-${islVersion}.tar.bz2";
+    hash = "sha256-/PeN2WVsEOuM+fvV9ZoLawE4YgX+GTSzsoegoYmBRcA=";
+  };
+in
+bash.runCommand "${pname}-${version}" {
+  inherit pname version;
+
+  nativeBuildInputs = [
+    gcc
+    binutils
+    gnumake
+    gnused
+    gnugrep
+    gawk
+    diffutils
+    findutils
+    gnutar
+    gzip
+    bzip2
+    xz
+  ];
+
+  passthru.tests.hello-world = result:
+    bash.runCommand "${pname}-simple-program-${version}" {
+        nativeBuildInputs = [ binutils musl result ];
+      } ''
+        cat <<EOF >> test.c
+        #include <stdio.h>
+        int main() {
+          printf("Hello World!\n");
+          return 0;
+        }
+        EOF
+        musl-gcc -o test test.c
+        ./test
+        mkdir $out
+      '';
+
+  meta = with lib; {
+    description = "GNU Compiler Collection, version ${version}";
+    homepage = "https://gcc.gnu.org";
+    license = licenses.gpl3Plus;
+    maintainers = teams.minimal-bootstrap.members;
+    platforms = platforms.unix;
+  };
+} ''
+  # Unpack
+  tar xf ${src}
+  tar xf ${gmp}
+  tar xf ${mpfr}
+  tar xf ${mpc}
+  tar xf ${isl}
+  cd gcc-${version}
+
+  ln -s ../gmp-${gmpVersion} gmp
+  ln -s ../mpfr-${mpfrVersion} mpfr
+  ln -s ../mpc-${mpcVersion} mpc
+  ln -s ../isl-${islVersion} isl
+
+  # Patch
+  # force musl even if host triple is gnu
+  sed -i 's|"os/gnu-linux"|"os/generic"|' libstdc++-v3/configure.host
+
+  # Configure
+  export CC="gcc -Wl,-dynamic-linker -Wl,${musl}/lib/libc.so"
+  export CXX="g++ -Wl,-dynamic-linker -Wl,${musl}/lib/libc.so"
+  export CFLAGS_FOR_TARGET="-Wl,-dynamic-linker -Wl,${musl}/lib/libc.so"
+  export LIBRARY_PATH="${musl}/lib"
+
+  bash ./configure \
+    --prefix=$out \
+    --build=${buildPlatform.config} \
+    --host=${hostPlatform.config} \
+    --with-native-system-header-dir=/include \
+    --with-sysroot=${musl} \
+    --enable-languages=c,c++ \
+    --disable-bootstrap \
+    --disable-libsanitizer \
+    --disable-lto \
+    --disable-multilib \
+    --disable-plugin
+
+  # Build
+  make -j $NIX_BUILD_CORES
+
+  # Install
+  make -j $NIX_BUILD_CORES install-strip
+''
diff --git a/nixpkgs/pkgs/os-specific/linux/minimal-bootstrap/gcc/no-system-headers.patch b/nixpkgs/pkgs/os-specific/linux/minimal-bootstrap/gcc/no-system-headers.patch
new file mode 100644
index 000000000000..318553bf916b
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/minimal-bootstrap/gcc/no-system-headers.patch
@@ -0,0 +1,11 @@
+--- a/gcc/Makefile.in
++++ b/gcc/Makefile.in
+@@ -440,7 +440,7 @@ LINKER_PLUGIN_API_H = $(srcdir)/../include/plugin-api.h
+ LTO_SYMTAB_H = $(srcdir)/../include/lto-symtab.h
+ 
+ # Default native SYSTEM_HEADER_DIR, to be overridden by targets.
+-NATIVE_SYSTEM_HEADER_DIR = /usr/include
++# NATIVE_SYSTEM_HEADER_DIR = /usr/include
+ # Default cross SYSTEM_HEADER_DIR, to be overridden by targets.
+ CROSS_SYSTEM_HEADER_DIR = @CROSS_SYSTEM_HEADER_DIR@
+ 
diff --git a/nixpkgs/pkgs/os-specific/linux/minimal-bootstrap/gnugrep/default.nix b/nixpkgs/pkgs/os-specific/linux/minimal-bootstrap/gnugrep/default.nix
new file mode 100644
index 000000000000..b2899961dfa2
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/minimal-bootstrap/gnugrep/default.nix
@@ -0,0 +1,60 @@
+{ lib
+, fetchurl
+, bash
+, tinycc
+, gnumake
+}:
+let
+  pname = "gnugrep";
+  version = "2.4";
+
+  src = fetchurl {
+    url = "mirror://gnu/grep/grep-${version}.tar.gz";
+    sha256 = "05iayw5sfclc476vpviz67hdy03na0pz2kb5csa50232nfx34853";
+  };
+
+  # Thanks to the live-bootstrap project!
+  # See https://github.com/fosslinux/live-bootstrap/blob/1bc4296091c51f53a5598050c8956d16e945b0f5/sysa/grep-2.4
+  makefile = fetchurl {
+    url = "https://github.com/fosslinux/live-bootstrap/raw/1bc4296091c51f53a5598050c8956d16e945b0f5/sysa/grep-2.4/mk/main.mk";
+    sha256 = "08an9ljlqry3p15w28hahm6swnd3jxizsd2188przvvsj093j91k";
+  };
+in
+bash.runCommand "${pname}-${version}" {
+  inherit pname version;
+
+  nativeBuildInputs = [
+    tinycc.compiler
+    gnumake
+  ];
+
+  passthru.tests.get-version = result:
+    bash.runCommand "${pname}-get-version-${version}" {} ''
+      ${result}/bin/grep --version
+      mkdir ''${out}
+    '';
+
+  meta = with lib; {
+    description = "GNU implementation of the Unix grep command";
+    homepage = "https://www.gnu.org/software/grep";
+    license = licenses.gpl3Plus;
+    maintainers = teams.minimal-bootstrap.members;
+    mainProgram = "grep";
+    platforms = platforms.unix;
+  };
+} ''
+  # Unpack
+  ungz --file ${src} --output grep.tar
+  untar --file grep.tar
+  rm grep.tar
+  cd grep-${version}
+
+  # Configure
+  cp ${makefile} Makefile
+
+  # Build
+  make CC="tcc -B ${tinycc.libs}/lib"
+
+  # Install
+  make install PREFIX=$out
+''
diff --git a/nixpkgs/pkgs/os-specific/linux/minimal-bootstrap/gnumake/0001-No-impure-bin-sh.patch b/nixpkgs/pkgs/os-specific/linux/minimal-bootstrap/gnumake/0001-No-impure-bin-sh.patch
new file mode 100644
index 000000000000..58ee2d6fe09b
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/minimal-bootstrap/gnumake/0001-No-impure-bin-sh.patch
@@ -0,0 +1,35 @@
+From e00a5257a6ca5fedbf68b09eee7df3502971a057 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?J=C3=B6rg=20Thalheim?= <joerg@thalheim.io>
+Date: Sat, 24 Apr 2021 10:11:40 +0200
+Subject: [PATCH 1/2] No impure bin sh
+
+default_shell is used to populuate default shell used to execute jobs.
+Unless SHELL is set to a different value this would be /bin/sh.
+Our stdenv provides sh in form of bash anyway. Having this value not
+hard-coded has some advantages:
+
+- It would ensure that on all systems it uses sh from its PATH rather
+  than /bin/sh, which helps as different systems might have different
+  shells there (bash vs. dash)
+- In the past I had issues with LD_PRELOAD with BEAR, where /bin/sh
+  used a different glibc than BEAR which came from my development shell.
+---
+ src/job.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/job.c b/src/job.c
+index ae1f18b..6b4ddb3 100644
+--- a/src/job.c
++++ b/src/job.c
+@@ -77,7 +77,7 @@ char * vms_strsignal (int status);
+ 
+ #else
+ 
+-const char *default_shell = "/bin/sh";
++const char *default_shell = "sh";
+ int batch_mode_shell = 0;
+ 
+ #endif
+-- 
+2.31.1
+
diff --git a/nixpkgs/pkgs/os-specific/linux/minimal-bootstrap/gnumake/0002-remove-impure-dirs.patch b/nixpkgs/pkgs/os-specific/linux/minimal-bootstrap/gnumake/0002-remove-impure-dirs.patch
new file mode 100644
index 000000000000..e62aee7d9993
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/minimal-bootstrap/gnumake/0002-remove-impure-dirs.patch
@@ -0,0 +1,40 @@
+From 795d63d3c8b5c0dbb7e544954f75507b371b7228 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?J=C3=B6rg=20Thalheim?= <joerg@thalheim.io>
+Date: Sat, 24 Apr 2021 10:20:16 +0200
+Subject: [PATCH 2/2] remove impure dirs
+
+---
+ src/read.c   | 3 ---
+ src/remake.c | 2 --
+ 2 files changed, 5 deletions(-)
+
+diff --git a/src/read.c b/src/read.c
+index fa197fb..defacfb 100644
+--- a/src/read.c
++++ b/src/read.c
+@@ -109,9 +109,6 @@ static const char *default_include_directories[] =
+ #endif
+     INCLUDEDIR,
+ #ifndef _AMIGA
+-    "/usr/gnu/include",
+-    "/usr/local/include",
+-    "/usr/include",
+ #endif
+     0
+   };
+diff --git a/src/remake.c b/src/remake.c
+index fb237c5..94bff7d 100644
+--- a/src/remake.c
++++ b/src/remake.c
+@@ -1601,8 +1601,6 @@ library_search (const char *lib, FILE_TIMESTAMP *mtime_ptr)
+   static const char *dirs[] =
+     {
+ #ifndef _AMIGA
+-      "/lib",
+-      "/usr/lib",
+ #endif
+ #if defined(WINDOWS32) && !defined(LIBDIR)
+ /*
+-- 
+2.31.1
+
diff --git a/nixpkgs/pkgs/os-specific/linux/minimal-bootstrap/gnumake/0003-tinycc-support.patch b/nixpkgs/pkgs/os-specific/linux/minimal-bootstrap/gnumake/0003-tinycc-support.patch
new file mode 100644
index 000000000000..e2e3f3395153
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/minimal-bootstrap/gnumake/0003-tinycc-support.patch
@@ -0,0 +1,58 @@
+diff --git a/src/dir.c b/src/dir.c
+index 3e94b98..cfaa6a2 100644
+--- a/src/dir.c
++++ b/src/dir.c
+@@ -1331,10 +1331,9 @@ local_stat (const char *path, struct stat *buf)
+ 
+ /* Similarly for lstat.  */
+ #if !defined(lstat) && !defined(WINDOWS32) || defined(VMS)
+-# ifndef VMS
+-#  ifndef HAVE_SYS_STAT_H
++// mes-libc implements but does not declare lstat
++# if (!defined(VMS) && !defined(HAVE_SYS_STAT_H)) || defined(__TINYC__)
+ int lstat (const char *path, struct stat *sbuf);
+-#  endif
+ # else
+     /* We are done with the fake lstat.  Go back to the real lstat */
+ #   ifdef lstat
+diff --git a/src/job.c b/src/job.c
+index ea88561..8388a82 100644
+--- a/src/job.c
++++ b/src/job.c
+@@ -2052,7 +2052,8 @@ job_next_command (struct child *child)
+ static int
+ load_too_high (void)
+ {
+-#if defined(__MSDOS__) || defined(VMS) || defined(_AMIGA) || defined(__riscos__)
++// mes-libc does not support getloadavg
++#if defined(__MSDOS__) || defined(VMS) || defined(_AMIGA) || defined(__riscos__) || defined (__TINYC__)
+   return 1;
+ #else
+   static double last_sec;
+diff --git a/src/main.c b/src/main.c
+index a9d3a64..664d40f 100644
+--- a/src/main.c
++++ b/src/main.c
+@@ -2770,7 +2770,7 @@ main (int argc, char **argv, char **envp)
+               char *b = alloca (40);
+               sprintf (b, "MAKE_RESTARTS=%s%u",
+                        OUTPUT_IS_TRACED () ? "-" : "", restarts);
+-              putenv (b);
++              // mes-libc does not support putenv
+             }
+ 
+           fflush (stdout);
+diff --git a/src/misc.c b/src/misc.c
+index eb14f40..bffca82 100644
+--- a/src/misc.c
++++ b/src/misc.c
+@@ -653,7 +653,8 @@ get_tmppath ()
+ 
+ # ifdef HAVE_MKTEMP
+   path = get_tmptemplate ();
+-  if (*mktemp (path) == '\0')
++  // tinycc: "src/misc.c:656: error: pointer expected"
++  if (!strcmp(mktemp (path), ""))
+     {
+       OSS (error, NILF,
+            _("cannot generate temp path from %s: %s"), path, strerror (errno));
diff --git a/nixpkgs/pkgs/os-specific/linux/minimal-bootstrap/gnumake/default.nix b/nixpkgs/pkgs/os-specific/linux/minimal-bootstrap/gnumake/default.nix
new file mode 100644
index 000000000000..823d314f2802
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/minimal-bootstrap/gnumake/default.nix
@@ -0,0 +1,190 @@
+{ lib
+, fetchurl
+, kaem
+, tinycc
+, gnupatch
+}:
+let
+  pname = "gnumake";
+  version = "4.4.1";
+
+  src = fetchurl {
+    url = "mirror://gnu/make/make-${version}.tar.gz";
+    sha256 = "1cwgcmwdn7gqn5da2ia91gkyiqs9birr10sy5ykpkaxzcwfzn5nx";
+  };
+
+  patches = [
+    # Replaces /bin/sh with sh, see patch file for reasoning
+    ./0001-No-impure-bin-sh.patch
+    # Purity: don't look for library dependencies (of the form `-lfoo') in /lib
+    # and /usr/lib. It's a stupid feature anyway. Likewise, when searching for
+    # included Makefiles, don't look in /usr/include and friends.
+    ./0002-remove-impure-dirs.patch
+    # Fixes for tinycc. See comments in patch file for reasoning
+    ./0003-tinycc-support.patch
+  ];
+
+  CFLAGS = [
+    "-I./src"
+    "-I./lib"
+    "-DHAVE_CONFIG_H"
+    "-DMAKE_MAINTAINER_MODE"
+    "-DLIBDIR=\\\"${placeholder "out"}/lib\\\""
+    "-DLOCALEDIR=\\\"/fake-locale\\\""
+    "-DPOSIX=1"
+    # mes-libc doesn't implement osync_* methods
+    "-DNO_OUTPUT_SYNC=1"
+    # mes-libc doesn't define O_TMPFILE
+    "-DO_TMPFILE=020000000"
+  ] ++ config;
+
+  /*
+    Maintenance notes:
+
+    Generated by
+        ./configure \
+          --build i686-pc-linux-gnu \
+          --host i686-pc-linux-gnu \
+          CC="${tinycc.compiler}/bin/tcc -B ${tinycc.libs}/lib" \
+          ac_cv_func_dup=no
+    - `ac_cv_func_dup` disabled as mes-libc doesn't implement tmpfile()
+
+    The output src/config.h was then manually filtered, removing definitions that
+    didn't have uses in the source code
+  */
+  config = [
+    "-DFILE_TIMESTAMP_HI_RES=0"
+    "-DHAVE_ALLOCA"
+    "-DHAVE_ALLOCA_H"
+    "-DHAVE_ATEXIT"
+    "-DHAVE_DECL_BSD_SIGNAL=0"
+    "-DHAVE_DECL_GETLOADAVG=0"
+    "-DHAVE_DECL_SYS_SIGLIST=0"
+    "-DHAVE_DECL__SYS_SIGLIST=0"
+    "-DHAVE_DECL___SYS_SIGLIST=0"
+    "-DHAVE_DIRENT_H"
+    "-DHAVE_DUP2"
+    "-DHAVE_FCNTL_H"
+    "-DHAVE_FDOPEN"
+    "-DHAVE_GETCWD"
+    "-DHAVE_GETTIMEOFDAY"
+    "-DHAVE_INTTYPES_H"
+    "-DHAVE_ISATTY"
+    "-DHAVE_LIMITS_H"
+    "-DHAVE_LOCALE_H"
+    "-DHAVE_MEMORY_H"
+    "-DHAVE_MKTEMP"
+    "-DHAVE_SA_RESTART"
+    "-DHAVE_SETVBUF"
+    "-DHAVE_SIGACTION"
+    "-DHAVE_SIGSETMASK"
+    "-DHAVE_STDINT_H"
+    "-DHAVE_STDLIB_H"
+    "-DHAVE_STRDUP"
+    "-DHAVE_STRERROR"
+    "-DHAVE_STRINGS_H"
+    "-DHAVE_STRING_H"
+    "-DHAVE_STRTOLL"
+    "-DHAVE_SYS_FILE_H"
+    "-DHAVE_SYS_PARAM_H"
+    "-DHAVE_SYS_RESOURCE_H"
+    "-DHAVE_SYS_SELECT_H"
+    "-DHAVE_SYS_STAT_H"
+    "-DHAVE_SYS_TIMEB_H"
+    "-DHAVE_SYS_TIME_H"
+    "-DHAVE_SYS_WAIT_H"
+    "-DHAVE_TTYNAME"
+    "-DHAVE_UMASK"
+    "-DHAVE_UNISTD_H"
+    "-DHAVE_WAITPID"
+    "-DMAKE_JOBSERVER"
+    "-DMAKE_SYMLINKS"
+    "-DPATH_SEPARATOR_CHAR=':'"
+    "-DSCCS_GET=\\\"get\\\""
+    "-DSTDC_HEADERS"
+    "-Dsig_atomic_t=int"
+    "-Dvfork=fork"
+  ];
+
+  # Maintenance note: list of source files derived from Basic.mk
+  make_SOURCES = [
+    "src/ar.c"
+    "src/arscan.c"
+    "src/commands.c"
+    "src/default.c"
+    "src/dir.c"
+    "src/expand.c"
+    "src/file.c"
+    "src/function.c"
+    "src/getopt.c"
+    "src/getopt1.c"
+    "src/guile.c"
+    "src/hash.c"
+    "src/implicit.c"
+    "src/job.c"
+    "src/load.c"
+    "src/loadapi.c"
+    "src/main.c"
+    "src/misc.c"
+    "src/output.c"
+    "src/read.c"
+    "src/remake.c"
+    "src/rule.c"
+    "src/shuffle.c"
+    "src/signame.c"
+    "src/strcache.c"
+    "src/variable.c"
+    "src/version.c"
+    "src/vpath.c"
+  ];
+  glob_SOURCES = [ "lib/fnmatch.c" "lib/glob.c" ];
+  remote_SOURCES = [ "src/remote-stub.c" ];
+  sources = make_SOURCES ++ glob_SOURCES ++ remote_SOURCES ++ [
+    "src/posixos.c"
+  ];
+
+  objects = map (x: lib.replaceStrings [".c"] [".o"] (builtins.baseNameOf x)) sources;
+in
+kaem.runCommand "${pname}-${version}" {
+  inherit pname version;
+
+  nativeBuildInputs = [ tinycc.compiler gnupatch ];
+
+  meta = with lib; {
+    description = "A tool to control the generation of non-source files from sources";
+    homepage = "https://www.gnu.org/software/make";
+    license = licenses.gpl3Plus;
+    maintainers = teams.minimal-bootstrap.members;
+    mainProgram = "make";
+    platforms = platforms.unix;
+  };
+} ''
+  # Unpack
+  ungz --file ${src} --output make.tar
+  untar --file make.tar
+  rm make.tar
+  cd make-${version}
+
+  # Patch
+  ${lib.concatMapStringsSep "\n" (f: "patch -Np1 -i ${f}") patches}
+
+  # Configure
+  catm src/config.h src/mkconfig.h src/mkcustom.h
+  cp lib/glob.in.h lib/glob.h
+  cp lib/fnmatch.in.h lib/fnmatch.h
+
+  # Compile
+  alias CC="tcc -B ${tinycc.libs}/lib ${lib.concatStringsSep " " CFLAGS}"
+  ${lib.concatMapStringsSep "\n" (f: "CC -c ${f}") sources}
+
+  # Link
+  CC -o make ${lib.concatStringsSep " " objects}
+
+  # Check
+  ./make --version
+
+  # Install
+  mkdir -p ''${out}/bin
+  cp ./make ''${out}/bin
+  chmod 555 ''${out}/bin/make
+''
diff --git a/nixpkgs/pkgs/os-specific/linux/minimal-bootstrap/gnumake/musl.nix b/nixpkgs/pkgs/os-specific/linux/minimal-bootstrap/gnumake/musl.nix
new file mode 100644
index 000000000000..504095732e8c
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/minimal-bootstrap/gnumake/musl.nix
@@ -0,0 +1,82 @@
+{ lib
+, buildPlatform
+, hostPlatform
+, fetchurl
+, bash
+, tinycc
+, gnumakeBoot
+, gnupatch
+, gnused
+, gnugrep
+, gawk
+, gnutar
+, gzip
+}:
+let
+  pname = "gnumake-musl";
+  version = "4.4.1";
+
+  src = fetchurl {
+    url = "mirror://gnu/make/make-${version}.tar.gz";
+    hash = "sha256-3Rb7HWe/q3mnL16DkHNcSePo5wtJRaFasfgd23hlj7M=";
+  };
+
+  patches = [
+    # Replaces /bin/sh with sh, see patch file for reasoning
+    ./0001-No-impure-bin-sh.patch
+    # Purity: don't look for library dependencies (of the form `-lfoo') in /lib
+    # and /usr/lib. It's a stupid feature anyway. Likewise, when searching for
+    # included Makefiles, don't look in /usr/include and friends.
+    ./0002-remove-impure-dirs.patch
+  ];
+in
+bash.runCommand "${pname}-${version}" {
+  inherit pname version;
+
+  nativeBuildInputs = [
+    tinycc.compiler
+    gnumakeBoot
+    gnupatch
+    gnused
+    gnugrep
+    gawk
+    gnutar
+    gzip
+  ];
+
+  passthru.tests.get-version = result:
+    bash.runCommand "${pname}-get-version-${version}" {} ''
+      ${result}/bin/make --version
+      mkdir $out
+    '';
+
+  meta = with lib; {
+    description = "A tool to control the generation of non-source files from sources";
+    homepage = "https://www.gnu.org/software/make";
+    license = licenses.gpl3Plus;
+    maintainers = teams.minimal-bootstrap.members;
+    mainProgram = "make";
+    platforms = platforms.unix;
+  };
+} ''
+  # Unpack
+  tar xzf ${src}
+  cd make-${version}
+
+  # Patch
+  ${lib.concatMapStringsSep "\n" (f: "patch -Np1 -i ${f}") patches}
+
+  # Configure
+  export CC="tcc -B ${tinycc.libs}/lib"
+  export LD=tcc
+  bash ./configure \
+    --prefix=$out \
+    --build=${buildPlatform.config} \
+    --host=${hostPlatform.config}
+
+  # Build
+  make AR="tcc -ar"
+
+  # Install
+  make install
+''
diff --git a/nixpkgs/pkgs/os-specific/linux/minimal-bootstrap/gnupatch/default.nix b/nixpkgs/pkgs/os-specific/linux/minimal-bootstrap/gnupatch/default.nix
new file mode 100644
index 000000000000..8e6f6696c68c
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/minimal-bootstrap/gnupatch/default.nix
@@ -0,0 +1,107 @@
+{ lib
+, fetchurl
+, kaem
+, tinycc
+}:
+let
+  pname = "gnupatch";
+  # 2.6.x and later use features not implemented in mes-libc (eg. quotearg.h)
+  version = "2.5.9";
+
+  src = fetchurl {
+    url = "mirror://gnu/patch/patch-${version}.tar.gz";
+    sha256 = "12nv7jx3gxfp50y11nxzlnmqqrpicjggw6pcsq0wyavkkm3cddgc";
+  };
+
+  # Thanks to the live-bootstrap project!
+  # https://github.com/fosslinux/live-bootstrap/blob/1bc4296091c51f53a5598050c8956d16e945b0f5/sysa/patch-2.5.9/mk/main.mk
+  CFLAGS = [
+    "-I."
+    "-DHAVE_DECL_GETENV"
+    "-DHAVE_DECL_MALLOC"
+    "-DHAVE_DIRENT_H"
+    "-DHAVE_LIMITS_H"
+    "-DHAVE_GETEUID"
+    "-DHAVE_MKTEMP"
+    "-DPACKAGE_BUGREPORT="
+    "-Ded_PROGRAM=\\\"/nullop\\\""
+    "-Dmbstate_t=int" # When HAVE_MBRTOWC is not enabled uses of mbstate_t are always a no-op
+    "-DRETSIGTYPE=int"
+    "-DHAVE_MKDIR"
+    "-DHAVE_RMDIR"
+    "-DHAVE_FCNTL_H"
+    "-DPACKAGE_NAME=\\\"patch\\\""
+    "-DPACKAGE_VERSION=\\\"${version}\\\""
+    "-DHAVE_MALLOC"
+    "-DHAVE_REALLOC"
+    "-DSTDC_HEADERS"
+    "-DHAVE_STRING_H"
+    "-DHAVE_STDLIB_H"
+  ];
+
+  # Maintenance note: List of sources from Makefile.in
+  SRCS = [
+    "addext.c"
+    "argmatch.c"
+    "backupfile.c"
+    "basename.c"
+    "dirname.c"
+    "getopt.c"
+    "getopt1.c"
+    "inp.c"
+    "maketime.c"
+    "partime.c"
+    "patch.c"
+    "pch.c"
+    "quote.c"
+    "quotearg.c"
+    "quotesys.c"
+    "util.c"
+    "version.c"
+    "xmalloc.c"
+  ];
+  sources = SRCS ++ [
+    # mes-libc doesn't implement `error()`
+    "error.c"
+  ];
+
+  objects = map (x: lib.replaceStrings [".c"] [".o"] (builtins.baseNameOf x)) sources;
+in
+kaem.runCommand "${pname}-${version}" {
+  inherit pname version;
+
+  nativeBuildInputs = [ tinycc.compiler ];
+
+  meta = with lib; {
+    description = "GNU Patch, a program to apply differences to files";
+    homepage = "https://www.gnu.org/software/patch";
+    license = licenses.gpl3Plus;
+    maintainers = teams.minimal-bootstrap.members;
+    mainProgram = "patch";
+    platforms = platforms.unix;
+  };
+} ''
+  # Unpack
+  ungz --file ${src} --output patch.tar
+  untar --file patch.tar
+  rm patch.tar
+  cd patch-${version}
+
+  # Configure
+  catm config.h
+
+  # Build
+  alias CC="tcc -B ${tinycc.libs}/lib ${lib.concatStringsSep " " CFLAGS}"
+  ${lib.concatMapStringsSep "\n" (f: "CC -c ${f}") sources}
+
+  # Link
+  CC -o patch ${lib.concatStringsSep " " objects}
+
+  # Check
+  ./patch --version
+
+  # Install
+  mkdir -p ''${out}/bin
+  cp ./patch ''${out}/bin
+  chmod 555 ''${out}/bin/patch
+''
diff --git a/nixpkgs/pkgs/os-specific/linux/minimal-bootstrap/gnused/common.nix b/nixpkgs/pkgs/os-specific/linux/minimal-bootstrap/gnused/common.nix
new file mode 100644
index 000000000000..658f05923ac3
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/minimal-bootstrap/gnused/common.nix
@@ -0,0 +1,12 @@
+{ lib }:
+
+{
+  meta = with lib; {
+    description = "GNU sed, a batch stream editor";
+    homepage = "https://www.gnu.org/software/sed";
+    license = licenses.gpl3Plus;
+    maintainers = teams.minimal-bootstrap.members;
+    mainProgram = "sed";
+    platforms = platforms.unix;
+  };
+}
diff --git a/nixpkgs/pkgs/os-specific/linux/minimal-bootstrap/gnused/default.nix b/nixpkgs/pkgs/os-specific/linux/minimal-bootstrap/gnused/default.nix
new file mode 100644
index 000000000000..ee566f93c164
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/minimal-bootstrap/gnused/default.nix
@@ -0,0 +1,63 @@
+{ lib
+, buildPlatform
+, hostPlatform
+, fetchurl
+, bash
+, gnumake
+, tinycc
+, gnused
+, gnugrep
+, gnutar
+, gzip
+}:
+
+let
+  inherit (import ./common.nix { inherit lib; }) meta;
+  pname = "gnused";
+  # last version that can be bootstrapped with our slightly buggy gnused-mes
+  version = "4.2";
+
+  src = fetchurl {
+    url = "mirror://gnu/sed/sed-${version}.tar.gz";
+    hash = "sha256-20XNY/0BDmUFN9ZdXfznaJplJ0UjZgbl5ceCk3Jn2YM=";
+  };
+in
+bash.runCommand "${pname}-${version}" {
+  inherit pname version meta;
+
+  nativeBuildInputs = [
+    gnumake
+    tinycc.compiler
+    gnused
+    gnugrep
+    gnutar
+    gzip
+  ];
+
+  passthru.tests.get-version = result:
+    bash.runCommand "${pname}-get-version-${version}" {} ''
+      ${result}/bin/sed --version
+      mkdir ''${out}
+    '';
+} (''
+  # Unpack
+  tar xzf ${src}
+  cd sed-${version}
+
+  # Configure
+  export CC="tcc -B ${tinycc.libs}/lib"
+  export LD=tcc
+  ./configure \
+    --build=${buildPlatform.config} \
+    --host=${hostPlatform.config} \
+    --disable-shared \
+    --disable-nls \
+    --disable-dependency-tracking \
+    --prefix=$out
+
+  # Build
+  make AR="tcc -ar"
+
+  # Install
+  make install
+'')
diff --git a/nixpkgs/pkgs/os-specific/linux/minimal-bootstrap/gnused/mes.nix b/nixpkgs/pkgs/os-specific/linux/minimal-bootstrap/gnused/mes.nix
new file mode 100644
index 000000000000..031b5b5f0db0
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/minimal-bootstrap/gnused/mes.nix
@@ -0,0 +1,59 @@
+{ lib
+, buildPlatform
+, hostPlatform
+, fetchurl
+, bash
+, gnumake
+, tinycc
+}:
+
+let
+  inherit (import ./common.nix { inherit lib; }) meta;
+  pname = "gnused-mes";
+  # last version that can be compiled with mes-libc
+  version = "4.0.9";
+
+  src = fetchurl {
+    url = "mirror://gnu/sed/sed-${version}.tar.gz";
+    sha256 = "0006gk1dw2582xsvgx6y6rzs9zw8b36rhafjwm288zqqji3qfrf3";
+  };
+
+  # Thanks to the live-bootstrap project!
+  # See https://github.com/fosslinux/live-bootstrap/blob/1bc4296091c51f53a5598050c8956d16e945b0f5/sysa/sed-4.0.9/sed-4.0.9.kaem
+  makefile = fetchurl {
+    url = "https://github.com/fosslinux/live-bootstrap/raw/1bc4296091c51f53a5598050c8956d16e945b0f5/sysa/sed-4.0.9/mk/main.mk";
+    sha256 = "0w1f5ri0g5zla31m6l6xyzbqwdvandqfnzrsw90dd6ak126w3mya";
+  };
+in
+bash.runCommand "${pname}-${version}" {
+  inherit pname version meta;
+
+  nativeBuildInputs = [
+    gnumake
+    tinycc.compiler
+  ];
+
+  passthru.tests.get-version = result:
+    bash.runCommand "${pname}-get-version-${version}" {} ''
+      ${result}/bin/sed --version
+      mkdir ''${out}
+    '';
+} (''
+  # Unpack
+  ungz --file ${src} --output sed.tar
+  untar --file sed.tar
+  rm sed.tar
+  cd sed-${version}
+
+  # Configure
+  cp ${makefile} Makefile
+  catm config.h
+
+  # Build
+  make \
+    CC="tcc -B ${tinycc.libs}/lib" \
+    LIBC=mes
+
+  # Install
+  make install PREFIX=$out
+'')
diff --git a/nixpkgs/pkgs/os-specific/linux/minimal-bootstrap/gnutar/latest.nix b/nixpkgs/pkgs/os-specific/linux/minimal-bootstrap/gnutar/latest.nix
new file mode 100644
index 000000000000..717ea9868fd9
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/minimal-bootstrap/gnutar/latest.nix
@@ -0,0 +1,71 @@
+{ lib
+, buildPlatform
+, hostPlatform
+, fetchurl
+, bash
+, gcc
+, musl
+, binutils
+, gnumake
+, gnused
+, gnugrep
+, gawk
+, gzip
+, gnutarBoot
+}:
+let
+  pname = "gnutar";
+  version = "1.35";
+
+  src = fetchurl {
+    url = "mirror://gnu/tar/tar-${version}.tar.gz";
+    hash = "sha256-FNVeMgY+qVJuBX+/Nfyr1TN452l4fv95GcN1WwLStX4=";
+  };
+in
+bash.runCommand "${pname}-${version}" {
+  inherit pname version;
+
+  nativeBuildInputs = [
+    gcc
+    musl
+    binutils
+    gnumake
+    gnused
+    gnugrep
+    gawk
+    gzip
+    gnutarBoot
+  ];
+
+  passthru.tests.get-version = result:
+    bash.runCommand "${pname}-get-version-${version}" {} ''
+      ${result}/bin/tar --version
+      mkdir $out
+    '';
+
+  meta = with lib; {
+    description = "GNU implementation of the `tar' archiver";
+    homepage = "https://www.gnu.org/software/tar";
+    license = licenses.gpl3Plus;
+    maintainers = teams.minimal-bootstrap.members;
+    mainProgram = "tar";
+    platforms = platforms.unix;
+  };
+} ''
+  # Unpack
+  tar xzf ${src}
+  cd tar-${version}
+
+  # Configure
+  bash ./configure \
+    --prefix=$out \
+    --build=${buildPlatform.config} \
+    --host=${hostPlatform.config} \
+    CC=musl-gcc
+
+  # Build
+  make -j $NIX_BUILD_CORES
+
+  # Install
+  make -j $NIX_BUILD_CORES install
+''
diff --git a/nixpkgs/pkgs/os-specific/linux/minimal-bootstrap/gnutar/mes.nix b/nixpkgs/pkgs/os-specific/linux/minimal-bootstrap/gnutar/mes.nix
new file mode 100644
index 000000000000..e07561b3e7e5
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/minimal-bootstrap/gnutar/mes.nix
@@ -0,0 +1,65 @@
+{ lib
+, buildPlatform
+, hostPlatform
+, fetchurl
+, bash
+, tinycc
+, gnumake
+, gnused
+, gnugrep
+}:
+let
+  pname = "gnutar";
+  # >= 1.13 is incompatible with mes-libc
+  version = "1.12";
+
+  src = fetchurl {
+    url = "mirror://gnu/tar/tar-${version}.tar.gz";
+    sha256 = "02m6gajm647n8l9a5bnld6fnbgdpyi4i3i83p7xcwv0kif47xhy6";
+  };
+in
+bash.runCommand "${pname}-${version}" {
+  inherit pname version;
+
+  nativeBuildInputs = [
+    tinycc.compiler
+    gnumake
+    gnused
+    gnugrep
+  ];
+
+  passthru.tests.get-version = result:
+    bash.runCommand "${pname}-get-version-${version}" {} ''
+      ${result}/bin/tar --version
+      mkdir $out
+    '';
+
+  meta = with lib; {
+    description = "GNU implementation of the `tar' archiver";
+    homepage = "https://www.gnu.org/software/tar";
+    license = licenses.gpl3Plus;
+    maintainers = teams.minimal-bootstrap.members;
+    mainProgram = "tar";
+    platforms = platforms.unix;
+  };
+} ''
+  # Unpack
+  ungz --file ${src} --output tar.tar
+  untar --file tar.tar
+  rm tar.tar
+  cd tar-${version}
+
+  # Configure
+  export CC="tcc -B ${tinycc.libs}/lib"
+  bash ./configure \
+    --build=${buildPlatform.config} \
+    --host=${hostPlatform.config} \
+    --disable-nls \
+    --prefix=$out
+
+  # Build
+  make AR="tcc -ar"
+
+  # Install
+  make install
+''
diff --git a/nixpkgs/pkgs/os-specific/linux/minimal-bootstrap/gnutar/musl.nix b/nixpkgs/pkgs/os-specific/linux/minimal-bootstrap/gnutar/musl.nix
new file mode 100644
index 000000000000..0818a0de39a2
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/minimal-bootstrap/gnutar/musl.nix
@@ -0,0 +1,70 @@
+{ lib
+, buildPlatform
+, hostPlatform
+, fetchurl
+, bash
+, tinycc
+, gnumake
+, gnugrep
+, gnused
+}:
+let
+  # gnutar with musl preserves modify times, allowing make to not try
+  # rebuilding pregenerated files
+  pname = "gnutar-musl";
+  version = "1.12";
+
+  src = fetchurl {
+    url = "mirror://gnu/tar/tar-${version}.tar.gz";
+    hash = "sha256-xsN+iIsTbM76uQPFEUn0t71lnWnUrqISRfYQU6V6pgo=";
+  };
+in
+bash.runCommand "${pname}-${version}" {
+  inherit pname version;
+
+  nativeBuildInputs = [
+    tinycc.compiler
+    gnumake
+    gnused
+    gnugrep
+  ];
+
+  passthru.tests.get-version = result:
+    bash.runCommand "${pname}-get-version-${version}" {} ''
+      ${result}/bin/tar --version
+      mkdir $out
+    '';
+
+  meta = with lib; {
+    description = "GNU implementation of the `tar' archiver";
+    homepage = "https://www.gnu.org/software/tar";
+    license = licenses.gpl3Plus;
+    maintainers = teams.minimal-bootstrap.members;
+    mainProgram = "tar";
+    platforms = platforms.unix;
+  };
+} ''
+  # Unpack
+  ungz --file ${src} --output tar.tar
+  untar --file tar.tar
+  rm tar.tar
+  cd tar-${version}
+
+  # Configure
+  export CC="tcc -B ${tinycc.libs}/lib"
+  export LD=tcc
+  export ac_cv_sizeof_unsigned_long=4
+  export ac_cv_sizeof_long_long=8
+  export ac_cv_header_netdb_h=no
+  bash ./configure \
+    --prefix=$out \
+    --build=${buildPlatform.config} \
+    --host=${hostPlatform.config} \
+    --disable-nls
+
+  # Build
+  make AR="tcc -ar"
+
+  # Install
+  make install
+''
diff --git a/nixpkgs/pkgs/os-specific/linux/minimal-bootstrap/gzip/default.nix b/nixpkgs/pkgs/os-specific/linux/minimal-bootstrap/gzip/default.nix
new file mode 100644
index 000000000000..39353bf2b48b
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/minimal-bootstrap/gzip/default.nix
@@ -0,0 +1,58 @@
+{ lib
+, fetchurl
+, bash
+, tinycc
+, gnumake
+, gnused
+, gnugrep
+}:
+let
+  pname = "gzip";
+  version = "1.2.4";
+
+  src = fetchurl {
+    url = "mirror://gnu/gzip/gzip-${version}.tar.gz";
+    sha256 = "0ryr5b00qz3xcdcv03qwjdfji8pasp0007ay3ppmk71wl8c1i90w";
+  };
+in
+bash.runCommand "${pname}-${version}" {
+  inherit pname version;
+
+  nativeBuildInputs = [
+    tinycc.compiler
+    gnumake
+    gnused
+    gnugrep
+  ];
+
+  passthru.tests.get-version = result:
+    bash.runCommand "${pname}-get-version-${version}" {} ''
+      ${result}/bin/gzip --version
+      mkdir $out
+    '';
+
+  meta = with lib; {
+    description = "GNU zip compression program";
+    homepage = "https://www.gnu.org/software/gzip";
+    license = licenses.gpl3Plus;
+    maintainers = teams.minimal-bootstrap.members;
+    platforms = platforms.unix;
+  };
+} ''
+  # Unpack
+  ungz --file ${src} --output gzip.tar
+  untar --file gzip.tar
+  rm gzip.tar
+  cd gzip-${version}
+
+  # Configure
+  export CC="tcc -B ${tinycc.libs}/lib -Dstrlwr=unused"
+  bash ./configure --prefix=$out
+
+  # Build
+  make
+
+  # Install
+  mkdir $out
+  make install
+''
diff --git a/nixpkgs/pkgs/os-specific/linux/minimal-bootstrap/heirloom-devtools/default.nix b/nixpkgs/pkgs/os-specific/linux/minimal-bootstrap/heirloom-devtools/default.nix
new file mode 100644
index 000000000000..88637811b953
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/minimal-bootstrap/heirloom-devtools/default.nix
@@ -0,0 +1,97 @@
+{ lib
+, fetchurl
+, kaem
+, tinycc
+, gnumake
+, gnupatch
+, coreutils
+}:
+let
+  pname = "heirloom-devtools";
+  version = "070527";
+
+  src = fetchurl {
+    url = "mirror://sourceforge/heirloom/heirloom-devtools/heirloom-devtools-${version}.tar.bz2";
+    sha256 = "9f233d8b78e4351fe9dd2d50d83958a0e5af36f54e9818521458a08e058691ba";
+  };
+
+  # Thanks to the live-bootstrap project!
+  # See https://github.com/fosslinux/live-bootstrap/blob/d918b984ad6fe4fc7680f3be060fd82f8c9fddd9/sysa/heirloom-devtools-070527/heirloom-devtools-070527.kaem
+  liveBootstrap = "https://github.com/fosslinux/live-bootstrap/raw/d918b984ad6fe4fc7680f3be060fd82f8c9fddd9/sysa/heirloom-devtools-070527";
+
+  patches = [
+    # Remove all kinds of wchar support. Mes Libc does not support wchar in any form
+    (fetchurl {
+      url = "${liveBootstrap}/patches/yacc_remove_wchar.patch";
+      sha256 = "0wgiz02bb7xzjy2gnbjp8y31qy6rc4b29v01zi32zh9lw54j68hc";
+    })
+    # Similarly to yacc, remove wchar. See yacc patch for further information
+    (fetchurl {
+      url = "${liveBootstrap}/patches/lex_remove_wchar.patch";
+      sha256 = "168dfngi51ljjqgd55wbvmffaq61gk48gak50ymnl1br92qkp4zh";
+    })
+  ];
+in
+kaem.runCommand "${pname}-${version}" {
+  inherit pname version;
+
+  nativeBuildInputs = [
+    tinycc.compiler
+    gnumake
+    gnupatch
+    coreutils
+  ];
+
+  meta = with lib; {
+    description = "Portable yacc and lex derived from OpenSolaris";
+    homepage = "https://heirloom.sourceforge.net/devtools.html";
+    license = with licenses; [ cddl bsdOriginalUC caldera ];
+    maintainers = teams.minimal-bootstrap.members;
+    platforms = platforms.unix;
+  };
+} ''
+  # Unpack
+  unbz2 --file ${src} --output heirloom-devtools.tar
+  untar --file heirloom-devtools.tar
+  rm heirloom-devtools.tar
+  build=''${NIX_BUILD_TOP}/heirloom-devtools-${version}
+  cd ''${build}
+
+  # Patch
+  ${lib.concatLines (map (f: "patch -Np0 -i ${f}") patches)}
+
+  # Build yacc
+  cd yacc
+  make -f Makefile.mk \
+    CC="tcc -B ${tinycc.libs}/lib" \
+    AR="tcc -ar" \
+    CFLAGS="-DMAXPATHLEN=4096 -DEILSEQ=84 -DMB_LEN_MAX=100" \
+    LDFLAGS="-lgetopt" \
+    RANLIB=true \
+    LIBDIR=''${out}/lib
+
+  # Install yacc
+  install -D yacc ''${out}/bin/yacc
+  install -Dm 444 liby.a ''${out}/lib/liby.a
+  install -Dm 444 yaccpar ''${out}/lib/yaccpar
+
+  # Make yacc available to lex
+  PATH="''${out}/bin:''${PATH}"
+
+  # Build lex
+  cd ../lex
+  make -f Makefile.mk \
+    CC="tcc -B ${tinycc.libs}/lib" \
+    AR="tcc -ar" \
+    CFLAGS="-DEILSEQ=84 -DMB_LEN_MAX=100" \
+    LDFLAGS="-lgetopt" \
+    RANLIB=true \
+    LIBDIR=''${out}/lib
+
+  # Install lex
+  install -D lex ''${out}/bin/lex
+  install -Dm 444 ncform ''${out}/lib/lex/ncform
+  install -Dm 444 nceucform ''${out}/lib/lex/nceucform
+  install -Dm 444 nrform ''${out}/lib/lex/nrform
+  install -Dm 444 libl.a ''${out}/lib/libl.a
+''
diff --git a/nixpkgs/pkgs/os-specific/linux/minimal-bootstrap/heirloom/cp-no-socket.patch b/nixpkgs/pkgs/os-specific/linux/minimal-bootstrap/heirloom/cp-no-socket.patch
new file mode 100644
index 000000000000..88d6e7d6fa4d
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/minimal-bootstrap/heirloom/cp-no-socket.patch
@@ -0,0 +1,84 @@
+--- cp/cp.c
++++ cp/cp.c
+@@ -42,8 +42,6 @@ static const char sccsid[] USED = "@(#)cp.sl	1.84 (gritter) 3/4/06";
+ 
+ #include	<sys/types.h>
+ #include	<sys/stat.h>
+-#include	<sys/socket.h>
+-#include	<sys/un.h>
+ #include	<sys/time.h>
+ #include	<sys/resource.h>
+ #include	<fcntl.h>
+@@ -427,6 +425,7 @@ fdcopy(const char *src, const struct stat *ssp, const int sfd,
+ #endif
+ 
+ #ifdef	__linux__
++#ifdef	O_DIRECT
+ 	if (!bflag && !Dflag && ssp->st_size > 0) {
+ 		long long	sent;
+ 
+@@ -436,6 +435,7 @@ fdcopy(const char *src, const struct stat *ssp, const int sfd,
+ 		if (sent < 0)
+ 			goto err;
+ 	}
++#endif
+ #endif	/* __linux__ */
+ 	if (pagesize == 0)
+ 		if ((pagesize = 4096) < 0)
+@@ -702,37 +702,6 @@ symlinkcopy(const char *src, const struct stat *ssp,
+ 	}
+ }
+ 
+-static void
+-socketcopy(const char *src, const struct stat *ssp,
+-		const char *tgt, const struct stat *dsp)
+-{
+-	int	fd, addrsz;
+-	struct sockaddr_un	addr;
+-	size_t	len;
+-
+-	if (do_unlink(tgt, dsp) != OKAY)
+-		return;
+-	len = strlen(tgt);
+-	memset(&addr, 0, sizeof addr);
+-	addr.sun_family = AF_UNIX;
+-	addrsz = sizeof addr - sizeof addr.sun_path + len;
+-	if ((len >= sizeof addr.sun_path ? errno = ENAMETOOLONG, fd = -1, 1 :
+-			(strncpy(addr.sun_path,tgt,sizeof addr.sun_path), 0)) ||
+-			(fd = socket(AF_UNIX, SOCK_STREAM, 0)) < 0 ||
+-			bind(fd, (struct sockaddr *)&addr, addrsz) < 0) {
+-		fprintf(stderr, "%s: cannot create socket %s\n%s: %s\n",
+-				progname, tgt,
+-				progname, strerror(errno));
+-		if (fd >= 0)
+-			close(fd);
+-		errcnt |= 01;
+-		return;
+-	}
+-	close(fd);
+-	if (pflag)
+-		permissions(tgt, ssp);
+-}
+-
+ static void
+ specialcopy(const char *src, const struct stat *ssp,
+ 		const char *tgt, const struct stat *dsp)
+@@ -748,9 +717,6 @@ specialcopy(const char *src, const struct stat *ssp,
+ 	case S_IFLNK:
+ 		symlinkcopy(src, ssp, tgt, dsp);
+ 		break;
+-	case S_IFSOCK:
+-		socketcopy(src, ssp, tgt, dsp);
+-		break;
+ 	case S_IFDOOR:
+ 		ignoring("door", src);
+ 		break;
+@@ -1043,7 +1009,7 @@ ln(const char *src, const char *tgt, struct stat *dsp, int level,
+ 		errcnt |= 01;
+ 		return;
+ 	}
+-#if (defined (SUS) || defined (S42)) && (defined (__linux__) || defined (__sun))
++#if (defined (SUS) || defined (S42)) && (defined (__linux__) || defined (__sun)) && !defined (__TINYC__)
+ 	if (sflag == 0) {
+ 		char	*rpbuf = alloca(PATH_MAX+1);
+ 		if (realpath(src, rpbuf) == NULL) {
diff --git a/nixpkgs/pkgs/os-specific/linux/minimal-bootstrap/heirloom/default.nix b/nixpkgs/pkgs/os-specific/linux/minimal-bootstrap/heirloom/default.nix
new file mode 100644
index 000000000000..182e515c2f1b
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/minimal-bootstrap/heirloom/default.nix
@@ -0,0 +1,130 @@
+{ lib
+, fetchurl
+, bash
+, tinycc
+, gnumake
+, gnupatch
+, heirloom-devtools
+, heirloom
+}:
+let
+  pname = "heirloom";
+  version = "070715";
+
+  src = fetchurl {
+    url = "mirror://sourceforge/heirloom/heirloom/${version}/heirloom-${version}.tar.bz2";
+    sha256 = "sha256-6zP3C8wBmx0OCkHx11UtRcV6FicuThxIY07D5ESWow8=";
+  };
+
+  patches = [
+    # we pre-generate nawk's proctab.c as meslibc is not capable of running maketab
+    # during build time (insufficient sscanf support)
+    ./proctab.patch
+
+    # disable utilities that don't build successfully
+    ./disable-programs.patch
+
+    # "tcc -ar" doesn't support creating empty archives
+    ./tcc-empty-ar.patch
+    # meslibc doesn't have seperate libm
+    ./dont-link-lm.patch
+    # meslibc's vprintf doesn't support %ll
+    ./vprintf.patch
+    # meslibc doesn't support sysconf()
+    ./sysconf.patch
+    # meslibc doesn't support locale
+    ./strcoll.patch
+    # meslibc doesn't support termios.h
+    ./termios.patch
+    # meslibc doesn't support utime.h
+    ./utime.patch
+    # meslibc doesn't support langinfo.h
+    ./langinfo.patch
+    # support building with meslibc
+    ./meslibc-support.patch
+    # remove socket functionality as unsupported by meslibc
+    ./cp-no-socket.patch
+  ];
+
+  makeFlags = [
+    # mk.config build options
+    "CC='tcc -B ${tinycc.libs}/lib -include ${./stubs.h} -include ${./musl.h}'"
+    "AR='tcc -ar'"
+    "RANLIB=true"
+    "STRIP=true"
+    "SHELL=${bash}/bin/sh"
+    "POSIX_SHELL=${bash}/bin/sh"
+    "DEFBIN=/bin"
+    "SV3BIN=/5bin"
+    "S42BIN=/5bin/s42"
+    "SUSBIN=/bin"
+    "SU3BIN=/5bin/posix2001"
+    "UCBBIN=/ucb"
+    "CCSBIN=/ccs/bin"
+    "DEFLIB=/lib"
+    "DEFSBIN=/bin"
+    "MANDIR=/share/man"
+    "LCURS=" # disable ncurses
+    "USE_ZLIB=0" # disable zlib
+    "IWCHAR='-I../libwchar'"
+    "LWCHAR='-L../libwchar -lwchar'"
+  ];
+in
+bash.runCommand "${pname}-${version}" {
+  inherit pname version;
+
+  nativeBuildInputs = [
+    tinycc.compiler
+    gnumake
+    gnupatch
+    heirloom-devtools
+  ];
+
+  passthru.sed =
+    bash.runCommand "${pname}-sed-${version}" {} ''
+      install -D ${heirloom}/bin/sed $out/bin/sed
+    '';
+
+  passthru.tests.get-version = result:
+    bash.runCommand "${pname}-get-version-${version}" {} ''
+      ${result}/bin/banner Hello Heirloom
+      mkdir $out
+    '';
+
+  meta = with lib; {
+    description = "The Heirloom Toolchest is a collection of standard Unix utilities";
+    homepage = "https://heirloom.sourceforge.net/tools.html";
+    license = with licenses; [
+      # All licenses according to LICENSE/
+      zlib
+      caldera
+      bsdOriginalUC
+      cddl
+      bsd3
+      gpl2Plus
+      lgpl21Plus
+      lpl-102
+      info-zip
+    ];
+    maintainers = teams.minimal-bootstrap.members;
+    platforms = platforms.unix;
+  };
+} ''
+  # Unpack
+  unbz2 --file ${src} --output heirloom.tar
+  untar --file heirloom.tar
+  rm heirloom.tar
+  cd heirloom-${version}
+
+  # Patch
+  ${lib.concatMapStringsSep "\n" (f: "patch -Np0 -i ${f}") patches}
+  cp ${./proctab.c} nawk/proctab.c
+
+  # Build
+  # These tools are required during later build steps
+  export PATH="$PATH:$PWD/ed:$PWD/nawk:$PWD/sed"
+  make ${lib.concatStringsSep " " makeFlags}
+
+  # Install
+  make install ROOT=$out ${lib.concatStringsSep " " makeFlags}
+''
diff --git a/nixpkgs/pkgs/os-specific/linux/minimal-bootstrap/heirloom/disable-programs.patch b/nixpkgs/pkgs/os-specific/linux/minimal-bootstrap/heirloom/disable-programs.patch
new file mode 100644
index 000000000000..2b15ae296805
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/minimal-bootstrap/heirloom/disable-programs.patch
@@ -0,0 +1,43 @@
+--- makefile
++++ makefile
+@@ -1,21 +1,24 @@
+-SHELL = /bin/sh
++SHELL = sh
+ 
+-SUBDIRS = build libwchar libcommon libuxre _install \
+-	banner basename bc bdiff bfs \
+-	cal calendar cat chmod chown \
+-	cksum cmp col comm copy cp cpio csplit cut \
+-	date dc dd deroff diff diff3 dircmp dirname df du \
++SUBDIRS = libwchar libcommon libuxre _install \
++	banner basename bdiff bfs \
++	cat chmod chown \
++	cksum cmp col comm copy cp csplit cut \
++	dc dirname \
+ 	echo ed env expand expr \
+-	factor file find fmt fmtmsg fold \
+-	getconf getopt grep groups hd head hostname id join \
+-	kill line listusers ln logins logname ls \
+-	mail man mesg mkdir mkfifo mknod more mvdir \
+-	nawk news nice nl nohup oawk od \
+-	paste pathchk pg pgrep pr printenv printf priocntl ps psrinfo pwd \
+-	random renice rm rmdir \
+-	sdiff sed setpgrp shl sleep sort spell split stty su sum sync \
+-	tabs tail tapecntl tar tcopy tee test time touch tr true tsort tty \
+-	ul uname uniq units users wc what who whoami whodo xargs yes
++	file fmt fold \
++	getopt grep hd head join \
++	kill line ln logname ls \
++	mesg mkdir mknod \
++	nl nohup od \
++	paste pathchk pgrep pr printenv printf pwd \
++	random rm rmdir \
++	sed sleep sort split sum \
++	tee test touch tr true tsort tty \
++	uniq units wc what whoami xargs yes
++
++# These depend on some coreutils that we need to build first
++SUBDIRS += bc nawk build
+ 
+ dummy: makefiles all
+ 
diff --git a/nixpkgs/pkgs/os-specific/linux/minimal-bootstrap/heirloom/dont-link-lm.patch b/nixpkgs/pkgs/os-specific/linux/minimal-bootstrap/heirloom/dont-link-lm.patch
new file mode 100644
index 000000000000..bf7a72b733ee
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/minimal-bootstrap/heirloom/dont-link-lm.patch
@@ -0,0 +1,44 @@
+--- csplit/Makefile.mk
++++ csplit/Makefile.mk
+@@ -1,19 +1,19 @@
+ all: csplit csplit_sus csplit_su3
+ 
+ csplit: csplit.o
+-	$(LD) $(LDFLAGS) csplit.o $(LCOMMON) $(LWCHAR) $(LIBS) -lm -o csplit
++	$(LD) $(LDFLAGS) csplit.o $(LCOMMON) $(LWCHAR) $(LIBS) -o csplit
+ 
+ csplit.o: csplit.c
+ 	$(CC) $(CFLAGS) $(CPPFLAGS) $(XO6FL) $(LARGEF) $(IWCHAR) $(ICOMMON) -c csplit.c
+ 
+ csplit_sus: csplit_sus.o
+-	$(LD) $(LDFLAGS) csplit_sus.o $(LUXRE) $(LCOMMON) $(LWCHAR) $(LIBS) -lm -o csplit_sus
++	$(LD) $(LDFLAGS) csplit_sus.o $(LUXRE) $(LCOMMON) $(LWCHAR) $(LIBS) -o csplit_sus
+ 
+ csplit_sus.o: csplit.c
+ 	$(CC) $(CFLAGS) $(CPPFLAGS) $(XO6FL) $(LARGEF) $(IUXRE) $(IWCHAR) $(ICOMMON) -DSUS -c csplit.c -o csplit_sus.o
+ 
+ csplit_su3: csplit_su3.o
+-	$(LD) $(LDFLAGS) csplit_su3.o $(LUXRE) $(LCOMMON) $(LWCHAR) $(LIBS) -lm -o csplit_su3
++	$(LD) $(LDFLAGS) csplit_su3.o $(LUXRE) $(LCOMMON) $(LWCHAR) $(LIBS) -o csplit_su3
+ 
+ csplit_su3.o: csplit.c
+ 	$(CC) $(CFLAGS) $(CPPFLAGS) $(XO6FL) $(LARGEF) $(IUXRE) $(IWCHAR) $(ICOMMON) -DSU3 -c csplit.c -o csplit_su3.o
+--- nawk/Makefile.mk
++++ nawk/Makefile.mk
+@@ -3,13 +3,13 @@ all: awk awk_sus awk_su3
+ OBJ = awk.lx.o b.o lib.o main.o parse.o proctab.o run.o tran.o
+ 
+ awk: awk.g.o $(OBJ) version.o
+-	$(LD) $(LDFLAGS) awk.g.o $(OBJ) version.o $(LUXRE) -lm $(LCOMMON) $(LWCHAR) $(LIBS) -o awk
++	$(LD) $(LDFLAGS) awk.g.o $(OBJ) version.o $(LUXRE) $(LCOMMON) $(LWCHAR) $(LIBS) -o awk
+ 
+ awk_sus: awk.g.o $(OBJ) version_sus.o
+-	$(LD) $(LDFLAGS) awk.g.o $(OBJ) version_sus.o $(LUXRE) -lm $(LCOMMON) $(LWCHAR) $(LIBS) -o awk_sus
++	$(LD) $(LDFLAGS) awk.g.o $(OBJ) version_sus.o $(LUXRE) $(LCOMMON) $(LWCHAR) $(LIBS) -o awk_sus
+ 
+ awk_su3: awk.g.2001.o $(OBJ) version_su3.o
+-	$(LD) $(LDFLAGS) awk.g.2001.o $(OBJ) version_su3.o $(LUXRE) -lm $(LCOMMON) $(LWCHAR) $(LIBS) -o awk_su3
++	$(LD) $(LDFLAGS) awk.g.2001.o $(OBJ) version_su3.o $(LUXRE) $(LCOMMON) $(LWCHAR) $(LIBS) -o awk_su3
+ 
+ awk.g.c: awk.g.y
+ 	$(YACC) -d awk.g.y
diff --git a/nixpkgs/pkgs/os-specific/linux/minimal-bootstrap/heirloom/langinfo.patch b/nixpkgs/pkgs/os-specific/linux/minimal-bootstrap/heirloom/langinfo.patch
new file mode 100644
index 000000000000..a8ad842b37c8
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/minimal-bootstrap/heirloom/langinfo.patch
@@ -0,0 +1,99 @@
+--- nawk/main.c
++++ nawk/main.c
+@@ -35,7 +35,6 @@
+ #include <errno.h>
+ #include <string.h>
+ #include <locale.h>
+-#include <langinfo.h>
+ #include <libgen.h>
+ 
+ #define	CMDCLASS	""/*"UX:"*/	/* Command classification */
+--- sort/sort.c
++++ sort/sort.c
+@@ -63,7 +63,6 @@ static const char sccsid[] USED = "@(#)sort.sl	1.37 (gritter) 5/29/05";
+ #include <locale.h>
+ #include <wchar.h>
+ #include <wctype.h>
+-#include <langinfo.h>
+ #include <inttypes.h>
+ #include <errno.h>
+ 
+@@ -287,18 +286,6 @@ main(int argc, char **argv)
+ 	else
+ 		chkblank();
+ 	compare = cmpf = ccoll ? mb_cur_max > 1 ? cmpm : cmpa : cmpl;
+-	setlocale(LC_NUMERIC, "");
+-	arg = nl_langinfo(RADIXCHAR);
+-	if (mb_cur_max > 1)
+-		next(radixchar, arg, i);
+-	else
+-		radixchar = *arg & 0377;
+-	arg = nl_langinfo(THOUSEP);
+-	if (mb_cur_max > 1)
+-		next(thousep, arg, i);
+-	else
+-		thousep = *arg & 0377;
+-	setlocale(LC_TIME, "");
+ 	fields = smalloc(NF * sizeof *fields);
+ 	copyproto();
+ 	eargv = argv;
+@@ -1088,8 +1075,7 @@ cmp(const char *i, const char *j)
+ 		} else {
+ 			sa = elicpy(collba, pa, la, '\n', ignore, code);
+ 			sb = elicpy(collbb, pb, lb, '\n', ignore, code);
+-			n = fp->Mflg ? monthcmp(collba, collbb) :
+-				strcoll(collba, collbb);
++			n = strcmp(collba, collbb);
+ 			if (n)
+ 				return n > 0 ? -fp->rflg : fp->rflg;
+ 			pa = &pa[sa];
+@@ -1570,49 +1556,6 @@ upcdup(const char *s)
+ 	return r;
+ }
+ 
+-static const char	*months[12];
+-
+-#define	COPY_ABMON(m)	months[m-1] = upcdup(nl_langinfo(ABMON_##m))
+-
+-static void
+-fillmonths(void)
+-{
+-	COPY_ABMON(1);
+-	COPY_ABMON(2);
+-	COPY_ABMON(3);
+-	COPY_ABMON(4);
+-	COPY_ABMON(5);
+-	COPY_ABMON(6);
+-	COPY_ABMON(7);
+-	COPY_ABMON(8);
+-	COPY_ABMON(9);
+-	COPY_ABMON(10);
+-	COPY_ABMON(11);
+-	COPY_ABMON(12);
+-}
+-
+-static int
+-monthcoll(const char *s)
+-{
+-	int	i;
+-	char	u[MB_LEN_MAX*3+1];
+-
+-	cpcu3(u, s);
+-	for (i = 0; i < 12; i++)
+-		if (strcmp(u, months[i]) == 0)
+-			return i;
+-	return 0;
+-}
+-
+-
+-static int
+-monthcmp(const char *pa, const char *pb)
+-{
+-	if (months[0] == NULL)
+-		fillmonths();
+-	return monthcoll(pa) - monthcoll(pb);
+-}
+-
+ /*
+  * isblank() consumes half of execution time (in skip()) with
+  * glibc 2.3.1. Check if it contains only space and tab, and
diff --git a/nixpkgs/pkgs/os-specific/linux/minimal-bootstrap/heirloom/meslibc-support.patch b/nixpkgs/pkgs/os-specific/linux/minimal-bootstrap/heirloom/meslibc-support.patch
new file mode 100644
index 000000000000..f8f7daede3b0
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/minimal-bootstrap/heirloom/meslibc-support.patch
@@ -0,0 +1,322 @@
+--- _install/install_ucb.c
++++ _install/install_ucb.c
+@@ -267,7 +267,7 @@ cp(const char *src, const char *tgt, struct stat *dsp)
+ 	if (check(src, tgt, dsp, &sst) != OKAY)
+ 		return;
+ 	unlink(tgt);
+-	if ((dfd = creat(tgt, 0700)) < 0 || fchmod(dfd, 0700) < 0 ||
++	if ((dfd = creat(tgt, 0700)) < 0 || chmod(tgt, 0700) < 0 ||
+ 			fstat(dfd, &nst) < 0) {
+ 		fprintf(stderr, "%s: %s: %s\n", progname, src,
+ 				strerror(errno));
+--- libcommon/Makefile.mk
++++ libcommon/Makefile.mk
+@@ -15,7 +15,7 @@ CHECK: CHECK.c
+ headers: CHECK
+ 	one() { \
+ 		rm -f "$$1.h"; \
+-		if grep "$$1_h[	 ]*=[ 	]*[^0][	 ]*;" CHECK >/dev/null; \
++		if true; \
+ 		then \
+ 			ln -s "_$$1.h" "$$1.h"; \
+ 		fi; \
+--- libcommon/atoll.h
++++ libcommon/atoll.h
+@@ -1,8 +1,10 @@
+ /*	Sccsid @(#)atoll.h	1.4 (gritter) 7/18/04	*/
+ 
+ #if defined (__hpux) || defined (_AIX) || \
+-	defined (__FreeBSD__) && (__FreeBSD__) < 5
++	(defined (__FreeBSD__) && (__FreeBSD__) < 5) || defined (__TINYC__)
++#ifndef __TINYC__
+ extern long long strtoll(const char *nptr, char **endptr, int base);
+ extern unsigned long long strtoull(const char *nptr, char **endptr, int base);
++#endif
+ extern long long atoll(const char *nptr);
+ #endif	/* __hpux || _AIX || __FreeBSD__ < 5 */
+--- libcommon/blank.h
++++ libcommon/blank.h
+@@ -5,7 +5,7 @@
+  */
+ /*	Sccsid @(#)blank.h	1.3 (gritter) 5/1/04	*/
+ 
+-#ifndef	__dietlibc__
++#if !defined(__dietlibc__) && !defined(__TINYC__)
+ #ifndef	LIBCOMMON_BLANK_H
+ #define	LIBCOMMON_BLANK_H	1
+ 
+--- libcommon/getdir.c
++++ libcommon/getdir.c
+@@ -52,7 +52,7 @@ extern int	getdents(int, struct dirent *, size_t);
+ #undef	d_ino
+ #endif	/* __FreeBSD__ || __NetBSD__ || __OpenBSD__ || __DragonFly__
+ 	 || __APPLE__ */
+-#elif defined	(__dietlibc__)
++#elif defined	(__dietlibc__) || defined(__TINYC__)
+ #include	<dirent.h>
+ #include	<unistd.h>
+ #else		/* !__GLIBC__, !__dietlibc__ */
+--- libcommon/memalign.c
++++ libcommon/memalign.c
+@@ -23,7 +23,7 @@
+ 
+ #if defined (__FreeBSD__) || defined (__dietlibc__) || defined (_AIX) || \
+ 	defined (__NetBSD__) || defined (__OpenBSD__) || \
+-	defined (__DragonFly__) || defined (__APPLE__)
++	defined (__DragonFly__) || defined (__APPLE__) || defined(__TINYC__)
+ /*
+  * FreeBSD malloc(3) promises to page-align the return of malloc() calls
+  * if size is at least a page. This serves for a poor man's memalign() 
+--- libcommon/memalign.h
++++ libcommon/memalign.h
+@@ -26,7 +26,7 @@
+ 
+ #if defined (__FreeBSD__) || defined (__dietlibc__) || defined (_AIX) || \
+ 	defined (__NetBSD__) || defined (__OpenBSD__) || \
+-	defined (__DragonFly__) || defined (__APPLE__)
++	defined (__DragonFly__) || defined (__APPLE__) || defined(__TINYC__)
+ #include	<stdlib.h>
+ 
+ extern void	*memalign(size_t, size_t);
+--- libcommon/pathconf.c
++++ libcommon/pathconf.c
+@@ -21,7 +21,7 @@
+  */
+ /*	Sccsid @(#)pathconf.c	1.2 (gritter) 5/1/04	*/
+ 
+-#ifdef	__dietlibc__
++#if defined(__dietlibc__) || defined(__TINYC__)
+ #include <unistd.h>
+ #include "pathconf.h"
+ 
+--- libcommon/pathconf.h
++++ libcommon/pathconf.h
+@@ -21,7 +21,7 @@
+  */
+ /*	Sccsid @(#)pathconf.h	1.2 (gritter) 5/1/04	*/
+ 
+-#ifdef	__dietlibc__
++#if defined(__dietlibc__) || defined(__TINYC__)
+ #include <unistd.h>
+ 
+ extern long	fpathconf(int, int);
+--- libcommon/regexp.h
++++ libcommon/regexp.h
+@@ -47,7 +47,7 @@
+ static const char regexp_h_sccsid[] REGEXP_H_USED =
+ 	"@(#)regexp.sl	1.56 (gritter) 5/29/05";
+ 
+-#if !defined (REGEXP_H_USED_FROM_VI) && !defined (__dietlibc__)
++#if !defined (REGEXP_H_USED_FROM_VI) && !defined (__dietlibc__) && !defined (__TINYC__)
+ #define	REGEXP_H_WCHARS
+ #endif
+ 
+--- libcommon/sfile.c
++++ libcommon/sfile.c
+@@ -21,7 +21,7 @@
+  */
+ /*	Sccsid @(#)sfile.c	1.9 (gritter) 6/7/04	*/
+ 
+-#ifdef	__linux__
++#if defined(__linux__) && !defined(__TINYC__)
+ #undef	_FILE_OFFSET_BITS
+ 
+ #include	<sys/types.h>
+--- libcommon/sighold.c
++++ libcommon/sighold.c
+@@ -22,7 +22,7 @@
+ /*	Sccsid @(#)sighold.c	1.7 (gritter) 1/22/06	*/
+ 
+ #if defined (__FreeBSD__) || defined (__dietlibc__) || defined (__NetBSD__) || \
+-	defined (__OpenBSD__) || defined (__DragonFly__) || defined (__APPLE__)
++	defined (__OpenBSD__) || defined (__DragonFly__) || defined (__APPLE__) || defined (__TINYC__)
+ #include <signal.h>
+ #include "sigset.h"
+ 
+--- libcommon/sigignore.c
++++ libcommon/sigignore.c
+@@ -22,7 +22,7 @@
+ /*	Sccsid @(#)sigignore.c	1.6 (gritter) 1/22/06	*/
+ 
+ #if defined (__FreeBSD__) || defined (__dietlibc__) || defined (__NetBSD__) || \
+-	defined (__OpenBSD__) || defined (__DragonFly__) || defined (__APPLE__)
++	defined (__OpenBSD__) || defined (__DragonFly__) || defined (__APPLE__) || defined (__TINYC__)
+ #include <signal.h>
+ #include "sigset.h"
+ 
+--- libcommon/sigpause.c
++++ libcommon/sigpause.c
+@@ -22,7 +22,7 @@
+ /*	Sccsid @(#)sigpause.c	1.6 (gritter) 1/22/06	*/
+ 
+ #if defined (__FreeBSD__) || defined (__dietlibc__) || defined (__NetBSD__) || \
+-	defined (__OpenBSD__) || defined (__DragonFly__) || defined (__APPLE__)
++	defined (__OpenBSD__) || defined (__DragonFly__) || defined (__APPLE__) || defined (__TINYC__)
+ #include <signal.h>
+ #include "sigset.h"
+ 
+--- libcommon/sigrelse.c
++++ libcommon/sigrelse.c
+@@ -22,7 +22,7 @@
+ /*	Sccsid @(#)sigrelse.c	1.8 (gritter) 1/22/06	*/
+ 
+ #if defined (__FreeBSD__) || defined (__dietlibc__) || defined (__NetBSD__) || \
+-	defined (__OpenBSD__) || defined (__DragonFly__) || defined (__APPLE__)
++	defined (__OpenBSD__) || defined (__DragonFly__) || defined (__APPLE__) || defined (__TINYC__)
+ #include <signal.h>
+ #include "sigset.h"
+ 
+--- libcommon/sigset.c
++++ libcommon/sigset.c
+@@ -22,7 +22,7 @@
+ /*	Sccsid @(#)sigset.c	1.7 (gritter) 1/22/06	*/
+ 
+ #if defined (__FreeBSD__) || defined (__dietlibc__) || defined (__NetBSD__) || \
+-	defined (__OpenBSD__) || defined (__DragonFly__) || defined (__APPLE__)
++	defined (__OpenBSD__) || defined (__DragonFly__) || defined (__APPLE__) || defined (__TINYC__)
+ #include <signal.h>
+ #include "sigset.h"
+ 
+@@ -46,10 +46,7 @@ void (*sigset(int sig, void (*func)(int)))(int)
+ 	if (sigaction(sig, func==SIG_HOLD?(struct sigaction *)0:&nact, &oact)
+ 			== -1)
+ 		return SIG_ERR;
+-	if (sigismember(&oset, sig))
+-		return SIG_HOLD;
+-	else
+-		return (oact.sa_handler);
++	return (oact.sa_handler);
+ }
+ #endif	/* __FreeBSD__ || __dietlibc__ || __NetBSD__ || __OpenBSD__ ||
+ 	__DragonFly__ || __APPLE__ */
+--- libcommon/sigset.h
++++ libcommon/sigset.h
+@@ -22,7 +22,7 @@
+ /*	Sccsid @(#)sigset.h	1.9 (gritter) 1/22/06	*/
+ 
+ #if defined (__FreeBSD__) || defined (__dietlibc__) || defined (__NetBSD__) || \
+-	defined (__OpenBSD__) || defined (__DragonFly__) || defined (__APPLE__)
++	defined (__OpenBSD__) || defined (__DragonFly__) || defined (__APPLE__) || defined (__TINYC__)
+ 
+ #ifndef	SIG_HOLD
+ #define	SIG_HOLD	((void (*)(int))2)
+--- libcommon/strtol.c
++++ libcommon/strtol.c
+@@ -1,7 +1,7 @@
+ /*	Sccsid @(#)strtol.c	1.6 (gritter) 7/18/04	*/
+ 
+ #if defined (__hpux) || defined (_AIX) || \
+-	defined (__FreeBSD__) && (__FreeBSD__) < 5
++	(defined (__FreeBSD__) && (__FreeBSD__) < 5) || defined (__TINYC__)
+ 
+ #include	<stdlib.h>
+ #include	<ctype.h>
+@@ -97,6 +97,7 @@ out:	if (pp <= bptr) {
+ 	return v * sign;
+ }
+ 
++#ifndef __TINYC__
+ long long
+ strtoll(const char *nptr, char **endptr, int base)
+ {
+@@ -108,6 +109,7 @@ strtoull(const char *nptr, char **endptr, int base)
+ {
+ 	return (unsigned long long)internal(nptr, endptr, base, 3);
+ }
++#endif
+ 
+ long long
+ atoll(const char *nptr)
+--- nawk/awk.h
++++ nawk/awk.h
+@@ -156,7 +156,6 @@ extern Cell	*rlengthloc;	/* RLENGTH */
+ #endif
+ 
+ #ifndef	IN_MAKETAB
+-#include <wchar.h>
+ 
+ /*
+  * Get next character from string s and store it in wc; n is set to
+--- nawk/awk.lx.l
++++ nawk/awk.lx.l
+@@ -71,7 +71,6 @@
+ 
+ #include	"awk.h"
+ #include	"y.tab.h"
+-#include	<pfmt.h>
+ #include	<unistd.h>
+ 
+ static void	awk_unputstr(const char *s);
+--- nawk/run.c
++++ nawk/run.c
+@@ -1467,14 +1467,6 @@ Cell *bltin(Node **a, int n)
+ 	case FRAND:
+ 		u = (Awkfloat) (rand() % 32767) / 32767.0;
+ 		break;
+-	case FSRAND:
+-		u = saved_srand; /* return previous seed */
+-		if (x->tval & REC)	/* no argument provided */
+-			saved_srand = time(NULL);
+-		else
+-			saved_srand = getfval(x);
+-		srand((int) saved_srand);
+-		break;
+ 	case FTOUPPER:
+ 	case FTOLOWER:
+ 		p = getsval(x);
+--- pgrep/pgrep.c
++++ pgrep/pgrep.c
+@@ -214,7 +214,7 @@ chdir_to_proc(void)
+ 		fprintf(stderr, "%s: cannot open %s\n", progname, PROCDIR);
+ 		exit(3);
+ 	}
+-	if (fchdir(fd) < 0) {
++	if (chdir(PROCDIR) < 0) {
+ 		fprintf(stderr, "%s: cannot chdir to %s\n", progname, PROCDIR);
+ 		exit(3);
+ 	}
+--- rm/rm.c
++++ rm/rm.c
+@@ -242,7 +242,7 @@ rm(size_t pend, const char *base, const int olddir, int ssub, int level)
+ 				}
+ 				return;
+ 			}
+-			if (fchdir(df) < 0) {
++			if (chdir(base) < 0) {
+ 				if (rmfile(base, &st) < 0) {
+ 					fprintf(stderr,
+ 						"%s: cannot chdir to %s\n",
+@@ -270,7 +270,7 @@ rm(size_t pend, const char *base, const int olddir, int ssub, int level)
+ 					progname, path);
+ 				errcnt |= 4;
+ 			}
+-			if (olddir >= 0 && fchdir(olddir) < 0) {
++			if (olddir >= 0) {
+ 				fprintf(stderr, "%s: cannot change backwards\n",
+ 						progname);
+ 				exit(1);
+@@ -316,24 +316,6 @@ subproc(size_t pend, const char *base, int level)
+ 		int status;
+ 
+ 		while (waitpid(pid, &status, 0) != pid);
+-		if (status && WIFSIGNALED(status)) {
+-			/*
+-			 * If the signal was sent due to a tty keypress,
+-			 * we should be terminated automatically and
+-			 * never reach this point. Otherwise, we terminate
+-			 * with the same signal, but make sure that we do
+-			 * not overwrite a possibly generated core file.
+-			 * This results in nearly the usual behavior except
+-			 * that the shell never prints a 'core dumped'
+-			 * message.
+-			 */
+-			struct rlimit	rl;
+-
+-			rl.rlim_cur = rl.rlim_max = 0;
+-			setrlimit(RLIMIT_CORE, &rl);
+-			raise(WTERMSIG(status));
+-			pause();
+-		}
+ 		return status ? WEXITSTATUS(status) : 0;
+ 	}
+ 	case -1:
diff --git a/nixpkgs/pkgs/os-specific/linux/minimal-bootstrap/heirloom/musl.h b/nixpkgs/pkgs/os-specific/linux/minimal-bootstrap/heirloom/musl.h
new file mode 100644
index 000000000000..b4a314056074
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/minimal-bootstrap/heirloom/musl.h
@@ -0,0 +1,53 @@
+/*
+  Copyright © 2005-2019 Rich Felker, et al.
+
+  Permission is hereby granted, free of charge, to any person obtaining
+  a copy of this software and associated documentation files (the
+  "Software"), to deal in the Software without restriction, including
+  without limitation the rights to use, copy, modify, merge, publish,
+  distribute, sublicense, and/or sell copies of the Software, and to
+  permit persons to whom the Software is furnished to do so, subject to
+  the following conditions:
+
+  The above copyright notice and this permission notice shall be
+  included in all copies or substantial portions of the Software.
+
+  THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
+  EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
+  MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT.
+  IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY
+  CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT,
+  TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE
+  SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
+*/
+
+// Additional utilities from musl 1.1.24
+
+// include/stdlib.h
+#define WEXITSTATUS(s) (((s) & 0xff00) >> 8)
+#define WTERMSIG(s) ((s) & 0x7f)
+#define WIFEXITED(s) (!WTERMSIG(s))
+#define WIFSIGNALED(s) (((s)&0xffff)-1U < 0xffu)
+
+// include/sys/sysmacros.h
+#define major(x) \
+	((unsigned)( (((x)>>31>>1) & 0xfffff000) | (((x)>>8) & 0x00000fff) ))
+#define minor(x) \
+	((unsigned)( (((x)>>12) & 0xffffff00) | ((x) & 0x000000ff) ))
+#define makedev(x,y) ( \
+        (((x)&0xfffff000ULL) << 32) | \
+	(((x)&0x00000fffULL) << 8) | \
+        (((y)&0xffffff00ULL) << 12) | \
+	(((y)&0x000000ffULL)) )
+
+// src/misc/basename.c
+#include <string.h>
+char *basename(char *s)
+{
+	size_t i;
+	if (!s || !*s) return ".";
+	i = strlen(s)-1;
+	for (; i&&s[i]=='/'; i--) s[i] = 0;
+	for (; i&&s[i-1]!='/'; i--);
+	return s+i;
+}
diff --git a/nixpkgs/pkgs/os-specific/linux/minimal-bootstrap/heirloom/proctab.c b/nixpkgs/pkgs/os-specific/linux/minimal-bootstrap/heirloom/proctab.c
new file mode 100644
index 000000000000..7a498a33f369
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/minimal-bootstrap/heirloom/proctab.c
@@ -0,0 +1,205 @@
+#include <stdio.h>
+#include "awk.h"
+#include "y.tab.h"
+
+static unsigned char *printname[92] = {
+	(unsigned char *) "FIRSTTOKEN",	/* 258 */
+	(unsigned char *) "PROGRAM",	/* 259 */
+	(unsigned char *) "PASTAT",	/* 260 */
+	(unsigned char *) "PASTAT2",	/* 261 */
+	(unsigned char *) "XBEGIN",	/* 262 */
+	(unsigned char *) "XEND",	/* 263 */
+	(unsigned char *) "NL",	/* 264 */
+	(unsigned char *) "ARRAY",	/* 265 */
+	(unsigned char *) "MATCH",	/* 266 */
+	(unsigned char *) "NOTMATCH",	/* 267 */
+	(unsigned char *) "MATCHOP",	/* 268 */
+	(unsigned char *) "FINAL",	/* 269 */
+	(unsigned char *) "DOT",	/* 270 */
+	(unsigned char *) "ALL",	/* 271 */
+	(unsigned char *) "CCL",	/* 272 */
+	(unsigned char *) "NCCL",	/* 273 */
+	(unsigned char *) "CHAR",	/* 274 */
+	(unsigned char *) "MCHAR",	/* 275 */
+	(unsigned char *) "OR",	/* 276 */
+	(unsigned char *) "STAR",	/* 277 */
+	(unsigned char *) "QUEST",	/* 278 */
+	(unsigned char *) "PLUS",	/* 279 */
+	(unsigned char *) "AND",	/* 280 */
+	(unsigned char *) "BOR",	/* 281 */
+	(unsigned char *) "APPEND",	/* 282 */
+	(unsigned char *) "EQ",	/* 283 */
+	(unsigned char *) "GE",	/* 284 */
+	(unsigned char *) "GT",	/* 285 */
+	(unsigned char *) "LE",	/* 286 */
+	(unsigned char *) "LT",	/* 287 */
+	(unsigned char *) "NE",	/* 288 */
+	(unsigned char *) "IN",	/* 289 */
+	(unsigned char *) "ARG",	/* 290 */
+	(unsigned char *) "BLTIN",	/* 291 */
+	(unsigned char *) "BREAK",	/* 292 */
+	(unsigned char *) "CONTINUE",	/* 293 */
+	(unsigned char *) "DELETE",	/* 294 */
+	(unsigned char *) "DO",	/* 295 */
+	(unsigned char *) "EXIT",	/* 296 */
+	(unsigned char *) "FOR",	/* 297 */
+	(unsigned char *) "FUNC",	/* 298 */
+	(unsigned char *) "SUB",	/* 299 */
+	(unsigned char *) "GSUB",	/* 300 */
+	(unsigned char *) "IF",	/* 301 */
+	(unsigned char *) "INDEX",	/* 302 */
+	(unsigned char *) "LSUBSTR",	/* 303 */
+	(unsigned char *) "MATCHFCN",	/* 304 */
+	(unsigned char *) "NEXT",	/* 305 */
+	(unsigned char *) "ADD",	/* 306 */
+	(unsigned char *) "MINUS",	/* 307 */
+	(unsigned char *) "MULT",	/* 308 */
+	(unsigned char *) "DIVIDE",	/* 309 */
+	(unsigned char *) "MOD",	/* 310 */
+	(unsigned char *) "ASSIGN",	/* 311 */
+	(unsigned char *) "ASGNOP",	/* 312 */
+	(unsigned char *) "ADDEQ",	/* 313 */
+	(unsigned char *) "SUBEQ",	/* 314 */
+	(unsigned char *) "MULTEQ",	/* 315 */
+	(unsigned char *) "DIVEQ",	/* 316 */
+	(unsigned char *) "MODEQ",	/* 317 */
+	(unsigned char *) "POWEQ",	/* 318 */
+	(unsigned char *) "PRINT",	/* 319 */
+	(unsigned char *) "PRINTF",	/* 320 */
+	(unsigned char *) "SPRINTF",	/* 321 */
+	(unsigned char *) "ELSE",	/* 322 */
+	(unsigned char *) "INTEST",	/* 323 */
+	(unsigned char *) "CONDEXPR",	/* 324 */
+	(unsigned char *) "POSTINCR",	/* 325 */
+	(unsigned char *) "PREINCR",	/* 326 */
+	(unsigned char *) "POSTDECR",	/* 327 */
+	(unsigned char *) "PREDECR",	/* 328 */
+	(unsigned char *) "VAR",	/* 329 */
+	(unsigned char *) "IVAR",	/* 330 */
+	(unsigned char *) "VARNF",	/* 331 */
+	(unsigned char *) "CALL",	/* 332 */
+	(unsigned char *) "NUMBER",	/* 333 */
+	(unsigned char *) "STRING",	/* 334 */
+	(unsigned char *) "FIELD",	/* 335 */
+	(unsigned char *) "REGEXPR",	/* 336 */
+	(unsigned char *) "GETLINE",	/* 337 */
+	(unsigned char *) "RETURN",	/* 338 */
+	(unsigned char *) "SPLIT",	/* 339 */
+	(unsigned char *) "SUBSTR",	/* 340 */
+	(unsigned char *) "WHILE",	/* 341 */
+	(unsigned char *) "CAT",	/* 342 */
+	(unsigned char *) "NOT",	/* 343 */
+	(unsigned char *) "UMINUS",	/* 344 */
+	(unsigned char *) "POWER",	/* 345 */
+	(unsigned char *) "DECR",	/* 346 */
+	(unsigned char *) "INCR",	/* 347 */
+	(unsigned char *) "INDIRECT",	/* 348 */
+	(unsigned char *) "LASTTOKEN",	/* 349 */
+};
+
+
+Cell *(*proctab[92])(Node **, int) = {
+	nullproc,	/* FIRSTTOKEN */
+	program,	/* PROGRAM */
+	pastat,	/* PASTAT */
+	dopa2,	/* PASTAT2 */
+	nullproc,	/* XBEGIN */
+	nullproc,	/* XEND */
+	nullproc,	/* NL */
+	array,	/* ARRAY */
+	matchop,	/* MATCH */
+	matchop,	/* NOTMATCH */
+	nullproc,	/* MATCHOP */
+	nullproc,	/* FINAL */
+	nullproc,	/* DOT */
+	nullproc,	/* ALL */
+	nullproc,	/* CCL */
+	nullproc,	/* NCCL */
+	nullproc,	/* CHAR */
+	nullproc,	/* MCHAR */
+	nullproc,	/* OR */
+	nullproc,	/* STAR */
+	nullproc,	/* QUEST */
+	nullproc,	/* PLUS */
+	boolop,	/* AND */
+	boolop,	/* BOR */
+	nullproc,	/* APPEND */
+	relop,	/* EQ */
+	relop,	/* GE */
+	relop,	/* GT */
+	relop,	/* LE */
+	relop,	/* LT */
+	relop,	/* NE */
+	instat,	/* IN */
+	arg,	/* ARG */
+	bltin,	/* BLTIN */
+	jump,	/* BREAK */
+	jump,	/* CONTINUE */
+	delete,	/* DELETE */
+	dostat,	/* DO */
+	jump,	/* EXIT */
+	forstat,	/* FOR */
+	nullproc,	/* FUNC */
+	sub,	/* SUB */
+	gsub,	/* GSUB */
+	ifstat,	/* IF */
+	sindex,	/* INDEX */
+	nullproc,	/* LSUBSTR */
+	matchop,	/* MATCHFCN */
+	jump,	/* NEXT */
+	arith,	/* ADD */
+	arith,	/* MINUS */
+	arith,	/* MULT */
+	arith,	/* DIVIDE */
+	arith,	/* MOD */
+	assign,	/* ASSIGN */
+	nullproc,	/* ASGNOP */
+	assign,	/* ADDEQ */
+	assign,	/* SUBEQ */
+	assign,	/* MULTEQ */
+	assign,	/* DIVEQ */
+	assign,	/* MODEQ */
+	assign,	/* POWEQ */
+	print,	/* PRINT */
+	aprintf,	/* PRINTF */
+	awsprintf,	/* SPRINTF */
+	nullproc,	/* ELSE */
+	intest,	/* INTEST */
+	condexpr,	/* CONDEXPR */
+	incrdecr,	/* POSTINCR */
+	incrdecr,	/* PREINCR */
+	incrdecr,	/* POSTDECR */
+	incrdecr,	/* PREDECR */
+	nullproc,	/* VAR */
+	nullproc,	/* IVAR */
+	getnf,	/* VARNF */
+	call,	/* CALL */
+	nullproc,	/* NUMBER */
+	nullproc,	/* STRING */
+	nullproc,	/* FIELD */
+	nullproc,	/* REGEXPR */
+	getline,	/* GETLINE */
+	jump,	/* RETURN */
+	split,	/* SPLIT */
+	substr,	/* SUBSTR */
+	whilestat,	/* WHILE */
+	cat,	/* CAT */
+	boolop,	/* NOT */
+	arith,	/* UMINUS */
+	arith,	/* POWER */
+	nullproc,	/* DECR */
+	nullproc,	/* INCR */
+	indirect,	/* INDIRECT */
+	nullproc,	/* LASTTOKEN */
+};
+
+unsigned char *tokname(int n)
+{
+	static unsigned char buf[100];
+
+	if (n < FIRSTTOKEN || n > LASTTOKEN) {
+		snprintf((char *)buf, sizeof buf, "token %d", n);
+		return buf;
+	}
+	return printname[n-257];
+}
diff --git a/nixpkgs/pkgs/os-specific/linux/minimal-bootstrap/heirloom/proctab.patch b/nixpkgs/pkgs/os-specific/linux/minimal-bootstrap/heirloom/proctab.patch
new file mode 100644
index 000000000000..30913c9022b7
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/minimal-bootstrap/heirloom/proctab.patch
@@ -0,0 +1,11 @@
+--- nawk/Makefile.mk
++++ nawk/Makefile.mk
+@@ -28,8 +28,6 @@ maketab: maketab.o
+ 	$(HOSTCC) maketab.o -o maketab
+ 	./maketab > proctab.c
+ 
+-proctab.c: maketab
+-
+ awk.g.o: awk.g.c
+ 	$(CC) $(CFLAGSS) $(CPPFLAGS) $(XO5FL) $(LARGEF) $(IWCHAR) $(ICOMMON) $(IUXRE) -c awk.g.c
+ 
diff --git a/nixpkgs/pkgs/os-specific/linux/minimal-bootstrap/heirloom/strcoll.patch b/nixpkgs/pkgs/os-specific/linux/minimal-bootstrap/heirloom/strcoll.patch
new file mode 100644
index 000000000000..20ed5c5c352e
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/minimal-bootstrap/heirloom/strcoll.patch
@@ -0,0 +1,73 @@
+--- comm/comm.c
++++ comm/comm.c
+@@ -242,7 +242,7 @@ compare(const char *a, const char *b)
+ 			return(2);
+ 		}
+ 	} else {
+-		n = strcoll(a, b);
++		n = strcmp(a, b);
+ 		return n ? n > 0 ? 2 : 1 : 0;
+ 	}
+ }
+--- expr/expr.y
++++ expr/expr.y
+@@ -234,7 +234,7 @@ _rel(int op, register char *r1, register char *r2)
+ 	if (numeric(r1) && numeric(r2))
+ 		i = atoll(r1) - atoll(r2);
+ 	else
+-		i = strcoll(r1, r2);
++		i = strcmp(r1, r2);
+ 	switch(op) {
+ 	case EQ: i = i==0; break;
+ 	case GT: i = i>0; break;
+--- join/join.c
++++ join/join.c
+@@ -65,7 +65,7 @@ enum {
+ 	JF = -1
+ };
+ #define	ppi(f, j)	((j) >= 0 && (j) < ppisize[f] ? ppibuf[f][j] : null)
+-#define comp() strcoll(ppi(F1, j1),ppi(F2, j2))
++#define comp() strcmp(ppi(F1, j1),ppi(F2, j2))
+ 
+ #define	next(wc, s, n)	(*(s) & 0200 ? ((n) = mbtowi(&(wc), (s), mb_cur_max), \
+ 		(n) = ((n) > 0 ? (n) : (n) < 0 ? (wc=WEOF, 1) : 1)) : \
+--- ls/ls.c
++++ ls/ls.c
+@@ -575,13 +575,13 @@ _mergesort(struct file **al)
+ static int
+ namecmp(struct file *f1, struct file *f2)
+ {
+-	return strcoll(f1->name, f2->name);
++	return strcmp(f1->name, f2->name);
+ }
+ 
+ static int
+ extcmp(struct file *f1, struct file *f2)
+ {
+-	return strcoll(extension(f1->name), extension(f2->name));
++	return strcmp(extension(f1->name), extension(f2->name));
+ }
+ 
+ static int
+--- nawk/run.c
++++ nawk/run.c
+@@ -608,7 +608,7 @@ Cell *relop(Node **a, int n)
+ 		j = x->fval - y->fval;
+ 		i = j<0? -1: (j>0? 1: 0);
+ 	} else {
+-		i = strcoll((char*)getsval(x), (char*)getsval(y));
++		i = strcmp((char*)getsval(x), (char*)getsval(y));
+ 	}
+ 	tempfree(x, "");
+ 	tempfree(y, "");
+--- sort/sort.c
++++ sort/sort.c
+@@ -1148,7 +1148,7 @@ cmpl(const char *pa, const char *pb)
+ 
+ 	ecpy(collba, pa, '\n');
+ 	ecpy(collbb, pb, '\n');
+-	n = strcoll(collba, collbb);
++	n = strcmp(collba, collbb);
+ 	return n ? n > 0 ? -fields[0].rflg : fields[0].rflg : 0;
+ }
+ 
diff --git a/nixpkgs/pkgs/os-specific/linux/minimal-bootstrap/heirloom/stubs.h b/nixpkgs/pkgs/os-specific/linux/minimal-bootstrap/heirloom/stubs.h
new file mode 100644
index 000000000000..5aef8168180b
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/minimal-bootstrap/heirloom/stubs.h
@@ -0,0 +1,64 @@
+#include <getopt.h>
+extern int optopt;
+
+int ftruncate(int fd, int offset) {
+  return -1;
+}
+
+int getsid (int pid) {
+  return -1;
+}
+
+static int isblank(int c)
+{
+	return c == ' ' || c == '\t';
+}
+
+#define lchown chown
+
+// meslibc implements lstat but is missing declaration
+#include <sys/stat.h>
+int lstat (char const *file_name, struct stat *statbuf);
+
+#include <fcntl.h>
+int mkstemp(char *t)
+{
+  mktemp(t);
+  int fd = open(t, O_CREAT|O_RDWR|O_TRUNC, 0600);
+  return fd;
+}
+
+int putenv(char *string)
+{
+  return 0;
+}
+
+char* realpath (char* path, char* resolved) {
+  return NULL;
+}
+
+#define strncasecmp(a,b,n) strncmp(strupr(a),strupr(b),n)
+
+
+#define nlink_t unsigned long
+
+#include <limits.h>
+#define USHRT_MAX UINT16_MAX
+#define SSIZE_MAX LONG_MAX
+#define MB_LEN_MAX 1 
+
+#define EPERM 1
+#define ESRCH 3
+#define EDOM 33
+#define S_IFSOCK 0140000
+#define S_ISVTX 01000
+#define S_IREAD S_IRUSR
+#define S_IWRITE S_IWUSR
+#define S_IEXEC S_IXUSR
+
+#define _PC_PATH_MAX PATH_MAX
+#define _PC_VDISABLE 8
+#define _POSIX_PATH_MAX PATH_MAX
+#define LINE_MAX 4096
+
+#define LC_TIME 0
diff --git a/nixpkgs/pkgs/os-specific/linux/minimal-bootstrap/heirloom/sysconf.patch b/nixpkgs/pkgs/os-specific/linux/minimal-bootstrap/heirloom/sysconf.patch
new file mode 100644
index 000000000000..3d1b3e152ee1
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/minimal-bootstrap/heirloom/sysconf.patch
@@ -0,0 +1,77 @@
+--- cmp/cmp.c
++++ cmp/cmp.c
+@@ -264,7 +264,7 @@ openfile(const char *fn)
+ 	struct file	*f;
+ 
+ 	if (pagesize == 0)
+-		if ((pagesize = sysconf(_SC_PAGESIZE)) < 0)
++		if ((pagesize = 4096) < 0)
+ 			pagesize = 4096;
+ 	if ((f = memalign(pagesize, sizeof *f)) == NULL) {
+ 		write(2, "no memory\n", 10);
+--- copy/copy.c
++++ copy/copy.c
+@@ -362,7 +362,7 @@ fdcopy(const char *src, const struct stat *sp, int sfd,
+ 			goto err;
+ 	}
+ #endif	/* __linux__ */
+-	if (pagesize == 0 && (pagesize = sysconf(_SC_PAGESIZE)) <= 0)
++	if (pagesize == 0 && (pagesize = 4096) <= 0)
+ 		pagesize = 4096;
+ 	if ((blksize = sp->st_blksize) <= 0)
+ 		blksize = 512;
+--- cp/cp.c
++++ cp/cp.c
+@@ -438,7 +438,7 @@ fdcopy(const char *src, const struct stat *ssp, const int sfd,
+ 	}
+ #endif	/* __linux__ */
+ 	if (pagesize == 0)
+-		if ((pagesize = sysconf(_SC_PAGESIZE)) < 0)
++		if ((pagesize = 4096) < 0)
+ 			pagesize = 4096;
+ 	if (bflag)
+ 		blksize = bflag;
+--- libcommon/ib_alloc.c
++++ libcommon/ib_alloc.c
+@@ -41,7 +41,7 @@ ib_alloc(int fd, unsigned blksize)
+ 	struct stat	st;
+ 
+ 	if (pagesize == 0)
+-		if ((pagesize = sysconf(_SC_PAGESIZE)) < 0)
++		if ((pagesize = 4096) < 0)
+ 			pagesize = 4096;
+ 	if (blksize == 0) {
+ 		if (fstat(fd, &st) < 0)
+--- libcommon/memalign.c
++++ libcommon/memalign.c
+@@ -40,7 +40,7 @@ memalign(size_t alignment, size_t size)
+ 	static long	pagesize;
+ 
+ 	if (pagesize == 0)
+-		pagesize = sysconf(_SC_PAGESIZE);
++		pagesize = 4096;
+ 	if (alignment != pagesize)
+ 		return NULL;
+ 	if (size < pagesize)
+--- libcommon/oblok.c
++++ libcommon/oblok.c
+@@ -100,7 +100,7 @@ ob_alloc(int fd, enum ob_mode bf)
+ 	struct oblok	*op;
+ 
+ 	if (pagesize == 0)
+-		if ((pagesize = sysconf(_SC_PAGESIZE)) < 0)
++		if ((pagesize = 4096) < 0)
+ 			pagesize = 4096;
+ 	if ((op = memalign(pagesize, sizeof *op)) == NULL)
+ 		return NULL;
+--- xargs/xargs.c
++++ xargs/xargs.c
+@@ -404,7 +404,7 @@ static void
+ endcmd(void)
+ {
+ 	a_agg = a_cnt;
+-	a_maxsize = sysconf(_SC_ARG_MAX) - envsz() - 2048 - a_asz;
++	a_maxsize = 65536 - envsz() - 2048 - a_asz;
+ 	if (nflag || sflag) {
+ 		long	newsize = sflag ? atol(sflag) :
+ #ifdef	WEIRD_LIMITS
diff --git a/nixpkgs/pkgs/os-specific/linux/minimal-bootstrap/heirloom/tcc-empty-ar.patch b/nixpkgs/pkgs/os-specific/linux/minimal-bootstrap/heirloom/tcc-empty-ar.patch
new file mode 100644
index 000000000000..7c57a54b93b3
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/minimal-bootstrap/heirloom/tcc-empty-ar.patch
@@ -0,0 +1,11 @@
+--- libwchar/Makefile.mk
++++ libwchar/Makefile.mk
+@@ -10,7 +10,7 @@ fake:
+ 	if test "x$(LWCHAR)" = x; \
+ 	then \
+ 		touch $(OBJ); \
+-		ar r libwchar.a $(OBJ); \
++		touch libwchar.a $(OBJ); \
+ 	fi
+ 
+ install:
diff --git a/nixpkgs/pkgs/os-specific/linux/minimal-bootstrap/heirloom/termios.patch b/nixpkgs/pkgs/os-specific/linux/minimal-bootstrap/heirloom/termios.patch
new file mode 100644
index 000000000000..ea40a8d7a040
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/minimal-bootstrap/heirloom/termios.patch
@@ -0,0 +1,141 @@
+--- ed/ed.c
++++ ed/ed.c
+@@ -68,7 +68,6 @@ static const char sccsid[] USED = "@(#)ed.sl	1.99 (gritter) 7/27/06";
+ #include <stdlib.h>
+ #include <signal.h>
+ #include "sigset.h"
+-#include <termios.h>
+ #include <setjmp.h>
+ #include <libgen.h>
+ #include <inttypes.h>
+@@ -77,7 +76,6 @@ static const char sccsid[] USED = "@(#)ed.sl	1.99 (gritter) 7/27/06";
+ #include <ctype.h>
+ #include <wctype.h>
+ #include <limits.h>
+-#include <termios.h>
+ static int	FNSIZE;
+ static int	LBSIZE;
+ static int	RHSIZE;
+@@ -2273,22 +2271,10 @@ sclose(int fd)
+ static void
+ fspec(const char *lp)
+ {
+-	struct termios	ts;
+ 	const char	*cp;
+ 
+ 	freetabs();
+ 	maxlength = 0;
+-	if (tcgetattr(1, &ts) < 0
+-#ifdef	TAB3
+-			|| (ts.c_oflag&TAB3) == 0
+-#endif
+-			)
+-		return;
+-	while (lp[0]) {
+-		if (lp[0] == '<' && lp[1] == ':')
+-			break;
+-		lp++;
+-	}
+ 	if (lp[0]) {
+ 		lp += 2;
+ 		while ((cp = ftok(&lp)) != NULL) {
+--- ls/ls.c
++++ ls/ls.c
+@@ -102,7 +102,6 @@ static char ifmt_c[] = "-pc-d-b--nl-SD--";
+ #include <grp.h>
+ #include <errno.h>
+ #include <fcntl.h>
+-#include <termios.h>
+ #include <locale.h>
+ #include <limits.h>
+ #include <ctype.h>
+@@ -110,14 +109,6 @@ static char ifmt_c[] = "-pc-d-b--nl-SD--";
+ #include <wchar.h>
+ #include <wctype.h>
+ #include "config.h"
+-#ifndef	USE_TERMCAP
+-#ifndef	sun
+-#include <curses.h>
+-#include <term.h>
+-#endif
+-#else	/* USE_TERMCAP */
+-#include <termcap.h>
+-#endif	/* USE_TERMCAP */
+ 
+ #ifdef	_AIX
+ #include <sys/sysmacros.h>
+@@ -989,13 +980,6 @@ printname(const char *name, struct file *f, int doit)
+ 			bold++;
+ 		}
+ 		if (color) {
+-#ifndef	USE_TERMCAP
+-			if (bold)
+-				vidattr(A_BOLD);
+-#else	/* USE_TERMCAP */
+-			if (Bold)
+-				tputs(Bold, 1, putchar);
+-#endif	/* USE_TERMCAP */
+ 			printf(color);
+ 		}
+ 	}
+@@ -1056,13 +1040,6 @@ printname(const char *name, struct file *f, int doit)
+ 		}
+ 	}
+ 	if (doit && color) {
+-#if !defined (USE_TERMCAP)
+-		if (bold)
+-			vidattr(A_NORMAL);
+-#else	/* USE_TERMCAP */
+-		if (Normal)
+-			tputs(Normal, 1, putchar);
+-#endif	/* USE_TERMCAP */
+ 		printf(fc_get(FC_NORMAL));
+ 	}
+ 	if (f)
+@@ -1598,16 +1575,12 @@ main(int argc, char **argv)
+ {
+ 	struct file *flist = nil, **aflist = &flist;
+ 	enum depth depth;
+-	struct winsize ws;
+ 	int i;
+ 	char *cp;
+ 
+ #ifdef	__GLIBC__
+ 	putenv("POSIXLY_CORRECT=1");
+ #endif
+-	setlocale(LC_COLLATE, "");
+-	setlocale(LC_CTYPE, "");
+-	setlocale(LC_TIME, "");
+ #ifndef	UCB
+ 	if (getenv("SYSV3") != NULL)
+ 		sysv3 = 1;
+@@ -1624,16 +1597,6 @@ main(int argc, char **argv)
+ 	}
+ 	if (istty || isatty(1)) {
+ 		istty = 1;
+-#if !defined (USE_TERMCAP)
+-		setupterm(NULL, 1, &tinfostat);
+-#else	/* USE_TERMCAP */
+-		{
+-			char	buf[2048];
+-			if ((cp = getenv("TERM")) != NULL)
+-				if (tgetent(buf, cp) > 0)
+-					tinfostat = 1;
+-		}
+-#endif	/* USE_TERMCAP */
+ 		field |= FL_STATUS;
+ 	}
+ 	while ((i = getopt(argc, argv, personalities[personality].per_opt))
+@@ -1753,12 +1716,6 @@ main(int argc, char **argv)
+ 	if ((cp = getenv("COLUMNS")) != NULL) {
+ 		ncols = atoi(cp);
+ 	} else if ((present('C') || present('x') || present('m')) && istty) {
+-		if (ioctl(1, TIOCGWINSZ, &ws) == 0 && ws.ws_col > 0)
+-			ncols = ws.ws_col - 1;
+-#if !defined (USE_TERMCAP)
+-		else if (tinfostat == 1 && columns > 0)
+-			ncols = columns;
+-#endif	/* !USE_TERMCAP */
+ 	}
+ 	depth = SURFACE;
+ 	if (optind == argc) {
diff --git a/nixpkgs/pkgs/os-specific/linux/minimal-bootstrap/heirloom/utime.patch b/nixpkgs/pkgs/os-specific/linux/minimal-bootstrap/heirloom/utime.patch
new file mode 100644
index 000000000000..081ac9d2ee3c
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/minimal-bootstrap/heirloom/utime.patch
@@ -0,0 +1,90 @@
+--- copy/copy.c
++++ copy/copy.c
+@@ -46,7 +46,6 @@ static const char sccsid[] USED = "@(#)copy.sl	1.15 (gritter) 5/29/05";
+ #include <libgen.h>
+ #include <limits.h>
+ #include <dirent.h>
+-#include <utime.h>
+ #include <stdarg.h>
+ #include "sfile.h"
+ #include "memalign.h"
+@@ -441,12 +440,6 @@ attribs(const char *dst, const struct stat *sp)
+ 	if (oflag && ((sp->st_mode&S_IFMT) == S_IFLNK ?
+ 			lchown:chown)(dst, sp->st_uid, sp->st_gid) < 0)
+ 		complain("Unable to chown %s", dst);
+-	if (mflag && (sp->st_mode&S_IFMT) != S_IFLNK) {
+-		struct utimbuf	ut;
+-		ut.actime = sp->st_atime;
+-		ut.modtime = sp->st_mtime;
+-		utime(dst, &ut);
+-	}
+ }
+ 
+ static void
+--- cp/cp.c
++++ cp/cp.c
+@@ -56,7 +56,6 @@ static const char sccsid[] USED = "@(#)cp.sl	1.84 (gritter) 3/4/06";
+ #include	<libgen.h>
+ #include	<limits.h>
+ #include	<dirent.h>
+-#include	<utime.h>
+ #include	"sfile.h"
+ #include	"memalign.h"
+ #include	"alloca.h"
+@@ -354,18 +353,6 @@ permissions(const char *path, const struct stat *ssp)
+ 
+ 	mode = ssp->st_mode & 07777;
+ 	if (pflag) {
+-		struct utimbuf ut;
+-		ut.actime = ssp->st_atime;
+-		ut.modtime = ssp->st_mtime;
+-		if (utime(path, &ut) < 0) {
+-#if defined (SUS) || defined (S42)
+-			fprintf(stderr, "%s: cannot set times for %s\n%s: %s\n",
+-					progname, path,
+-					progname, strerror(errno));
+-#endif /* SUS || S42 */
+-			if (pers != PERS_MV)
+-				errcnt |= 010;
+-		}
+ 		if (myuid == 0) {
+ 			if (chown(path, ssp->st_uid, ssp->st_gid) < 0) {
+ #if defined (SUS) || defined (S42)
+--- touch/touch.c
++++ touch/touch.c
+@@ -47,7 +47,6 @@ static const char sccsid[] USED = "@(#)touch.sl	1.21 (gritter) 5/29/05";
+ #include	<stdlib.h>
+ #include	<errno.h>
+ #include	<libgen.h>
+-#include	<utime.h>
+ #include	<ctype.h>
+ #include	<time.h>
+ 
+@@ -80,7 +79,6 @@ static void
+ touch(const char *fn)
+ {
+ 	struct stat st;
+-	struct utimbuf ut;
+ 
+ 	if (stat(fn, &st) < 0) {
+ 		if (errno == ENOENT) {
+@@ -113,19 +111,6 @@ touch(const char *fn)
+ 			return;
+ 		}
+ 	}
+-	if (aflag)
+-		ut.actime = nacc;
+-	else
+-		ut.actime = st.st_atime;
+-	if (mflag)
+-		ut.modtime = nmod;
+-	else
+-		ut.modtime = st.st_mtime;
+-	if (utime(fn, nulltime ? NULL : &ut) < 0) {
+-		fprintf(stderr, "%s: cannot change times on %s\n",
+-				progname, fn);
+-		errcnt++;
+-	}
+ }
+ 
+ static void
diff --git a/nixpkgs/pkgs/os-specific/linux/minimal-bootstrap/heirloom/vprintf.patch b/nixpkgs/pkgs/os-specific/linux/minimal-bootstrap/heirloom/vprintf.patch
new file mode 100644
index 000000000000..6abce89b2f31
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/minimal-bootstrap/heirloom/vprintf.patch
@@ -0,0 +1,128 @@
+--- cksum/cksum.c
++++ cksum/cksum.c
+@@ -147,7 +147,7 @@ cksum(const char *name)
+ 		s = (s << 8) ^ crctab[(s >> 24) ^ c];
+ 	}
+ 	s = ~s;
+-	printf("%u %llu", (unsigned)s, nbytes);
++	printf("%u %lu", (unsigned)s, nbytes);
+ 	if(name)
+ 		printf(" %s", name);
+ 	printf("\n");
+--- cmp/cmp.c
++++ cmp/cmp.c
+@@ -246,8 +246,8 @@ different:
+ 				errcnt = 1;
+ 			} else {
+ 				if (sflag == 0)
+-					printf("%s %s differ: char %lld,"
+-							" line %lld\n",
++					printf("%s %s differ: char %ld,"
++							" line %ld\n",
+ 						f1->f_nam, f2->f_nam,
+ 						(long long)offset(f1),
+ 						line);
+--- csplit/csplit.c
++++ csplit/csplit.c
+@@ -284,7 +284,7 @@ csplit(const char *fn)
+ 				op = nextfile();
+ 			if (op) {
+ 				if (!sflag)
+-					printf("%lld\n", bytes);
++					printf("%ld\n", bytes);
+ 				bytes = 0;
+ 				fclose(op);
+ 			}
+--- expr/expr.y
++++ expr/expr.y
+@@ -140,7 +140,7 @@ expression:	expr NOARG {
+ 			if (sus && numeric($1)) {
+ 				int64_t	n;
+ 				n = atoll($1);
+-				printf("%lld\n", n);
++				printf("%ld\n", n);
+ 				exit(n == 0);
+ 			} else
+ 				puts($1);
+@@ -447,10 +447,10 @@ numpr(int64_t val)
+ 	int	ret;
+ 
+ 	rv = smalloc(NUMSZ);
+-	ret = snprintf(rv, NUMSZ, "%lld", (long long)val);
++	ret = snprintf(rv, NUMSZ, "%ld", (long long)val);
+ 	if (ret < 0 || ret >= NUMSZ) {
+ 		rv = srealloc(rv, ret + 1);
+-		ret = snprintf(rv, ret, "%lld", (long long)val);
++		ret = snprintf(rv, ret, "%ld", (long long)val);
+ 		if (ret < 0)
+ 			yyerror("illegal number");
+ 	}
+--- grep/Makefile.mk
++++ grep/Makefile.mk
+@@ -92,7 +92,7 @@ config.h:
+ 	-echo 'long long foo;' >___build$$$$.c ; \
+ 	$(CC) $(CFLAGS2) $(CPPFLAGS) $(IWCHAR) $(ICOMMON) $(IUXRE) $(LARGEF) -c ___build$$$$.c >/dev/null 2>&1 ; \
+ 	if test $$? = 0 && test -f ___build$$$$.o ; \
+-	then	echo '#define	LONGLONG' >>config.h ; \
++	then	echo '' >>config.h ; \
+ 	fi ; \
+ 	rm -f ___build$$$$.o ___build$$$$.c
+ 
+--- ls/Makefile.mk
++++ ls/Makefile.mk
+@@ -76,7 +76,7 @@ config.h:
+ 	-echo 'long long foo;' >___build$$$$.c ; \
+ 	$(CC) $(CFLAGS) $(CPPFLAGS) $(LARGEF) $(IWCHAR) -c ___build$$$$.c >/dev/null 2>&1 ; \
+ 	if test $$? = 0 && test -f ___build$$$$.o ; \
+-	then	echo '#define	LONGLONG' >>config.h ; \
++	then	echo '' >>config.h ; \
+ 	fi ; \
+ 	rm -f ___build$$$$.o ___build$$$$.c
+ 	-echo '#include <sys/types.h>' >___build$$$$.c ; \
+--- pr/pr.c
++++ pr/pr.c
+@@ -548,7 +548,7 @@ print(const char *fp, const char **argp)
+ 			putcs("  ");
+ 			putcs(header);
+ 			snprintf(linebuf, sizeof linebuf,
+-					" Page %lld\n\n\n", page);
++					" Page %ld\n\n\n", page);
+ 			putcs(linebuf);
+ 		}
+ 		c = putpage();
+--- sed/sed1.c
++++ sed/sed1.c
+@@ -489,7 +489,7 @@ command(struct reptr *ipc)
+ 			break;
+ 
+ 		case EQCOM:
+-			fprintf(stdout, "%lld\n", lnum);
++			fprintf(stdout, "%ld\n", lnum);
+ 			break;
+ 
+ 		case GCOM:
+--- sum/sum.c
++++ sum/sum.c
+@@ -116,7 +116,7 @@ sum(const char *name)
+ 	else {
+ 		s = (s & 0xFFFF) + (s >> 16);
+ 		s = (s & 0xFFFF) + (s >> 16);
+-		printf("%u %llu", (unsigned)s,
++		printf("%u %lu", (unsigned)s,
+ 				(unsigned long long)(nbytes+UNIT-1)/UNIT);
+ 	}
+ 	if(name)
+--- wc/wc.c
++++ wc/wc.c
+@@ -89,9 +89,9 @@ report(unsigned long long count)
+ #if defined (S42)
+ 	if (putspace++)
+ 		printf(" ");
+-	printf("%llu", count);
++	printf("%lu", count);
+ #else	/* !S42 */
+-	printf("%7llu ", count);
++	printf("%7lu ", count);
+ #endif	/* !S42 */
+ }
+ 
diff --git a/nixpkgs/pkgs/os-specific/linux/minimal-bootstrap/linux-headers/default.nix b/nixpkgs/pkgs/os-specific/linux/minimal-bootstrap/linux-headers/default.nix
new file mode 100644
index 000000000000..6addd11554d0
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/minimal-bootstrap/linux-headers/default.nix
@@ -0,0 +1,49 @@
+{ lib
+, fetchurl
+, bash
+, gnutar
+, xz
+}:
+let
+  # WARNING: You probably don't want to use this package outside minimal-bootstrap
+  #
+  # We need some set of Linux kernel headers to build our bootstrap packages
+  # (gcc/binutils/glibc etc.) against. As long as it compiles it is "good enough".
+  # Therefore the requirement for correctness, completeness, platform-specific
+  # features, and being up-to-date, are very loose.
+  #
+  # Rebuilding the Linux headers from source correctly is something we can defer
+  # till we have access to gcc/binutils/perl. For now we can use Guix's assembled
+  # kernel header distribution and assume it's good enough.
+  pname = "linux-headers";
+  version = "4.14.67";
+
+  src = fetchurl {
+    url = "mirror://gnu/gnu/guix/bootstrap/i686-linux/20190815/linux-libre-headers-stripped-4.14.67-i686-linux.tar.xz";
+    sha256 = "0sm2z9x4wk45bh6qfs94p0w1d6hsy6dqx9sw38qsqbvxwa1qzk8s";
+  };
+in
+bash.runCommand "${pname}-${version}" {
+  inherit pname version;
+
+  nativeBuildInputs = [
+    gnutar
+    xz
+  ];
+
+  meta = with lib; {
+    description = "Header files and scripts for Linux kernel";
+    license = licenses.gpl2;
+    maintainers = teams.minimal-bootstrap.members;
+    platforms = platforms.linux;
+  };
+} ''
+  # Unpack
+  cp ${src} linux-headers.tar.xz
+  unxz linux-headers.tar.xz
+  tar xf linux-headers.tar
+
+  # Install
+  mkdir $out
+  cp -r include $out
+''
diff --git a/nixpkgs/pkgs/os-specific/linux/minimal-bootstrap/ln-boot/default.nix b/nixpkgs/pkgs/os-specific/linux/minimal-bootstrap/ln-boot/default.nix
new file mode 100644
index 000000000000..c24504ec00a0
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/minimal-bootstrap/ln-boot/default.nix
@@ -0,0 +1,28 @@
+{ lib
+, kaem
+, mes
+}:
+let
+  pname = "ln-boot";
+  version = "unstable-2023-05-22";
+
+  src = ./ln.c;
+in
+kaem.runCommand "${pname}-${version}" {
+  inherit pname version;
+
+  meta = with lib; {
+    description = "Basic tool for creating symbolic links";
+    license = licenses.mit;
+    maintainers = teams.minimal-bootstrap.members;
+    mainProgram = "ln";
+    platforms = platforms.unix;
+  };
+} ''
+  mkdir -p ''${out}/bin
+  ${mes.compiler}/bin/mes --no-auto-compile -e main ${mes.srcPost.bin}/bin/mescc.scm -- \
+    -L ${mes.libs}/lib \
+    -lc+tcc \
+    -o ''${out}/bin/ln \
+    ${src}
+''
diff --git a/nixpkgs/pkgs/os-specific/linux/minimal-bootstrap/ln-boot/ln.c b/nixpkgs/pkgs/os-specific/linux/minimal-bootstrap/ln-boot/ln.c
new file mode 100644
index 000000000000..b7a681f8270c
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/minimal-bootstrap/ln-boot/ln.c
@@ -0,0 +1,17 @@
+#include <stdio.h>
+#include <stdlib.h>
+#include <unistd.h>
+#include <string.h>
+
+int main(int argc, char** argv)
+{
+  if (argc != 4 || strcmp(argv[1], "-s")) {
+    fputs("Usage: ", stdout);
+    fputs(argv[0], stdout);
+    fputs(" -s TARGET LINK_NAME\n", stdout);
+    exit(EXIT_FAILURE);
+  }
+
+  symlink(argv[2], argv[3]);
+  exit(EXIT_SUCCESS);
+}
diff --git a/nixpkgs/pkgs/os-specific/linux/minimal-bootstrap/mes/default.nix b/nixpkgs/pkgs/os-specific/linux/minimal-bootstrap/mes/default.nix
new file mode 100644
index 000000000000..0cf66c5bc230
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/minimal-bootstrap/mes/default.nix
@@ -0,0 +1,237 @@
+{ lib
+, fetchurl
+, callPackage
+, kaem
+, m2libc
+, mescc-tools
+}:
+
+# Maintenance note:
+# Build steps have been adapted from build-aux/bootstrap.sh.in
+# as well as the live-bootstrap project
+# https://github.com/fosslinux/live-bootstrap/blob/1bc4296091c51f53a5598050c8956d16e945b0f5/sysa/mes-0.24.2/mes-0.24.2.kaem
+
+let
+  pname = "mes";
+  version = "0.24.2";
+
+  src = fetchurl {
+    url = "mirror://gnu/mes/mes-${version}.tar.gz";
+    sha256 = "0vp8v88zszh1imm3dvdfi3m8cywshdj7xcrsq4cgmss69s2y1nkx";
+  };
+
+  nyacc = callPackage ./nyacc.nix { inherit nyacc; };
+
+  config_h = builtins.toFile "config.h" ''
+    #undef SYSTEM_LIBC
+    #define MES_VERSION "${version}"
+  '';
+
+  sources = (import ./sources.nix).x86.linux.mescc;
+  inherit (sources) libc_mini_SOURCES libmescc_SOURCES libc_SOURCES mes_SOURCES;
+
+  # add symlink() to libc+tcc so we can use it in ln-boot
+  libc_tcc_SOURCES = sources.libc_tcc_SOURCES ++ [ "lib/linux/symlink.c" ];
+
+  meta = with lib; {
+    description = "Scheme interpreter and C compiler for bootstrapping";
+    homepage = "https://www.gnu.org/software/mes";
+    license = licenses.gpl3Plus;
+    maintainers = teams.minimal-bootstrap.members;
+    platforms = [ "i686-linux" ];
+  };
+
+  srcPost = kaem.runCommand "${pname}-src-${version}" {
+    outputs = [ "out" "bin" ];
+    inherit meta;
+  } ''
+    # Unpack source
+    ungz --file ${src} --output mes.tar
+    mkdir ''${out}
+    cd ''${out}
+    untar --non-strict --file ''${NIX_BUILD_TOP}/mes.tar # ignore symlinks
+
+    MES_PREFIX=''${out}/mes-${version}
+
+    cd ''${MES_PREFIX}
+
+    cp ${config_h} include/mes/config.h
+
+    mkdir include/arch
+    cp include/linux/x86/syscall.h include/arch/syscall.h
+    cp include/linux/x86/kernel-stat.h include/arch/kernel-stat.h
+
+    # Remove pregenerated files
+    rm mes/module/mes/psyntax.pp mes/module/mes/psyntax.pp.header
+
+    # These files are symlinked in the repo
+    cp mes/module/srfi/srfi-9-struct.mes mes/module/srfi/srfi-9.mes
+    cp mes/module/srfi/srfi-9/gnu-struct.mes mes/module/srfi/srfi-9/gnu.mes
+
+    # Fixes to support newer M2-Planet
+    catm x86_defs.M1 ${m2libc}/x86/x86_defs.M1 lib/m2/x86/x86_defs.M1
+    cp x86_defs.M1 lib/m2/x86/x86_defs.M1
+    rm x86_defs.M1
+
+    # Remove environment impurities
+    __GUILE_LOAD_PATH="\"''${MES_PREFIX}/mes/module:''${MES_PREFIX}/module:${nyacc.guilePath}\""
+    boot0_scm=mes/module/mes/boot-0.scm
+    guile_mes=mes/module/mes/guile.mes
+    replace --file ''${boot0_scm} --output ''${boot0_scm} --match-on "(getenv \"GUILE_LOAD_PATH\")" --replace-with ''${__GUILE_LOAD_PATH}
+    replace --file ''${guile_mes} --output ''${guile_mes} --match-on "(getenv \"GUILE_LOAD_PATH\")" --replace-with ''${__GUILE_LOAD_PATH}
+
+    module_mescc_scm=module/mescc/mescc.scm
+    replace --file ''${module_mescc_scm} --output ''${module_mescc_scm} --match-on "(getenv \"M1\")" --replace-with "\"${mescc-tools}/bin/M1\""
+    replace --file ''${module_mescc_scm} --output ''${module_mescc_scm} --match-on "(getenv \"HEX2\")" --replace-with "\"${mescc-tools}/bin/hex2\""
+    replace --file ''${module_mescc_scm} --output ''${module_mescc_scm} --match-on "(getenv \"BLOOD_ELF\")" --replace-with "\"${mescc-tools}/bin/blood-elf\""
+    replace --file ''${module_mescc_scm} --output ''${module_mescc_scm} --match-on "(getenv \"srcdest\")" --replace-with "\"''${MES_PREFIX}\""
+
+    mes_c=src/mes.c
+    replace --file ''${mes_c} --output ''${mes_c} --match-on "getenv (\"MES_PREFIX\")" --replace-with "\"''${MES_PREFIX}\""
+    replace --file ''${mes_c} --output ''${mes_c} --match-on "getenv (\"srcdest\")" --replace-with "\"''${MES_PREFIX}\""
+
+    # Increase runtime resource limits
+    gc_c=src/gc.c
+    replace --file ''${gc_c} --output ''${gc_c} --match-on "getenv (\"MES_ARENA\")" --replace-with "\"100000000\""
+    replace --file ''${gc_c} --output ''${gc_c} --match-on "getenv (\"MES_MAX_ARENA\")" --replace-with "\"100000000\""
+    replace --file ''${gc_c} --output ''${gc_c} --match-on "getenv (\"MES_STACK\")" --replace-with "\"6000000\""
+
+    # Create mescc.scm
+    mescc_in=scripts/mescc.scm.in
+    replace --file ''${mescc_in} --output ''${mescc_in} --match-on "(getenv \"MES_PREFIX\")" --replace-with "\"''${MES_PREFIX}\""
+    replace --file ''${mescc_in} --output ''${mescc_in} --match-on "(getenv \"includedir\")" --replace-with "\"''${MES_PREFIX}/include\""
+    replace --file ''${mescc_in} --output ''${mescc_in} --match-on "(getenv \"libdir\")" --replace-with "\"''${MES_PREFIX}/lib\""
+    replace --file ''${mescc_in} --output ''${mescc_in} --match-on @prefix@ --replace-with ''${MES_PREFIX}
+    replace --file ''${mescc_in} --output ''${mescc_in} --match-on @VERSION@ --replace-with ${version}
+    replace --file ''${mescc_in} --output ''${mescc_in} --match-on @mes_cpu@ --replace-with x86
+    replace --file ''${mescc_in} --output ''${mescc_in} --match-on @mes_kernel@ --replace-with linux
+    mkdir -p ''${bin}/bin
+    cp ''${mescc_in} ''${bin}/bin/mescc.scm
+
+    # Build mes-m2
+    mes_cpu=x86
+    stage0_cpu=x86
+    kaem --verbose --strict --file kaem.run
+    cp bin/mes-m2 ''${bin}/bin/mes-m2
+    chmod 555 ''${bin}/bin/mes-m2
+  '';
+
+  srcPrefix = "${srcPost.out}/mes-${version}";
+
+  cc = "${srcPost.bin}/bin/mes-m2";
+  ccArgs = [
+    "-e" "main"
+    "${srcPost.bin}/bin/mescc.scm"
+    "--"
+    "-D" "HAVE_CONFIG_H=1"
+    "-I" "${srcPrefix}/include"
+    "-I" "${srcPrefix}/include/linux/x86"
+  ];
+
+  CC = toString ([ cc ] ++ ccArgs);
+
+  stripExt = source:
+    lib.replaceStrings
+      [ ".c" ]
+      [ "" ]
+      (builtins.baseNameOf source);
+
+  compile = source: kaem.runCommand (stripExt source) {} ''
+    mkdir ''${out}
+    cd ''${out}
+    ${CC} -c ${srcPrefix}/${source}
+  '';
+
+  crt1 = compile "/lib/linux/x86-mes-mescc/crt1.c";
+
+  getRes = suffix: res: "${res}/${res.name}${suffix}";
+
+  archive = out: sources:
+    "catm ${out} ${lib.concatMapStringsSep " " (getRes ".o") sources}";
+  sourceArchive = out: sources:
+    "catm ${out} ${lib.concatMapStringsSep " " (getRes ".s") sources}";
+
+  mkLib = libname: sources: let
+    os = map compile sources;
+  in kaem.runCommand "${pname}-${libname}-${version}" {
+    inherit meta;
+  } ''
+    LIBDIR=''${out}/lib
+    mkdir -p ''${LIBDIR}
+    cd ''${LIBDIR}
+
+    ${archive "${libname}.a" os}
+    ${sourceArchive "${libname}.s" os}
+  '';
+
+  libc-mini = mkLib "libc-mini" libc_mini_SOURCES;
+  libmescc = mkLib "libmescc" libmescc_SOURCES;
+  libc = mkLib "libc" libc_SOURCES;
+  libc_tcc = mkLib "libc+tcc" libc_tcc_SOURCES;
+
+  # Recompile Mes and Mes C library using mes-m2 bootstrapped Mes
+  libs = kaem.runCommand "${pname}-m2-libs-${version}" {
+    inherit pname version;
+
+    passthru.tests.get-version = result: kaem.runCommand "${pname}-get-version-${version}" {} ''
+      ${result}/bin/mes --version
+      mkdir ''${out}
+    '';
+
+    inherit meta;
+  }
+  ''
+    LIBDIR=''${out}/lib
+    mkdir -p ''${out} ''${LIBDIR}
+
+    mkdir -p ''${LIBDIR}/x86-mes
+
+    # crt1.o
+    cp ${crt1}/crt1.o ''${LIBDIR}/x86-mes
+    cp ${crt1}/crt1.s ''${LIBDIR}/x86-mes
+
+    # libc-mini.a
+    cp ${libc-mini}/lib/libc-mini.a ''${LIBDIR}/x86-mes
+    cp ${libc-mini}/lib/libc-mini.s ''${LIBDIR}/x86-mes
+
+    # libmescc.a
+    cp ${libmescc}/lib/libmescc.a ''${LIBDIR}/x86-mes
+    cp ${libmescc}/lib/libmescc.s ''${LIBDIR}/x86-mes
+
+    # libc.a
+    cp ${libc}/lib/libc.a ''${LIBDIR}/x86-mes
+    cp ${libc}/lib/libc.s ''${LIBDIR}/x86-mes
+
+    # libc+tcc.a
+    cp ${libc_tcc}/lib/libc+tcc.a ''${LIBDIR}/x86-mes
+    cp ${libc_tcc}/lib/libc+tcc.s ''${LIBDIR}/x86-mes
+  '';
+
+  # Build mes itself
+  compiler = kaem.runCommand "${pname}-${version}" {
+    inherit pname version;
+
+    passthru.tests.get-version = result: kaem.runCommand "${pname}-get-version-${version}" {} ''
+      ${result}/bin/mes --version
+      mkdir ''${out}
+    '';
+
+    inherit meta;
+  }
+  ''
+    mkdir -p ''${out}/bin
+
+    ${srcPost.bin}/bin/mes-m2 -e main ${srcPost.bin}/bin/mescc.scm -- \
+      -L ''${srcPrefix}/lib \
+      -L ${libs}/lib \
+      -lc \
+      -lmescc \
+      -nostdlib \
+      -o ''${out}/bin/mes \
+      ${libs}/lib/x86-mes/crt1.o \
+      ${lib.concatMapStringsSep " " (getRes ".o") (map compile mes_SOURCES)}
+  '';
+in {
+  inherit srcPost srcPrefix nyacc;
+  inherit compiler libs;
+}
diff --git a/nixpkgs/pkgs/os-specific/linux/minimal-bootstrap/mes/gen-sources.sh b/nixpkgs/pkgs/os-specific/linux/minimal-bootstrap/mes/gen-sources.sh
new file mode 100755
index 000000000000..3a734129c1f7
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/minimal-bootstrap/mes/gen-sources.sh
@@ -0,0 +1,95 @@
+#!/usr/bin/env nix-shell
+#!nix-shell -i bash -p bash coreutils gnutar
+
+# Generate a sources.nix for a version of GNU mes. Creates lists of source files
+# from build-aux/configure-lib.sh.
+#
+# You may point this tool at a manually downloaded tarball, but more ideal is
+# using the source tarball from Nixpkgs. For example:
+#
+# MES_TARBALL="$(nix-build --no-link -A minimal-bootstrap.mes.src ../../../../..)"
+# ./gen-sources.sh "$MES_TARBALL" > ./new-sources.nix
+
+set -eu
+
+# Supported platforms
+ARCHS="x86"
+KERNELS="linux"
+COMPILERS="mescc gcc"
+
+
+format() {
+  echo -n "[ "
+  # Terrible hack to convert a newline-delimited string to space-delimited
+  echo $* | xargs printf '"%s" '
+  echo -n "]"
+}
+
+gen_sources() {
+  # Configuration variables used by configure-lib.sh
+  export mes_libc=mes
+  export mes_cpu=$1
+  export mes_kernel=$2
+  export compiler=$3
+
+  # Populate source file lists
+  source $CONFIGURE_LIB_SH
+
+  cat <<EOF
+  $mes_cpu.$mes_kernel.$compiler = {
+    libc_mini_SOURCES = $(format $libc_mini_SOURCES);
+    libmescc_SOURCES  = $(format $libmescc_SOURCES);
+    libtcc1_SOURCES   = $(format $libtcc1_SOURCES);
+    libc_SOURCES      = $(format $libc_SOURCES);
+    libc_tcc_SOURCES  = $(format $libc_tcc_SOURCES);
+    libc_gnu_SOURCES  = $(format $libc_gnu_SOURCES);
+    mes_SOURCES       = $(format $mes_SOURCES);
+  };
+EOF
+}
+
+
+MES_TARBALL=$1
+if [ ! -f $MES_TARBALL ]; then
+    echo "Provide path to mes-x.x.x.tar.gz as first argument" >&2
+    exit 1
+fi
+echo "Generating sources.nix from $MES_TARBALL" >&2
+
+TMP=$(mktemp -d)
+cd $TMP
+echo "Workdir: $TMP" >&2
+
+echo "Extracting $MES_TARBALL" >&2
+tar --strip-components 1 -xf $MES_TARBALL
+
+CONFIGURE_LIB_SH="$TMP/build-aux/configure-lib.sh"
+if [ ! -f $CONFIGURE_LIB_SH ]; then
+    echo "Could not find mes's configure-lib.sh script at $CONFIGURE_LIB_SH" >&2
+    exit 1
+fi
+
+# Create dummy config expected by configure-lib.sh
+touch config.sh
+chmod +x config.sh
+
+
+echo "Configuring with $CONFIGURE_LIB_SH" >&2
+
+cat <<EOF
+# This file is generated by ./gen-sources.sh.
+# Do not edit!
+{
+EOF
+
+for arch in $ARCHS; do
+  for kernel in $KERNELS; do
+    for compiler in $COMPILERS; do
+      gen_sources $arch $kernel $compiler
+    done
+  done
+done
+
+cat <<EOF
+}
+EOF
diff --git a/nixpkgs/pkgs/os-specific/linux/minimal-bootstrap/mes/libc.nix b/nixpkgs/pkgs/os-specific/linux/minimal-bootstrap/mes/libc.nix
new file mode 100644
index 000000000000..807d043fa9e3
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/minimal-bootstrap/mes/libc.nix
@@ -0,0 +1,60 @@
+{ lib
+, kaem
+, ln-boot
+, mes
+, mes-libc
+}:
+let
+  pname = "mes-libc";
+  inherit (mes.compiler) version;
+
+  sources = (import ./sources.nix).x86.linux.gcc;
+  inherit (sources) libtcc1_SOURCES libc_gnu_SOURCES;
+
+  # Concatenate all source files into a convenient bundle
+  # "gcc" variants of source files (eg. "lib/linux/x86-mes-gcc") can also be
+  # compiled by tinycc
+  #
+  # Passing this many arguments is too much for kaem so we need to split
+  # the operation in two
+  firstLibc = lib.take 100 libc_gnu_SOURCES;
+  lastLibc = lib.drop 100 libc_gnu_SOURCES;
+in
+kaem.runCommand "${pname}-${version}" {
+  inherit pname version;
+
+  nativeBuildInputs = [ ln-boot ];
+
+  passthru.CFLAGS = "-DHAVE_CONFIG_H=1 -I${mes-libc}/include -I${mes-libc}/include/linux/x86";
+
+  meta = with lib; {
+    description = "The Mes C Library";
+    homepage = "https://www.gnu.org/software/mes";
+    license = licenses.gpl3Plus;
+    maintainers = teams.minimal-bootstrap.members;
+    platforms = [ "i686-linux" ];
+  };
+} ''
+  cd ${mes.srcPrefix}
+
+  # mescc compiled libc.a
+  mkdir -p ''${out}/lib/x86-mes
+
+  # libc.c
+  catm ''${TMPDIR}/first.c ${lib.concatStringsSep " " firstLibc}
+  catm ''${out}/lib/libc.c ''${TMPDIR}/first.c ${lib.concatStringsSep " " lastLibc}
+
+  # crt{1,n,i}.c
+  cp lib/linux/x86-mes-gcc/crt1.c ''${out}/lib
+  cp lib/linux/x86-mes-gcc/crtn.c ''${out}/lib
+  cp lib/linux/x86-mes-gcc/crti.c ''${out}/lib
+
+  # libtcc1.c
+  catm ''${out}/lib/libtcc1.c ${lib.concatStringsSep " " libtcc1_SOURCES}
+
+  # getopt.c
+  cp lib/posix/getopt.c ''${out}/lib/libgetopt.c
+
+  # Install headers
+  ln -s ${mes.srcPrefix}/include ''${out}/include
+''
diff --git a/nixpkgs/pkgs/os-specific/linux/minimal-bootstrap/mes/nyacc.nix b/nixpkgs/pkgs/os-specific/linux/minimal-bootstrap/mes/nyacc.nix
new file mode 100644
index 000000000000..ed402cbaacf3
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/minimal-bootstrap/mes/nyacc.nix
@@ -0,0 +1,39 @@
+{ lib
+, fetchurl
+, kaem
+, nyacc
+}:
+let
+  pname = "nyacc";
+  # NYACC is a tightly coupled dependency of mes. This version is known to work
+  # with mes 0.24.2.
+  # https://git.savannah.gnu.org/cgit/mes.git/tree/INSTALL?h=v0.24.2&id=7562330ec746f09b4060d3081e3377fb7083897d#n31
+  version = "1.00.2";
+
+  src = fetchurl {
+    url = "mirror://savannah/nyacc/nyacc-${version}.tar.gz";
+    sha256 = "065ksalfllbdrzl12dz9d9dcxrv97wqxblslngsc6kajvnvlyvpk";
+  };
+in
+kaem.runCommand "${pname}-${version}" {
+  inherit pname version;
+
+  passthru.guilePath = "${nyacc}/share/${pname}-${version}/module";
+
+  meta = with lib; {
+    description = "Modules for generating parsers and lexical analyzers";
+    longDescription = ''
+      Not Yet Another Compiler Compiler is a set of guile modules for
+      generating computer language parsers and lexical analyzers.
+    '';
+    homepage = "https://savannah.nongnu.org/projects/nyacc";
+    license = licenses.lgpl3Plus;
+    maintainers = teams.minimal-bootstrap.members;
+    platforms = platforms.all;
+  };
+} ''
+  ungz --file ${src} --output nyacc.tar
+  mkdir -p ''${out}/share
+  cd ''${out}/share
+  untar --file ''${NIX_BUILD_TOP}/nyacc.tar
+''
diff --git a/nixpkgs/pkgs/os-specific/linux/minimal-bootstrap/mes/sources.nix b/nixpkgs/pkgs/os-specific/linux/minimal-bootstrap/mes/sources.nix
new file mode 100644
index 000000000000..ac534284346d
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/minimal-bootstrap/mes/sources.nix
@@ -0,0 +1,22 @@
+# This file is generated by ./gen-sources.sh.
+# Do not edit!
+{
+  x86.linux.mescc = {
+    libc_mini_SOURCES = [ "lib/mes/eputs.c" "lib/mes/oputs.c" "lib/mes/globals.c" "lib/stdlib/exit.c" "lib/linux/x86-mes-mescc/_exit.c" "lib/linux/x86-mes-mescc/_write.c" "lib/stdlib/puts.c" "lib/string/strlen.c" "lib/mes/mini-write.c" ];
+    libmescc_SOURCES  = [ "lib/mes/globals.c" "lib/linux/x86-mes-mescc/syscall-internal.c" ];
+    libtcc1_SOURCES   = [ "lib/libtcc1.c" ];
+    libc_SOURCES      = [ "lib/mes/eputs.c" "lib/mes/oputs.c" "lib/mes/globals.c" "lib/stdlib/exit.c" "lib/linux/x86-mes-mescc/_exit.c" "lib/linux/x86-mes-mescc/_write.c" "lib/stdlib/puts.c" "lib/string/strlen.c" "lib/ctype/isnumber.c" "lib/mes/abtol.c" "lib/mes/cast.c" "lib/mes/eputc.c" "lib/mes/fdgetc.c" "lib/mes/fdputc.c" "lib/mes/fdputs.c" "lib/mes/fdungetc.c" "lib/mes/itoa.c" "lib/mes/ltoa.c" "lib/mes/ltoab.c" "lib/mes/mes_open.c" "lib/mes/ntoab.c" "lib/mes/oputc.c" "lib/mes/ultoa.c" "lib/mes/utoa.c" "lib/stub/__raise.c" "lib/ctype/isdigit.c" "lib/ctype/isspace.c" "lib/ctype/isxdigit.c" "lib/mes/assert_msg.c" "lib/posix/write.c" "lib/stdlib/atoi.c" "lib/linux/lseek.c" "lib/mes/__assert_fail.c" "lib/mes/__buffered_read.c" "lib/mes/__mes_debug.c" "lib/posix/execv.c" "lib/posix/getcwd.c" "lib/posix/getenv.c" "lib/posix/isatty.c" "lib/posix/open.c" "lib/posix/buffered-read.c" "lib/posix/setenv.c" "lib/posix/wait.c" "lib/stdio/fgetc.c" "lib/stdio/fputc.c" "lib/stdio/fputs.c" "lib/stdio/getc.c" "lib/stdio/getchar.c" "lib/stdio/putc.c" "lib/stdio/putchar.c" "lib/stdio/ungetc.c" "lib/stdlib/free.c" "lib/stdlib/realloc.c" "lib/string/memchr.c" "lib/string/memcmp.c" "lib/string/memcpy.c" "lib/string/memmove.c" "lib/string/memset.c" "lib/string/strcmp.c" "lib/string/strcpy.c" "lib/string/strncmp.c" "lib/posix/raise.c" "lib/linux/access.c" "lib/linux/brk.c" "lib/linux/chmod.c" "lib/linux/clock_gettime.c" "lib/linux/dup.c" "lib/linux/dup2.c" "lib/linux/execve.c" "lib/linux/fork.c" "lib/linux/fsync.c" "lib/linux/_getcwd.c" "lib/linux/gettimeofday.c" "lib/linux/ioctl3.c" "lib/linux/_open3.c" "lib/linux/malloc.c" "lib/linux/_read.c" "lib/linux/time.c" "lib/linux/unlink.c" "lib/linux/waitpid.c" "lib/linux/x86-mes-mescc/syscall.c" "lib/linux/getpid.c" "lib/linux/kill.c" ];
+    libc_tcc_SOURCES  = [ "lib/mes/eputs.c" "lib/mes/oputs.c" "lib/mes/globals.c" "lib/stdlib/exit.c" "lib/linux/x86-mes-mescc/_exit.c" "lib/linux/x86-mes-mescc/_write.c" "lib/stdlib/puts.c" "lib/string/strlen.c" "lib/ctype/isnumber.c" "lib/mes/abtol.c" "lib/mes/cast.c" "lib/mes/eputc.c" "lib/mes/fdgetc.c" "lib/mes/fdputc.c" "lib/mes/fdputs.c" "lib/mes/fdungetc.c" "lib/mes/itoa.c" "lib/mes/ltoa.c" "lib/mes/ltoab.c" "lib/mes/mes_open.c" "lib/mes/ntoab.c" "lib/mes/oputc.c" "lib/mes/ultoa.c" "lib/mes/utoa.c" "lib/stub/__raise.c" "lib/ctype/isdigit.c" "lib/ctype/isspace.c" "lib/ctype/isxdigit.c" "lib/mes/assert_msg.c" "lib/posix/write.c" "lib/stdlib/atoi.c" "lib/linux/lseek.c" "lib/mes/__assert_fail.c" "lib/mes/__buffered_read.c" "lib/mes/__mes_debug.c" "lib/posix/execv.c" "lib/posix/getcwd.c" "lib/posix/getenv.c" "lib/posix/isatty.c" "lib/posix/open.c" "lib/posix/buffered-read.c" "lib/posix/setenv.c" "lib/posix/wait.c" "lib/stdio/fgetc.c" "lib/stdio/fputc.c" "lib/stdio/fputs.c" "lib/stdio/getc.c" "lib/stdio/getchar.c" "lib/stdio/putc.c" "lib/stdio/putchar.c" "lib/stdio/ungetc.c" "lib/stdlib/free.c" "lib/stdlib/realloc.c" "lib/string/memchr.c" "lib/string/memcmp.c" "lib/string/memcpy.c" "lib/string/memmove.c" "lib/string/memset.c" "lib/string/strcmp.c" "lib/string/strcpy.c" "lib/string/strncmp.c" "lib/posix/raise.c" "lib/linux/access.c" "lib/linux/brk.c" "lib/linux/chmod.c" "lib/linux/clock_gettime.c" "lib/linux/dup.c" "lib/linux/dup2.c" "lib/linux/execve.c" "lib/linux/fork.c" "lib/linux/fsync.c" "lib/linux/_getcwd.c" "lib/linux/gettimeofday.c" "lib/linux/ioctl3.c" "lib/linux/_open3.c" "lib/linux/malloc.c" "lib/linux/_read.c" "lib/linux/time.c" "lib/linux/unlink.c" "lib/linux/waitpid.c" "lib/linux/x86-mes-mescc/syscall.c" "lib/linux/getpid.c" "lib/linux/kill.c" "lib/ctype/islower.c" "lib/ctype/isupper.c" "lib/ctype/tolower.c" "lib/ctype/toupper.c" "lib/mes/abtod.c" "lib/mes/dtoab.c" "lib/mes/search-path.c" "lib/posix/execvp.c" "lib/stdio/fclose.c" "lib/stdio/fdopen.c" "lib/stdio/ferror.c" "lib/stdio/fflush.c" "lib/stdio/fopen.c" "lib/stdio/fprintf.c" "lib/stdio/fread.c" "lib/stdio/fseek.c" "lib/stdio/ftell.c" "lib/stdio/fwrite.c" "lib/stdio/printf.c" "lib/stdio/remove.c" "lib/stdio/snprintf.c" "lib/stdio/sprintf.c" "lib/stdio/sscanf.c" "lib/stdio/vfprintf.c" "lib/stdio/vprintf.c" "lib/stdio/vsnprintf.c" "lib/stdio/vsprintf.c" "lib/stdio/vsscanf.c" "lib/stdlib/calloc.c" "lib/stdlib/qsort.c" "lib/stdlib/strtod.c" "lib/stdlib/strtof.c" "lib/stdlib/strtol.c" "lib/stdlib/strtold.c" "lib/stdlib/strtoll.c" "lib/stdlib/strtoul.c" "lib/stdlib/strtoull.c" "lib/string/memmem.c" "lib/string/strcat.c" "lib/string/strchr.c" "lib/string/strlwr.c" "lib/string/strncpy.c" "lib/string/strrchr.c" "lib/string/strstr.c" "lib/string/strupr.c" "lib/stub/sigaction.c" "lib/stub/ldexp.c" "lib/stub/mprotect.c" "lib/stub/localtime.c" "lib/stub/sigemptyset.c" "lib/x86-mes-mescc/setjmp.c" "lib/linux/close.c" "lib/linux/rmdir.c" "lib/linux/stat.c" ];
+    libc_gnu_SOURCES  = [ "lib/mes/eputs.c" "lib/mes/oputs.c" "lib/mes/globals.c" "lib/stdlib/exit.c" "lib/linux/x86-mes-mescc/_exit.c" "lib/linux/x86-mes-mescc/_write.c" "lib/stdlib/puts.c" "lib/string/strlen.c" "lib/ctype/isnumber.c" "lib/mes/abtol.c" "lib/mes/cast.c" "lib/mes/eputc.c" "lib/mes/fdgetc.c" "lib/mes/fdputc.c" "lib/mes/fdputs.c" "lib/mes/fdungetc.c" "lib/mes/itoa.c" "lib/mes/ltoa.c" "lib/mes/ltoab.c" "lib/mes/mes_open.c" "lib/mes/ntoab.c" "lib/mes/oputc.c" "lib/mes/ultoa.c" "lib/mes/utoa.c" "lib/stub/__raise.c" "lib/ctype/isdigit.c" "lib/ctype/isspace.c" "lib/ctype/isxdigit.c" "lib/mes/assert_msg.c" "lib/posix/write.c" "lib/stdlib/atoi.c" "lib/linux/lseek.c" "lib/mes/__assert_fail.c" "lib/mes/__buffered_read.c" "lib/mes/__mes_debug.c" "lib/posix/execv.c" "lib/posix/getcwd.c" "lib/posix/getenv.c" "lib/posix/isatty.c" "lib/posix/open.c" "lib/posix/buffered-read.c" "lib/posix/setenv.c" "lib/posix/wait.c" "lib/stdio/fgetc.c" "lib/stdio/fputc.c" "lib/stdio/fputs.c" "lib/stdio/getc.c" "lib/stdio/getchar.c" "lib/stdio/putc.c" "lib/stdio/putchar.c" "lib/stdio/ungetc.c" "lib/stdlib/free.c" "lib/stdlib/realloc.c" "lib/string/memchr.c" "lib/string/memcmp.c" "lib/string/memcpy.c" "lib/string/memmove.c" "lib/string/memset.c" "lib/string/strcmp.c" "lib/string/strcpy.c" "lib/string/strncmp.c" "lib/posix/raise.c" "lib/linux/access.c" "lib/linux/brk.c" "lib/linux/chmod.c" "lib/linux/clock_gettime.c" "lib/linux/dup.c" "lib/linux/dup2.c" "lib/linux/execve.c" "lib/linux/fork.c" "lib/linux/fsync.c" "lib/linux/_getcwd.c" "lib/linux/gettimeofday.c" "lib/linux/ioctl3.c" "lib/linux/_open3.c" "lib/linux/malloc.c" "lib/linux/_read.c" "lib/linux/time.c" "lib/linux/unlink.c" "lib/linux/waitpid.c" "lib/linux/x86-mes-mescc/syscall.c" "lib/linux/getpid.c" "lib/linux/kill.c" "lib/ctype/islower.c" "lib/ctype/isupper.c" "lib/ctype/tolower.c" "lib/ctype/toupper.c" "lib/mes/abtod.c" "lib/mes/dtoab.c" "lib/mes/search-path.c" "lib/posix/execvp.c" "lib/stdio/fclose.c" "lib/stdio/fdopen.c" "lib/stdio/ferror.c" "lib/stdio/fflush.c" "lib/stdio/fopen.c" "lib/stdio/fprintf.c" "lib/stdio/fread.c" "lib/stdio/fseek.c" "lib/stdio/ftell.c" "lib/stdio/fwrite.c" "lib/stdio/printf.c" "lib/stdio/remove.c" "lib/stdio/snprintf.c" "lib/stdio/sprintf.c" "lib/stdio/sscanf.c" "lib/stdio/vfprintf.c" "lib/stdio/vprintf.c" "lib/stdio/vsnprintf.c" "lib/stdio/vsprintf.c" "lib/stdio/vsscanf.c" "lib/stdlib/calloc.c" "lib/stdlib/qsort.c" "lib/stdlib/strtod.c" "lib/stdlib/strtof.c" "lib/stdlib/strtol.c" "lib/stdlib/strtold.c" "lib/stdlib/strtoll.c" "lib/stdlib/strtoul.c" "lib/stdlib/strtoull.c" "lib/string/memmem.c" "lib/string/strcat.c" "lib/string/strchr.c" "lib/string/strlwr.c" "lib/string/strncpy.c" "lib/string/strrchr.c" "lib/string/strstr.c" "lib/string/strupr.c" "lib/stub/sigaction.c" "lib/stub/ldexp.c" "lib/stub/mprotect.c" "lib/stub/localtime.c" "lib/stub/sigemptyset.c" "lib/x86-mes-mescc/setjmp.c" "lib/linux/close.c" "lib/linux/rmdir.c" "lib/linux/stat.c" "lib/ctype/isalnum.c" "lib/ctype/isalpha.c" "lib/ctype/isascii.c" "lib/ctype/iscntrl.c" "lib/ctype/isgraph.c" "lib/ctype/isprint.c" "lib/ctype/ispunct.c" "lib/dirent/__getdirentries.c" "lib/dirent/closedir.c" "lib/dirent/opendir.c" "lib/dirent/readdir.c" "lib/math/ceil.c" "lib/math/fabs.c" "lib/math/floor.c" "lib/mes/fdgets.c" "lib/posix/alarm.c" "lib/posix/execl.c" "lib/posix/execlp.c" "lib/posix/mktemp.c" "lib/posix/sbrk.c" "lib/posix/sleep.c" "lib/posix/unsetenv.c" "lib/stdio/clearerr.c" "lib/stdio/feof.c" "lib/stdio/fgets.c" "lib/stdio/fileno.c" "lib/stdio/freopen.c" "lib/stdio/fscanf.c" "lib/stdio/perror.c" "lib/stdio/vfscanf.c" "lib/stdlib/__exit.c" "lib/stdlib/abort.c" "lib/stdlib/abs.c" "lib/stdlib/alloca.c" "lib/stdlib/atexit.c" "lib/stdlib/atof.c" "lib/stdlib/atol.c" "lib/stdlib/mbstowcs.c" "lib/string/bcmp.c" "lib/string/bcopy.c" "lib/string/bzero.c" "lib/string/index.c" "lib/string/rindex.c" "lib/string/strcspn.c" "lib/string/strdup.c" "lib/string/strerror.c" "lib/string/strncat.c" "lib/string/strpbrk.c" "lib/string/strspn.c" "lib/stub/__cleanup.c" "lib/stub/atan2.c" "lib/stub/bsearch.c" "lib/stub/chown.c" "lib/stub/cos.c" "lib/stub/ctime.c" "lib/stub/exp.c" "lib/stub/fpurge.c" "lib/stub/freadahead.c" "lib/stub/frexp.c" "lib/stub/getgrgid.c" "lib/stub/getgrnam.c" "lib/stub/getlogin.c" "lib/stub/getpgid.c" "lib/stub/getpgrp.c" "lib/stub/getpwnam.c" "lib/stub/getpwuid.c" "lib/stub/gmtime.c" "lib/stub/log.c" "lib/stub/mktime.c" "lib/stub/modf.c" "lib/stub/pclose.c" "lib/stub/popen.c" "lib/stub/pow.c" "lib/stub/rand.c" "lib/stub/rewind.c" "lib/stub/setbuf.c" "lib/stub/setgrent.c" "lib/stub/setlocale.c" "lib/stub/setvbuf.c" "lib/stub/sigaddset.c" "lib/stub/sigblock.c" "lib/stub/sigdelset.c" "lib/stub/sigsetmask.c" "lib/stub/sin.c" "lib/stub/sqrt.c" "lib/stub/strftime.c" "lib/stub/sys_siglist.c" "lib/stub/system.c" "lib/stub/times.c" "lib/stub/ttyname.c" "lib/stub/umask.c" "lib/stub/utime.c" "lib/linux/chdir.c" "lib/linux/fcntl.c" "lib/linux/fstat.c" "lib/linux/getdents.c" "lib/linux/getegid.c" "lib/linux/geteuid.c" "lib/linux/getgid.c" "lib/linux/getppid.c" "lib/linux/getrusage.c" "lib/linux/getuid.c" "lib/linux/ioctl.c" "lib/linux/link.c" "lib/linux/lstat.c" "lib/linux/mkdir.c" "lib/linux/mknod.c" "lib/linux/nanosleep.c" "lib/linux/pipe.c" "lib/linux/readlink.c" "lib/linux/rename.c" "lib/linux/setgid.c" "lib/linux/settimer.c" "lib/linux/setuid.c" "lib/linux/signal.c" "lib/linux/sigprogmask.c" "lib/linux/symlink.c" ];
+    mes_SOURCES       = [ "src/builtins.c" "src/cc.c" "src/core.c" "src/display.c" "src/eval-apply.c" "src/gc.c" "src/globals.c" "src/hash.c" "src/lib.c" "src/math.c" "src/mes.c" "src/module.c" "src/posix.c" "src/reader.c" "src/stack.c" "src/string.c" "src/struct.c" "src/symbol.c" "src/vector.c" ];
+  };
+  x86.linux.gcc = {
+    libc_mini_SOURCES = [ "lib/mes/eputs.c" "lib/mes/oputs.c" "lib/mes/globals.c" "lib/stdlib/exit.c" "lib/linux/x86-mes-gcc/_exit.c" "lib/linux/x86-mes-gcc/_write.c" "lib/stdlib/puts.c" "lib/string/strlen.c" "lib/mes/mini-write.c" ];
+    libmescc_SOURCES  = [ "lib/mes/globals.c" "lib/linux/x86-mes-gcc/syscall-internal.c" ];
+    libtcc1_SOURCES   = [ "lib/libtcc1.c" ];
+    libc_SOURCES      = [ "lib/mes/eputs.c" "lib/mes/oputs.c" "lib/mes/globals.c" "lib/stdlib/exit.c" "lib/linux/x86-mes-gcc/_exit.c" "lib/linux/x86-mes-gcc/_write.c" "lib/stdlib/puts.c" "lib/string/strlen.c" "lib/ctype/isnumber.c" "lib/mes/abtol.c" "lib/mes/cast.c" "lib/mes/eputc.c" "lib/mes/fdgetc.c" "lib/mes/fdputc.c" "lib/mes/fdputs.c" "lib/mes/fdungetc.c" "lib/mes/itoa.c" "lib/mes/ltoa.c" "lib/mes/ltoab.c" "lib/mes/mes_open.c" "lib/mes/ntoab.c" "lib/mes/oputc.c" "lib/mes/ultoa.c" "lib/mes/utoa.c" "lib/stub/__raise.c" "lib/ctype/isdigit.c" "lib/ctype/isspace.c" "lib/ctype/isxdigit.c" "lib/mes/assert_msg.c" "lib/posix/write.c" "lib/stdlib/atoi.c" "lib/linux/lseek.c" "lib/mes/__assert_fail.c" "lib/mes/__buffered_read.c" "lib/mes/__mes_debug.c" "lib/posix/execv.c" "lib/posix/getcwd.c" "lib/posix/getenv.c" "lib/posix/isatty.c" "lib/posix/open.c" "lib/posix/buffered-read.c" "lib/posix/setenv.c" "lib/posix/wait.c" "lib/stdio/fgetc.c" "lib/stdio/fputc.c" "lib/stdio/fputs.c" "lib/stdio/getc.c" "lib/stdio/getchar.c" "lib/stdio/putc.c" "lib/stdio/putchar.c" "lib/stdio/ungetc.c" "lib/stdlib/free.c" "lib/stdlib/realloc.c" "lib/string/memchr.c" "lib/string/memcmp.c" "lib/string/memcpy.c" "lib/string/memmove.c" "lib/string/memset.c" "lib/string/strcmp.c" "lib/string/strcpy.c" "lib/string/strncmp.c" "lib/posix/raise.c" "lib/linux/access.c" "lib/linux/brk.c" "lib/linux/chmod.c" "lib/linux/clock_gettime.c" "lib/linux/dup.c" "lib/linux/dup2.c" "lib/linux/execve.c" "lib/linux/fork.c" "lib/linux/fsync.c" "lib/linux/_getcwd.c" "lib/linux/gettimeofday.c" "lib/linux/ioctl3.c" "lib/linux/_open3.c" "lib/linux/malloc.c" "lib/linux/_read.c" "lib/linux/time.c" "lib/linux/unlink.c" "lib/linux/waitpid.c" "lib/linux/x86-mes-gcc/syscall.c" "lib/linux/getpid.c" "lib/linux/kill.c" ];
+    libc_tcc_SOURCES  = [ "lib/mes/eputs.c" "lib/mes/oputs.c" "lib/mes/globals.c" "lib/stdlib/exit.c" "lib/linux/x86-mes-gcc/_exit.c" "lib/linux/x86-mes-gcc/_write.c" "lib/stdlib/puts.c" "lib/string/strlen.c" "lib/ctype/isnumber.c" "lib/mes/abtol.c" "lib/mes/cast.c" "lib/mes/eputc.c" "lib/mes/fdgetc.c" "lib/mes/fdputc.c" "lib/mes/fdputs.c" "lib/mes/fdungetc.c" "lib/mes/itoa.c" "lib/mes/ltoa.c" "lib/mes/ltoab.c" "lib/mes/mes_open.c" "lib/mes/ntoab.c" "lib/mes/oputc.c" "lib/mes/ultoa.c" "lib/mes/utoa.c" "lib/stub/__raise.c" "lib/ctype/isdigit.c" "lib/ctype/isspace.c" "lib/ctype/isxdigit.c" "lib/mes/assert_msg.c" "lib/posix/write.c" "lib/stdlib/atoi.c" "lib/linux/lseek.c" "lib/mes/__assert_fail.c" "lib/mes/__buffered_read.c" "lib/mes/__mes_debug.c" "lib/posix/execv.c" "lib/posix/getcwd.c" "lib/posix/getenv.c" "lib/posix/isatty.c" "lib/posix/open.c" "lib/posix/buffered-read.c" "lib/posix/setenv.c" "lib/posix/wait.c" "lib/stdio/fgetc.c" "lib/stdio/fputc.c" "lib/stdio/fputs.c" "lib/stdio/getc.c" "lib/stdio/getchar.c" "lib/stdio/putc.c" "lib/stdio/putchar.c" "lib/stdio/ungetc.c" "lib/stdlib/free.c" "lib/stdlib/realloc.c" "lib/string/memchr.c" "lib/string/memcmp.c" "lib/string/memcpy.c" "lib/string/memmove.c" "lib/string/memset.c" "lib/string/strcmp.c" "lib/string/strcpy.c" "lib/string/strncmp.c" "lib/posix/raise.c" "lib/linux/access.c" "lib/linux/brk.c" "lib/linux/chmod.c" "lib/linux/clock_gettime.c" "lib/linux/dup.c" "lib/linux/dup2.c" "lib/linux/execve.c" "lib/linux/fork.c" "lib/linux/fsync.c" "lib/linux/_getcwd.c" "lib/linux/gettimeofday.c" "lib/linux/ioctl3.c" "lib/linux/_open3.c" "lib/linux/malloc.c" "lib/linux/_read.c" "lib/linux/time.c" "lib/linux/unlink.c" "lib/linux/waitpid.c" "lib/linux/x86-mes-gcc/syscall.c" "lib/linux/getpid.c" "lib/linux/kill.c" "lib/ctype/islower.c" "lib/ctype/isupper.c" "lib/ctype/tolower.c" "lib/ctype/toupper.c" "lib/mes/abtod.c" "lib/mes/dtoab.c" "lib/mes/search-path.c" "lib/posix/execvp.c" "lib/stdio/fclose.c" "lib/stdio/fdopen.c" "lib/stdio/ferror.c" "lib/stdio/fflush.c" "lib/stdio/fopen.c" "lib/stdio/fprintf.c" "lib/stdio/fread.c" "lib/stdio/fseek.c" "lib/stdio/ftell.c" "lib/stdio/fwrite.c" "lib/stdio/printf.c" "lib/stdio/remove.c" "lib/stdio/snprintf.c" "lib/stdio/sprintf.c" "lib/stdio/sscanf.c" "lib/stdio/vfprintf.c" "lib/stdio/vprintf.c" "lib/stdio/vsnprintf.c" "lib/stdio/vsprintf.c" "lib/stdio/vsscanf.c" "lib/stdlib/calloc.c" "lib/stdlib/qsort.c" "lib/stdlib/strtod.c" "lib/stdlib/strtof.c" "lib/stdlib/strtol.c" "lib/stdlib/strtold.c" "lib/stdlib/strtoll.c" "lib/stdlib/strtoul.c" "lib/stdlib/strtoull.c" "lib/string/memmem.c" "lib/string/strcat.c" "lib/string/strchr.c" "lib/string/strlwr.c" "lib/string/strncpy.c" "lib/string/strrchr.c" "lib/string/strstr.c" "lib/string/strupr.c" "lib/stub/sigaction.c" "lib/stub/ldexp.c" "lib/stub/mprotect.c" "lib/stub/localtime.c" "lib/stub/sigemptyset.c" "lib/x86-mes-gcc/setjmp.c" "lib/linux/close.c" "lib/linux/rmdir.c" "lib/linux/stat.c" ];
+    libc_gnu_SOURCES  = [ "lib/mes/eputs.c" "lib/mes/oputs.c" "lib/mes/globals.c" "lib/stdlib/exit.c" "lib/linux/x86-mes-gcc/_exit.c" "lib/linux/x86-mes-gcc/_write.c" "lib/stdlib/puts.c" "lib/string/strlen.c" "lib/ctype/isnumber.c" "lib/mes/abtol.c" "lib/mes/cast.c" "lib/mes/eputc.c" "lib/mes/fdgetc.c" "lib/mes/fdputc.c" "lib/mes/fdputs.c" "lib/mes/fdungetc.c" "lib/mes/itoa.c" "lib/mes/ltoa.c" "lib/mes/ltoab.c" "lib/mes/mes_open.c" "lib/mes/ntoab.c" "lib/mes/oputc.c" "lib/mes/ultoa.c" "lib/mes/utoa.c" "lib/stub/__raise.c" "lib/ctype/isdigit.c" "lib/ctype/isspace.c" "lib/ctype/isxdigit.c" "lib/mes/assert_msg.c" "lib/posix/write.c" "lib/stdlib/atoi.c" "lib/linux/lseek.c" "lib/mes/__assert_fail.c" "lib/mes/__buffered_read.c" "lib/mes/__mes_debug.c" "lib/posix/execv.c" "lib/posix/getcwd.c" "lib/posix/getenv.c" "lib/posix/isatty.c" "lib/posix/open.c" "lib/posix/buffered-read.c" "lib/posix/setenv.c" "lib/posix/wait.c" "lib/stdio/fgetc.c" "lib/stdio/fputc.c" "lib/stdio/fputs.c" "lib/stdio/getc.c" "lib/stdio/getchar.c" "lib/stdio/putc.c" "lib/stdio/putchar.c" "lib/stdio/ungetc.c" "lib/stdlib/free.c" "lib/stdlib/realloc.c" "lib/string/memchr.c" "lib/string/memcmp.c" "lib/string/memcpy.c" "lib/string/memmove.c" "lib/string/memset.c" "lib/string/strcmp.c" "lib/string/strcpy.c" "lib/string/strncmp.c" "lib/posix/raise.c" "lib/linux/access.c" "lib/linux/brk.c" "lib/linux/chmod.c" "lib/linux/clock_gettime.c" "lib/linux/dup.c" "lib/linux/dup2.c" "lib/linux/execve.c" "lib/linux/fork.c" "lib/linux/fsync.c" "lib/linux/_getcwd.c" "lib/linux/gettimeofday.c" "lib/linux/ioctl3.c" "lib/linux/_open3.c" "lib/linux/malloc.c" "lib/linux/_read.c" "lib/linux/time.c" "lib/linux/unlink.c" "lib/linux/waitpid.c" "lib/linux/x86-mes-gcc/syscall.c" "lib/linux/getpid.c" "lib/linux/kill.c" "lib/ctype/islower.c" "lib/ctype/isupper.c" "lib/ctype/tolower.c" "lib/ctype/toupper.c" "lib/mes/abtod.c" "lib/mes/dtoab.c" "lib/mes/search-path.c" "lib/posix/execvp.c" "lib/stdio/fclose.c" "lib/stdio/fdopen.c" "lib/stdio/ferror.c" "lib/stdio/fflush.c" "lib/stdio/fopen.c" "lib/stdio/fprintf.c" "lib/stdio/fread.c" "lib/stdio/fseek.c" "lib/stdio/ftell.c" "lib/stdio/fwrite.c" "lib/stdio/printf.c" "lib/stdio/remove.c" "lib/stdio/snprintf.c" "lib/stdio/sprintf.c" "lib/stdio/sscanf.c" "lib/stdio/vfprintf.c" "lib/stdio/vprintf.c" "lib/stdio/vsnprintf.c" "lib/stdio/vsprintf.c" "lib/stdio/vsscanf.c" "lib/stdlib/calloc.c" "lib/stdlib/qsort.c" "lib/stdlib/strtod.c" "lib/stdlib/strtof.c" "lib/stdlib/strtol.c" "lib/stdlib/strtold.c" "lib/stdlib/strtoll.c" "lib/stdlib/strtoul.c" "lib/stdlib/strtoull.c" "lib/string/memmem.c" "lib/string/strcat.c" "lib/string/strchr.c" "lib/string/strlwr.c" "lib/string/strncpy.c" "lib/string/strrchr.c" "lib/string/strstr.c" "lib/string/strupr.c" "lib/stub/sigaction.c" "lib/stub/ldexp.c" "lib/stub/mprotect.c" "lib/stub/localtime.c" "lib/stub/sigemptyset.c" "lib/x86-mes-gcc/setjmp.c" "lib/linux/close.c" "lib/linux/rmdir.c" "lib/linux/stat.c" "lib/ctype/isalnum.c" "lib/ctype/isalpha.c" "lib/ctype/isascii.c" "lib/ctype/iscntrl.c" "lib/ctype/isgraph.c" "lib/ctype/isprint.c" "lib/ctype/ispunct.c" "lib/dirent/__getdirentries.c" "lib/dirent/closedir.c" "lib/dirent/opendir.c" "lib/dirent/readdir.c" "lib/math/ceil.c" "lib/math/fabs.c" "lib/math/floor.c" "lib/mes/fdgets.c" "lib/posix/alarm.c" "lib/posix/execl.c" "lib/posix/execlp.c" "lib/posix/mktemp.c" "lib/posix/sbrk.c" "lib/posix/sleep.c" "lib/posix/unsetenv.c" "lib/stdio/clearerr.c" "lib/stdio/feof.c" "lib/stdio/fgets.c" "lib/stdio/fileno.c" "lib/stdio/freopen.c" "lib/stdio/fscanf.c" "lib/stdio/perror.c" "lib/stdio/vfscanf.c" "lib/stdlib/__exit.c" "lib/stdlib/abort.c" "lib/stdlib/abs.c" "lib/stdlib/alloca.c" "lib/stdlib/atexit.c" "lib/stdlib/atof.c" "lib/stdlib/atol.c" "lib/stdlib/mbstowcs.c" "lib/string/bcmp.c" "lib/string/bcopy.c" "lib/string/bzero.c" "lib/string/index.c" "lib/string/rindex.c" "lib/string/strcspn.c" "lib/string/strdup.c" "lib/string/strerror.c" "lib/string/strncat.c" "lib/string/strpbrk.c" "lib/string/strspn.c" "lib/stub/__cleanup.c" "lib/stub/atan2.c" "lib/stub/bsearch.c" "lib/stub/chown.c" "lib/stub/cos.c" "lib/stub/ctime.c" "lib/stub/exp.c" "lib/stub/fpurge.c" "lib/stub/freadahead.c" "lib/stub/frexp.c" "lib/stub/getgrgid.c" "lib/stub/getgrnam.c" "lib/stub/getlogin.c" "lib/stub/getpgid.c" "lib/stub/getpgrp.c" "lib/stub/getpwnam.c" "lib/stub/getpwuid.c" "lib/stub/gmtime.c" "lib/stub/log.c" "lib/stub/mktime.c" "lib/stub/modf.c" "lib/stub/pclose.c" "lib/stub/popen.c" "lib/stub/pow.c" "lib/stub/rand.c" "lib/stub/rewind.c" "lib/stub/setbuf.c" "lib/stub/setgrent.c" "lib/stub/setlocale.c" "lib/stub/setvbuf.c" "lib/stub/sigaddset.c" "lib/stub/sigblock.c" "lib/stub/sigdelset.c" "lib/stub/sigsetmask.c" "lib/stub/sin.c" "lib/stub/sqrt.c" "lib/stub/strftime.c" "lib/stub/sys_siglist.c" "lib/stub/system.c" "lib/stub/times.c" "lib/stub/ttyname.c" "lib/stub/umask.c" "lib/stub/utime.c" "lib/linux/chdir.c" "lib/linux/fcntl.c" "lib/linux/fstat.c" "lib/linux/getdents.c" "lib/linux/getegid.c" "lib/linux/geteuid.c" "lib/linux/getgid.c" "lib/linux/getppid.c" "lib/linux/getrusage.c" "lib/linux/getuid.c" "lib/linux/ioctl.c" "lib/linux/link.c" "lib/linux/lstat.c" "lib/linux/mkdir.c" "lib/linux/mknod.c" "lib/linux/nanosleep.c" "lib/linux/pipe.c" "lib/linux/readlink.c" "lib/linux/rename.c" "lib/linux/setgid.c" "lib/linux/settimer.c" "lib/linux/setuid.c" "lib/linux/signal.c" "lib/linux/sigprogmask.c" "lib/linux/symlink.c" ];
+    mes_SOURCES       = [ "src/builtins.c" "src/cc.c" "src/core.c" "src/display.c" "src/eval-apply.c" "src/gc.c" "src/globals.c" "src/hash.c" "src/lib.c" "src/math.c" "src/mes.c" "src/module.c" "src/posix.c" "src/reader.c" "src/stack.c" "src/string.c" "src/struct.c" "src/symbol.c" "src/vector.c" ];
+  };
+}
diff --git a/nixpkgs/pkgs/os-specific/linux/minimal-bootstrap/musl/1.1.nix b/nixpkgs/pkgs/os-specific/linux/minimal-bootstrap/musl/1.1.nix
new file mode 100644
index 000000000000..704ee42edeb1
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/minimal-bootstrap/musl/1.1.nix
@@ -0,0 +1,116 @@
+{ lib
+, buildPlatform
+, hostPlatform
+, fetchurl
+, bash
+, tinycc
+, gnumake
+, gnupatch
+, gnused
+, gnugrep
+, gnutar
+, gzip
+}:
+
+let
+  inherit (import ./common.nix { inherit lib; }) pname meta;
+  version = "1.1.24";
+
+  src = fetchurl {
+    url = "https://musl.libc.org/releases/musl-${version}.tar.gz";
+    hash = "sha256-E3DJqBKyzyp9koAlEMygBYzDfmanvt1wBR8KNAFQIqM=";
+  };
+
+  # Thanks to the live-bootstrap project!
+  # See https://github.com/fosslinux/live-bootstrap/blob/d98f97e21413efc32c770d0356f1feda66025686/sysa/musl-1.1.24/musl-1.1.24.sh
+  liveBootstrap = "https://github.com/fosslinux/live-bootstrap/raw/d98f97e21413efc32c770d0356f1feda66025686/sysa/musl-1.1.24";
+  patches = [
+    (fetchurl {
+      url = "${liveBootstrap}/patches/avoid_set_thread_area.patch";
+      hash = "sha256-TsbBZXk4/KMZG9EKi7cF+sullVXrxlizLNH0UHGXsPs=";
+    })
+    (fetchurl {
+      url = "${liveBootstrap}/patches/avoid_sys_clone.patch";
+      hash = "sha256-/ZmH64J57MmbxdfQ4RNjamAiBdkImMTlHsHdgV4gMj4=";
+    })
+    (fetchurl {
+      url = "${liveBootstrap}/patches/fenv.patch";
+      hash = "sha256-vMVGjoN4deAJW5gsSqA207SJqAbvhrnOsGK49DdEiTI=";
+    })
+    (fetchurl {
+      url = "${liveBootstrap}/patches/makefile.patch";
+      hash = "sha256-03iYBAUnsrEdLIIhhhq5mM6BGnPn2EfUmIHu51opxbw=";
+    })
+    (fetchurl {
+      url = "${liveBootstrap}/patches/musl_weak_symbols.patch";
+      hash = "sha256-/d9a2eUkpe9uyi1ye6T4CiYc9MR3FZ9na0Gb90+g4v0=";
+    })
+    (fetchurl {
+      url = "${liveBootstrap}/patches/set_thread_area.patch";
+      hash = "sha256-RIZYqbbRSx4X/0iFUhriwwBRmoXVR295GNBUjf2UrM0=";
+    })
+    (fetchurl {
+      url = "${liveBootstrap}/patches/sigsetjmp.patch";
+      hash = "sha256-wd2Aev1zPJXy3q933aiup5p1IMKzVJBquAyl3gbK4PU=";
+    })
+    # FIXME: this patch causes the build to fail
+    # (fetchurl {
+    #   url = "${liveBootstrap}/patches/stdio_flush_on_exit.patch";
+    #   hash = "sha256-/z5ze3h3QTysay8nRvyvwPv3pmTcKptdkBIaMCoeLDg=";
+    # })
+    # HACK: always flush stdio immediately
+    ./always-flush.patch
+    (fetchurl {
+      url = "${liveBootstrap}/patches/va_list.patch";
+      hash = "sha256-UmcMIl+YCi3wIeVvjbsCyqFlkyYsM4ECNwTfXP+s7vg=";
+    })
+  ];
+in
+bash.runCommand "${pname}-${version}" {
+  inherit pname version meta;
+
+  nativeBuildInputs = [
+    tinycc.compiler
+    gnumake
+    gnupatch
+    gnused
+    gnugrep
+    gnutar
+    gzip
+  ];
+} ''
+  # Unpack
+  tar xzf ${src}
+  cd musl-${version}
+
+  # Patch
+  ${lib.concatMapStringsSep "\n" (f: "patch -Np0 -i ${f}") patches}
+  # tcc does not support complex types
+  rm -rf src/complex
+  # Configure fails without this
+  mkdir -p /dev
+  # https://github.com/ZilchOS/bootstrap-from-tcc/blob/2e0c68c36b3437386f786d619bc9a16177f2e149/using-nix/2a3-intermediate-musl.nix
+  sed -i 's|/bin/sh|${bash}/bin/bash|' \
+    tools/*.sh
+  chmod 755 tools/*.sh
+  # patch popen/system to search in PATH instead of hardcoding /bin/sh
+  sed -i 's|posix_spawn(&pid, "/bin/sh",|posix_spawnp(\&pid, "sh",|' \
+    src/stdio/popen.c src/process/system.c
+  sed -i 's|execl("/bin/sh", "sh", "-c",|execlp("sh", "-c",|'\
+    src/misc/wordexp.c
+
+  # Configure
+  bash ./configure \
+    --prefix=$out \
+    --build=${buildPlatform.config} \
+    --host=${hostPlatform.config} \
+    --disable-shared \
+    CC=tcc
+
+  # Build
+  make AR="tcc -ar" RANLIB=true CFLAGS="-DSYSCALL_NO_TLS"
+
+  # Install
+  make install
+  cp ${tinycc.libs}/lib/libtcc1.a $out/lib
+''
diff --git a/nixpkgs/pkgs/os-specific/linux/minimal-bootstrap/musl/always-flush.patch b/nixpkgs/pkgs/os-specific/linux/minimal-bootstrap/musl/always-flush.patch
new file mode 100644
index 000000000000..cdeddf962d9d
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/minimal-bootstrap/musl/always-flush.patch
@@ -0,0 +1,12 @@
+diff --git src/env/__libc_start_main.c src/env/__libc_start_main.c
+index 8fbe526..9476c22 100644
+--- src/env/__libc_start_main.c
++++ src/env/__libc_start_main.c
+@@ -91,6 +91,7 @@ static int libc_start_main_stage2(int (*main)(int,char **,char **), int argc, ch
+ 	__libc_start_init();
+ 
+ 	/* Pass control to the application */
++	setbuf(stdout, NULL);
+ 	exit(main(argc, argv, envp));
+ 	return 0;
+ }
diff --git a/nixpkgs/pkgs/os-specific/linux/minimal-bootstrap/musl/common.nix b/nixpkgs/pkgs/os-specific/linux/minimal-bootstrap/musl/common.nix
new file mode 100644
index 000000000000..52db5f947425
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/minimal-bootstrap/musl/common.nix
@@ -0,0 +1,13 @@
+{ lib }:
+
+{
+  pname = "musl";
+
+  meta = with lib; {
+    description = "An efficient, small, quality libc implementation";
+    homepage = "https://musl.libc.org";
+    license = licenses.mit;
+    maintainers = teams.minimal-bootstrap.members;
+    platforms = platforms.unix;
+  };
+}
diff --git a/nixpkgs/pkgs/os-specific/linux/minimal-bootstrap/musl/default.nix b/nixpkgs/pkgs/os-specific/linux/minimal-bootstrap/musl/default.nix
new file mode 100644
index 000000000000..437ef342f6ae
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/minimal-bootstrap/musl/default.nix
@@ -0,0 +1,81 @@
+{ lib
+, buildPlatform
+, hostPlatform
+, fetchurl
+, bash
+, gcc
+, binutils
+, gnumake
+, gnugrep
+, gnused
+, gnutar
+, gzip
+}:
+let
+  inherit (import ./common.nix { inherit lib; }) pname meta;
+  version = "1.2.4";
+
+  src = fetchurl {
+    url = "https://musl.libc.org/releases/musl-${version}.tar.gz";
+    hash = "sha256-ejXq4z1TcqfA2hGI3nmHJvaIJVE7euPr6XqqpSEU8Dk=";
+  };
+in
+bash.runCommand "${pname}-${version}" {
+  inherit pname version meta;
+
+  nativeBuildInputs = [
+    gcc
+    binutils
+    gnumake
+    gnused
+    gnugrep
+    gnutar
+    gzip
+  ];
+
+  passthru.tests.hello-world = result:
+    bash.runCommand "${pname}-simple-program-${version}" {
+        nativeBuildInputs = [ gcc binutils result ];
+      } ''
+        cat <<EOF >> test.c
+        #include <stdio.h>
+        int main() {
+          printf("Hello World!\n");
+          return 0;
+        }
+        EOF
+        musl-gcc -o test test.c
+        ./test
+        mkdir $out
+      '';
+} ''
+  # Unpack
+  tar xzf ${src}
+  cd musl-${version}
+
+  # Patch
+  # https://github.com/ZilchOS/bootstrap-from-tcc/blob/2e0c68c36b3437386f786d619bc9a16177f2e149/using-nix/2a3-intermediate-musl.nix
+  sed -i 's|/bin/sh|${bash}/bin/bash|' \
+    tools/*.sh
+  # patch popen/system to search in PATH instead of hardcoding /bin/sh
+  sed -i 's|posix_spawn(&pid, "/bin/sh",|posix_spawnp(\&pid, "sh",|' \
+    src/stdio/popen.c src/process/system.c
+  sed -i 's|execl("/bin/sh", "sh", "-c",|execlp("sh", "-c",|'\
+    src/misc/wordexp.c
+
+  # Configure
+  bash ./configure \
+    --prefix=$out \
+    --build=${buildPlatform.config} \
+    --host=${hostPlatform.config} \
+    --syslibdir=$out/lib \
+    --enable-wrapper
+
+  # Build
+  make -j $NIX_BUILD_CORES
+
+  # Install
+  make -j $NIX_BUILD_CORES install
+  sed -i 's|/bin/sh|${bash}/bin/bash|' $out/bin/*
+  ln -s ../lib/libc.so $out/bin/ldd
+''
diff --git a/nixpkgs/pkgs/os-specific/linux/minimal-bootstrap/stage0-posix/bootstrap-sources.nix b/nixpkgs/pkgs/os-specific/linux/minimal-bootstrap/stage0-posix/bootstrap-sources.nix
new file mode 100644
index 000000000000..7f2e8ab81a39
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/minimal-bootstrap/stage0-posix/bootstrap-sources.nix
@@ -0,0 +1,96 @@
+{ hostPlatform
+}:
+
+rec {
+  name = "stage0-posix-${version}-source";
+  version = "1.6.0";
+  rev = "Release_${version}";
+  outputHashAlgo = "sha256";
+  outputHash = "sha256-epUaShjKiAd749ICvc6rS6WhUkS8R4heKuPdwUjEtsQ=";
+
+  /*
+  Since `make-minimal-bootstrap-sources` requires nixpkgs and nix it
+  will create a circular dependency if it is used in place of the
+  binary bootstrap-files.  To break the circular dependency,
+  `minimal-bootstrap-sources` extends `make-minimal-bootstrap-sources`
+  by adding Fixed Output Derivation (FOD) attributes.  These cause
+  the builder to be skipped if the expected output is found (by
+  its hash) in the store or on a substituter.
+
+  # How do I update the hash?
+
+  Run the following command:
+  ```
+  nix hash path $(nix build --print-out-paths -f '<nixpkgs>' make-minimal-bootstrap-sources)
+  ```
+
+  # Why do we need this `.nar` archive?
+
+  This archive exists only because of a quirk/limitation of Nix: in
+  restricted mode the builtin fetchers can download only single
+  files; they have no way to unpack multi-file archives except for
+  NAR archives:
+
+  https://github.com/NixOS/nixpkgs/pull/232576#issuecomment-1592415619
+
+  # Why don't we have to upload this to tarballs.nixos.org like the binary bootstrap-files did?
+
+  Unlike this archive, the binary bootstrap-files contained binaries,
+  which meant that we had to:
+
+  1. Make sure they came from a trusted builder (Hydra)
+  2. Keep careful track of exactly what toolchain (i.e. nixpkgs
+     commit) that builder used to create them.
+  3. Keep copies of the built binaries, in case the toolchains that
+     produced them failed to be perfectly deterministic.
+
+  The curated archives at tarballs.nixos.org exist in order to
+  satisfy these requirements.
+
+  The second point created a significant burden: since the nixpkgs
+  toolchain used to build a given copy of the binary bootstrap-files
+  itself used a *previous* copy of the bootstrap-files, this meant
+  we had to track the provenance of all bootstrap-files tarballs
+  ever used, for all eternity.  There was no explanation of where
+  the "original" bootstrap-files came from: turtles all the way
+  down.  In spite of all this effort we still can't be sure of our
+  ability to reproduce the binary bootstrap-files, since the
+  compilers that built them don't always produce exactly bit-for-bit
+  deterministic results.
+
+  Since this archive contains no binaries and uses a format (NAR)
+  specifically designed for bit-exact reproducibility, none of the
+  requirements above apply to `minimal-bootstrap-sources`.
+  */
+  minimal-bootstrap-sources = derivation {
+    inherit name;
+    system = hostPlatform.system;
+    outputHashMode = "recursive";
+    inherit outputHashAlgo outputHash;
+
+    # This builder always fails, but fortunately Nix will print the
+    # "builder", which is really the error message that we want the
+    # user to see.
+    builder = ''
+      #
+      #
+      # Neither your store nor your substituters seems to have:
+      #
+      #  ${builtins.placeholder "out"}
+      #
+      # You can create this path from an already-bootstrapped nixpkgs
+      # using the following command:
+      #
+      #   nix-build '<nixpkgs>' -A make-minimal-bootstrap-sources
+      #
+      # Or, if you prefer, you can create this file using only `git`,
+      # `nix`, and `xz`.  For the commands needed in order to do this,
+      # see `make-bootstrap-sources.nix`.  Once you have the manual
+      # result, do:
+      #
+      #   nix-store --add-fixed --recursive ${outputHashAlgo} ./${name}
+      #
+      # to add it to your store.
+    '';
+  };
+}
diff --git a/nixpkgs/pkgs/os-specific/linux/minimal-bootstrap/stage0-posix/default.nix b/nixpkgs/pkgs/os-specific/linux/minimal-bootstrap/stage0-posix/default.nix
new file mode 100644
index 000000000000..9f3d61b92bc9
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/minimal-bootstrap/stage0-posix/default.nix
@@ -0,0 +1,27 @@
+{ lib
+, newScope
+}:
+
+lib.makeScope newScope (self: with self; {
+  inherit (callPackage ./platforms.nix { }) platforms stage0Arch m2libcArch m2libcOS baseAddress;
+
+  inherit (self.callPackage ./bootstrap-sources.nix {}) version minimal-bootstrap-sources;
+
+  src = minimal-bootstrap-sources;
+
+  m2libc = src + "/M2libc";
+
+  hex0 = callPackage ./hex0.nix { };
+  inherit (self.hex0) hex0-seed;
+
+  kaem = callPackage ./kaem { };
+  kaem-minimal = callPackage ./kaem/minimal.nix { };
+
+  mescc-tools-boot = callPackage ./mescc-tools-boot.nix { };
+
+  inherit (self.mescc-tools-boot) blood-elf-0 hex2 kaem-unwrapped M1 M2;
+
+  mescc-tools = callPackage ./mescc-tools { };
+
+  mescc-tools-extra = callPackage ./mescc-tools-extra { };
+})
diff --git a/nixpkgs/pkgs/os-specific/linux/minimal-bootstrap/stage0-posix/hex0.nix b/nixpkgs/pkgs/os-specific/linux/minimal-bootstrap/stage0-posix/hex0.nix
new file mode 100644
index 000000000000..9808e25711c1
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/minimal-bootstrap/stage0-posix/hex0.nix
@@ -0,0 +1,49 @@
+{ lib
+, derivationWithMeta
+, hostPlatform
+, src
+, version
+, platforms
+, stage0Arch
+}:
+
+let
+  hash = {
+    "AArch64" = "sha256-XTPsoKeI6wTZAF0UwEJPzuHelWOJe//wXg4HYO0dEJo=";
+    "AMD64"   = "sha256-RCgK9oZRDQUiWLVkcIBSR2HeoB+Bh0czthrpjFEkCaY=";
+    "x86"     = "sha256-QU3RPGy51W7M2xnfFY1IqruKzusrSLU+L190ztN6JW8=";
+  }.${stage0Arch} or (throw "Unsupported system: ${hostPlatform.system}");
+
+  # Pinned from https://github.com/oriansj/stage0-posix/commit/3189b5f325b7ef8b88e3edec7c1cde4fce73c76c
+  # This 256 byte seed is the only pre-compiled binary in the bootstrap chain.
+  hex0-seed = import <nix/fetchurl.nix> {
+    name = "hex0-seed";
+    url = "https://github.com/oriansj/bootstrap-seeds/raw/b1263ff14a17835f4d12539226208c426ced4fba/POSIX/${stage0Arch}/hex0-seed";
+    executable = true;
+    inherit hash;
+  };
+in
+derivationWithMeta {
+  inherit version;
+  pname = "hex0";
+  builder = hex0-seed;
+  args = [
+    "${src}/${stage0Arch}/hex0_${stage0Arch}.hex0"
+    (placeholder "out")
+  ];
+
+  meta = with lib; {
+    description = "Minimal assembler for bootstrapping";
+    homepage = "https://github.com/oriansj/stage0-posix";
+    license = licenses.gpl3Plus;
+    maintainers = teams.minimal-bootstrap.members;
+    inherit platforms;
+  };
+
+  passthru = { inherit hex0-seed; };
+
+  # Ensure the untrusted hex0-seed binary produces a known-good hex0
+  outputHashMode = "recursive";
+  outputHashAlgo = "sha256";
+  outputHash = hash;
+}
diff --git a/nixpkgs/pkgs/os-specific/linux/minimal-bootstrap/stage0-posix/kaem/default.nix b/nixpkgs/pkgs/os-specific/linux/minimal-bootstrap/stage0-posix/kaem/default.nix
new file mode 100644
index 000000000000..547790835c5d
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/minimal-bootstrap/stage0-posix/kaem/default.nix
@@ -0,0 +1,52 @@
+{ lib
+, derivationWithMeta
+, writeText
+, kaem
+, kaem-unwrapped
+, mescc-tools
+, mescc-tools-extra
+, version
+, platforms
+}:
+
+# Once mescc-tools-extra is available we can install kaem at /bin/kaem
+# to make it findable in environments
+derivationWithMeta {
+  inherit version kaem-unwrapped;
+  pname = "kaem";
+  builder = kaem-unwrapped;
+  args = [
+    "--verbose"
+    "--strict"
+    "--file"
+    (builtins.toFile "kaem-wrapper.kaem" ''
+      mkdir -p ''${out}/bin
+      cp ''${kaem-unwrapped} ''${out}/bin/kaem
+      chmod 555 ''${out}/bin/kaem
+    '')
+  ];
+  PATH = lib.makeBinPath [ mescc-tools-extra ];
+
+  passthru.runCommand = name: env: buildCommand:
+    derivationWithMeta ({
+      inherit name;
+
+      builder = "${kaem}/bin/kaem";
+      args = [
+        "--verbose"
+        "--strict"
+        "--file"
+        (writeText "${name}-builder" buildCommand)
+      ];
+
+      PATH = lib.makeBinPath ((env.nativeBuildInputs or []) ++ [ kaem mescc-tools mescc-tools-extra ]);
+    } // (builtins.removeAttrs env [ "nativeBuildInputs" ]));
+
+  meta = with lib; {
+    description = "Minimal build tool for running scripts on systems that lack any shell";
+    homepage = "https://github.com/oriansj/mescc-tools";
+    license = licenses.gpl3Plus;
+    maintainers = teams.minimal-bootstrap.members;
+    inherit platforms;
+  };
+}
diff --git a/nixpkgs/pkgs/os-specific/linux/minimal-bootstrap/stage0-posix/kaem/minimal.nix b/nixpkgs/pkgs/os-specific/linux/minimal-bootstrap/stage0-posix/kaem/minimal.nix
new file mode 100644
index 000000000000..ae31302894aa
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/minimal-bootstrap/stage0-posix/kaem/minimal.nix
@@ -0,0 +1,26 @@
+{ lib
+, derivationWithMeta
+, src
+, hex0
+, version
+, platforms
+, stage0Arch
+}:
+derivationWithMeta {
+  inherit version;
+  pname = "kaem-minimal";
+  builder = hex0;
+  args = [
+    "${src}/${stage0Arch}/kaem-minimal.hex0"
+    (placeholder "out")
+  ];
+
+  meta = with lib; {
+    description = "First stage minimal scriptable build tool for bootstrapping";
+    homepage = "https://github.com/oriansj/stage0-posix";
+    license = licenses.gpl3Plus;
+    maintainers = teams.minimal-bootstrap.members;
+    inherit platforms;
+  };
+}
+
diff --git a/nixpkgs/pkgs/os-specific/linux/minimal-bootstrap/stage0-posix/make-bootstrap-sources.nix b/nixpkgs/pkgs/os-specific/linux/minimal-bootstrap/stage0-posix/make-bootstrap-sources.nix
new file mode 100644
index 000000000000..6cc7cddb82af
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/minimal-bootstrap/stage0-posix/make-bootstrap-sources.nix
@@ -0,0 +1,58 @@
+# Packaged source files for the first bootstrapping stage.
+#
+# We don't have access to utilities such as fetchgit and fetchzip since this
+# is this is part of the bootstrap process and would introduce a circular
+# dependency. The only tool we have to fetch source trees is `import <nix/fetchurl.nix>`
+# with the unpack option, taking a NAR file as input. This requires source
+# tarballs to be repackaged.
+#
+# To build:
+#
+#   nix-build '<nixpkgs>' -A make-minimal-bootstrap-sources
+#
+
+{ lib
+, hostPlatform
+, fetchFromGitHub
+, fetchpatch
+}:
+
+let
+  expected = import ./bootstrap-sources.nix { inherit hostPlatform; };
+in
+
+fetchFromGitHub {
+  inherit (expected) name rev;
+  owner = "oriansj";
+  repo = "stage0-posix";
+  sha256 = expected.outputHash;
+  fetchSubmodules = true;
+  postFetch = ''
+    # Seed binaries will be fetched separately
+    echo "Removing seed binaries"
+    rm -rf $out/bootstrap-seeds/*
+
+    # Remove vendored/duplicate M2libc's
+    echo "Removing duplicate M2libc"
+    rm -rf \
+      $out/M2-Mesoplanet/M2libc \
+      $out/M2-Planet/M2libc \
+      $out/mescc-tools/M2libc \
+      $out/mescc-tools-extra/M2libc
+
+    # aarch64: syscall: mkdir -> mkdirat
+    # https://github.com/oriansj/M2libc/pull/17
+    patch -Np1 -d $out/M2libc -i ${(fetchpatch {
+      url = "https://github.com/oriansj/M2libc/commit/ff7c3023b3ab6cfcffc5364620b25f8d0279e96b.patch";
+      hash = "sha256-QAKddv4TixIQHpFa9SVu9fAkeKbzhQaxjaWzW2yJy7A=";
+    })}
+  '';
+
+  meta = with lib; {
+    description = "Packaged sources for the first bootstrapping stage";
+    homepage = "https://github.com/oriansj/stage0-posix";
+    license = licenses.gpl3Plus;
+    maintainers = teams.minimal-bootstrap.members;
+    platforms = platforms.all;
+  };
+}
diff --git a/nixpkgs/pkgs/os-specific/linux/minimal-bootstrap/stage0-posix/mescc-tools-boot.nix b/nixpkgs/pkgs/os-specific/linux/minimal-bootstrap/stage0-posix/mescc-tools-boot.nix
new file mode 100644
index 000000000000..2114ffc707b1
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/minimal-bootstrap/stage0-posix/mescc-tools-boot.nix
@@ -0,0 +1,358 @@
+# Mes --- Maxwell Equations of Software
+# Copyright © 2017,2019 Jan Nieuwenhuizen <janneke@gnu.org>
+# Copyright © 2017,2019 Jeremiah Orians
+#
+# This file is part of Mes.
+#
+# Mes is free software; you can redistribute it and/or modify it
+# under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 3 of the License, or (at
+# your option) any later version.
+#
+# Mes is distributed in the hope that it will be useful, but
+# WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with Mes.  If not, see <http://www.gnu.org/licenses/>.
+
+# This is a translation of stage0-posix/stage0-posix/x86/mescc-tools-mini-kaem.kaem to nix
+# https://github.com/oriansj/stage0-posix-x86/blob/56e6b8df3e95f4bc04f8b420a4cd8c82c70b9efa/mescc-tools-mini-kaem.kaem
+#
+# We have access to mini-kaem at this point but it doesn't support substituting
+# environment variables. Without variables there's no way of passing in store inputs,
+# or the $out path, other than as command line arguments directly
+
+# Warning all binaries prior to the use of blood-elf will not be readable by
+# Objdump, you may need to use ndism or gdb to view the assembly in the binary.
+
+{ lib
+, derivationWithMeta
+, hostPlatform
+, hex0
+, m2libc
+, src
+, version
+, platforms
+, stage0Arch
+, m2libcArch
+, baseAddress
+}:
+rec {
+  out = placeholder "out";
+
+  endianFlag = if hostPlatform.isLittleEndian then "--little-endian" else "--big-endian";
+
+  bloodFlags = lib.optional hostPlatform.is64bit "--64";
+
+  run = pname: builder: args:
+    derivationWithMeta {
+      inherit pname version builder args;
+
+      meta = with lib; {
+        description = "Collection of tools written for use in bootstrapping";
+        homepage = "https://github.com/oriansj/stage0-posix";
+        license = licenses.gpl3Plus;
+        maintainers = teams.minimal-bootstrap.members;
+        inherit platforms;
+      };
+    };
+
+  ################################
+  # Phase-1 Build hex1 from hex0 #
+  ################################
+
+  hex1 = run "hex1" hex0 ["${src}/${stage0Arch}/hex1_${stage0Arch}.hex0" out];
+
+  # hex1 adds support for single character labels and is available in various forms
+  # in mescc-tools/x86_bootstrap to allow you various ways to verify correctness
+
+  ################################
+  # Phase-2 Build hex2 from hex1 #
+  ################################
+
+  hex2-0 = run "hex2" hex1 ["${src}/${stage0Arch}/hex2_${stage0Arch}.hex1" out];
+
+  # hex2 adds support for long labels and absolute addresses thus allowing it
+  # to function as an effective linker for later stages of the bootstrap
+  # This is a minimal version which will be used to bootstrap a much more advanced
+  # version in a later stage.
+
+  #################################
+  # Phase-2b Build catm from hex2 #
+  #################################
+
+  catm =
+    if hostPlatform.isAarch64 then
+      run "catm" hex1 ["${src}/${stage0Arch}/catm_${stage0Arch}.hex1" out]
+    else
+      run "catm" hex2-0 ["${src}/${stage0Arch}/catm_${stage0Arch}.hex2" out];
+
+  # catm removes the need for cat or shell support for redirection by providing
+  # equivalent functionality via catm output_file input1 input2 ... inputN
+
+  ##############################
+  # Phase-3 Build M0 from hex2 #
+  ##############################
+
+  M0_hex2 = run "M0.hex2" catm [out "${m2libc}/${m2libcArch}/ELF-${m2libcArch}.hex2" "${src}/${stage0Arch}/M0_${stage0Arch}.hex2"];
+  M0 = run "M0" hex2-0 [M0_hex2 out];
+
+  # M0 is the architecture specific version of M1 and is by design single
+  # architecture only and will be replaced by the C code version of M1
+
+  ################################
+  # Phase-4 Build cc_arch from M0 #
+  ################################
+
+  cc_arch-0_hex2 = run "cc_arch-0.hex2" M0 ["${src}/${stage0Arch}/cc_${m2libcArch}.M1" out];
+  cc_arch-1_hex2 = run "cc_arch-1.hex2" catm [out "${m2libc}/${m2libcArch}/ELF-${m2libcArch}.hex2" cc_arch-0_hex2];
+  cc_arch = run "cc_arch" hex2-0 [cc_arch-1_hex2 out];
+
+  ########################################
+  # Phase-5 Build M2-Planet from cc_arch #
+  ########################################
+
+  M2-0_c = run "M2-0.c" catm [
+    out
+    "${m2libc}/${m2libcArch}/linux/bootstrap.c"
+    "${src}/M2-Planet/cc.h"
+    "${m2libc}/bootstrappable.c"
+    "${src}/M2-Planet/cc_globals.c"
+    "${src}/M2-Planet/cc_reader.c"
+    "${src}/M2-Planet/cc_strings.c"
+    "${src}/M2-Planet/cc_types.c"
+    "${src}/M2-Planet/cc_core.c"
+    "${src}/M2-Planet/cc_macro.c"
+    "${src}/M2-Planet/cc.c"
+  ];
+  M2-0_M1 = run "M2-0.M1" cc_arch [M2-0_c out];
+  M2-0-0_M1 = run "M2-0-0.M1" catm [out "${m2libc}/${m2libcArch}/${m2libcArch}_defs.M1" "${m2libc}/${m2libcArch}/libc-core.M1" M2-0_M1];
+  M2-0_hex2 = run "M2-0.hex2" M0 [M2-0-0_M1 out];
+  M2-0-0_hex2 = run "M2-0-0.hex2" catm [out "${m2libc}/${m2libcArch}/ELF-${m2libcArch}.hex2" M2-0_hex2];
+  M2 = run "M2" hex2-0 [M2-0-0_hex2 out];
+
+  ############################################
+  # Phase-6 Build blood-elf-0 from C sources #
+  ############################################
+
+  blood-elf-0_M1 = run "blood-elf-0.M1" M2 [
+    "--architecture" m2libcArch
+    "-f" "${m2libc}/${m2libcArch}/linux/bootstrap.c"
+    "-f" "${m2libc}/bootstrappable.c"
+    "-f" "${src}/mescc-tools/stringify.c"
+    "-f" "${src}/mescc-tools/blood-elf.c"
+    "--bootstrap-mode"
+    "-o" out
+  ];
+
+  blood-elf-0-0_M1 = run "blood-elf-0-0.M1" catm [out "${m2libc}/${m2libcArch}/${m2libcArch}_defs.M1" "${m2libc}/${m2libcArch}/libc-core.M1" blood-elf-0_M1];
+  blood-elf-0_hex2 = run "blood-elf-0.hex2" M0 [blood-elf-0-0_M1 out];
+  blood-elf-0-0_hex2 = run "blood-elf-0-0.hex2" catm [out "${m2libc}/${m2libcArch}/ELF-${m2libcArch}.hex2" blood-elf-0_hex2];
+  blood-elf-0 = run "blood-elf-0" hex2-0 [blood-elf-0-0_hex2 out];
+
+  # This is the last stage where the binaries will not have debug info
+  # and the last piece built that isn't part of the output binaries
+
+  #####################################
+  # Phase-7 Build M1-0 from C sources #
+  #####################################
+
+  M1-macro-0_M1 = run "M1-macro-0.M1" M2 [
+    "--architecture" m2libcArch
+    "-f" "${m2libc}/${m2libcArch}/linux/bootstrap.c"
+    "-f" "${m2libc}/bootstrappable.c"
+    "-f" "${src}/mescc-tools/stringify.c"
+    "-f" "${src}/mescc-tools/M1-macro.c"
+    "--bootstrap-mode"
+    "--debug"
+    "-o" out
+  ];
+
+  M1-macro-0-footer_M1 = run "M1-macro-0-footer.M1" blood-elf-0 (bloodFlags ++ ["-f" M1-macro-0_M1 endianFlag "-o" out]);
+  M1-macro-0-0_M1 = run "M1-macro-0-0.M1" catm [out "${m2libc}/${m2libcArch}/${m2libcArch}_defs.M1" "${m2libc}/${m2libcArch}/libc-core.M1" M1-macro-0_M1 M1-macro-0-footer_M1];
+  M1-macro-0_hex2 = run "M1-macro-0.hex2" M0 [M1-macro-0-0_M1 out];
+  M1-macro-0-0_hex2 = run "M1-macro-0-0.hex2" catm [out "${m2libc}/${m2libcArch}/ELF-${m2libcArch}-debug.hex2" M1-macro-0_hex2];
+  M1-0 = run "M1-0" hex2-0 [M1-macro-0-0_hex2 out];
+
+  # This is the last stage where catm will need to be used and the last stage where
+  # M0 is used, as we will being using it's much more powerful and cross-platform
+  # version with a bunch of extra goodies.
+
+  #######################################
+  # Phase-8 Build hex2-1 from C sources #
+  #######################################
+
+  hex2_linker-0_M1 = run "hex2_linker-0.M1" M2 [
+    "--architecture" m2libcArch
+    "-f" "${m2libc}/sys/types.h"
+    "-f" "${m2libc}/stddef.h"
+    "-f" "${m2libc}/${m2libcArch}/linux/unistd.c"
+    "-f" "${m2libc}/${m2libcArch}/linux/fcntl.c"
+    "-f" "${m2libc}/fcntl.c"
+    "-f" "${m2libc}/${m2libcArch}/linux/sys/stat.c"
+    "-f" "${m2libc}/stdlib.c"
+    "-f" "${m2libc}/stdio.h"
+    "-f" "${m2libc}/stdio.c"
+    "-f" "${m2libc}/bootstrappable.c"
+    "-f" "${src}/mescc-tools/hex2.h"
+    "-f" "${src}/mescc-tools/hex2_linker.c"
+    "-f" "${src}/mescc-tools/hex2_word.c"
+    "-f" "${src}/mescc-tools/hex2.c"
+    "--debug"
+    "-o" out
+  ];
+
+  hex2_linker-0-footer_M1 = run "hex2_linker-0-footer.M1" blood-elf-0 (bloodFlags ++ ["-f" hex2_linker-0_M1 endianFlag "-o" out]);
+
+  hex2_linker-0_hex2 = run "hex2_linker-0.hex2" M1-0 [
+    "--architecture" m2libcArch
+    endianFlag
+    "-f" "${m2libc}/${m2libcArch}/${m2libcArch}_defs.M1"
+    "-f" "${m2libc}/${m2libcArch}/libc-full.M1"
+    "-f" hex2_linker-0_M1
+    "-f" hex2_linker-0-footer_M1
+    "-o" out
+  ];
+
+  hex2_linker-0-0_hex2 = run "hex2_linker-0-0.hex2" catm [out "${m2libc}/${m2libcArch}/ELF-${m2libcArch}-debug.hex2" hex2_linker-0_hex2];
+
+  hex2-1 = run "hex2-1" hex2-0 [hex2_linker-0-0_hex2 out];
+
+  # This is the last stage where we will be using the handwritten hex2 and instead
+  # be using the far more powerful, cross-platform version with a bunch more goodies
+
+  ###################################
+  # Phase-9 Build M1 from C sources #
+  ###################################
+
+  M1-macro-1_M1 = run "M1-macro-1.M1" M2 [
+    "--architecture" m2libcArch
+    "-f" "${m2libc}/sys/types.h"
+    "-f" "${m2libc}/stddef.h"
+    "-f" "${m2libc}/${m2libcArch}/linux/fcntl.c"
+    "-f" "${m2libc}/fcntl.c"
+    "-f" "${m2libc}/${m2libcArch}/linux/unistd.c"
+    "-f" "${m2libc}/string.c"
+    "-f" "${m2libc}/stdlib.c"
+    "-f" "${m2libc}/stdio.h"
+    "-f" "${m2libc}/stdio.c"
+    "-f" "${m2libc}/bootstrappable.c"
+    "-f" "${src}/mescc-tools/stringify.c"
+    "-f" "${src}/mescc-tools/M1-macro.c"
+    "--debug"
+    "-o" out
+  ];
+
+  M1-macro-1-footer_M1 = run "M1-macro-1-footer.M1" blood-elf-0 (bloodFlags ++ ["-f" M1-macro-1_M1 endianFlag "-o" out]);
+
+  M1-macro-1_hex2 = run "M1-macro-1.hex2" M1-0 [
+    "--architecture" m2libcArch
+    endianFlag
+    "-f" "${m2libc}/${m2libcArch}/${m2libcArch}_defs.M1"
+    "-f" "${m2libc}/${m2libcArch}/libc-full.M1"
+    "-f" M1-macro-1_M1
+    "-f" M1-macro-1-footer_M1
+    "-o" out
+  ];
+
+  M1 = run "M1" hex2-1 [
+    "--architecture" m2libcArch
+    endianFlag
+    "--base-address" baseAddress
+    "-f" "${m2libc}/${m2libcArch}/ELF-${m2libcArch}-debug.hex2"
+    "-f" M1-macro-1_hex2
+    "-o" out
+  ];
+
+  ######################################
+  # Phase-10 Build hex2 from C sources #
+  ######################################
+
+  hex2_linker-2_M1 = run "hex2_linker-2.M1" M2 [
+    "--architecture" m2libcArch
+    "-f" "${m2libc}/sys/types.h"
+    "-f" "${m2libc}/stddef.h"
+    "-f" "${m2libc}/${m2libcArch}/linux/unistd.c"
+    "-f" "${m2libc}/${m2libcArch}/linux/fcntl.c"
+    "-f" "${m2libc}/fcntl.c"
+    "-f" "${m2libc}/${m2libcArch}/linux/sys/stat.c"
+    "-f" "${m2libc}/stdlib.c"
+    "-f" "${m2libc}/stdio.h"
+    "-f" "${m2libc}/stdio.c"
+    "-f" "${m2libc}/bootstrappable.c"
+    "-f" "${src}/mescc-tools/hex2.h"
+    "-f" "${src}/mescc-tools/hex2_linker.c"
+    "-f" "${src}/mescc-tools/hex2_word.c"
+    "-f" "${src}/mescc-tools/hex2.c"
+    "--debug"
+    "-o" out
+  ];
+
+  hex2_linker-2-footer_M1 = run "hex2_linker-2-footer.M1" blood-elf-0 (bloodFlags ++ ["-f" hex2_linker-2_M1 endianFlag "-o" out]);
+
+  hex2_linker-2_hex2 = run "hex2_linker-2.hex2" M1 [
+    "--architecture" m2libcArch
+    endianFlag
+    "-f" "${m2libc}/${m2libcArch}/${m2libcArch}_defs.M1"
+    "-f" "${m2libc}/${m2libcArch}/libc-full.M1"
+    "-f" hex2_linker-2_M1
+    "-f" hex2_linker-2-footer_M1
+    "-o" out
+  ];
+
+  hex2 = run "hex2" hex2-1 [
+    "--architecture" m2libcArch
+    endianFlag
+    "--base-address" baseAddress
+    "-f" "${m2libc}/${m2libcArch}/ELF-${m2libcArch}-debug.hex2"
+    "-f" hex2_linker-2_hex2
+    "-o" out
+  ];
+
+  ######################################
+  # Phase-11 Build kaem from C sources #
+  ######################################
+
+  kaem_M1 = run "kaem.M1" M2 [
+    "--architecture" m2libcArch
+    "-f" "${m2libc}/sys/types.h"
+    "-f" "${m2libc}/stddef.h"
+    "-f" "${m2libc}/string.c"
+    "-f" "${m2libc}/${m2libcArch}/linux/unistd.c"
+    "-f" "${m2libc}/${m2libcArch}/linux/fcntl.c"
+    "-f" "${m2libc}/fcntl.c"
+    "-f" "${m2libc}/stdlib.c"
+    "-f" "${m2libc}/stdio.h"
+    "-f" "${m2libc}/stdio.c"
+    "-f" "${m2libc}/bootstrappable.c"
+    "-f" "${src}/mescc-tools/Kaem/kaem.h"
+    "-f" "${src}/mescc-tools/Kaem/variable.c"
+    "-f" "${src}/mescc-tools/Kaem/kaem_globals.c"
+    "-f" "${src}/mescc-tools/Kaem/kaem.c"
+    "--debug"
+    "-o" out
+  ];
+
+  kaem-footer_M1 = run "kaem-footer.M1" blood-elf-0 (bloodFlags ++ ["-f" kaem_M1 endianFlag "-o" out]);
+
+  kaem_hex2 = run "kaem.hex2" M1 [
+    "--architecture" m2libcArch
+    endianFlag
+    "-f" "${m2libc}/${m2libcArch}/${m2libcArch}_defs.M1"
+    "-f" "${m2libc}/${m2libcArch}/libc-full.M1"
+    "-f" kaem_M1
+    "-f" kaem-footer_M1
+    "-o" out
+  ];
+
+  kaem-unwrapped = run "kaem-unwrapped" hex2 [
+    "--architecture" m2libcArch
+    endianFlag
+    "-f" "${m2libc}/${m2libcArch}/ELF-${m2libcArch}-debug.hex2"
+    "-f" kaem_hex2
+    "--base-address" baseAddress
+    "-o" out
+  ];
+}
diff --git a/nixpkgs/pkgs/os-specific/linux/minimal-bootstrap/stage0-posix/mescc-tools-extra/build.kaem b/nixpkgs/pkgs/os-specific/linux/minimal-bootstrap/stage0-posix/mescc-tools-extra/build.kaem
new file mode 100644
index 000000000000..fb27eccab830
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/minimal-bootstrap/stage0-posix/mescc-tools-extra/build.kaem
@@ -0,0 +1,39 @@
+# This is a modified version of mescc-tools-extra/mescc-tools-extra.kaem
+# https://github.com/oriansj/mescc-tools-extra/blob/ec53af69d6d2119b47b369cd0ec37ac806e7ad60/mescc-tools-extra.kaem
+# - Paths to build inputs have been changed for nix
+# - Added additional step to create $out directory
+
+## Copyright (C) 2017 Jeremiah Orians
+## This file is part of mescc-tools.
+##
+## mescc-tools is free software: you can redistribute it and/or modify
+## it under the terms of the GNU General Public License as published by
+## the Free Software Foundation, either version 3 of the License, or
+## (at your option) any later version.
+##
+## mescc-tools is distributed in the hope that it will be useful,
+## but WITHOUT ANY WARRANTY; without even the implied warranty of
+## MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+## GNU General Public License for more details.
+##
+## You should have received a copy of the GNU General Public License
+## along with mescc-tools.  If not, see <http://www.gnu.org/licenses/>.
+
+alias CC="${mescc-tools}/bin/M2-Mesoplanet --operating-system ${m2libcOS} --architecture ${m2libcArch} -f"
+cd ${src}/mescc-tools-extra
+
+# Create output folder
+CC mkdir.c -o ${TMP}/mkdir
+${TMP}/mkdir -p ${out}/bin
+
+CC sha256sum.c -o ${out}/bin/sha256sum
+CC match.c -o ${out}/bin/match
+CC mkdir.c -o ${out}/bin/mkdir
+CC untar.c -o ${out}/bin/untar
+CC ungz.c -o ${out}/bin/ungz
+CC unbz2.c -o ${out}/bin/unbz2
+CC catm.c -o ${out}/bin/catm
+CC cp.c -o ${out}/bin/cp
+CC chmod.c -o ${out}/bin/chmod
+CC rm.c -o ${out}/bin/rm
+CC replace.c -o ${out}/bin/replace
diff --git a/nixpkgs/pkgs/os-specific/linux/minimal-bootstrap/stage0-posix/mescc-tools-extra/default.nix b/nixpkgs/pkgs/os-specific/linux/minimal-bootstrap/stage0-posix/mescc-tools-extra/default.nix
new file mode 100644
index 000000000000..eee00491c446
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/minimal-bootstrap/stage0-posix/mescc-tools-extra/default.nix
@@ -0,0 +1,29 @@
+{ lib
+, derivationWithMeta
+, kaem-unwrapped
+, mescc-tools
+, src
+, version
+, platforms
+, m2libcArch
+, m2libcOS
+}:
+derivationWithMeta {
+  inherit version src mescc-tools m2libcArch m2libcOS;
+  pname = "mescc-tools-extra";
+  builder = kaem-unwrapped;
+  args = [
+    "--verbose"
+    "--strict"
+    "--file"
+    ./build.kaem
+  ];
+
+  meta = with lib; {
+    description = "Collection of tools written for use in bootstrapping";
+    homepage = "https://github.com/oriansj/mescc-tools-extra";
+    license = licenses.gpl3Plus;
+    maintainers = teams.minimal-bootstrap.members;
+    inherit platforms;
+  };
+}
diff --git a/nixpkgs/pkgs/os-specific/linux/minimal-bootstrap/stage0-posix/mescc-tools/build.kaem b/nixpkgs/pkgs/os-specific/linux/minimal-bootstrap/stage0-posix/mescc-tools/build.kaem
new file mode 100644
index 000000000000..128ff360fd2c
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/minimal-bootstrap/stage0-posix/mescc-tools/build.kaem
@@ -0,0 +1,204 @@
+# This is a modified version of stage0-posix/x86/mescc-tools-full-kaem.kaem
+# https://github.com/oriansj/stage0-posix-x86/blob/56e6b8df3e95f4bc04f8b420a4cd8c82c70b9efa/mescc-tools-full-kaem.kaem
+# - Paths to build inputs have been changed for nix
+
+# Mes --- Maxwell Equations of Software
+# Copyright © 2017,2019 Jan Nieuwenhuizen <janneke@gnu.org>
+# Copyright © 2017,2019 Jeremiah Orians
+#
+# This file is part of Mes.
+#
+# Mes is free software; you can redistribute it and/or modify it
+# under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 3 of the License, or (at
+# your option) any later version.
+#
+# Mes is distributed in the hope that it will be useful, but
+# WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with Mes.  If not, see <http://www.gnu.org/licenses/>.
+
+${mkdir} -p ${out}/bin
+${cp} ${M2} ${out}/bin/M2
+${chmod} 0555 ${out}/bin/M2
+${cp} ${M1} ${out}/bin/M1
+${chmod} 0555 ${out}/bin/M1
+${cp} ${hex2} ${out}/bin/hex2
+${chmod} 0555 ${out}/bin/hex2
+
+# M2-Mesoplanet searches for runtime dependencies in environment variables
+# We can hardcode them with the "replace" utility from mescc-tools-extra
+${replace} \
+	--file ${src}/M2-Mesoplanet/cc.c \
+	--output ./cc_patched.c \
+	--match-on "env_lookup(\"M2LIBC_PATH\")" \
+	--replace-with "\"${m2libc}\""
+${replace} \
+	--file ${src}/M2-Mesoplanet/cc_spawn.c \
+	--output ./cc_spawn_patched.c \
+	--match-on "env_lookup(\"PATH\")" \
+	--replace-with "\"${out}/bin:\""
+
+###############################################
+# Phase-12 Build M2-Mesoplanet from M2-Planet #
+###############################################
+
+${M2} --architecture ${m2libcArch} \
+  -f ${m2libc}/sys/types.h \
+  -f ${m2libc}/stddef.h \
+  -f ${m2libc}/${m2libcArch}/linux/fcntl.c \
+  -f ${m2libc}/fcntl.c \
+  -f ${m2libc}/${m2libcArch}/linux/unistd.c \
+  -f ${m2libc}/${m2libcArch}/linux/sys/stat.c \
+  -f ${m2libc}/stdlib.c \
+  -f ${m2libc}/stdio.h \
+  -f ${m2libc}/stdio.c \
+  -f ${m2libc}/string.c \
+  -f ${m2libc}/bootstrappable.c \
+  -f ${src}/M2-Mesoplanet/cc.h \
+  -f ${src}/M2-Mesoplanet/cc_globals.c \
+  -f ${src}/M2-Mesoplanet/cc_env.c \
+  -f ${src}/M2-Mesoplanet/cc_reader.c \
+  -f ./cc_spawn_patched.c \
+  -f ${src}/M2-Mesoplanet/cc_core.c \
+  -f ${src}/M2-Mesoplanet/cc_macro.c \
+  -f ./cc_patched.c \
+  --debug \
+  -o ./M2-Mesoplanet-1.M1
+
+${blood-elf-0} ${endianFlag} ${bloodFlag} -f ./M2-Mesoplanet-1.M1 -o ./M2-Mesoplanet-1-footer.M1
+
+${M1} --architecture ${m2libcArch} \
+  ${endianFlag} \
+  -f ${m2libc}/${m2libcArch}/${m2libcArch}_defs.M1 \
+  -f ${m2libc}/${m2libcArch}/libc-full.M1 \
+  -f ./M2-Mesoplanet-1.M1 \
+  -f ./M2-Mesoplanet-1-footer.M1 \
+  -o ./M2-Mesoplanet-1.hex2
+
+${hex2} --architecture ${m2libcArch} \
+  ${endianFlag} \
+  --base-address ${baseAddress} \
+  -f ${m2libc}/${m2libcArch}/ELF-${m2libcArch}-debug.hex2 \
+  -f ./M2-Mesoplanet-1.hex2 \
+  -o ${out}/bin/M2-Mesoplanet
+
+#################################################
+# Phase-13 Build final blood-elf from C sources #
+#################################################
+
+${M2} --architecture ${m2libcArch} \
+	-f ${m2libc}/sys/types.h \
+	-f ${m2libc}/stddef.h \
+	-f ${m2libc}/${m2libcArch}/linux/fcntl.c \
+	-f ${m2libc}/fcntl.c \
+	-f ${m2libc}/${m2libcArch}/linux/unistd.c \
+	-f ${m2libc}/stdlib.c \
+	-f ${m2libc}/stdio.h \
+	-f ${m2libc}/stdio.c \
+	-f ${m2libc}/bootstrappable.c \
+	-f ${src}/mescc-tools/stringify.c \
+	-f ${src}/mescc-tools/blood-elf.c \
+	--debug \
+	-o ./blood-elf-1.M1
+
+${blood-elf-0} ${endianFlag} ${bloodFlag} -f ./blood-elf-1.M1 -o ./blood-elf-1-footer.M1
+
+${M1} --architecture ${m2libcArch} \
+	${endianFlag} \
+	-f ${m2libc}/${m2libcArch}/${m2libcArch}_defs.M1 \
+	-f ${m2libc}/${m2libcArch}/libc-full.M1 \
+	-f ./blood-elf-1.M1 \
+	-f ./blood-elf-1-footer.M1 \
+	-o ./blood-elf-1.hex2
+
+${hex2} --architecture ${m2libcArch} \
+	${endianFlag} \
+	--base-address ${baseAddress} \
+	-f ${m2libc}/${m2libcArch}/ELF-${m2libcArch}-debug.hex2 \
+	-f ./blood-elf-1.hex2 \
+	-o ${out}/bin/blood-elf
+
+# Now we have our shipping debuggable blood-elf, the rest will be down hill from
+# here as we have ALL of the core pieces of compiling and assembling debuggable
+# programs in a debuggable form with corresponding C source code.
+
+#############################################
+# Phase-14 Build get_machine from C sources #
+#############################################
+
+${M2} --architecture ${m2libcArch} \
+	-f ${m2libc}/sys/types.h \
+	-f ${m2libc}/stddef.h \
+	-f ${m2libc}/${m2libcArch}/linux/unistd.c \
+	-f ${m2libc}/${m2libcArch}/linux/fcntl.c \
+	-f ${m2libc}/fcntl.c \
+	-f ${m2libc}/stdlib.c \
+	-f ${m2libc}/stdio.h \
+	-f ${m2libc}/stdio.c \
+	-f ${m2libc}/bootstrappable.c \
+	-f ${src}/mescc-tools/get_machine.c \
+	--debug \
+	-o get_machine.M1
+
+${out}/bin/blood-elf ${endianFlag} ${bloodFlag} -f ./get_machine.M1 -o ./get_machine-footer.M1
+
+${M1} --architecture ${m2libcArch} \
+	${endianFlag} \
+	-f ${m2libc}/${m2libcArch}/${m2libcArch}_defs.M1 \
+	-f ${m2libc}/${m2libcArch}/libc-full.M1 \
+	-f ./get_machine.M1 \
+	-f ./get_machine-footer.M1 \
+	-o ./get_machine.hex2
+
+${hex2} --architecture ${m2libcArch} \
+	${endianFlag} \
+	--base-address ${baseAddress} \
+	-f ${m2libc}/${m2libcArch}/ELF-${m2libcArch}-debug.hex2 \
+	-f ./get_machine.hex2 \
+	-o ${out}/bin/get_machine
+
+############################################
+# Phase-15 Build M2-Planet from M2-Planet  #
+############################################
+
+${M2} --architecture ${m2libcArch} \
+	-f ${m2libc}/sys/types.h \
+	-f ${m2libc}/stddef.h \
+	-f ${m2libc}/${m2libcArch}/linux/unistd.c \
+	-f ${m2libc}/${m2libcArch}/linux/fcntl.c \
+	-f ${m2libc}/fcntl.c \
+	-f ${m2libc}/stdlib.c \
+	-f ${m2libc}/stdio.h \
+	-f ${m2libc}/stdio.c \
+	-f ${m2libc}/bootstrappable.c \
+	-f ${src}/M2-Planet/cc.h \
+	-f ${src}/M2-Planet/cc_globals.c \
+	-f ${src}/M2-Planet/cc_reader.c \
+	-f ${src}/M2-Planet/cc_strings.c \
+	-f ${src}/M2-Planet/cc_types.c \
+	-f ${src}/M2-Planet/cc_core.c \
+	-f ${src}/M2-Planet/cc_macro.c \
+	-f ${src}/M2-Planet/cc.c \
+	--debug \
+	-o ./M2-1.M1
+
+${out}/bin/blood-elf ${endianFlag} ${bloodFlag} -f ./M2-1.M1 -o ./M2-1-footer.M1
+
+${M1} --architecture ${m2libcArch} \
+	${endianFlag} \
+	-f ${m2libc}/${m2libcArch}/${m2libcArch}_defs.M1 \
+	-f ${m2libc}/${m2libcArch}/libc-full.M1 \
+	-f ./M2-1.M1 \
+	-f ./M2-1-footer.M1 \
+	-o ./M2-1.hex2
+
+${hex2} --architecture ${m2libcArch} \
+	${endianFlag} \
+	--base-address ${baseAddress} \
+	-f ${m2libc}/${m2libcArch}/ELF-${m2libcArch}-debug.hex2 \
+	-f ./M2-1.hex2 \
+	-o ${out}/bin/M2-Planet
diff --git a/nixpkgs/pkgs/os-specific/linux/minimal-bootstrap/stage0-posix/mescc-tools/default.nix b/nixpkgs/pkgs/os-specific/linux/minimal-bootstrap/stage0-posix/mescc-tools/default.nix
new file mode 100644
index 000000000000..4a9c734981e2
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/minimal-bootstrap/stage0-posix/mescc-tools/default.nix
@@ -0,0 +1,90 @@
+{ lib
+, derivationWithMeta
+, hostPlatform
+, kaem-unwrapped
+, M1
+, M2
+, blood-elf-0
+, hex2
+, m2libc
+, src
+, version
+, platforms
+, m2libcArch
+, baseAddress
+}:
+
+let
+  endianFlag = if hostPlatform.isLittleEndian then "--little-endian" else "--big-endian";
+  bloodFlag = if hostPlatform.is64bit then "--64" else " ";
+
+  # We need a few tools from mescc-tools-extra to assemble the output folder
+  buildMesccToolsExtraUtil = name:
+    derivationWithMeta {
+      pname = "mescc-tools-extra-${name}";
+      builder = kaem-unwrapped;
+      args = [
+        "--verbose"
+        "--strict"
+        "--file"
+        (builtins.toFile "build-${name}.kaem" ''
+          ''${M2} --architecture ${m2libcArch} \
+            -f ''${m2libc}/sys/types.h \
+            -f ''${m2libc}/stddef.h \
+            -f ''${m2libc}/${m2libcArch}/linux/fcntl.c \
+            -f ''${m2libc}/fcntl.c \
+            -f ''${m2libc}/${m2libcArch}/linux/unistd.c \
+            -f ''${m2libc}/${m2libcArch}/linux/sys/stat.c \
+            -f ''${m2libc}/stdlib.c \
+            -f ''${m2libc}/stdio.h \
+            -f ''${m2libc}/stdio.c \
+            -f ''${m2libc}/string.c \
+            -f ''${m2libc}/bootstrappable.c \
+            -f ''${src}/mescc-tools-extra/${name}.c \
+            --debug \
+            -o ${name}.M1
+
+          ''${blood-elf-0} ${endianFlag} ${bloodFlag} -f ${name}.M1 -o ${name}-footer.M1
+
+          ''${M1} --architecture ${m2libcArch} \
+            ${endianFlag} \
+            -f ''${m2libc}/${m2libcArch}/${m2libcArch}_defs.M1 \
+            -f ''${m2libc}/${m2libcArch}/libc-full.M1 \
+            -f ${name}.M1 \
+            -f ${name}-footer.M1 \
+            -o ${name}.hex2
+
+          ''${hex2} --architecture ${m2libcArch} \
+            ${endianFlag} \
+            -f ''${m2libc}/${m2libcArch}/ELF-${m2libcArch}-debug.hex2 \
+            -f ${name}.hex2 \
+            --base-address ${baseAddress} \
+            -o ''${out}
+        '')
+      ];
+      inherit version M1 M2 blood-elf-0 hex2 m2libc src;
+    };
+  mkdir = buildMesccToolsExtraUtil "mkdir";
+  cp = buildMesccToolsExtraUtil "cp";
+  chmod = buildMesccToolsExtraUtil "chmod";
+  replace = buildMesccToolsExtraUtil "replace";
+in
+derivationWithMeta {
+  pname = "mescc-tools";
+  builder = kaem-unwrapped;
+  args = [
+    "--verbose"
+    "--strict"
+    "--file"
+    ./build.kaem
+  ];
+  inherit version M1 M2 blood-elf-0 hex2 mkdir cp chmod replace m2libc src m2libcArch baseAddress bloodFlag endianFlag;
+
+  meta = with lib; {
+    description = "Collection of tools written for use in bootstrapping";
+    homepage = "https://github.com/oriansj/mescc-tools";
+    license = licenses.gpl3Plus;
+    maintainers = teams.minimal-bootstrap.members;
+    inherit platforms;
+  };
+}
diff --git a/nixpkgs/pkgs/os-specific/linux/minimal-bootstrap/stage0-posix/platforms.nix b/nixpkgs/pkgs/os-specific/linux/minimal-bootstrap/stage0-posix/platforms.nix
new file mode 100644
index 000000000000..53147df33444
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/minimal-bootstrap/stage0-posix/platforms.nix
@@ -0,0 +1,32 @@
+# Platform specific constants
+{ lib
+, hostPlatform
+}:
+
+rec {
+  # meta.platforms
+  platforms = [
+    "aarch64-linux"
+    "i686-linux"
+    "x86_64-linux"
+  ];
+
+  # system arch as used within the stage0 project
+  stage0Arch = {
+    "aarch64-linux" = "AArch64";
+    "i686-linux"    = "x86";
+    "x86_64-linux"  = "AMD64";
+  }.${hostPlatform.system} or (throw "Unsupported system: ${hostPlatform.system}");
+
+  # lower-case form is widely used by m2libc
+  m2libcArch = lib.toLower stage0Arch;
+
+  # Passed to M2-Mesoplanet as --operating-system
+  m2libcOS = if hostPlatform.isLinux then "linux" else throw "Unsupported system: ${hostPlatform.system}";
+
+  baseAddress = {
+    "aarch64-linux" = "0x00600000";
+    "i686-linux"    = "0x08048000";
+    "x86_64-linux"  = "0x00600000";
+  }.${hostPlatform.system} or (throw "Unsupported system: ${hostPlatform.system}");
+}
diff --git a/nixpkgs/pkgs/os-specific/linux/minimal-bootstrap/tinycc/bootstrappable.nix b/nixpkgs/pkgs/os-specific/linux/minimal-bootstrap/tinycc/bootstrappable.nix
new file mode 100644
index 000000000000..83d89012b0fc
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/minimal-bootstrap/tinycc/bootstrappable.nix
@@ -0,0 +1,172 @@
+# Bootstrappable TCC is a fork from mainline TCC development
+# that can be compiled by MesCC
+
+# Build steps adapted from https://github.com/fosslinux/live-bootstrap/blob/1bc4296091c51f53a5598050c8956d16e945b0f5/sysa/tcc-0.9.26/tcc-0.9.26.kaem
+#
+# SPDX-FileCopyrightText: 2021-22 fosslinux <fosslinux@aussies.space>
+#
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+{ lib
+, callPackage
+, fetchurl
+, kaem
+, mes
+, mes-libc
+}:
+let
+  inherit (callPackage ./common.nix { }) buildTinyccMes recompileLibc;
+
+  version = "unstable-2023-04-20";
+  rev = "80114c4da6b17fbaabb399cc29f427e368309bc8";
+
+  tarball = fetchurl {
+    url = "https://gitlab.com/janneke/tinycc/-/archive/${rev}/tinycc-${rev}.tar.gz";
+    sha256 = "1a0cw9a62qc76qqn5sjmp3xrbbvsz2dxrw21lrnx9q0s74mwaxbq";
+  };
+  src = (kaem.runCommand "tinycc-bootstrappable-${version}-source" {} ''
+    ungz --file ${tarball} --output tinycc.tar
+    mkdir -p ''${out}
+    cd ''${out}
+    untar --file ''${NIX_BUILD_TOP}/tinycc.tar
+
+    # Patch
+    cd tinycc-${rev}
+    # Static link by default
+    replace --file libtcc.c --output libtcc.c --match-on "s->ms_extensions = 1;" --replace-with "s->ms_extensions = 1; s->static_link = 1;"
+  '') + "/tinycc-${rev}";
+
+  meta = with lib; {
+    description = "Tiny C Compiler's bootstrappable fork";
+    homepage = "https://gitlab.com/janneke/tinycc";
+    license = licenses.lgpl21Only;
+    maintainers = teams.minimal-bootstrap.members;
+    platforms = [ "i686-linux" ];
+  };
+
+  pname = "tinycc-boot-mes";
+
+  tinycc-boot-mes = rec {
+    compiler = kaem.runCommand "${pname}-${version}" {
+      passthru.tests.get-version = result: kaem.runCommand "${pname}-get-version-${version}" {} ''
+        ${result}/bin/tcc -version
+        mkdir ''${out}
+      '';
+    } ''
+      catm config.h
+      ${mes.compiler}/bin/mes --no-auto-compile -e main ${mes.srcPost.bin}/bin/mescc.scm -- \
+        -S \
+        -o tcc.s \
+        -I . \
+        -D BOOTSTRAP=1 \
+        -I ${src} \
+        -D TCC_TARGET_I386=1 \
+        -D inline= \
+        -D CONFIG_TCCDIR=\"\" \
+        -D CONFIG_SYSROOT=\"\" \
+        -D CONFIG_TCC_CRTPREFIX=\"{B}\" \
+        -D CONFIG_TCC_ELFINTERP=\"/mes/loader\" \
+        -D CONFIG_TCC_LIBPATHS=\"{B}\" \
+        -D CONFIG_TCC_SYSINCLUDEPATHS=\"${mes-libc}/include\" \
+        -D TCC_LIBGCC=\"${mes-libc}/lib/x86-mes/libc.a\" \
+        -D CONFIG_TCC_LIBTCC1_MES=0 \
+        -D CONFIG_TCCBOOT=1 \
+        -D CONFIG_TCC_STATIC=1 \
+        -D CONFIG_USE_LIBGCC=1 \
+        -D TCC_MES_LIBC=1 \
+        -D TCC_VERSION=\"${version}\" \
+        -D ONE_SOURCE=1 \
+        ${src}/tcc.c
+      mkdir -p ''${out}/bin
+      ${mes.compiler}/bin/mes --no-auto-compile -e main ${mes.srcPost.bin}/bin/mescc.scm -- \
+        -L ${mes.libs}/lib \
+        -l c+tcc \
+        -o ''${out}/bin/tcc \
+        tcc.s
+    '';
+
+    libs = recompileLibc {
+      inherit pname version;
+      tcc = compiler;
+      src = mes-libc;
+      libtccOptions = mes-libc.CFLAGS;
+    };
+  };
+
+  # Bootstrap stage build flags obtained from
+  # https://gitlab.com/janneke/tinycc/-/blob/80114c4da6b17fbaabb399cc29f427e368309bc8/boot.sh
+
+  tinycc-boot0 = buildTinyccMes {
+    pname = "tinycc-boot0";
+    inherit src version meta;
+    prev = tinycc-boot-mes;
+    buildOptions = [
+      "-D HAVE_LONG_LONG_STUB=1"
+      "-D HAVE_SETJMP=1"
+    ];
+    libtccBuildOptions = [
+      "-D HAVE_LONG_LONG_STUB=1"
+    ];
+  };
+
+  tinycc-boot1 = buildTinyccMes {
+    pname = "tinycc-boot1";
+    inherit src version meta;
+    prev = tinycc-boot0;
+    buildOptions = [
+      "-D HAVE_BITFIELD=1"
+      "-D HAVE_LONG_LONG=1"
+      "-D HAVE_SETJMP=1"
+    ];
+    libtccBuildOptions = [
+      "-D HAVE_LONG_LONG=1"
+    ];
+  };
+
+  tinycc-boot2 = buildTinyccMes {
+    pname = "tinycc-boot2";
+    inherit src version meta;
+    prev = tinycc-boot1;
+    buildOptions = [
+      "-D HAVE_BITFIELD=1"
+      "-D HAVE_FLOAT_STUB=1"
+      "-D HAVE_LONG_LONG=1"
+      "-D HAVE_SETJMP=1"
+    ];
+    libtccBuildOptions = [
+      "-D HAVE_FLOAT_STUB=1"
+      "-D HAVE_LONG_LONG=1"
+    ];
+  };
+
+  tinycc-boot3 = buildTinyccMes {
+    pname = "tinycc-boot3";
+    inherit src version meta;
+    prev = tinycc-boot2;
+    buildOptions = [
+      "-D HAVE_BITFIELD=1"
+      "-D HAVE_FLOAT=1"
+      "-D HAVE_LONG_LONG=1"
+      "-D HAVE_SETJMP=1"
+    ];
+    libtccBuildOptions = [
+      "-D HAVE_FLOAT=1"
+      "-D HAVE_LONG_LONG=1"
+    ];
+  };
+in
+buildTinyccMes {
+  pname = "tinycc-bootstrappable";
+  inherit src version meta;
+  prev = tinycc-boot3;
+  buildOptions = [
+    "-D HAVE_BITFIELD=1"
+    "-D HAVE_FLOAT=1"
+    "-D HAVE_LONG_LONG=1"
+    "-D HAVE_SETJMP=1"
+  ];
+  libtccBuildOptions = [
+    "-D HAVE_FLOAT=1"
+    "-D HAVE_LONG_LONG=1"
+  ];
+}
diff --git a/nixpkgs/pkgs/os-specific/linux/minimal-bootstrap/tinycc/common.nix b/nixpkgs/pkgs/os-specific/linux/minimal-bootstrap/tinycc/common.nix
new file mode 100644
index 000000000000..28dde3298767
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/minimal-bootstrap/tinycc/common.nix
@@ -0,0 +1,104 @@
+{ lib
+, kaem
+, mes-libc
+}:
+
+rec {
+
+  # Recompile libc: crt{1,n,i}, libtcc.a, libc.a, libgetopt.a
+  recompileLibc =
+    { tcc
+    , pname
+    , version
+    , src
+    , libtccOptions
+    }:
+    let
+
+    crt = kaem.runCommand "crt" {} ''
+      mkdir -p ''${out}/lib
+      ${tcc}/bin/tcc ${mes-libc.CFLAGS} -c -o ''${out}/lib/crt1.o ${mes-libc}/lib/crt1.c
+      ${tcc}/bin/tcc ${mes-libc.CFLAGS} -c -o ''${out}/lib/crtn.o ${mes-libc}/lib/crtn.c
+      ${tcc}/bin/tcc ${mes-libc.CFLAGS} -c -o ''${out}/lib/crti.o ${mes-libc}/lib/crti.c
+    '';
+
+    library = lib: options: source: kaem.runCommand "${lib}.a" {} ''
+      ${tcc}/bin/tcc ${options} -c -o ${lib}.o ${source}
+      ${tcc}/bin/tcc -ar cr ''${out} ${lib}.o
+    '';
+
+    libtcc1 = library "libtcc1" libtccOptions "${src}/lib/libtcc1.c";
+    libc = library "libc" mes-libc.CFLAGS "${mes-libc}/lib/libc.c";
+    libgetopt = library "libgetopt" mes-libc.CFLAGS "${mes-libc}/lib/libgetopt.c";
+  in
+  kaem.runCommand "${pname}-libs-${version}" {} ''
+    mkdir -p ''${out}/lib
+    cp ${crt}/lib/crt1.o ''${out}/lib
+    cp ${crt}/lib/crtn.o ''${out}/lib
+    cp ${crt}/lib/crti.o ''${out}/lib
+    cp ${libtcc1} ''${out}/lib/libtcc1.a
+    cp ${libc} ''${out}/lib/libc.a
+    cp ${libgetopt} ''${out}/lib/libgetopt.a
+  '';
+
+  buildTinyccMes =
+    { pname
+    , version
+    , src
+    , prev
+    , buildOptions
+    , libtccBuildOptions
+    , meta
+    }:
+    let
+      options = lib.strings.concatStringsSep " " buildOptions;
+      libtccOptions = lib.strings.concatStringsSep " "
+        (["-c" "-D" "TCC_TARGET_I386=1" ] ++ libtccBuildOptions);
+      compiler =  kaem.runCommand "${pname}-${version}" {
+        inherit pname version meta;
+        passthru.tests = rec {
+          get-version = result: kaem.runCommand "${pname}-get-version-${version}" {} ''
+            ${result}/bin/tcc -version
+            mkdir ''${out}
+          '';
+          chain = result: kaem.runCommand "${pname}-chain-${version}" {} ''
+            echo ${prev.compiler.tests.chain or prev.compiler.tests.get-version};
+            ${result}/bin/tcc -version
+            mkdir ''${out}
+          '';
+        };
+      } ''
+        catm config.h
+        mkdir -p ''${out}/bin
+        ${prev.compiler}/bin/tcc \
+          -B ${prev.libs}/lib \
+          -g \
+          -v \
+          -o ''${out}/bin/tcc \
+          -D BOOTSTRAP=1 \
+          ${options} \
+          -I . \
+          -I ${src} \
+          -D TCC_TARGET_I386=1 \
+          -D CONFIG_TCCDIR=\"\" \
+          -D CONFIG_SYSROOT=\"\" \
+          -D CONFIG_TCC_CRTPREFIX=\"{B}\" \
+          -D CONFIG_TCC_ELFINTERP=\"\" \
+          -D CONFIG_TCC_LIBPATHS=\"{B}\" \
+          -D CONFIG_TCC_SYSINCLUDEPATHS=\"${mes-libc}/include\" \
+          -D TCC_LIBGCC=\"libc.a\" \
+          -D TCC_LIBTCC1=\"libtcc1.a\" \
+          -D CONFIG_TCCBOOT=1 \
+          -D CONFIG_TCC_STATIC=1 \
+          -D CONFIG_USE_LIBGCC=1 \
+          -D TCC_MES_LIBC=1 \
+          -D TCC_VERSION=\"${version}\" \
+          -D ONE_SOURCE=1 \
+          ${src}/tcc.c
+      '';
+    libs = recompileLibc {
+      inherit pname version src libtccOptions;
+      tcc = compiler;
+    };
+  in { inherit prev compiler libs; };
+}
diff --git a/nixpkgs/pkgs/os-specific/linux/minimal-bootstrap/tinycc/ignore-duplicate-symbols.patch b/nixpkgs/pkgs/os-specific/linux/minimal-bootstrap/tinycc/ignore-duplicate-symbols.patch
new file mode 100644
index 000000000000..0aec8b465bf2
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/minimal-bootstrap/tinycc/ignore-duplicate-symbols.patch
@@ -0,0 +1,13 @@
+--- tccelf.c
++++ tccelf.c
+@@ -710,8 +710,9 @@ ST_FUNC int set_elf_sym(Section *s, addr_t value, unsigned long size,
+ #if 0
+                 printf("new_bind=%x new_shndx=%x new_vis=%x old_bind=%x old_shndx=%x old_vis=%x\n",
+                        sym_bind, shndx, new_vis, esym_bind, esym->st_shndx, esym_vis);
+-#endif
+                 tcc_error_noabort("'%s' defined twice", name);
++#endif
++                goto do_patch;
+             }
+         } else {
+             esym->st_other = other;
diff --git a/nixpkgs/pkgs/os-specific/linux/minimal-bootstrap/tinycc/ignore-static-inside-array.patch b/nixpkgs/pkgs/os-specific/linux/minimal-bootstrap/tinycc/ignore-static-inside-array.patch
new file mode 100644
index 000000000000..8dc2fe3fcfb4
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/minimal-bootstrap/tinycc/ignore-static-inside-array.patch
@@ -0,0 +1,21 @@
+--- tccgen.c
++++ tccgen.c
+@@ -4941,7 +4941,7 @@ static int post_type(CType *type, AttributeDef *ad, int storage, int td)
+         next();
+         n = -1;
+         t1 = 0;
+-        if (td & TYPE_PARAM) while (1) {
++        while (1) {
+ 	    /* XXX The optional type-quals and static should only be accepted
+ 	       in parameter decls.  The '*' as well, and then even only
+ 	       in prototypes (not function defs).  */
+@@ -4972,7 +4972,8 @@ static int post_type(CType *type, AttributeDef *ad, int storage, int td)
+             }
+             break;
+ 
+-	} else if (tok != ']') {
++	}
++    if (tok != ']') {
+             if (!local_stack || (storage & VT_STATIC))
+                 vpushi(expr_const());
+             else {
diff --git a/nixpkgs/pkgs/os-specific/linux/minimal-bootstrap/tinycc/mes.nix b/nixpkgs/pkgs/os-specific/linux/minimal-bootstrap/tinycc/mes.nix
new file mode 100644
index 000000000000..55f6321412db
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/minimal-bootstrap/tinycc/mes.nix
@@ -0,0 +1,96 @@
+# Build steps adapted from https://github.com/fosslinux/live-bootstrap/blob/1bc4296091c51f53a5598050c8956d16e945b0f5/sysa/tcc-0.9.27/tcc-0.9.27.kaem
+#
+# SPDX-FileCopyrightText: 2021-22 fosslinux <fosslinux@aussies.space>
+#
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+{ lib
+, fetchurl
+, callPackage
+, kaem
+, tinycc-bootstrappable
+}:
+let
+  inherit (callPackage ./common.nix { }) buildTinyccMes;
+
+  version = "unstable-2023-04-20";
+  rev = "86f3d8e33105435946383aee52487b5ddf918140";
+
+  tarball = fetchurl {
+    url = "https://repo.or.cz/tinycc.git/snapshot/${rev}.tar.gz";
+    sha256 = "11idrvbwfgj1d03crv994mpbbbyg63j1k64lw1gjy7mkiifw2xap";
+  };
+  src = (kaem.runCommand "tinycc-${version}-source" {} ''
+    ungz --file ${tarball} --output tinycc.tar
+    mkdir -p ''${out}
+    cd ''${out}
+    untar --file ''${NIX_BUILD_TOP}/tinycc.tar
+
+    # Patch
+    cd tinycc-${builtins.substring 0 7 rev}
+    # Static link by default
+    replace --file libtcc.c --output libtcc.c --match-on "s->ms_extensions = 1;" --replace-with "s->ms_extensions = 1; s->static_link = 1;"
+  '') + "/tinycc-${builtins.substring 0 7 rev}";
+
+  meta = with lib; {
+    description = "Small, fast, and embeddable C compiler and interpreter";
+    homepage = "https://repo.or.cz/w/tinycc.git";
+    license = licenses.lgpl21Only;
+    maintainers = teams.minimal-bootstrap.members;
+    platforms = [ "i686-linux" ];
+  };
+
+  tccdefs = kaem.runCommand "tccdefs-${version}" {} ''
+    mkdir ''${out}
+    ${tinycc-bootstrappable.compiler}/bin/tcc \
+      -B ${tinycc-bootstrappable.libs}/lib \
+      -DC2STR \
+      -o c2str \
+      ${src}/conftest.c
+    ./c2str ${src}/include/tccdefs.h ''${out}/tccdefs_.h
+  '';
+
+  tinycc-mes-boot = buildTinyccMes {
+    pname = "tinycc-mes-boot";
+    inherit src version meta;
+    prev = tinycc-bootstrappable;
+    buildOptions = [
+      "-D HAVE_BITFIELD=1"
+      "-D HAVE_FLOAT=1"
+      "-D HAVE_LONG_LONG=1"
+      "-D HAVE_SETJMP=1"
+      "-D CONFIG_TCC_PREDEFS=1"
+      "-I ${tccdefs}"
+      "-D CONFIG_TCC_SEMLOCK=0"
+    ];
+    libtccBuildOptions = [
+      "-D HAVE_FLOAT=1"
+      "-D HAVE_LONG_LONG=1"
+      "-D CONFIG_TCC_PREDEFS=1"
+      "-I ${tccdefs}"
+      "-D CONFIG_TCC_SEMLOCK=0"
+    ];
+  };
+in
+buildTinyccMes {
+  pname = "tinycc-mes";
+  inherit src version meta;
+  prev = tinycc-mes-boot;
+  buildOptions = [
+    "-std=c99"
+    "-D HAVE_BITFIELD=1"
+    "-D HAVE_FLOAT=1"
+    "-D HAVE_LONG_LONG=1"
+    "-D HAVE_SETJMP=1"
+    "-D CONFIG_TCC_PREDEFS=1"
+    "-I ${tccdefs}"
+    "-D CONFIG_TCC_SEMLOCK=0"
+  ];
+  libtccBuildOptions = [
+    "-D HAVE_FLOAT=1"
+    "-D HAVE_LONG_LONG=1"
+    "-D CONFIG_TCC_PREDEFS=1"
+    "-I ${tccdefs}"
+    "-D CONFIG_TCC_SEMLOCK=0"
+  ];
+}
diff --git a/nixpkgs/pkgs/os-specific/linux/minimal-bootstrap/tinycc/musl.nix b/nixpkgs/pkgs/os-specific/linux/minimal-bootstrap/tinycc/musl.nix
new file mode 100644
index 000000000000..4d26faac20b1
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/minimal-bootstrap/tinycc/musl.nix
@@ -0,0 +1,155 @@
+{ lib
+, fetchurl
+, callPackage
+, bash
+, tinycc-bootstrappable
+, musl
+, gnupatch
+, gnutar
+, gzip
+}:
+let
+  pname = "tinycc-musl";
+  # next commit introduces use of realpath (unsupported in mes-libc)
+  version = "unstable-2023-07-10";
+  rev = "fd6d2180c5c801bb0b4c5dde27d61503059fc97d";
+
+  src = fetchurl {
+    url = "https://repo.or.cz/tinycc.git/snapshot/${rev}.tar.gz";
+    hash = "sha256-R81SNbEmh4s9FNQxCWZwUiMCYRkkwOHAdRf0aMnnRiA=";
+  };
+
+  patches = [
+    ./ignore-duplicate-symbols.patch
+    ./ignore-static-inside-array.patch
+    ./static-link.patch
+  ];
+
+  meta = with lib; {
+    description = "Small, fast, and embeddable C compiler and interpreter";
+    homepage = "https://repo.or.cz/w/tinycc.git";
+    license = licenses.lgpl21Only;
+    maintainers = teams.minimal-bootstrap.members;
+    platforms = [ "i686-linux" ];
+  };
+
+  tinycc-musl = bash.runCommand "${pname}-${version}" {
+    inherit pname version meta;
+
+    nativeBuildInputs = [
+      tinycc-bootstrappable.compiler
+      gnupatch
+      gnutar
+      gzip
+    ];
+  } ''
+    # Unpack
+    tar xzf ${src}
+    cd tinycc-${builtins.substring 0 7 rev}
+
+    # Patch
+    ${lib.concatMapStringsSep "\n" (f: "patch -Np0 -i ${f}") patches}
+
+    # Configure
+    touch config.h
+
+    # Build
+    # We first have to recompile using tcc-0.9.26 as tcc-0.9.27 is not self-hosting,
+    # but when linked with musl it is.
+    ln -s ${musl}/lib/libtcc1.a ./libtcc1.a
+
+    tcc \
+      -B ${tinycc-bootstrappable.libs}/lib \
+      -DC2STR \
+      -o c2str \
+      conftest.c
+    ./c2str include/tccdefs.h tccdefs_.h
+
+    tcc -v \
+      -static \
+      -o tcc-musl \
+      -D TCC_TARGET_I386=1 \
+      -D CONFIG_TCCDIR=\"\" \
+      -D CONFIG_TCC_CRTPREFIX=\"{B}\" \
+      -D CONFIG_TCC_ELFINTERP=\"/musl/loader\" \
+      -D CONFIG_TCC_LIBPATHS=\"{B}\" \
+      -D CONFIG_TCC_SYSINCLUDEPATHS=\"${musl}/include\" \
+      -D TCC_LIBGCC=\"libc.a\" \
+      -D TCC_LIBTCC1=\"libtcc1.a\" \
+      -D CONFIG_TCC_STATIC=1 \
+      -D CONFIG_USE_LIBGCC=1 \
+      -D TCC_VERSION=\"0.9.27\" \
+      -D ONE_SOURCE=1 \
+      -D TCC_MUSL=1 \
+      -D CONFIG_TCC_PREDEFS=1 \
+      -D CONFIG_TCC_SEMLOCK=0 \
+      -B . \
+      -B ${tinycc-bootstrappable.libs}/lib \
+      tcc.c
+    # libtcc1.a
+    rm -f libtcc1.a
+    tcc -c -D HAVE_CONFIG_H=1 lib/libtcc1.c
+    tcc -ar cr libtcc1.a libtcc1.o
+
+    # Rebuild tcc-musl with itself
+    ./tcc-musl \
+      -v \
+      -static \
+      -o tcc-musl \
+      -D TCC_TARGET_I386=1 \
+      -D CONFIG_TCCDIR=\"\" \
+      -D CONFIG_TCC_CRTPREFIX=\"{B}\" \
+      -D CONFIG_TCC_ELFINTERP=\"/musl/loader\" \
+      -D CONFIG_TCC_LIBPATHS=\"{B}\" \
+      -D CONFIG_TCC_SYSINCLUDEPATHS=\"${musl}/include\" \
+      -D TCC_LIBGCC=\"libc.a\" \
+      -D TCC_LIBTCC1=\"libtcc1.a\" \
+      -D CONFIG_TCC_STATIC=1 \
+      -D CONFIG_USE_LIBGCC=1 \
+      -D TCC_VERSION=\"0.9.27\" \
+      -D ONE_SOURCE=1 \
+      -D TCC_MUSL=1 \
+      -D CONFIG_TCC_PREDEFS=1 \
+      -D CONFIG_TCC_SEMLOCK=0 \
+      -B . \
+      -B ${musl}/lib \
+      tcc.c
+    # libtcc1.a
+    rm -f libtcc1.a
+    ./tcc-musl -c -D HAVE_CONFIG_H=1 lib/libtcc1.c
+    ./tcc-musl -c -D HAVE_CONFIG_H=1 lib/alloca.S
+    ./tcc-musl -ar cr libtcc1.a libtcc1.o alloca.o
+
+    # Install
+    install -D tcc-musl $out/bin/tcc
+    install -Dm444 libtcc1.a $out/lib/libtcc1.a
+  '';
+in
+{
+  compiler = bash.runCommand "${pname}-${version}-compiler" {
+    inherit pname version meta;
+    passthru.tests.hello-world = result:
+      bash.runCommand "${pname}-simple-program-${version}" {} ''
+        cat <<EOF >> test.c
+        #include <stdio.h>
+        int main() {
+          printf("Hello World!\n");
+          return 0;
+        }
+        EOF
+        ${result}/bin/tcc -v -static -B${musl}/lib -o test test.c
+        ./test
+        mkdir $out
+      '';
+    passthru.tinycc-musl = tinycc-musl;
+  } "install -D ${tinycc-musl}/bin/tcc $out/bin/tcc";
+
+  libs = bash.runCommand "${pname}-${version}-libs" {
+    inherit pname version meta;
+  } ''
+    mkdir $out
+    cp -r ${musl}/* $out
+    chmod +w $out/lib/libtcc1.a
+    cp ${tinycc-musl}/lib/libtcc1.a $out/lib/libtcc1.a
+  '';
+}
diff --git a/nixpkgs/pkgs/os-specific/linux/minimal-bootstrap/tinycc/static-link.patch b/nixpkgs/pkgs/os-specific/linux/minimal-bootstrap/tinycc/static-link.patch
new file mode 100644
index 000000000000..671a3b37f98d
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/minimal-bootstrap/tinycc/static-link.patch
@@ -0,0 +1,10 @@
+--- libtcc.c
++++ libtcc.c
+@@ -793,6 +793,7 @@ LIBTCCAPI TCCState *tcc_new(void)
+ 
+     s->gnu_ext = 1;
+     s->tcc_ext = 1;
++    s->static_link = 1;
+     s->nocommon = 1;
+     s->dollars_in_identifiers = 1; /*on by default like in gcc/clang*/
+     s->cversion = 199901; /* default unless -std=c11 is supplied */
diff --git a/nixpkgs/pkgs/os-specific/linux/minimal-bootstrap/utils.nix b/nixpkgs/pkgs/os-specific/linux/minimal-bootstrap/utils.nix
new file mode 100644
index 000000000000..cc8c04619169
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/minimal-bootstrap/utils.nix
@@ -0,0 +1,60 @@
+{ lib
+, buildPlatform
+, callPackage
+, kaem
+, mescc-tools-extra
+, checkMeta
+}:
+rec {
+  derivationWithMeta = attrs:
+    let
+      passthru = attrs.passthru or {};
+      validity = checkMeta.assertValidity { inherit meta attrs; };
+      meta = checkMeta.commonMeta { inherit validity attrs; };
+      baseDrv = derivation ({
+        inherit (buildPlatform) system;
+        inherit (meta) name;
+      } // (builtins.removeAttrs attrs [ "meta" "passthru" ]));
+      passthru' = passthru // lib.optionalAttrs (passthru ? tests) {
+        tests = lib.mapAttrs (_: f: f baseDrv) passthru.tests;
+      };
+    in
+    lib.extendDerivation
+      validity.handled
+      ({ inherit meta; passthru = passthru'; } // passthru')
+      baseDrv;
+
+  writeTextFile =
+    { name # the name of the derivation
+    , text
+    , executable ? false # run chmod +x ?
+    , destination ? ""   # relative path appended to $out eg "/bin/foo"
+    }:
+    derivationWithMeta {
+      inherit name text;
+      passAsFile = [ "text" ];
+
+      builder = "${kaem}/bin/kaem";
+      args = [
+        "--verbose"
+        "--strict"
+        "--file"
+        (builtins.toFile "write-text-file.kaem" (''
+          target=''${out}''${destination}
+        '' + lib.optionalString (builtins.dirOf destination == ".") ''
+          mkdir -p ''${out}''${destinationDir}
+        '' + ''
+          cp ''${textPath} ''${target}
+        '' + lib.optionalString executable ''
+          chmod 555 ''${target}
+        ''))
+      ];
+
+      PATH = lib.makeBinPath [ mescc-tools-extra ];
+      destinationDir = builtins.dirOf destination;
+      inherit destination;
+    };
+
+  writeText = name: text: writeTextFile {inherit name text;};
+
+}
diff --git a/nixpkgs/pkgs/os-specific/linux/minimal-bootstrap/xz/default.nix b/nixpkgs/pkgs/os-specific/linux/minimal-bootstrap/xz/default.nix
new file mode 100644
index 000000000000..8dcccbacaca8
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/minimal-bootstrap/xz/default.nix
@@ -0,0 +1,70 @@
+{ lib
+, buildPlatform
+, hostPlatform
+, fetchurl
+, bash
+, tinycc
+, gnumake
+, gnused
+, gnugrep
+, gawk
+, gnutar
+, gzip
+}:
+let
+  pname = "xz";
+  version = "5.4.3";
+
+  src = fetchurl {
+    url = "https://tukaani.org/xz/xz-${version}.tar.gz";
+    hash = "sha256-HDguC8Lk4K9YOYqQPdYv/35RAXHS3keh6+BtFSjpt+k=";
+  };
+in
+bash.runCommand "${pname}-${version}" {
+  inherit pname version;
+
+  nativeBuildInputs = [
+    tinycc.compiler
+    gnumake
+    gnused
+    gnugrep
+    gawk
+    gnutar
+    gzip
+  ];
+
+  passthru.tests.get-version = result:
+    bash.runCommand "${pname}-get-version-${version}" {} ''
+      ${result}/bin/xz --version
+      mkdir $out
+    '';
+
+  meta = with lib; {
+    description = "A general-purpose data compression software, successor of LZMA";
+    homepage = "https://tukaani.org/xz";
+    license = with licenses; [ gpl2Plus lgpl21Plus ];
+    maintainers = teams.minimal-bootstrap.members;
+    platforms = platforms.unix;
+  };
+} ''
+  # Unpack
+  tar xzf ${src}
+  cd xz-${version}
+
+  # Configure
+  export CC="tcc -B ${tinycc.libs}/lib"
+  export AR="tcc -ar"
+  export LD=tcc
+  bash ./configure \
+    --prefix=$out \
+    --build=${buildPlatform.config} \
+    --host=${hostPlatform.config} \
+    --disable-shared \
+    --disable-assembler
+
+  # Build
+  make -j $NIX_BUILD_CORES
+
+  # Install
+  make -j $NIX_BUILD_CORES install
+''
diff --git a/nixpkgs/pkgs/os-specific/linux/miraclecast/default.nix b/nixpkgs/pkgs/os-specific/linux/miraclecast/default.nix
new file mode 100644
index 000000000000..7b502fa4adee
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/miraclecast/default.nix
@@ -0,0 +1,31 @@
+{ lib, stdenv, fetchFromGitHub, meson, ninja, pkg-config
+, glib, readline, pcre, systemd, udev }:
+
+stdenv.mkDerivation {
+  pname = "miraclecast";
+  version = "1.0-20190403";
+
+  src = fetchFromGitHub {
+    owner  = "albfan";
+    repo   = "miraclecast";
+    rev    = "960a785e10523cc525885380dd03aa2c5ba11bc7";
+    sha256 = "05afqi33rv7k6pbkkw4mynj6p97vkzhhh13y5nh0yxkyhcgf45pm";
+  };
+
+  nativeBuildInputs = [ meson ninja pkg-config ];
+
+  buildInputs = [ glib pcre readline systemd udev ];
+
+  mesonFlags = [
+    "-Drely-udev=true"
+    "-Dbuild-tests=true"
+  ];
+
+  meta = with lib; {
+    description = "Connect external monitors via Wi-Fi";
+    homepage    = "https://github.com/albfan/miraclecast";
+    license     = licenses.lgpl21Plus;
+    maintainers = with maintainers; [ ];
+    platforms   = platforms.linux;
+  };
+}
diff --git a/nixpkgs/pkgs/os-specific/linux/mkinitcpio-nfs-utils/default.nix b/nixpkgs/pkgs/os-specific/linux/mkinitcpio-nfs-utils/default.nix
new file mode 100644
index 000000000000..da2ba4b9ff2d
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/mkinitcpio-nfs-utils/default.nix
@@ -0,0 +1,27 @@
+{ lib, stdenv, fetchurl }:
+
+stdenv.mkDerivation rec {
+  pname = "mkinitcpio-nfs-utils";
+  version = "0.3";
+
+  src = fetchurl {
+    url = "https://sources.archlinux.org/other/mkinitcpio/mkinitcpio-nfs-utils-${version}.tar.xz";
+    sha256 = "0fc93sfk41ycpa33083kyd7i4y00ykpbhj5qlw611bjghj4x946j";
+    # ugh, upstream...
+    name = "mkinitcpio-nfs-utils-${version}.tar.gz";
+  };
+
+  makeFlags = [ "DESTDIR=$(out)" "bindir=/bin" ];
+
+  postInstall = ''
+    rm -rf $out/usr
+  '';
+
+  meta = with lib; {
+    homepage = "https://archlinux.org/";
+    description = "ipconfig and nfsmount tools for root on NFS, ported from klibc";
+    license = licenses.gpl2;
+    platforms  = platforms.linux;
+    maintainers = with maintainers; [ abbradar ];
+  };
+}
diff --git a/nixpkgs/pkgs/os-specific/linux/mmc-utils/default.nix b/nixpkgs/pkgs/os-specific/linux/mmc-utils/default.nix
new file mode 100644
index 000000000000..0fea46da56d2
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/mmc-utils/default.nix
@@ -0,0 +1,36 @@
+{ lib, stdenv, fetchzip, unstableGitUpdater }:
+
+stdenv.mkDerivation {
+  pname = "mmc-utils";
+  version = "unstable-2023-10-10";
+
+  src = fetchzip rec {
+    url = "https://git.kernel.org/pub/scm/utils/mmc/mmc-utils.git/snapshot/mmc-utils-${passthru.rev}.tar.gz";
+    passthru.rev = "b5ca140312d279ad2f22068fd72a6230eea13436";
+    sha256 = "QU4r8eajrrhT6u6WHEf1xtB1iyecBeHxu4vS+QcwAgM=";
+  };
+
+  makeFlags = [ "CC=${stdenv.cc.targetPrefix}cc" "prefix=$(out)" ];
+
+  # causes redefinition of _FORTIFY_SOURCE
+  hardeningDisable = [ "fortify3" ];
+
+  postInstall = ''
+    mkdir -p $out/share/man/man1
+    cp man/mmc.1 $out/share/man/man1/
+  '';
+
+  enableParallelBuilding = true;
+
+  passthru.updateScript = unstableGitUpdater {
+    url = "https://git.kernel.org/pub/scm/utils/mmc/mmc-utils.git";
+  };
+
+  meta = with lib; {
+    description = "Configure MMC storage devices from userspace";
+    homepage = "https://git.kernel.org/pub/scm/utils/mmc/mmc-utils.git/";
+    license = licenses.gpl2Only;
+    maintainers = [ maintainers.dezgeg ];
+    platforms = platforms.linux;
+  };
+}
diff --git a/nixpkgs/pkgs/os-specific/linux/molly-guard/default.nix b/nixpkgs/pkgs/os-specific/linux/molly-guard/default.nix
new file mode 100644
index 000000000000..1100751f451e
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/molly-guard/default.nix
@@ -0,0 +1,39 @@
+{ lib, stdenv, fetchurl, dpkg, busybox, systemd }:
+
+stdenv.mkDerivation rec {
+  pname = "molly-guard";
+  version = "0.7.2";
+
+  src = fetchurl {
+    url = "https://launchpad.net/ubuntu/+archive/primary/+files/molly-guard_${version}_all.deb";
+    sha256 = "1k6b1hn8lc4rj9n036imsl7s9lqj6ny3acdhnbnamsdkkndmxrw7";
+  };
+
+  buildInputs = [ dpkg ];
+
+  unpackCmd = ''
+    dpkg-deb -x "$src" source
+  '';
+
+  installPhase = ''
+    sed -i "s|/lib/molly-guard|${systemd}/sbin|g" lib/molly-guard/molly-guard
+    sed -i "s|run-parts|${busybox}/bin/run-parts|g" lib/molly-guard/molly-guard
+    sed -i "s|/etc/molly-guard/|$out/etc/molly-guard/|g" lib/molly-guard/molly-guard
+    cp -r ./ $out/
+  '';
+
+  postFixup = ''
+    for modus in init halt poweroff reboot runlevel shutdown telinit; do
+       ln -sf $out/lib/molly-guard/molly-guard $out/bin/$modus;
+    done;
+  '';
+
+  meta = with lib; {
+    description = "Attempts to prevent you from accidentally shutting down or rebooting machines";
+    homepage    = "https://salsa.debian.org/debian/molly-guard";
+    license     = licenses.artistic2;
+    platforms   = platforms.linux;
+    maintainers = with maintainers; [ DerTim1 ];
+    priority    = -10;
+  };
+}
diff --git a/nixpkgs/pkgs/os-specific/linux/msr-tools/default.nix b/nixpkgs/pkgs/os-specific/linux/msr-tools/default.nix
new file mode 100644
index 000000000000..1e6a55a4d656
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/msr-tools/default.nix
@@ -0,0 +1,26 @@
+{ lib, stdenv, fetchurl, unzip }:
+
+stdenv.mkDerivation rec {
+  pname = "msr-tools";
+  version = "1.3";
+
+  src = fetchurl {
+    url = "https://01.org/sites/default/files/downloads/msr-tools/${pname}-${version}.zip";
+    sha256 = "07hxmddg0l31kjfmaq84ni142lbbvgq6391r8bd79wpm819pnigr";
+  };
+
+  nativeBuildInputs = [ unzip ];
+
+  preInstall = ''
+    mkdir -p $out/bin
+    substituteInPlace Makefile \
+      --replace /usr/sbin $out/bin
+  '';
+
+  meta = with lib; {
+    description = "Tool to read/write from/to MSR CPU registers on Linux";
+    license = licenses.gpl2;
+    platforms = platforms.linux;
+    maintainers = with maintainers; [ peterhoeg ];
+  };
+}
diff --git a/nixpkgs/pkgs/os-specific/linux/msr/000-include-sysmacros.patch b/nixpkgs/pkgs/os-specific/linux/msr/000-include-sysmacros.patch
new file mode 100644
index 000000000000..5fa96cd14699
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/msr/000-include-sysmacros.patch
@@ -0,0 +1,11 @@
+diff -Naur msr-old/msr.c msr-20060208/msr.c
+--- msr-old/msr.c	1969-12-31 21:00:01.000000000 -0300
++++ msr-20060208/msr.c	2021-11-02 21:19:34.576722617 -0300
+@@ -19,6 +19,7 @@
+ #include <stdio.h>
+ #include <sys/types.h>
+ #include <sys/stat.h>
++#include <sys/sysmacros.h>
+ #include <fcntl.h>
+ #include <errno.h>
+ #include <unistd.h>
diff --git a/nixpkgs/pkgs/os-specific/linux/msr/default.nix b/nixpkgs/pkgs/os-specific/linux/msr/default.nix
new file mode 100644
index 000000000000..0ffc46012096
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/msr/default.nix
@@ -0,0 +1,40 @@
+{ lib
+, stdenv
+, fetchzip
+, installShellFiles
+}:
+
+stdenv.mkDerivation rec {
+  pname = "msr";
+  version = "20060208";
+
+  src = fetchzip {
+    name = "${pname}-${version}";
+    url = "http://www.etallen.com/msr/${pname}-${version}.src.tar.gz";
+    hash = "sha256-e01qYWbOALkXp5NpexuVodMxA3EBySejJ6ZBpZjyT+E=";
+  };
+
+  nativeBuildInputs = [
+    installShellFiles
+  ];
+
+  patches = [
+    ./000-include-sysmacros.patch
+  ];
+
+  installPhase = ''
+    runHook preInstall
+    mkdir -p $out/bin/
+    cp msr $out/bin/
+    installManPage msr.man
+    runHook postInstall
+  '';
+
+  meta = with lib; {
+    homepage = "http://www.etallen.com/msr.html";
+    description = "Linux tool to display or modify x86 model-specific registers (MSRs)";
+    license = licenses.bsd0;
+    maintainers = with maintainers; [ AndersonTorres ];
+    platforms = [ "i686-linux" "x86_64-linux" ];
+  };
+}
diff --git a/nixpkgs/pkgs/os-specific/linux/mstflint_access/default.nix b/nixpkgs/pkgs/os-specific/linux/mstflint_access/default.nix
new file mode 100644
index 000000000000..6e29e27ccbf2
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/mstflint_access/default.nix
@@ -0,0 +1,40 @@
+{ lib, stdenv, fetchurl, kernel, kmod, mstflint }:
+
+stdenv.mkDerivation rec {
+  pname = "mstflint_access";
+  inherit (mstflint) version;
+
+  src = fetchurl {
+    url = "https://github.com/Mellanox/mstflint/releases/download/v${version}/kernel-mstflint-${version}.tar.gz";
+    hash = "sha256-rfZts0m8x6clVazpbAa2xK+dYgRU9Us5rbcWa0uHJ1M=";
+  };
+
+  nativeBuildInputs = [ kmod ] ++ kernel.moduleBuildDependencies;
+
+  makeFlags = kernel.makeFlags ++ [
+    "KVER=${kernel.modDirVersion}"
+    "KSRC=${kernel.dev}/lib/modules/${kernel.modDirVersion}/build"
+  ];
+
+  enableParallelBuilding = true;
+
+  preConfigure = lib.optionals (lib.versionAtLeast kernel.version "6.4") ''
+    sed -i "s/class_create(THIS_MODULE, dev->name)/class_create(dev->name)/g" mst_main.c
+  '';
+
+  installPhase = ''
+    runHook preInstall
+
+    install -D ${pname}.ko $out/lib/modules/${kernel.modDirVersion}/extra/${pname}.ko
+
+    runHook postInstall
+  '';
+
+  meta = with lib; {
+    description = "A kernel module for Nvidia NIC firmware update";
+    homepage = "https://github.com/Mellanox/mstflint";
+    license = [ licenses.gpl2Only ];
+    maintainers = with maintainers; [ thillux ];
+    platforms = platforms.linux;
+  };
+}
diff --git a/nixpkgs/pkgs/os-specific/linux/mstpd/default.nix b/nixpkgs/pkgs/os-specific/linux/mstpd/default.nix
new file mode 100644
index 000000000000..389acdf91e6e
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/mstpd/default.nix
@@ -0,0 +1,37 @@
+{ lib, stdenv, fetchFromGitHub, fetchpatch, autoreconfHook }:
+
+stdenv.mkDerivation rec {
+  pname = "mstpd";
+  version = "0.0.8";
+
+  src = fetchFromGitHub {
+    owner = pname;
+    repo = pname;
+    rev = version;
+    sha256 = "1xkfydxljdnj49p5r3mirk4k146428b6imfc9bkfps9yjn64mkgb";
+  };
+
+  patches = [
+    (fetchpatch {
+      name = "fix-strncpy-gcc9.patch";
+      url = "https://github.com/mstpd/mstpd/commit/d27d7e93485d881d8ff3a7f85309b545edbe1fc6.patch";
+      sha256 = "19456daih8l3y6m9kphjr7pj7slrqzbj6yacnlgznpxyd8y4d86y";
+    })
+  ];
+
+  nativeBuildInputs = [ autoreconfHook ];
+
+  configureFlags = [
+    "--prefix=$(out)"
+    "--sysconfdir=$(out)/etc"
+    "--sbindir=$(out)/sbin"
+    "--libexecdir=$(out)/lib"
+  ];
+
+  meta = with lib; {
+    description = "Multiple Spanning Tree Protocol daemon";
+    homepage = "https://github.com/mstpd/mstpd";
+    license = licenses.gpl2;
+    platforms = platforms.linux;
+  };
+}
diff --git a/nixpkgs/pkgs/os-specific/linux/multipath-tools/default.nix b/nixpkgs/pkgs/os-specific/linux/multipath-tools/default.nix
new file mode 100644
index 000000000000..5ec8197451cf
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/multipath-tools/default.nix
@@ -0,0 +1,91 @@
+{ lib
+, stdenv
+, fetchFromGitHub
+, coreutils
+
+, perl
+, pkg-config
+
+, json_c
+, libaio
+, liburcu
+, linuxHeaders
+, lvm2
+, readline
+, systemd
+, util-linuxMinimal
+
+, cmocka
+, nixosTests
+}:
+
+stdenv.mkDerivation rec {
+  pname = "multipath-tools";
+  version = "0.9.6";
+
+  src = fetchFromGitHub {
+    owner = "opensvc";
+    repo = "multipath-tools";
+    rev = "refs/tags/${version}";
+    sha256 = "sha256-X4sAMGn4oBMY3cQkVj1dMcrDF7FgMl8SbZeUnCCOY6Q=";
+  };
+
+  postPatch = ''
+    substituteInPlace create-config.mk \
+      --replace /bin/echo ${coreutils}/bin/echo
+
+    substituteInPlace multipathd/multipathd.service \
+      --replace /sbin/multipathd "$out/bin/multipathd"
+
+    sed -i -re '
+      s,^( *#define +DEFAULT_MULTIPATHDIR\>).*,\1 "'"$out/lib/multipath"'",
+    ' libmultipath/defaults.h
+    sed -i -e 's,\$(DESTDIR)/\(usr/\)\?,$(prefix)/,g' \
+      kpartx/Makefile libmpathpersist/Makefile
+    sed -i -e "s,GZIP,GZ," \
+      $(find * -name Makefile\*)
+
+    sed '1i#include <assert.h>' -i tests/{util,vpd}.c
+  '';
+
+  nativeBuildInputs = [
+    perl
+    pkg-config
+  ];
+  buildInputs = [
+    json_c
+    libaio
+    liburcu
+    linuxHeaders
+    lvm2
+    readline
+    systemd
+    util-linuxMinimal # for libmount
+  ];
+
+  makeFlags = [
+    "LIB=lib"
+    "prefix=$(out)"
+    "systemd_prefix=$(out)"
+    "kernel_incdir=${linuxHeaders}/include/"
+    "man8dir=$(out)/share/man/man8"
+    "man5dir=$(out)/share/man/man5"
+    "man3dir=$(out)/share/man/man3"
+  ];
+
+  doCheck = true;
+  preCheck = ''
+    # skip test attempting to access /sys/dev/block
+    substituteInPlace tests/Makefile --replace ' devt ' ' '
+  '';
+  nativeCheckInputs = [ cmocka ];
+
+  passthru.tests = { inherit (nixosTests) iscsi-multipath-root; };
+
+  meta = with lib; {
+    description = "Tools for the Linux multipathing storage driver";
+    homepage = "http://christophe.varoqui.free.fr/";
+    license = licenses.gpl2;
+    platforms = platforms.linux;
+  };
+}
diff --git a/nixpkgs/pkgs/os-specific/linux/musl-fts/default.nix b/nixpkgs/pkgs/os-specific/linux/musl-fts/default.nix
new file mode 100644
index 000000000000..cdb1cca47c6a
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/musl-fts/default.nix
@@ -0,0 +1,25 @@
+{ lib, stdenv, fetchFromGitHub, autoreconfHook, pkg-config }:
+
+stdenv.mkDerivation rec {
+  pname = "musl-fts";
+  version = "1.2.7";
+
+  src = fetchFromGitHub {
+    owner = "void-linux";
+    repo = "musl-fts";
+    rev = "v${version}";
+    sha256 = "Azw5qrz6OKDcpYydE6jXzVxSM5A8oYWAztrHr+O/DOE=";
+  };
+
+  nativeBuildInputs = [ autoreconfHook pkg-config ];
+
+  enableParallelBuilding = true;
+
+  meta = with lib; {
+    homepage = "https://github.com/void-linux/musl-fts";
+    description = "An implementation of fts(3) for musl-libc";
+    platforms = platforms.linux;
+    license = licenses.bsd3;
+    maintainers = [ maintainers.pjjw ];
+  };
+}
diff --git a/nixpkgs/pkgs/os-specific/linux/musl-obstack/default.nix b/nixpkgs/pkgs/os-specific/linux/musl-obstack/default.nix
new file mode 100644
index 000000000000..ec183da7048c
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/musl-obstack/default.nix
@@ -0,0 +1,26 @@
+{ lib, stdenv, fetchFromGitHub, autoreconfHook, pkg-config }:
+
+stdenv.mkDerivation rec {
+  pname = "musl-obstack";
+  version = "1.2.3";
+
+  src = fetchFromGitHub {
+    owner = "void-linux";
+    repo = "musl-obstack";
+    rev = "v${version}";
+    sha256 = "sha256-oydS7FubUniMHAUWfg84OH9+CZ0JCrTXy7jzwOyJzC8=";
+  };
+
+  nativeBuildInputs = [ autoreconfHook pkg-config ];
+
+  enableParallelBuilding = true;
+
+  meta = with lib; {
+    homepage = "https://github.com/void-linux/musl-obstack";
+    description =
+      "An extraction of the obstack functions and macros from GNU libiberty for use with musl-libc";
+    platforms = platforms.linux;
+    license = licenses.lgpl21Plus;
+    maintainers = [ maintainers.pjjw ];
+  };
+}
diff --git a/nixpkgs/pkgs/os-specific/linux/musl/default.nix b/nixpkgs/pkgs/os-specific/linux/musl/default.nix
new file mode 100644
index 000000000000..9f7867065ea8
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/musl/default.nix
@@ -0,0 +1,161 @@
+{ stdenv, lib, fetchurl
+, linuxHeaders ? null
+, useBSDCompatHeaders ? true
+}:
+let
+  cdefs_h = fetchurl {
+    name = "sys-cdefs.h";
+    url = "https://git.alpinelinux.org/aports/plain/main/libc-dev/sys-cdefs.h?id=7ca0ed62d4c0d713d9c7dd5b9a077fba78bce578";
+    sha256 = "16l3dqnfq0f20rzbkhc38v74nqcsh9n3f343bpczqq8b1rz6vfrh";
+  };
+  queue_h = fetchurl {
+    name = "sys-queue.h";
+    url = "http://git.alpinelinux.org/aports/plain/main/libc-dev/sys-queue.h?id=7ca0ed62d4c0d713d9c7dd5b9a077fba78bce578";
+    sha256 = "12qm82id7zys92a1qh2l1qf2wqgq6jr4qlbjmqyfffz3s3nhfd61";
+  };
+  tree_h = fetchurl {
+    name = "sys-tree.h";
+    url = "http://git.alpinelinux.org/aports/plain/main/libc-dev/sys-tree.h?id=7ca0ed62d4c0d713d9c7dd5b9a077fba78bce578";
+    sha256 = "14igk6k00bnpfw660qhswagyhvr0gfqg4q55dxvaaq7ikfkrir71";
+  };
+
+  stack_chk_fail_local_c = fetchurl {
+    name = "__stack_chk_fail_local.c";
+    url = "https://git.alpinelinux.org/aports/plain/main/musl/__stack_chk_fail_local.c?id=9afbe3cbbf4c30ff23c733218c3c03d7e8c6461d";
+    sha256 = "1nhkzzy9pklgjcq2yg89d3l18jif331srd3z3vhy5qwxl1spv6i9";
+  };
+
+  # iconv tool, implemented by musl author.
+  # Original: http://git.etalabs.net/cgit/noxcuse/plain/src/iconv.c?id=02d288d89683e99fd18fe9f54d4e731a6c474a4f
+  # We use copy from Alpine which fixes error messages, see:
+  # https://git.alpinelinux.org/aports/commit/main/musl/iconv.c?id=a3d97e95f766c9c378194ee49361b375f093b26f
+  iconv_c = fetchurl {
+    name = "iconv.c";
+    url = "https://git.alpinelinux.org/aports/plain/main/musl/iconv.c?id=a3d97e95f766c9c378194ee49361b375f093b26f";
+    sha256 = "1mzxnc2ncq8lw9x6n7p00fvfklc9p3wfv28m68j0dfz5l8q2k6pp";
+  };
+
+  arch = if stdenv.hostPlatform.isx86_64
+    then "x86_64"
+    else if stdenv.hostPlatform.isx86_32
+      then "i386"
+      else null;
+
+in
+stdenv.mkDerivation rec {
+  pname = "musl";
+  version = "1.2.3";
+
+  src = fetchurl {
+    url    = "https://musl.libc.org/releases/${pname}-${version}.tar.gz";
+    sha256 = "sha256-fVsLYGJSHkYn4JnkydyCSNMqMChelZt+7Kp4DPjP1KQ=";
+  };
+
+  enableParallelBuilding = true;
+
+  # Disable auto-adding stack protector flags,
+  # so musl can selectively disable as needed
+  hardeningDisable = [ "stackprotector" ];
+
+  # Leave these, be friendlier to debuggers/perf tools
+  # Don't force them on, but don't force off either
+  postPatch = ''
+    substituteInPlace configure \
+      --replace -fno-unwind-tables "" \
+      --replace -fno-asynchronous-unwind-tables ""
+  '';
+
+  patches = [
+    # Minor touchup to build system making dynamic linker symlink relative
+    (fetchurl {
+      url = "https://raw.githubusercontent.com/openwrt/openwrt/87606e25afac6776d1bbc67ed284434ec5a832b4/toolchain/musl/patches/300-relative.patch";
+      sha256 = "0hfadrycb60sm6hb6by4ycgaqc9sgrhh42k39v8xpmcvdzxrsq2n";
+    })
+
+    # fix parsing lines with optional fields in fstab etc. NOTE: Remove for the next release since it has been merged upstream
+    (fetchurl {
+      url = "https://git.musl-libc.org/cgit/musl/patch/?id=751bee0ee727e8d8b003c87cff77ac76f1dbecd6";
+      sha256 = "sha256-qCw132TCSaZrkISmtDb8Q8ufyt8sAJdwACkvfwuoi/0=";
+    })
+  ];
+  CFLAGS = [ "-fstack-protector-strong" ]
+    ++ lib.optional stdenv.hostPlatform.isPower "-mlong-double-64";
+
+  configureFlags = [
+    "--enable-shared"
+    "--enable-static"
+    "--enable-debug"
+    "--enable-wrapper=all"
+    "--syslibdir=${placeholder "out"}/lib"
+  ];
+
+  outputs = [ "out" "bin" "dev" ];
+
+  dontDisableStatic = true;
+  dontAddStaticConfigureFlags = true;
+  separateDebugInfo = true;
+
+  NIX_DONT_SET_RPATH = true;
+
+  preBuild = ''
+    ${lib.optionalString (stdenv.targetPlatform.libc == "musl" && stdenv.targetPlatform.isx86_32)
+    "# the -x c flag is required since the file extension confuses gcc
+    # that detect the file as a linker script.
+    $CC -x c -c ${stack_chk_fail_local_c} -o __stack_chk_fail_local.o
+    $AR r libssp_nonshared.a __stack_chk_fail_local.o"
+    }
+  '';
+
+  postInstall = ''
+    # Not sure why, but link in all but scsi directory as that's what uclibc/glibc do.
+    # Apparently glibc provides scsi itself?
+    (cd $dev/include && ln -s $(ls -d ${linuxHeaders}/include/* | grep -v "scsi$") .)
+
+    ${lib.optionalString (stdenv.targetPlatform.libc == "musl" && stdenv.targetPlatform.isx86_32)
+      "install -D libssp_nonshared.a $out/lib/libssp_nonshared.a"
+    }
+
+    # Create 'ldd' symlink, builtin
+    ln -s $out/lib/libc.so $bin/bin/ldd
+
+    # (impure) cc wrapper around musl for interactive usuage
+    for i in musl-gcc musl-clang ld.musl-clang; do
+      moveToOutput bin/$i $dev
+    done
+    moveToOutput lib/musl-gcc.specs $dev
+    substituteInPlace $dev/bin/musl-gcc \
+      --replace $out/lib/musl-gcc.specs $dev/lib/musl-gcc.specs
+
+    # provide 'iconv' utility, using just-built headers, libc/ldso
+    $CC ${iconv_c} -o $bin/bin/iconv \
+      -I$dev/include \
+      -L$out/lib -Wl,-rpath=$out/lib \
+      -lc \
+      -B $out/lib \
+      -Wl,-dynamic-linker=$(ls $out/lib/ld-*)
+  '' + lib.optionalString (arch != null) ''
+    # Create 'libc.musl-$arch' symlink
+    ln -rs $out/lib/libc.so $out/lib/libc.musl-${arch}.so.1
+  '' + lib.optionalString useBSDCompatHeaders ''
+    install -D ${queue_h} $dev/include/sys/queue.h
+    install -D ${cdefs_h} $dev/include/sys/cdefs.h
+    install -D ${tree_h} $dev/include/sys/tree.h
+  '';
+
+  passthru.linuxHeaders = linuxHeaders;
+
+  meta = with lib; {
+    description = "An efficient, small, quality libc implementation";
+    homepage    = "https://musl.libc.org/";
+    changelog   = "https://git.musl-libc.org/cgit/musl/tree/WHATSNEW?h=v${version}";
+    license     = licenses.mit;
+    platforms   = [
+      "aarch64-linux" "armv5tel-linux" "armv6l-linux" "armv7a-linux"
+      "armv7l-linux" "i686-linux" "x86_64-linux" "m68k-linux"
+      "microblaze-linux" "microblazeel-linux" "mips-linux" "mips64-linux"
+      "mipsel-linux" "mips64el-linux" "powerpc64-linux" "powerpc64le-linux"
+      "riscv64-linux" "s390x-linux"
+    ];
+    maintainers = with maintainers; [ thoughtpolice dtzWill ];
+  };
+}
diff --git a/nixpkgs/pkgs/os-specific/linux/mwprocapture/default.nix b/nixpkgs/pkgs/os-specific/linux/mwprocapture/default.nix
new file mode 100644
index 000000000000..9185f50674ff
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/mwprocapture/default.nix
@@ -0,0 +1,66 @@
+{ lib, stdenv, fetchurl, kernel, alsa-lib }:
+
+with lib;
+
+let
+  bits =
+    if stdenv.is64bit then "64"
+    else "32";
+
+  libpath = makeLibraryPath [ stdenv.cc.cc stdenv.cc.libc alsa-lib ];
+
+in
+stdenv.mkDerivation rec {
+  pname = "mwprocapture";
+  subVersion = "4373";
+  version = "1.3.0.${subVersion}-${kernel.version}";
+
+  src = fetchurl {
+    url = "https://www.magewell.com/files/drivers/ProCaptureForLinux_${subVersion}.tar.gz";
+    sha256 = "sha256-/6q+6CTlgkHOgq1PF8dSPfl/xm/UFczr/AGkac2mXZ8=";
+  };
+
+  nativeBuildInputs = kernel.moduleBuildDependencies;
+
+  preConfigure = ''
+    cd ./src
+    export INSTALL_MOD_PATH="$out"
+  '';
+
+  hardeningDisable = [ "pic" "format" ];
+
+  makeFlags = [
+    "KERNELDIR=${kernel.dev}/lib/modules/${kernel.modDirVersion}/build"
+  ];
+
+  env.NIX_CFLAGS_COMPILE = "-Wno-error=implicit-fallthrough";
+
+  postInstall = ''
+    cd ../
+    mkdir -p $out/bin
+    cp bin/mwcap-control_${bits} $out/bin/mwcap-control
+    cp bin/mwcap-info_${bits} $out/bin/mwcap-info
+    mkdir -p $out/lib/udev/rules.d
+    # source has a filename typo
+    cp scripts/10-procatpure-event-dev.rules $out/lib/udev/rules.d/10-procapture-event-dev.rules
+    cp -r src/res $out
+
+    patchelf \
+      --set-interpreter $(cat ${stdenv.cc}/nix-support/dynamic-linker) \
+      --set-rpath "${libpath}" \
+      "$out"/bin/mwcap-control
+
+    patchelf \
+      --set-interpreter $(cat ${stdenv.cc}/nix-support/dynamic-linker) \
+      --set-rpath "${libpath}" \
+      "$out"/bin/mwcap-info
+  '';
+
+  meta = {
+    homepage = "https://www.magewell.com/";
+    description = "Linux driver for the Magewell Pro Capture family";
+    license = licenses.unfreeRedistributable;
+    maintainers = with maintainers; [ flexiondotorg MP2E ];
+    platforms = platforms.linux;
+  };
+}
diff --git a/nixpkgs/pkgs/os-specific/linux/mxu11x0/default.nix b/nixpkgs/pkgs/os-specific/linux/mxu11x0/default.nix
new file mode 100644
index 000000000000..17d0c6938206
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/mxu11x0/default.nix
@@ -0,0 +1,42 @@
+{ lib, stdenv, fetchurl, kernel }:
+
+let
+  srcs = import (./srcs.nix) { inherit fetchurl; };
+in
+stdenv.mkDerivation rec {
+  pname = "mxu11x0";
+
+  src = if lib.versionAtLeast kernel.version "5.0" then srcs.mxu11x0_5.src else srcs.mxu11x0_4.src;
+  mxu_version = if lib.versionAtLeast kernel.version "5.0" then srcs.mxu11x0_5.version else srcs.mxu11x0_4.version;
+
+  version = mxu_version + "-${kernel.version}";
+
+  nativeBuildInputs = kernel.moduleBuildDependencies;
+
+  preBuild = ''
+    sed -i -e 's|/lib/modules|${kernel.dev}/lib/modules|' driver/mxconf
+    sed -i -e 's|/lib/modules|${kernel.dev}/lib/modules|' driver/Makefile
+  '';
+
+  installPhase = ''
+    install -v -D -m 644 ./driver/mxu11x0.ko "$out/lib/modules/${kernel.modDirVersion}/kernel/drivers/usb/serial/mxu11x0.ko"
+    install -v -D -m 644 ./driver/mxu11x0.ko "$out/lib/modules/${kernel.modDirVersion}/misc/mxu11x0.ko"
+  '';
+
+  dontStrip = true;
+
+  enableParallelBuilding = true;
+
+  hardeningDisable = [ "pic" ];
+
+  meta = with lib; {
+    description = "MOXA UPort 11x0 USB to Serial Hub driver";
+    homepage = "https://www.moxa.com/en/products/industrial-edge-connectivity/usb-to-serial-converters-usb-hubs/usb-to-serial-converters/uport-1000-series";
+    license = licenses.gpl2Plus;
+    maintainers = with maintainers; [ uralbash ];
+    platforms = platforms.linux;
+    # broken due to API change in write_room() > v5.14-rc1
+    # https://github.com/torvalds/linux/commit/94cc7aeaf6c0cff0b8aeb7cb3579cee46b923560
+    broken = kernel.kernelAtLeast "5.14";
+  };
+}
diff --git a/nixpkgs/pkgs/os-specific/linux/mxu11x0/srcs.nix b/nixpkgs/pkgs/os-specific/linux/mxu11x0/srcs.nix
new file mode 100644
index 000000000000..1f7b75e6bc1e
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/mxu11x0/srcs.nix
@@ -0,0 +1,18 @@
+{ fetchurl }:
+
+{
+  mxu11x0_4 = {
+    version = "4.1";
+    src = fetchurl {
+      url = "https://www.moxa.com/getmedia/b152d8c2-b9d6-4bc7-b0f4-420633b4bc2d/moxa-uport-1100-series-linux-kernel-4.x-driver-v4.1.tgz";
+      sha256 = "sha256-cM3imuMG483ZinFazVa8V4Id0kUGlHaezDHnYtSSb28=";
+    };
+  };
+  mxu11x0_5 = {
+    version = "5.1";
+    src = fetchurl {
+      url = "https://www.moxa.com/getmedia/57dfa4c1-8a2a-4da6-84c1-a36944ead74d/moxa-uport-1100-series-linux-kernel-5.x-driver-v5.1.tgz";
+      sha256 = "sha256-P1YMlyAhS955CSBiZ/tyu5m6ds2PiFMcHmyrdTjloPs=";
+    };
+  };
+}
diff --git a/nixpkgs/pkgs/os-specific/linux/nct6687d/default.nix b/nixpkgs/pkgs/os-specific/linux/nct6687d/default.nix
new file mode 100644
index 000000000000..493d0e6af101
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/nct6687d/default.nix
@@ -0,0 +1,40 @@
+{ lib
+, stdenv
+, fetchFromGitHub
+, kernel
+}:
+
+stdenv.mkDerivation rec {
+  pname = "nct6687d";
+  version = "unstable-2023-09-22";
+
+  src = fetchFromGitHub {
+    owner = "Fred78290";
+    repo = "nct6687d";
+    rev = "cdfe855342a9383a9c4c918d51576c36d989070d";
+    hash = "sha256-iOLWxj4I6oYkNXFSkmw7meTQEnrIfb4Mw+/LkzgzDxM=";
+  };
+
+  setSourceRoot = ''
+    export sourceRoot=$(pwd)/source
+  '';
+
+  nativeBuildInputs = kernel.moduleBuildDependencies;
+
+  makeFlags = kernel.makeFlags ++ [
+    "-C" "${kernel.dev}/lib/modules/${kernel.modDirVersion}/build"
+    "M=$(sourceRoot)"
+  ];
+
+  buildFlags = [ "modules" ];
+  installFlags = [ "INSTALL_MOD_PATH=${placeholder "out"}" ];
+  installTargets = [ "modules_install" ];
+
+  meta = with lib; {
+    description = "Kernel module for the Nuvoton NCT6687-R chipset found on many B550/B650 motherboards from ASUS and MSI";
+    license = with licenses; [ gpl2Only ];
+    homepage = "https://github.com/Fred78290/nct6687d/";
+    platforms = platforms.linux;
+    maintainers = with maintainers; [ atemu ];
+  };
+}
diff --git a/nixpkgs/pkgs/os-specific/linux/ndiswrapper/default.nix b/nixpkgs/pkgs/os-specific/linux/ndiswrapper/default.nix
new file mode 100644
index 000000000000..2db046e6392f
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/ndiswrapper/default.nix
@@ -0,0 +1,46 @@
+{ lib, stdenv, fetchurl, kernel, perl, kmod, libelf }:
+let
+  version = "1.63";
+in
+stdenv.mkDerivation {
+  name = "ndiswrapper-${version}-${kernel.version}";
+  inherit version;
+
+  hardeningDisable = [ "pic" ];
+
+  patches = [ ./no-sbin.patch ];
+
+  # need at least .config and include
+  kernel = kernel.dev;
+
+  buildPhase = "
+    echo make KBUILD=$(echo \$kernel/lib/modules/*/build);
+    echo -n $kernel/lib/modules/*/build > kbuild_path
+    export PATH=${kmod}/sbin:$PATH
+    make KBUILD=$(echo \$kernel/lib/modules/*/build);
+  ";
+
+  installPhase = ''
+    make install KBUILD=$(cat kbuild_path) DESTDIR=$out
+    mv $out/usr/sbin/* $out/sbin/
+    mv $out/usr/share $out/
+    rm -r $out/usr
+
+    patchShebangs $out/sbin
+  '';
+
+  src = fetchurl {
+    url = "mirror://sourceforge/ndiswrapper/files/stable/ndiswrapper-${version}.tar.gz";
+    sha256 = "1v6b66jhisl110jfl00hm43lmnrav32vs39d85gcbxrjqnmcx08g";
+  };
+
+  buildInputs = [ perl libelf ];
+
+  meta = {
+    description = "Ndis driver wrapper for the Linux kernel";
+    homepage = "https://sourceforge.net/projects/ndiswrapper";
+    license = "GPL";
+    platforms = [ "i686-linux" "x86_64-linux" ];
+    broken = lib.versionAtLeast kernel.version "5.8";
+  };
+}
diff --git a/nixpkgs/pkgs/os-specific/linux/ndiswrapper/no-sbin.patch b/nixpkgs/pkgs/os-specific/linux/ndiswrapper/no-sbin.patch
new file mode 100644
index 000000000000..373965fb0853
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/ndiswrapper/no-sbin.patch
@@ -0,0 +1,11 @@
+--- a/driver/Makefile
++++ b/driver/Makefile
+@@ -191,7 +191,7 @@ clean:
+ 	rm -rf .tmp_versions
+ 
+ install: config_check $(MODULE)
+-	@/sbin/modinfo $(MODULE) | grep -q "^vermagic: *$(KVERS) " || \
++	@modinfo $(MODULE) | grep -q "^vermagic: *$(KVERS) " || \
+ 		{ echo "$(MODULE)" is not for Linux $(KVERS); exit 1; }
+ 	mkdir -p -m 755 $(DESTDIR)$(INST_DIR)
+ 	install -m 0644 $(MODULE) $(DESTDIR)$(INST_DIR)
diff --git a/nixpkgs/pkgs/os-specific/linux/net-tools/config.h b/nixpkgs/pkgs/os-specific/linux/net-tools/config.h
new file mode 100644
index 000000000000..dedaac6247d0
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/net-tools/config.h
@@ -0,0 +1,79 @@
+/*
+* config.h	Automatically generated configuration includefile
+*
+* NET-TOOLS	A collection of programs that form the base set of the
+*		NET-3 Networking Distribution for the LINUX operating
+*		system.
+*
+*		DO  NOT  EDIT  DIRECTLY
+*
+*/
+
+/* 
+ * 
+ * Internationalization
+ * 
+ * The net-tools package has currently been translated to French,
+ * German and Brazilian Portugese.  Other translations are, of
+ * course, welcome.  Answer `n' here if you have no support for
+ * internationalization on your system.
+ * 
+ */
+#define I18N 0
+
+/* 
+ * 
+ * Protocol Families.
+ * 
+ */
+#define HAVE_AFUNIX 1
+#define HAVE_AFINET 1
+#define HAVE_AFINET6 1
+#define HAVE_AFIPX 1
+#define HAVE_AFATALK 1
+#define HAVE_AFAX25 0
+#define HAVE_AFNETROM 1
+#define HAVE_AFROSE 0
+#define HAVE_AFX25 0
+#define HAVE_AFECONET 0
+#define HAVE_AFDECnet 0
+#define HAVE_AFASH 0
+#define HAVE_AFBLUETOOTH 0
+
+/* 
+ * 
+ * Device Hardware types.
+ * 
+ */
+#define HAVE_HWETHER 1
+#define HAVE_HWARC 1
+#define HAVE_HWSLIP 1
+#define HAVE_HWPPP 1
+#define HAVE_HWTUNNEL 1
+#define HAVE_HWSTRIP 0
+#define HAVE_HWTR 0
+#define HAVE_HWAX25 0
+#define HAVE_HWROSE 0
+#define HAVE_HWNETROM 1
+#define HAVE_HWX25 0
+#define HAVE_HWFR 1
+#define HAVE_HWSIT 1
+#define HAVE_HWFDDI 0
+#define HAVE_HWHIPPI 0
+#define HAVE_HWASH 0
+#define HAVE_HWHDLCLAPB 0
+#define HAVE_HWIRDA 1
+#define HAVE_HWEC 0
+#define HAVE_HWEC 0
+#define HAVE_HWEUI64 1
+#define HAVE_HWIB 1
+
+/* 
+ * 
+ * Other Features.
+ * 
+ */
+#define HAVE_FW_MASQUERADE 0
+#define HAVE_IP_TOOLS 0
+#define HAVE_MII 0
+#define HAVE_SELINUX 0
diff --git a/nixpkgs/pkgs/os-specific/linux/net-tools/default.nix b/nixpkgs/pkgs/os-specific/linux/net-tools/default.nix
new file mode 100644
index 000000000000..bedeaadc294e
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/net-tools/default.nix
@@ -0,0 +1,36 @@
+{ lib, stdenv, fetchurl }:
+
+stdenv.mkDerivation rec {
+  pname = "net-tools";
+  version = "2.10";
+
+  src = fetchurl {
+    url = "mirror://sourceforge/${pname}/${pname}-${version}.tar.xz";
+    sha256 = "sha256-smJDWlJB6Jv6UcPKvVEzdTlS96e3uT8y4Iy52W9YDWk=";
+  };
+
+  preBuild =
+    ''
+      cp ${./config.h} config.h
+    '';
+
+  makeFlags = [
+    "CC=${stdenv.cc.targetPrefix}cc"
+    "AR=${stdenv.cc.targetPrefix}ar"
+    "BASEDIR=$(out)"
+    "mandir=/share/man"
+    "HAVE_ARP_TOOLS=1"
+    "HAVE_PLIP_TOOLS=1"
+    "HAVE_SERIAL_TOOLS=1"
+    "HAVE_HOSTNAME_TOOLS=1"
+    "HAVE_HOSTNAME_SYMLINKS=1"
+    "HAVE_MII=1"
+  ];
+
+  meta = {
+    homepage = "http://net-tools.sourceforge.net/";
+    description = "A set of tools for controlling the network subsystem in Linux";
+    license = lib.licenses.gpl2Plus;
+    platforms = lib.platforms.linux;
+  };
+}
diff --git a/nixpkgs/pkgs/os-specific/linux/netatop/default.nix b/nixpkgs/pkgs/os-specific/linux/netatop/default.nix
new file mode 100644
index 000000000000..d7d04e8368db
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/netatop/default.nix
@@ -0,0 +1,55 @@
+{ lib, stdenv, fetchurl, kernel, kmod, zlib }:
+
+let
+  version = "3.1";
+in
+
+stdenv.mkDerivation {
+  name = "netatop-${kernel.version}-${version}";
+
+  src = fetchurl {
+    url = "http://www.atoptool.nl/download/netatop-${version}.tar.gz";
+    sha256 = "0qjw8glfdmngfvbn1w63q128vxdz2jlabw13y140ga9i5ibl6vvk";
+  };
+
+  nativeBuildInputs = kernel.moduleBuildDependencies;
+  buildInputs = [ kmod zlib ];
+
+  hardeningDisable = [ "pic" ];
+  env.NIX_CFLAGS_COMPILE = toString [ "-Wno-error=implicit-fallthrough" ];
+
+  patches = [
+    # fix paths in netatop.service
+    ./fix-paths.patch
+    # Specify PIDFile in /run, not /var/run to silence systemd warning
+    ./netatop.service.patch
+  ];
+  preConfigure = ''
+    patchShebangs mkversion
+    sed -i -e 's,^KERNDIR.*,KERNDIR=${kernel.dev}/lib/modules/${kernel.modDirVersion}/build,' \
+        */Makefile
+    sed -i -e 's,/lib/modules.*extra,'$out'/lib/modules/${kernel.modDirVersion}/extra,' \
+        -e s,/usr,$out, \
+        -e /init.d/d \
+        -e /depmod/d \
+        -e s,/lib/systemd,$out/lib/systemd, \
+        Makefile
+
+    kmod=${kmod} substituteAllInPlace netatop.service
+  '';
+
+  makeFlags = kernel.makeFlags;
+
+  preInstall = ''
+    mkdir -p $out/lib/systemd/system $out/bin $out/sbin $out/share/man/man{4,8}
+    mkdir -p $out/lib/modules/${kernel.modDirVersion}/extra
+  '';
+
+  meta = {
+    description = "Network monitoring module for atop";
+    homepage = "https://www.atoptool.nl/downloadnetatop.php";
+    license = lib.licenses.gpl2;
+    platforms = lib.platforms.linux;
+    maintainers = with lib.maintainers; [ viric ];
+  };
+}
diff --git a/nixpkgs/pkgs/os-specific/linux/netatop/fix-paths.patch b/nixpkgs/pkgs/os-specific/linux/netatop/fix-paths.patch
new file mode 100644
index 000000000000..0e71c4efdd31
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/netatop/fix-paths.patch
@@ -0,0 +1,11 @@
+--- a/netatop.service
++++ b/netatop.service
+@@ -8,5 +8,5 @@
+ Type=oneshot
+-ExecStartPre=/sbin/modprobe netatop
+-ExecStart=/usr/sbin/netatopd
+-ExecStopPost=/sbin/rmmod netatop
++ExecStartPre=@kmod@/bin/modprobe netatop
++ExecStart=@out@/bin/netatopd
++ExecStopPost=@kmod@/bin/rmmod netatop
+ PIDFile=/var/run/netatop.pid
diff --git a/nixpkgs/pkgs/os-specific/linux/netatop/netatop.service.patch b/nixpkgs/pkgs/os-specific/linux/netatop/netatop.service.patch
new file mode 100644
index 000000000000..c7c798ee06bc
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/netatop/netatop.service.patch
@@ -0,0 +1,7 @@
+--- a/netatop.service
++++ b/netatop.service
+@@ -11,3 +11,3 @@
+ ExecStopPost=@kmod@/bin/rmmod netatop
+-PIDFile=/var/run/netatop.pid
++PIDFile=/run/netatop.pid
+ RemainAfterExit=yes
diff --git a/nixpkgs/pkgs/os-specific/linux/new-lg4ff/default.nix b/nixpkgs/pkgs/os-specific/linux/new-lg4ff/default.nix
new file mode 100644
index 000000000000..a92ee9ae64b5
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/new-lg4ff/default.nix
@@ -0,0 +1,36 @@
+{ lib, stdenv, kernel, fetchFromGitHub }:
+
+stdenv.mkDerivation rec {
+  pname = "new-lg4ff";
+  version = "0.4.0";
+
+  src = fetchFromGitHub {
+    owner = "berarma";
+    repo = "new-lg4ff";
+    rev = version;
+    sha256 = "ZFwNdeJcSxzWtqjOF86SZpqhuz8jXZ2drvlQeIqsaNY=";
+  };
+
+  preBuild = ''
+    substituteInPlace Makefile --replace "modules_install" "INSTALL_MOD_PATH=$out modules_install"
+    sed -i '/depmod/d' Makefile
+    sed -i "10i\\\trmmod hid-logitech 2> /dev/null || true" Makefile
+    sed -i "11i\\\trmmod hid-logitech-new 2> /dev/null || true" Makefile
+  '';
+
+  nativeBuildInputs = kernel.moduleBuildDependencies;
+
+  makeFlags = [
+    "KVERSION=${kernel.modDirVersion}"
+    "KDIR=${kernel.dev}/lib/modules/${kernel.modDirVersion}/build"
+  ];
+
+  meta = with lib; {
+    description = "Experimental Logitech force feedback module for Linux";
+    homepage = "https://github.com/berarma/new-lg4ff";
+    license = licenses.gpl2Only;
+    maintainers = with maintainers; [ matthiasbenaets ];
+    platforms = platforms.linux;
+    broken = stdenv.isAarch64;
+  };
+}
diff --git a/nixpkgs/pkgs/os-specific/linux/nfs-utils/default.nix b/nixpkgs/pkgs/os-specific/linux/nfs-utils/default.nix
new file mode 100644
index 000000000000..4fde1dcf910d
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/nfs-utils/default.nix
@@ -0,0 +1,131 @@
+{ stdenv, fetchurl, fetchpatch, lib, pkg-config, util-linux, libcap, libtirpc, libevent
+, sqlite, libkrb5, kmod, libuuid, keyutils, lvm2, systemd, coreutils, tcp_wrappers
+, python3, buildPackages, nixosTests, rpcsvc-proto
+, enablePython ? true
+}:
+
+let
+  statdPath = lib.makeBinPath [ systemd util-linux coreutils ];
+in
+
+stdenv.mkDerivation rec {
+  pname = "nfs-utils";
+  version = "2.6.2";
+
+  src = fetchurl {
+    url = "mirror://kernel/linux/utils/nfs-utils/${version}/${pname}-${version}.tar.xz";
+    hash = "sha256-UgCHPoHE1hDiRi/CYv4YE18tvni3l5+VrM0VmuZNUBE=";
+  };
+
+  # libnfsidmap is built together with nfs-utils from the same source,
+  # put it in the "lib" output, and the headers in "dev"
+  outputs = [ "out" "dev" "lib" "man" ];
+
+  nativeBuildInputs = [ pkg-config buildPackages.stdenv.cc rpcsvc-proto ];
+
+  buildInputs = [
+    libtirpc libcap libevent sqlite lvm2
+    libuuid keyutils libkrb5 tcp_wrappers
+  ] ++ lib.optional enablePython python3;
+
+  enableParallelBuilding = true;
+
+  preConfigure =
+    ''
+      substituteInPlace configure \
+        --replace '$dir/include/gssapi' ${lib.getDev libkrb5}/include/gssapi \
+        --replace '$dir/bin/krb5-config' ${lib.getDev libkrb5}/bin/krb5-config
+    '';
+
+  configureFlags =
+    [ "--enable-gss"
+      "--enable-svcgss"
+      "--with-statedir=/var/lib/nfs"
+      "--with-krb5=${lib.getLib libkrb5}"
+      "--with-systemd=${placeholder "out"}/etc/systemd/system"
+      "--enable-libmount-mount"
+      "--with-pluginpath=${placeholder "lib"}/lib/libnfsidmap" # this installs libnfsidmap
+      "--with-rpcgen=${buildPackages.rpcsvc-proto}/bin/rpcgen"
+      "--with-modprobedir=${placeholder "out"}/etc/modprobe.d"
+    ];
+
+  patches = lib.optionals stdenv.hostPlatform.isMusl [
+    # http://openwall.com/lists/musl/2015/08/18/10
+    (fetchpatch {
+      url = "https://raw.githubusercontent.com/alpinelinux/aports/cb880042d48d77af412d4688f24b8310ae44f55f/main/nfs-utils/musl-getservbyport.patch";
+      sha256 = "1fqws9dz8n1d9a418c54r11y3w330qgy2652dpwcy96cm44sqyhf";
+    })
+  ];
+
+  postPatch =
+    ''
+      patchShebangs tests
+      sed -i "s,/usr/sbin,$out/bin,g" utils/statd/statd.c
+      sed -i "s,^PATH=.*,PATH=$out/bin:${statdPath}," utils/statd/start-statd
+
+      configureFlags="--with-start-statd=$out/bin/start-statd $configureFlags"
+
+      substituteInPlace systemd/nfs-utils.service \
+        --replace "/bin/true" "${coreutils}/bin/true"
+
+      substituteInPlace tools/nfsrahead/Makefile.in \
+        --replace "/usr/lib/udev/rules.d/" "$out/lib/udev/rules.d/"
+
+      substituteInPlace utils/mount/Makefile.in \
+        --replace "chmod 4511" "chmod 0511"
+
+      sed '1i#include <stdint.h>' -i support/nsm/rpc.c
+    '';
+
+  makeFlags = [
+    "sbindir=$(out)/bin"
+    "generator_dir=$(out)/etc/systemd/system-generators"
+  ];
+
+  installFlags = [
+    "statedir=$(TMPDIR)"
+    "statdpath=$(TMPDIR)"
+  ];
+
+  stripDebugList = [ "lib" "libexec" "bin" "etc/systemd/system-generators" ];
+
+  postInstall =
+    ''
+      # Not used on NixOS
+      sed -i \
+        -e "s,/sbin/modprobe,${kmod}/bin/modprobe,g" \
+        -e "s,/usr/sbin,$out/bin,g" \
+        $out/etc/systemd/system/*
+    '' + lib.optionalString (!enablePython) ''
+      # Remove all scripts that require python (currently mountstats and nfsiostat)
+      grep -l /usr/bin/python $out/bin/* | xargs -I {} rm -v {}
+    '';
+
+  # One test fails on mips.
+  # doCheck = !stdenv.isMips;
+  # https://bugzilla.kernel.org/show_bug.cgi?id=203793
+  doCheck = false;
+
+  disallowedReferences = [ (lib.getDev libkrb5) ];
+
+  passthru.tests = {
+    nfs3-simple = nixosTests.nfs3.simple;
+    nfs4-simple = nixosTests.nfs4.simple;
+    nfs4-kerberos = nixosTests.nfs4.kerberos;
+  };
+
+  meta = with lib; {
+    description = "Linux user-space NFS utilities";
+
+    longDescription = ''
+      This package contains various Linux user-space Network File
+      System (NFS) utilities, including RPC `mount' and `nfs'
+      daemons.
+    '';
+
+    homepage = "https://linux-nfs.org/";
+    license = licenses.gpl2;
+    platforms = platforms.linux;
+    maintainers = with maintainers; [ abbradar ];
+  };
+}
diff --git a/nixpkgs/pkgs/os-specific/linux/nftables/default.nix b/nixpkgs/pkgs/os-specific/linux/nftables/default.nix
new file mode 100644
index 000000000000..4482170d346b
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/nftables/default.nix
@@ -0,0 +1,60 @@
+{ lib, stdenv, fetchurl, pkg-config, bison, flex
+, asciidoc, libxslt, findXMLCatalogs, docbook_xml_dtd_45, docbook_xsl
+, libmnl, libnftnl, libpcap
+, gmp, jansson
+, autoreconfHook
+, withDebugSymbols ? false
+, withCli ? true, libedit
+, withPython ? false, python3
+, withXtables ? true, iptables
+, nixosTests
+}:
+
+stdenv.mkDerivation rec {
+  version = "1.0.9";
+  pname = "nftables";
+
+  src = fetchurl {
+    url = "https://netfilter.org/projects/nftables/files/${pname}-${version}.tar.xz";
+    hash = "sha256-o8MEzZugYSOe4EdPmvuTipu5nYm5YCRvZvDDoKheFM0=";
+  };
+
+  nativeBuildInputs = [
+    autoreconfHook
+    pkg-config bison flex
+    asciidoc docbook_xml_dtd_45 docbook_xsl findXMLCatalogs libxslt
+  ];
+
+  buildInputs = [
+    libmnl libnftnl libpcap
+    gmp jansson
+  ] ++ lib.optional withCli libedit
+    ++ lib.optional withXtables iptables
+    ++ lib.optionals withPython [
+      python3
+      python3.pkgs.setuptools
+    ];
+
+  configureFlags = [
+    "--with-json"
+    (lib.withFeatureAs withCli "cli" "editline")
+  ] ++ lib.optional (!withDebugSymbols) "--disable-debug"
+    ++ lib.optional (!withPython) "--disable-python"
+    ++ lib.optional withPython "--enable-python"
+    ++ lib.optional withXtables "--with-xtables";
+
+  passthru.tests = {
+    inherit (nixosTests) firewall-nftables;
+    lxd-nftables = nixosTests.lxd.nftables;
+    nat = { inherit (nixosTests.nat.nftables) firewall standalone; };
+  };
+
+  meta = with lib; {
+    description = "The project that aims to replace the existing {ip,ip6,arp,eb}tables framework";
+    homepage = "https://netfilter.org/projects/nftables/";
+    license = licenses.gpl2Only;
+    platforms = platforms.linux;
+    maintainers = with maintainers; [ izorkin ajs124 ];
+    mainProgram = "nft";
+  };
+}
diff --git a/nixpkgs/pkgs/os-specific/linux/nix-ld/default.nix b/nixpkgs/pkgs/os-specific/linux/nix-ld/default.nix
new file mode 100644
index 000000000000..84685e77aaea
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/nix-ld/default.nix
@@ -0,0 +1,56 @@
+{ lib
+, stdenv
+, fetchFromGitHub
+, meson
+, ninja
+, nixosTests
+}:
+let
+  libDir = if builtins.elem stdenv.system [ "x86_64-linux" "mips64-linux" "powerpc64le-linux" ]
+           then "/lib64"
+           else "/lib";
+in
+stdenv.mkDerivation rec {
+  pname = "nix-ld";
+  version = "1.2.2";
+
+  src = fetchFromGitHub {
+    owner = "mic92";
+    repo = "nix-ld";
+    rev = version;
+    hash = "sha256-+z9t7BLugZO1WhyYEq6FI38TMh2EwfgfAv3RDFSjwtc=";
+  };
+
+  doCheck = true;
+
+  nativeBuildInputs = [ meson ninja ];
+
+  mesonFlags = [
+    "-Dnix-system=${stdenv.system}"
+  ];
+
+  hardeningDisable = [
+    "stackprotector"
+  ];
+
+  postInstall = ''
+    mkdir -p $out/nix-support
+
+    ldpath=${libDir}/$(basename $(< ${stdenv.cc}/nix-support/dynamic-linker))
+    echo "$ldpath" > $out/nix-support/ldpath
+    mkdir -p $out/lib/tmpfiles.d/
+    cat > $out/lib/tmpfiles.d/nix-ld.conf <<EOF
+      L+ $ldpath - - - - $out/libexec/nix-ld
+    EOF
+  '';
+
+  passthru.tests.nix-ld = nixosTests.nix-ld;
+
+  meta = with lib; {
+    description = "Run unpatched dynamic binaries on NixOS";
+    homepage = "https://github.com/Mic92/nix-ld";
+    license = licenses.mit;
+    maintainers = with maintainers; [ mic92 ];
+    platforms = platforms.linux;
+  };
+}
diff --git a/nixpkgs/pkgs/os-specific/linux/nixos-rebuild/_nixos-rebuild b/nixpkgs/pkgs/os-specific/linux/nixos-rebuild/_nixos-rebuild
new file mode 100644
index 000000000000..84e8d223bd80
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/nixos-rebuild/_nixos-rebuild
@@ -0,0 +1,165 @@
+#!/usr/bin/env bash
+
+# We're faking a `nix build` command-line to re-use Nix's own completion
+# for the few options passed through to Nix.
+_nixos-rebuild_pretend-nix() {
+  COMP_LINE="nix build ${COMP_LINE}"
+  # number of prepended chars
+  (( COMP_POINT = COMP_POINT + 10))
+
+  COMP_WORDS=(
+    nix build
+    "${COMP_WORDS[@]}"
+  )
+  # Add the amount of prepended words
+  (( COMP_CWORD = COMP_CWORD + 2))
+  _complete_nix "nix"
+}
+
+_nixos-rebuild() {
+  local curr="$2"
+  local prev="$3"
+  local subcommandGiven=0
+  local word
+  local subcommand
+
+  __load_completion nix
+
+  # Arrays are re-ordered by the completion, so it's fine to sort them in logical chunks
+  local all_args=(
+    --verbose -v
+
+    # nixos-rebuild options
+    --fast
+    --no-build-nix
+    --profile-name -p # name
+    --rollback
+    --specialisation -c # name
+    --use-remote-sudo
+    --build-host # host
+    --target-host # host
+    # Used with list-generations
+    --json
+
+    # generation switching options
+    --install-bootloader
+
+    # nix-channel options
+    --upgrade
+    --upgrade-all
+
+    # flakes options
+    --commit-lock-file
+    --flake # flake-uri
+    --override-input # input-name flake-uri
+    --recreate-lock-file
+    --update-input
+    --no-flake
+    --no-registries
+    --no-update-lock-file
+    --no-write-lock-file
+
+    # Nix-copy options
+    --use-substitutes --substitute-on-destination -s
+
+    # Nix options
+    --option
+    --impure
+    --builders # builder-spec
+    --show-trace
+    --keep-failed -K
+    --keep-going -k
+    --max-jobs -j # number
+    --log-format # format
+    -I # NIX_PATH
+  )
+
+  local all_subcommands=(
+    boot
+    build
+    build-vm
+    build-vm-with-bootloader
+    dry-activate
+    dry-build
+    edit
+    list-generations
+    switch
+    test
+  )
+
+  # Suggest arguments that can be consumed under some conditions only
+  for word in "${COMP_WORDS[@]}"; do
+    for subcommand in "${all_subcommands[@]}"; do
+      if [[ "$word" == "$subcommand" ]]; then
+        subcommandGiven=1
+      fi
+    done
+  done
+
+  # Fake out a way to complete the second arg to some options
+  case "${COMP_WORDS[COMP_CWORD-2]}" in
+    "--override-input")
+      prev="--override-input_2"
+      ;;
+    "--option")
+      prev="--option_2"
+      ;;
+  esac
+
+  case "$prev" in
+    --max-jobs|-j)
+      COMPREPLY=( )
+      ;;
+
+    --profile-name|-p)
+      if [[ "$curr" == "" ]]; then
+        COMPREPLY=( /nix/var/nix/profiles/* )
+      else
+        COMPREPLY=( "$curr"* )
+      fi
+      ;;
+
+    --build-host|--target-host|-t|-h)
+      _known_hosts_real "$curr"
+    ;;
+
+    --specialisation|-c)
+      COMPREPLY=()
+      ;;
+
+    -I)
+      _nixos-rebuild_pretend-nix
+      ;;
+    --builders)
+      _nixos-rebuild_pretend-nix
+      ;;
+    --flake)
+      _nixos-rebuild_pretend-nix
+      ;;
+    --override-input)
+      _nixos-rebuild_pretend-nix
+      ;;
+    --override-input_2)
+      _nixos-rebuild_pretend-nix
+      ;;
+    --log-format)
+      _nixos-rebuild_pretend-nix
+      ;;
+    --option)
+      _nixos-rebuild_pretend-nix
+      ;;
+    --option_2)
+      _nixos-rebuild_pretend-nix
+      ;;
+
+    *)
+      if [[ "$curr" == -* ]] || (( subcommandGiven )); then
+        COMPREPLY=( $(compgen -W "${all_args[*]}" -- "$2") )
+      else
+        COMPREPLY=( $(compgen -W "${all_subcommands[*]}" -- "$2") )
+      fi
+    ;;
+  esac
+}
+
+complete -F _nixos-rebuild nixos-rebuild
diff --git a/nixpkgs/pkgs/os-specific/linux/nixos-rebuild/default.nix b/nixpkgs/pkgs/os-specific/linux/nixos-rebuild/default.nix
new file mode 100644
index 000000000000..6c150b1b8cdb
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/nixos-rebuild/default.nix
@@ -0,0 +1,50 @@
+{ substituteAll
+, runtimeShell
+, coreutils
+, gnused
+, gnugrep
+, jq
+, util-linux
+, nix
+, lib
+, nixosTests
+, installShellFiles
+}:
+let
+  fallback = import ./../../../../nixos/modules/installer/tools/nix-fallback-paths.nix;
+in
+substituteAll {
+  name = "nixos-rebuild";
+  src = ./nixos-rebuild.sh;
+  dir = "bin";
+  isExecutable = true;
+  inherit runtimeShell nix;
+  nix_x86_64_linux = fallback.x86_64-linux;
+  nix_i686_linux = fallback.i686-linux;
+  nix_aarch64_linux = fallback.aarch64-linux;
+  path = lib.makeBinPath [ coreutils gnused gnugrep jq util-linux ];
+  nativeBuildInputs = [
+    installShellFiles
+  ];
+  postInstall = ''
+    installManPage ${./nixos-rebuild.8}
+
+    installShellCompletion \
+      --bash ${./_nixos-rebuild}
+  '';
+
+  # run some a simple installer tests to make sure nixos-rebuild still works for them
+  passthru.tests = {
+    install-bootloader = nixosTests.nixos-rebuild-install-bootloader;
+    simple-installer = nixosTests.installer.simple;
+    specialisations = nixosTests.nixos-rebuild-specialisations;
+  };
+
+  meta = {
+    description = "Rebuild your NixOS configuration and switch to it, on local hosts and remote.";
+    homepage = "https://github.com/NixOS/nixpkgs/tree/master/pkgs/os-specific/linux/nixos-rebuild";
+    license = lib.licenses.mit;
+    maintainers = [ lib.maintainers.Profpatsch ];
+    mainProgram = "nixos-rebuild";
+  };
+}
diff --git a/nixpkgs/pkgs/os-specific/linux/nixos-rebuild/nixos-rebuild.8 b/nixpkgs/pkgs/os-specific/linux/nixos-rebuild/nixos-rebuild.8
new file mode 100644
index 000000000000..d947361b3bc5
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/nixos-rebuild/nixos-rebuild.8
@@ -0,0 +1,468 @@
+.Dd January 1, 1980
+.Dt nixos-rebuild 8
+.Os
+.Sh NAME
+.Nm nixos-rebuild
+.Nd reconfigure a NixOS machine
+.
+.
+.
+.Sh SYNOPSIS
+.Nm
+.Bro
+.Cm switch | boot | test | build | dry-build | dry-activate | edit | build-vm | build-vm-with-bootloader | list-generations Op Fl -json
+.Brc
+.br
+.Op Fl -upgrade | -upgrade-all
+.Op Fl -install-bootloader
+.Op Fl -no-build-nix
+.Op Fl -fast
+.Op Fl -rollback
+.Op Fl -builders Ar builder-spec
+.br
+.Op Fl -flake Ar flake-uri
+.Op Fl -no-flake
+.Op Fl -override-input Ar input-name flake-uri
+.br
+.Op Fl -profile-name | p Ar name
+.Op Fl -specialisation | c Ar name
+.br
+.Op Fl -build-host Va host
+.Op Fl -target-host Va host
+.Op Fl -use-remote-sudo
+.br
+.Op Fl -show-trace
+.Op Fl I Va NIX_PATH
+.Op Fl -verbose | v
+.Op Fl -impure
+.Op Fl -max-jobs | j Va number
+.Op Fl -keep-failed | K
+.Op Fl -keep-going | k
+.
+.
+.
+.Sh DESCRIPTION
+This command updates the system so that it corresponds to the
+configuration specified in
+.Pa /etc/nixos/configuration.nix
+or
+.Pa /etc/nixos/flake.nix Ns
+\&. Thus, every time you modify the configuration or any other NixOS module, you
+must run
+.Nm
+to make the changes take effect. It builds the new system in
+.Pa /nix/store Ns
+, runs its activation script, and stop and (re)starts any system services if
+needed. Please note that user services need to be started manually as they
+aren't detected by the activation script at the moment.
+.
+.Pp
+This command has one required argument, which specifies the desired
+operation. It must be one of the following:
+.Bl -tag -width indent
+.It Cm switch
+Build and activate the new configuration, and make it the boot default. That
+is, the configuration is added to the GRUB boot menu as the default
+menu entry, so that subsequent reboots will boot the system into the new
+configuration. Previous configurations activated with
+.Ic nixos-rebuild switch
+or
+.Ic nixos-rebuild boot
+remain available in the GRUB menu.
+.Pp
+Note that if you are using specializations, running just
+.Ic nixos-rebuild switch
+will switch you back to the unspecialized, base system \(em in that case, you
+might want to use this instead:
+.Bd -literal -offset indent
+$ nixos-rebuild switch --specialisation your-specialisation-name
+.Ed
+.Pp
+This command will build all specialisations and make them bootable just
+like regular
+.Ic nixos-rebuild switch
+does \(em the only thing different is that it will switch to given
+specialisation instead of the base system; it can be also used to switch from
+the base system into a specialised one, or to switch between specialisations.
+.
+.It Cm boot
+Build the new configuration and make it the boot default (as with
+.Ic nixos-rebuild switch Ns
+), but do not activate it. That is, the system continues to run the previous
+configuration until the next reboot.
+.
+.It Cm test
+Build and activate the new configuration, but do not add it to the GRUB
+boot menu. Thus, if you reboot the system (or if it crashes), you will
+automatically revert to the default configuration (i.e. the
+configuration resulting from the last call to
+.Ic nixos-rebuild switch
+or
+.Ic nixos-rebuild boot Ns
+).
+.Pp
+Note that if you are using specialisations, running just
+.Ic nixos-rebuild test
+will activate the unspecialised, base system \(em in that case, you might want
+to use this instead:
+.Bd -literal -offset indent
+$ nixos-rebuild test --specialisation your-specialisation-name
+.Ed
+.Pp
+This command can be also used to switch from the base system into a
+specialised one, or to switch between specialisations.
+.
+.It Cm build
+Build the new configuration, but neither activate it nor add it to the
+GRUB boot menu. It leaves a symlink named
+.Pa result
+in the current directory, which points to the output of the top-level
+.Dq system
+derivation. This is essentially the same as doing
+.Bd -literal -offset indent
+$ nix-build /path/to/nixpkgs/nixos -A system
+.Ed
+.Pp
+Note that you do not need to be root to run
+.Ic nixos-rebuild build Ns
+\&.
+.
+.It Cm dry-build
+Show what store paths would be built or downloaded by any of the
+operations above, but otherwise do nothing.
+.
+.It Cm dry-activate
+Build the new configuration, but instead of activating it, show what
+changes would be performed by the activation (i.e. by
+.Ic nixos-rebuild test Ns
+). For instance, this command will print which systemd units would be restarted.
+The list of changes is not guaranteed to be complete.
+.
+.It Cm edit
+Opens
+.Pa configuration.nix
+in the default editor.
+.
+.It Cm build-vm
+Build a script that starts a NixOS virtual machine with the desired
+configuration. It leaves a symlink
+.Pa result
+in the current directory that points (under
+.Ql result/bin/run\- Ns Va hostname Ns \-vm Ns
+)
+at the script that starts the VM. Thus, to test a NixOS configuration in
+a virtual machine, you should do the following:
+.Bd -literal -offset indent
+$ nixos-rebuild build-vm
+$ ./result/bin/run-*-vm
+.Ed
+.Pp
+The VM is implemented using the
+.Ql qemu
+package. For best performance, you should load the
+.Ql kvm-intel
+or
+.Ql kvm-amd
+kernel modules to get hardware virtualisation.
+.Pp
+The VM mounts the Nix store of the host through the 9P file system. The
+host Nix store is read-only, so Nix commands that modify the Nix store
+will not work in the VM. This includes commands such as
+.Nm Ns
+; to change the VM’s configuration, you must halt the VM and re-run the commands
+above.
+.Pp
+The VM has its own ext3 root file system, which is automatically created when
+the VM is first started, and is persistent across reboots of the VM. It is
+stored in
+.Ql ./ Ns Va hostname Ns .qcow2 Ns
+\&.
+.\" The entire file system hierarchy of the host is available in
+.\" the VM under
+.\" .Pa /hostfs Ns
+.\" .
+.
+.It Cm build-vm-with-bootloader
+Like
+.Cm build-vm Ns
+, but boots using the regular boot loader of your configuration (e.g. GRUB 1 or
+2), rather than booting directly into the kernel and initial ramdisk of the
+system. This allows you to test whether the boot loader works correctly. \
+However, it does not guarantee that your NixOS configuration will boot
+successfully on the host hardware (i.e., after running
+.Ic nixos-rebuild switch Ns
+), because the hardware and boot loader configuration in the VM are different.
+The boot loader is installed on an automatically generated virtual disk
+containing a
+.Pa /boot
+partition.
+.
+.It Cm list-generations Op Fl -json
+List the available generations in a similar manner to the boot loader
+menu. It shows the generation number, build date and time, NixOS version,
+kernel version and the configuration revision. This is useful to get
+information e.g. for which generation to roll back to with
+.Ic nixos-rebuild switch Fl -generation Ar N
+There is also a json version of output available.
+.El
+.
+.
+.
+.Sh OPTIONS
+.Bl -tag -width indent
+.It Fl -upgrade , -upgrade-all
+Update the root user's channel named
+.Ql nixos
+before rebuilding the system.
+.Pp
+In addition to the
+.Ql nixos
+channel, the root user's channels which have a file named
+.Ql .update-on-nixos-rebuild
+in their base directory will also be updated.
+.Pp
+Passing
+.Fl -upgrade-all
+updates all of the root user's channels.
+.
+.It Fl -install-bootloader
+Causes the boot loader to be (re)installed on the device specified by the
+relevant configuration options.
+.
+.It Fl -no-build-nix
+Normally,
+.Nm
+first builds the
+.Ql nixUnstable
+attribute in Nixpkgs, and uses the resulting instance of the Nix package manager
+to build the new system configuration. This is necessary if the NixOS modules
+use features not provided by the currently installed version of Nix. This option
+disables building a new Nix.
+.
+.It Fl -fast
+Equivalent to
+.Fl -no-build-nix Ns
+\&. This option is useful if you call
+.Nm
+frequently (e.g. if you’re hacking on a NixOS module).
+.
+.It Fl -rollback
+Instead of building a new configuration as specified by
+.Pa /etc/nixos/configuration.nix Ns
+, roll back to the previous configuration. (The previous configuration is
+defined as the one before the “current” generation of the Nix profile
+.Pa /nix/var/nix/profiles/system Ns
+\&.)
+.
+.It Fl -builders Ar builder-spec
+Allow ad-hoc remote builders for building the new system. This requires
+the user executing
+.Nm
+(usually root) to be configured as a trusted user in the Nix daemon. This can be
+achieved by using the
+.Va nix.settings.trusted-users
+NixOS option. Examples values for that option are described in the
+.Dq Remote builds
+chapter in the Nix manual, (i.e.
+.Ql --builders \(dqssh://bigbrother x86_64-linux\(dq Ns
+). By specifying an empty string existing builders specified in
+.Pa /etc/nix/machines
+can be ignored:
+.Ql --builders \(dq\(dq
+for example when they are not reachable due to network connectivity.
+.
+.It Fl -profile-name Ar name , Fl p Ar name
+Instead of using the Nix profile
+.Pa /nix/var/nix/profiles/system
+to keep track of the current and previous system configurations, use
+.Pa /nix/var/nix/profiles/system-profiles/ Ns Va name Ns
+\&. When you use GRUB 2, for every system profile created with this flag, NixOS
+will create a submenu named
+.Dq NixOS - Profile Va name
+in GRUB’s boot menu, containing the current and previous configurations of this profile.
+.Pp
+For instance, if you want to test a configuration file named
+.Pa test.nix
+without affecting the default system profile, you would do:
+.Bd -literal -offset indent
+$ nixos-rebuild switch -p test -I nixos-config=./test.nix
+.Ed
+.Pp
+The new configuration will appear in the GRUB 2 submenu
+.Dq NixOS - Profile 'test' Ns
+\&.
+.
+.It Fl -specialisation Ar name , Fl c Ar name
+Activates given specialisation; when not specified, switching and testing
+will activate the base, unspecialised system.
+.
+.It Fl -build-host Ar host
+Instead of building the new configuration locally, use the specified host
+to perform the build. The host needs to be accessible with
+.Ic ssh Ns ,
+and must be able to perform Nix builds. If the option
+.Fl -target-host
+is not set, the build will be copied back to the local machine when done.
+.Pp
+Note that, if
+.Fl -no-build-nix
+is not specified, Nix will be built both locally and remotely. This is because
+the configuration will always be evaluated locally even though the building
+might be performed remotely.
+.Pp
+You can include a remote user name in the host name
+.Ns ( Va user@host Ns
+). You can also set ssh options by defining the
+.Ev NIX_SSHOPTS
+environment variable.
+.
+.It Fl -target-host Ar host
+Specifies the NixOS target host. By setting this to something other than an
+empty string, the system activation will happen on the remote host instead of
+the local machine. The remote host needs to be accessible over
+.Ic ssh Ns ,
+and for the commands
+.Cm switch Ns
+,
+.Cm boot
+and
+.Cm test
+you need root access.
+.Pp
+If
+.Fl -build-host
+is not explicitly specified or empty, building will take place locally.
+.Pp
+You can include a remote user name in the host name
+.Ns ( Va user@host Ns
+). You can also set ssh options by defining the
+.Ev NIX_SSHOPTS
+environment variable.
+.Pp
+Note that
+.Nm
+honors the
+.Va nixpkgs.crossSystem
+setting of the given configuration but disregards the true architecture of the
+target host. Hence the
+.Va nixpkgs.crossSystem
+setting has to match the target platform or else activation will fail.
+.
+.It Fl -use-substitutes
+When set, nixos-rebuild will add
+.Fl -use-substitutes
+to each invocation of nix-copy-closure. This will only affect the behavior of
+nixos-rebuild if
+.Fl -target-host
+or
+.Fl -build-host
+is also set. This is useful when the target-host connection to cache.nixos.org
+is faster than the connection between hosts.
+.
+.It Fl -use-remote-sudo
+When set, nixos-rebuild prefixes remote commands that run on the
+.Fl -build-host
+and
+.Fl -target-host
+systems with
+.Ic sudo Ns
+\&. Setting this option allows deploying as a non-root user.
+.
+.It Fl -flake Va flake-uri Ns Op Va #name
+Build the NixOS system from the specified flake. It defaults to the directory
+containing the target of the symlink
+.Pa /etc/nixos/flake.nix Ns
+, if it exists. The flake must contain an output named
+.Ql nixosConfigurations. Ns Va name Ns
+\&. If
+.Va name
+is omitted, it default to the current host name.
+.
+.It Fl -no-flake
+Do not imply
+.Fl -flake
+if
+.Pa /etc/nixos/flake.nix
+exists. With this option, it is possible to build non-flake NixOS configurations
+even if the current NixOS systems uses flakes.
+.El
+.Pp
+In addition,
+.Nm
+accepts various Nix-related flags, including
+.Fl -max-jobs Ns ,
+.Fl j Ns ,
+.Fl I Ns ,
+.Fl -show-trace Ns ,
+.Fl -keep-failed Ns ,
+.Fl -keep-going Ns ,
+.Fl -impure Ns ,
+.Fl -verbose Ns , and
+.Fl v Ns
+\&. See the Nix manual for details.
+.
+.
+.
+.Sh ENVIRONMENT
+.Bl -tag -width indent
+.It Ev NIXOS_CONFIG
+Path to the main NixOS configuration module. Defaults to
+.Pa /etc/nixos/configuration.nix Ns
+\&.
+.
+.It Ev NIX_PATH
+A colon-separated list of directories used to look up Nix expressions enclosed
+in angle brackets (e.g. <nixpkgs>). Example:
+.Bd -literal -offset indent
+nixpkgs=./my-nixpkgs
+.Ed
+.
+.It Ev NIX_SSHOPTS
+Additional options to be passed to
+.Ic ssh
+on the command line.
+.Ed
+.
+.It Ev NIXOS_SWITCH_USE_DIRTY_ENV
+Expose the the current environment variables to post activation scripts. Will
+skip usage of
+.Ic systemd-run
+during system activation. Possibly dangerous, specially in remote environments
+(e.g.: via SSH). Will be removed in the future.
+.El
+.
+.
+.
+.Sh FILES
+.Bl -tag -width indent
+.It Pa /etc/nixos/flake.nix
+If this file exists, then
+.Nm
+will use it as if the
+.Fl -flake
+option was given. This file may be a symlink to a
+.Pa flake.nix
+in an actual flake; thus
+.Pa /etc/nixos
+need not be a flake.
+.
+.It Pa /run/current-system
+A symlink to the currently active system configuration in the Nix store.
+.
+.It Pa /nix/var/nix/profiles/system
+The Nix profile that contains the current and previous system
+configurations. Used to generate the GRUB boot menu.
+.El
+.
+.
+.
+.Sh BUGS
+This command should be renamed to something more descriptive.
+.
+.
+.
+.Sh AUTHORS
+.An -nosplit
+.An Eelco Dolstra
+and
+.An the Nixpkgs/NixOS contributors
diff --git a/nixpkgs/pkgs/os-specific/linux/nixos-rebuild/nixos-rebuild.sh b/nixpkgs/pkgs/os-specific/linux/nixos-rebuild/nixos-rebuild.sh
new file mode 100755
index 000000000000..dddae8da2068
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/nixos-rebuild/nixos-rebuild.sh
@@ -0,0 +1,715 @@
+#! @runtimeShell@
+# shellcheck shell=bash
+
+if [ -x "@runtimeShell@" ]; then export SHELL="@runtimeShell@"; fi;
+
+set -e
+set -o pipefail
+shopt -s inherit_errexit
+
+export PATH=@path@:$PATH
+
+showSyntax() {
+    exec man nixos-rebuild
+    exit 1
+}
+
+
+# Parse the command line.
+origArgs=("$@")
+copyFlags=()
+extraBuildFlags=()
+lockFlags=()
+flakeFlags=(--extra-experimental-features 'nix-command flakes')
+action=
+buildNix=1
+fast=
+rollback=
+upgrade=
+upgrade_all=
+profile=/nix/var/nix/profiles/system
+specialisation=
+buildHost=
+targetHost=
+remoteSudo=
+verboseScript=
+noFlake=
+# comma separated list of vars to preserve when using sudo
+preservedSudoVars=NIXOS_INSTALL_BOOTLOADER
+json=
+
+# log the given argument to stderr
+log() {
+    echo "$@" >&2
+}
+
+while [ "$#" -gt 0 ]; do
+    i="$1"; shift 1
+    case "$i" in
+      --help)
+        showSyntax
+        ;;
+      switch|boot|test|build|edit|dry-build|dry-run|dry-activate|build-vm|build-vm-with-bootloader|list-generations)
+        if [ "$i" = dry-run ]; then i=dry-build; fi
+        # exactly one action mandatory, bail out if multiple are given
+        if [ -n "$action" ]; then showSyntax; fi
+        action="$i"
+        ;;
+      --install-grub)
+        log "$0: --install-grub deprecated, use --install-bootloader instead"
+        export NIXOS_INSTALL_BOOTLOADER=1
+        ;;
+      --install-bootloader)
+        export NIXOS_INSTALL_BOOTLOADER=1
+        ;;
+      --no-build-nix)
+        buildNix=
+        ;;
+      --rollback)
+        rollback=1
+        ;;
+      --upgrade)
+        upgrade=1
+        ;;
+      --upgrade-all)
+        upgrade=1
+        upgrade_all=1
+        ;;
+      --use-substitutes|--substitute-on-destination|-s)
+        copyFlags+=("-s")
+        ;;
+      -I|--max-jobs|-j|--cores|--builders|--log-format)
+        j="$1"; shift 1
+        extraBuildFlags+=("$i" "$j")
+        ;;
+      -j*|--quiet|--print-build-logs|-L|--no-build-output|-Q| --show-trace|--keep-going|-k|--keep-failed|-K|--fallback|--refresh|--repair|--impure|--offline|--no-net)
+        extraBuildFlags+=("$i")
+        ;;
+      --verbose|-v|-vv|-vvv|-vvvv|-vvvvv)
+        verboseScript="true"
+        extraBuildFlags+=("$i")
+        ;;
+      --option)
+        j="$1"; shift 1
+        k="$1"; shift 1
+        extraBuildFlags+=("$i" "$j" "$k")
+        ;;
+      --fast)
+        buildNix=
+        fast=1
+        ;;
+      --profile-name|-p)
+        if [ -z "$1" ]; then
+            log "$0: ‘--profile-name’ requires an argument"
+            exit 1
+        fi
+        if [ "$1" != system ]; then
+            profile="/nix/var/nix/profiles/system-profiles/$1"
+            mkdir -p -m 0755 "$(dirname "$profile")"
+        fi
+        shift 1
+        ;;
+      --specialisation|-c)
+        if [ -z "$1" ]; then
+            log "$0: ‘--specialisation’ requires an argument"
+            exit 1
+        fi
+        specialisation="$1"
+        shift 1
+        ;;
+      --build-host)
+        buildHost="$1"
+        shift 1
+        ;;
+      --target-host)
+        targetHost="$1"
+        shift 1
+        ;;
+      --use-remote-sudo)
+        remoteSudo=1
+        ;;
+      --flake)
+        flake="$1"
+        shift 1
+        ;;
+      --no-flake)
+        noFlake=1
+        ;;
+      --recreate-lock-file|--no-update-lock-file|--no-write-lock-file|--no-registries|--commit-lock-file)
+        lockFlags+=("$i")
+        ;;
+      --update-input)
+        j="$1"; shift 1
+        lockFlags+=("$i" "$j")
+        ;;
+      --override-input)
+        j="$1"; shift 1
+        k="$1"; shift 1
+        lockFlags+=("$i" "$j" "$k")
+        ;;
+      --json)
+        json=1
+        ;;
+      *)
+        log "$0: unknown option \`$i'"
+        exit 1
+        ;;
+    esac
+done
+
+if [[ -n "$SUDO_USER" || -n $remoteSudo ]]; then
+    maybeSudo=(sudo --preserve-env="$preservedSudoVars" --)
+fi
+
+# log the given argument to stderr if verbose mode is on
+logVerbose() {
+    if [ -n "$verboseScript" ]; then
+      echo "$@" >&2
+    fi
+}
+
+# Run a command, logging it first if verbose mode is on
+runCmd() {
+    logVerbose "$" "$@"
+    "$@"
+}
+
+buildHostCmd() {
+    if [ -z "$buildHost" ]; then
+        runCmd "$@"
+    elif [ -n "$remoteNix" ]; then
+        runCmd ssh $SSHOPTS "$buildHost" "${maybeSudo[@]}" env PATH="$remoteNix":'$PATH' "$@"
+    else
+        runCmd ssh $SSHOPTS "$buildHost" "${maybeSudo[@]}" "$@"
+    fi
+}
+
+targetHostCmd() {
+    if [ -z "$targetHost" ]; then
+        runCmd "${maybeSudo[@]}" "$@"
+    else
+        runCmd ssh $SSHOPTS "$targetHost" "${maybeSudo[@]}" "$@"
+    fi
+}
+
+copyToTarget() {
+    if ! [ "$targetHost" = "$buildHost" ]; then
+        if [ -z "$targetHost" ]; then
+            logVerbose "Running nix-copy-closure with these NIX_SSHOPTS: $SSHOPTS"
+            NIX_SSHOPTS=$SSHOPTS runCmd nix-copy-closure "${copyFlags[@]}" --from "$buildHost" "$1"
+        elif [ -z "$buildHost" ]; then
+            logVerbose "Running nix-copy-closure with these NIX_SSHOPTS: $SSHOPTS"
+            NIX_SSHOPTS=$SSHOPTS runCmd nix-copy-closure "${copyFlags[@]}" --to "$targetHost" "$1"
+        else
+            buildHostCmd nix-copy-closure "${copyFlags[@]}" --to "$targetHost" "$1"
+        fi
+    fi
+}
+
+nixBuild() {
+    logVerbose "Building in legacy (non-flake) mode."
+    if [ -z "$buildHost" ]; then
+        logVerbose "No --build-host given, running nix-build locally"
+        runCmd nix-build "$@"
+    else
+        logVerbose "buildHost set to \"$buildHost\", running nix-build remotely"
+        local instArgs=()
+        local buildArgs=()
+        local drv=
+
+        while [ "$#" -gt 0 ]; do
+            local i="$1"; shift 1
+            case "$i" in
+              -o)
+                local out="$1"; shift 1
+                buildArgs+=("--add-root" "$out" "--indirect")
+                ;;
+              -A)
+                local j="$1"; shift 1
+                instArgs+=("$i" "$j")
+                ;;
+              -I) # We don't want this in buildArgs
+                shift 1
+                ;;
+              --no-out-link) # We don't want this in buildArgs
+                ;;
+              "<"*) # nix paths
+                instArgs+=("$i")
+                ;;
+              *)
+                buildArgs+=("$i")
+                ;;
+            esac
+        done
+
+        drv="$(runCmd nix-instantiate "${instArgs[@]}" "${extraBuildFlags[@]}")"
+        if [ -a "$drv" ]; then
+            logVerbose "Running nix-copy-closure with these NIX_SSHOPTS: $SSHOPTS"
+            NIX_SSHOPTS=$SSHOPTS runCmd nix-copy-closure --to "$buildHost" "$drv"
+            buildHostCmd nix-store -r "$drv" "${buildArgs[@]}"
+        else
+            log "nix-instantiate failed"
+            exit 1
+        fi
+  fi
+}
+
+nixFlakeBuild() {
+    logVerbose "Building in flake mode."
+    if [[ -z "$buildHost" && -z "$targetHost" && "$action" != switch && "$action" != boot && "$action" != test && "$action" != dry-activate ]]
+    then
+        runCmd nix "${flakeFlags[@]}" build "$@"
+        readlink -f ./result
+    elif [ -z "$buildHost" ]; then
+        runCmd nix "${flakeFlags[@]}" build "$@" --out-link "${tmpDir}/result"
+        readlink -f "${tmpDir}/result"
+    else
+        local attr="$1"
+        shift 1
+        local evalArgs=()
+        local buildArgs=()
+        local drv=
+
+        while [ "$#" -gt 0 ]; do
+            local i="$1"; shift 1
+            case "$i" in
+              --recreate-lock-file|--no-update-lock-file|--no-write-lock-file|--no-registries|--commit-lock-file)
+                evalArgs+=("$i")
+                ;;
+              --update-input)
+                local j="$1"; shift 1
+                evalArgs+=("$i" "$j")
+                ;;
+              --override-input)
+                local j="$1"; shift 1
+                local k="$1"; shift 1
+                evalArgs+=("$i" "$j" "$k")
+                ;;
+              --impure) # We don't want this in buildArgs, it's only needed at evaluation time, and unsupported during realisation
+                ;;
+              *)
+                buildArgs+=("$i")
+                ;;
+            esac
+        done
+
+        drv="$(runCmd nix "${flakeFlags[@]}" eval --raw "${attr}.drvPath" "${evalArgs[@]}" "${extraBuildFlags[@]}")"
+        if [ -a "$drv" ]; then
+            logVerbose "Running nix with these NIX_SSHOPTS: $SSHOPTS"
+            NIX_SSHOPTS=$SSHOPTS runCmd nix "${flakeFlags[@]}" copy "${copyFlags[@]}" --derivation --to "ssh://$buildHost" "$drv"
+            buildHostCmd nix-store -r "$drv" "${buildArgs[@]}"
+        else
+            log "nix eval failed"
+            exit 1
+        fi
+    fi
+}
+
+
+if [ -z "$action" ]; then showSyntax; fi
+
+# Only run shell scripts from the Nixpkgs tree if the action is
+# "switch", "boot", or "test". With other actions (such as "build"),
+# the user may reasonably expect that no code from the Nixpkgs tree is
+# executed, so it's safe to run nixos-rebuild against a potentially
+# untrusted tree.
+canRun=
+if [[ "$action" = switch || "$action" = boot || "$action" = test ]]; then
+    canRun=1
+fi
+
+
+# If ‘--upgrade’ or `--upgrade-all` is given,
+# run ‘nix-channel --update nixos’.
+if [[ -n $upgrade && -z $_NIXOS_REBUILD_REEXEC && -z $flake ]]; then
+    # If --upgrade-all is passed, or there are other channels that
+    # contain a file called ".update-on-nixos-rebuild", update them as
+    # well. Also upgrade the nixos channel.
+
+    for channelpath in /nix/var/nix/profiles/per-user/root/channels/*; do
+        channel_name=$(basename "$channelpath")
+
+        if [[ "$channel_name" == "nixos" ]]; then
+            runCmd nix-channel --update "$channel_name"
+        elif [ -e "$channelpath/.update-on-nixos-rebuild" ]; then
+            runCmd nix-channel --update "$channel_name"
+        elif [[ -n $upgrade_all ]] ; then
+            runCmd nix-channel --update "$channel_name"
+        fi
+    done
+fi
+
+# Make sure that we use the Nix package we depend on, not something
+# else from the PATH for nix-{env,instantiate,build}.  This is
+# important, because NixOS defaults the architecture of the rebuilt
+# system to the architecture of the nix-* binaries used.  So if on an
+# amd64 system the user has an i686 Nix package in her PATH, then we
+# would silently downgrade the whole system to be i686 NixOS on the
+# next reboot.
+if [ -z "$_NIXOS_REBUILD_REEXEC" ]; then
+    export PATH=@nix@/bin:$PATH
+fi
+
+# Use /etc/nixos/flake.nix if it exists. It can be a symlink to the
+# actual flake.
+if [[ -z $flake && -e /etc/nixos/flake.nix && -z $noFlake ]]; then
+    flake="$(dirname "$(readlink -f /etc/nixos/flake.nix)")"
+fi
+
+# For convenience, use the hostname as the default configuration to
+# build from the flake.
+if [[ -n $flake ]]; then
+    if [[ $flake =~ ^(.*)\#([^\#\"]*)$ ]]; then
+       flake="${BASH_REMATCH[1]}"
+       flakeAttr="${BASH_REMATCH[2]}"
+    fi
+    if [[ -z $flakeAttr ]]; then
+        read -r hostname < /proc/sys/kernel/hostname
+        if [[ -z $hostname ]]; then
+            hostname=default
+        fi
+        flakeAttr="nixosConfigurations.\"$hostname\""
+    else
+        flakeAttr="nixosConfigurations.\"$flakeAttr\""
+    fi
+fi
+
+if [[ ! -z "$specialisation" && ! "$action" = switch && ! "$action" = test ]]; then
+    log "error: ‘--specialisation’ can only be used with ‘switch’ and ‘test’"
+    exit 1
+fi
+
+tmpDir=$(mktemp -t -d nixos-rebuild.XXXXXX)
+
+cleanup() {
+    for ctrl in "$tmpDir"/ssh-*; do
+        ssh -o ControlPath="$ctrl" -O exit dummyhost 2>/dev/null || true
+    done
+    rm -rf "$tmpDir"
+}
+trap cleanup EXIT
+
+
+# Re-execute nixos-rebuild from the Nixpkgs tree.
+if [[ -z $_NIXOS_REBUILD_REEXEC && -n $canRun && -z $fast ]]; then
+    if [[ -z $flake ]]; then
+        if p=$(runCmd nix-build --no-out-link --expr 'with import <nixpkgs/nixos> {}; config.system.build.nixos-rebuild' "${extraBuildFlags[@]}"); then
+            SHOULD_REEXEC=1
+        fi
+    else
+        runCmd nix "${flakeFlags[@]}" build --out-link "${tmpDir}/nixos-rebuild" "$flake#$flakeAttr.config.system.build.nixos-rebuild" "${extraBuildFlags[@]}" "${lockFlags[@]}"
+        if p=$(readlink -e "${tmpDir}/nixos-rebuild"); then
+            SHOULD_REEXEC=1
+        fi
+    fi
+
+    if [[ -n $SHOULD_REEXEC ]]; then
+        export _NIXOS_REBUILD_REEXEC=1
+        # Manually call cleanup as the EXIT trap is not triggered when using exec
+        cleanup
+        runCmd exec "$p/bin/nixos-rebuild" "${origArgs[@]}"
+        exit 1
+    fi
+fi
+
+# Find configuration.nix and open editor instead of building.
+if [ "$action" = edit ]; then
+    if [[ -z $flake ]]; then
+        NIXOS_CONFIG=${NIXOS_CONFIG:-$(runCmd nix-instantiate --find-file nixos-config)}
+        if [[ -d $NIXOS_CONFIG ]]; then
+            NIXOS_CONFIG=$NIXOS_CONFIG/default.nix
+        fi
+        runCmd exec ${EDITOR:-nano} "$NIXOS_CONFIG"
+    else
+        runCmd exec nix "${flakeFlags[@]}" edit "${lockFlags[@]}" -- "$flake#$flakeAttr"
+    fi
+    exit 1
+fi
+
+SSHOPTS="$NIX_SSHOPTS -o ControlMaster=auto -o ControlPath=$tmpDir/ssh-%n -o ControlPersist=60"
+
+# First build Nix, since NixOS may require a newer version than the
+# current one.
+if [[ -n "$rollback" || "$action" = dry-build ]]; then
+    buildNix=
+fi
+
+nixSystem() {
+    machine="$(uname -m)"
+    if [[ "$machine" =~ i.86 ]]; then
+        machine=i686
+    fi
+    echo $machine-linux
+}
+
+prebuiltNix() {
+    machine="$1"
+    if [ "$machine" = x86_64 ]; then
+        echo @nix_x86_64_linux@
+    elif [[ "$machine" =~ i.86 ]]; then
+        echo @nix_i686_linux@
+    elif [[ "$machine" = aarch64 ]]; then
+        echo @nix_aarch64_linux@
+    else
+        log "$0: unsupported platform"
+        exit 1
+    fi
+}
+
+if [[ -n $buildNix && -z $flake ]]; then
+    log "building Nix..."
+    nixDrv=
+    if ! nixDrv="$(runCmd nix-instantiate '<nixpkgs/nixos>' --add-root "$tmpDir/nix.drv" --indirect -A config.nix.package.out "${extraBuildFlags[@]}")"; then
+        if ! nixDrv="$(runCmd nix-instantiate '<nixpkgs>' --add-root "$tmpDir/nix.drv" --indirect -A nix "${extraBuildFlags[@]}")"; then
+            if ! nixStorePath="$(runCmd nix-instantiate --eval '<nixpkgs/nixos/modules/installer/tools/nix-fallback-paths.nix>' -A "$(nixSystem)" | sed -e 's/^"//' -e 's/"$//')"; then
+                nixStorePath="$(prebuiltNix "$(uname -m)")"
+            fi
+            if ! runCmd nix-store -r "$nixStorePath" --add-root "${tmpDir}/nix" --indirect \
+                --option extra-binary-caches https://cache.nixos.org/; then
+                log "warning: don't know how to get latest Nix"
+            fi
+            # Older version of nix-store -r don't support --add-root.
+            [ -e "$tmpDir/nix" ] || ln -sf "$nixStorePath" "$tmpDir/nix"
+            if [ -n "$buildHost" ]; then
+                remoteNixStorePath="$(runCmd prebuiltNix "$(buildHostCmd uname -m)")"
+                remoteNix="$remoteNixStorePath/bin"
+                if ! buildHostCmd nix-store -r "$remoteNixStorePath" \
+                  --option extra-binary-caches https://cache.nixos.org/ >/dev/null; then
+                    remoteNix=
+                    log "warning: don't know how to get latest Nix"
+                fi
+            fi
+        fi
+    fi
+    if [ -a "$nixDrv" ]; then
+        nix-store -r "$nixDrv"'!'"out" --add-root "$tmpDir/nix" --indirect >/dev/null
+        if [ -n "$buildHost" ]; then
+            nix-copy-closure "${copyFlags[@]}" --to "$buildHost" "$nixDrv"
+            # The nix build produces multiple outputs, we add them all to the remote path
+            for p in $(buildHostCmd nix-store -r "$(readlink "$nixDrv")" "${buildArgs[@]}"); do
+                remoteNix="$remoteNix${remoteNix:+:}$p/bin"
+            done
+        fi
+    fi
+    PATH="$tmpDir/nix/bin:$PATH"
+fi
+
+
+# Update the version suffix if we're building from Git (so that
+# nixos-version shows something useful).
+if [[ -n $canRun && -z $flake ]]; then
+    if nixpkgs=$(runCmd nix-instantiate --find-file nixpkgs "${extraBuildFlags[@]}"); then
+        suffix=$(runCmd $SHELL "$nixpkgs/nixos/modules/installer/tools/get-version-suffix" "${extraBuildFlags[@]}" || true)
+        if [ -n "$suffix" ]; then
+            echo -n "$suffix" > "$nixpkgs/.version-suffix" || true
+        fi
+    fi
+fi
+
+
+if [ "$action" = dry-build ]; then
+    extraBuildFlags+=(--dry-run)
+fi
+
+if [ "$action" = list-generations ]; then
+    if [ ! -L "$profile" ]; then
+        log "No profile \`$(basename "$profile")' found"
+        exit 1
+    fi
+
+    generation_from_dir() {
+        generation_dir="$1"
+        generation_base="$(basename "$generation_dir")" # Has the format "system-123-link" for generation 123
+        no_link_gen="${generation_base%-link}"  # remove the "-link"
+        echo "${no_link_gen##*-}" # remove everything before the last dash
+    }
+    describe_generation(){
+        generation_dir="$1"
+        generation_number="$(generation_from_dir "$generation_dir")"
+        nixos_version="$(cat "$generation_dir/nixos-version" 2> /dev/null || echo "Unknown")"
+
+        kernel_dir="$(dirname "$(realpath "$generation_dir/kernel")")"
+        kernel_version="$(ls "$kernel_dir/lib/modules" || echo "Unknown")"
+
+        configurationRevision="$("$generation_dir/sw/bin/nixos-version" --configuration-revision 2> /dev/null || true)"
+
+        # Old nixos-version output ignored unknown flags and just printed the version
+        # therefore the following workaround is done not to show the default output
+        nixos_version_default="$("$generation_dir/sw/bin/nixos-version")"
+        if [ "$configurationRevision" == "$nixos_version_default" ]; then
+             configurationRevision=""
+        fi
+
+        # jq automatically quotes the output => don't try to quote it in output!
+        build_date="$(stat "$generation_dir" --format=%W | jq 'todate')"
+
+        pushd "$generation_dir/specialisation/" > /dev/null || :
+        specialisation_list=(*)
+        popd > /dev/null || :
+
+        specialisations="$(jq --compact-output --null-input '$ARGS.positional' --args -- "${specialisation_list[@]}")"
+
+        if [ "$(basename "$generation_dir")" = "$(readlink "$profile")" ]; then
+            current_generation_tag="true"
+        else
+            current_generation_tag="false"
+        fi
+
+        # Escape userdefined strings
+        nixos_version="$(jq -aR <<< "$nixos_version")"
+        kernel_version="$(jq -aR <<< "$kernel_version")"
+        configurationRevision="$(jq -aR <<< "$configurationRevision")"
+        cat << EOF
+{
+  "generation": $generation_number,
+  "date": $build_date,
+  "nixosVersion": $nixos_version,
+  "kernelVersion": $kernel_version,
+  "configurationRevision": $configurationRevision,
+  "specialisations": $specialisations,
+  "current": $current_generation_tag
+}
+EOF
+    }
+
+    find "$(dirname "$profile")" -regex "$profile-[0-9]+-link" |
+        sort -Vr |
+        while read -r generation_dir; do
+            describe_generation "$generation_dir"
+        done |
+        if [ -z "$json" ]; then
+            jq --slurp -r '.[] | [
+                    ([.generation, (if .current == true then "current" else "" end)] | join(" ")),
+                    (.date | fromdate | strflocaltime("%Y-%m-%d %H:%M:%S")),
+                    .nixosVersion, .kernelVersion, .configurationRevision,
+                    (.specialisations | join(" "))
+                ] | @tsv' |
+                column --separator $'\t' --table --table-columns "Generation,Build-date,NixOS version,Kernel,Configuration Revision,Specialisation" |
+                ${PAGER:cat}
+        else
+            jq --slurp .
+        fi
+    exit 0
+fi
+
+
+# Either upgrade the configuration in the system profile (for "switch"
+# or "boot"), or just build it and create a symlink "result" in the
+# current directory (for "build" and "test").
+if [ -z "$rollback" ]; then
+    log "building the system configuration..."
+    if [[ "$action" = switch || "$action" = boot ]]; then
+        if [[ -z $flake ]]; then
+            pathToConfig="$(nixBuild '<nixpkgs/nixos>' --no-out-link -A system "${extraBuildFlags[@]}")"
+        else
+            pathToConfig="$(nixFlakeBuild "$flake#$flakeAttr.config.system.build.toplevel" "${extraBuildFlags[@]}" "${lockFlags[@]}")"
+        fi
+        copyToTarget "$pathToConfig"
+        targetHostCmd nix-env -p "$profile" --set "$pathToConfig"
+    elif [[ "$action" = test || "$action" = build || "$action" = dry-build || "$action" = dry-activate ]]; then
+        if [[ -z $flake ]]; then
+            pathToConfig="$(nixBuild '<nixpkgs/nixos>' -A system -k "${extraBuildFlags[@]}")"
+        else
+            pathToConfig="$(nixFlakeBuild "$flake#$flakeAttr.config.system.build.toplevel" "${extraBuildFlags[@]}" "${lockFlags[@]}")"
+        fi
+    elif [ "$action" = build-vm ]; then
+        if [[ -z $flake ]]; then
+            pathToConfig="$(nixBuild '<nixpkgs/nixos>' -A vm -k "${extraBuildFlags[@]}")"
+        else
+            pathToConfig="$(nixFlakeBuild "$flake#$flakeAttr.config.system.build.vm" "${extraBuildFlags[@]}" "${lockFlags[@]}")"
+        fi
+    elif [ "$action" = build-vm-with-bootloader ]; then
+        if [[ -z $flake ]]; then
+            pathToConfig="$(nixBuild '<nixpkgs/nixos>' -A vmWithBootLoader -k "${extraBuildFlags[@]}")"
+        else
+            pathToConfig="$(nixFlakeBuild "$flake#$flakeAttr.config.system.build.vmWithBootLoader" "${extraBuildFlags[@]}" "${lockFlags[@]}")"
+        fi
+    else
+        showSyntax
+    fi
+    # Copy build to target host if we haven't already done it
+    if ! [[ "$action" = switch || "$action" = boot ]]; then
+        copyToTarget "$pathToConfig"
+    fi
+else # [ -n "$rollback" ]
+    if [[ "$action" = switch || "$action" = boot ]]; then
+        targetHostCmd nix-env --rollback -p "$profile"
+        pathToConfig="$profile"
+    elif [[ "$action" = test || "$action" = build ]]; then
+        systemNumber=$(
+            targetHostCmd nix-env -p "$profile" --list-generations |
+            sed -n '/current/ {g; p;}; s/ *\([0-9]*\).*/\1/; h'
+        )
+        pathToConfig="$profile"-${systemNumber}-link
+        if [ -z "$targetHost" ]; then
+            ln -sT "$pathToConfig" ./result
+        fi
+    else
+        showSyntax
+    fi
+fi
+
+
+# If we're not just building, then make the new configuration the boot
+# default and/or activate it now.
+if [[ "$action" = switch || "$action" = boot || "$action" = test || "$action" = dry-activate ]]; then
+    # Using systemd-run here to protect against PTY failures/network
+    # disconnections during rebuild.
+    # See: https://github.com/NixOS/nixpkgs/issues/39118
+    cmd=(
+        "systemd-run"
+        "-E" "LOCALE_ARCHIVE" # Will be set to new value early in switch-to-configuration script, but interpreter starts out with old value
+        "-E" "NIXOS_INSTALL_BOOTLOADER"
+        "--collect"
+        "--no-ask-password"
+        "--pty"
+        "--quiet"
+        "--same-dir"
+        "--service-type=exec"
+        "--unit=nixos-rebuild-switch-to-configuration"
+        "--wait"
+    )
+    # Check if we have a working systemd-run. In chroot environments we may have
+    # a non-working systemd, so we fallback to not using systemd-run.
+    # You may also want to explicitly set NIXOS_SWITCH_USE_DIRTY_ENV environment
+    # variable, since systemd-run runs inside an isolated environment and
+    # this may break some post-switch scripts. However keep in mind that this
+    # may be dangerous in remote access (e.g. SSH).
+    if [[ -n "$NIXOS_SWITCH_USE_DIRTY_ENV" ]]; then
+        log "warning: skipping systemd-run since NIXOS_SWITCH_USE_DIRTY_ENV is set. This environment variable will be ignored in the future"
+        cmd=()
+    elif ! targetHostCmd "${cmd[@]}" true &>/dev/null; then
+        logVerbose "Skipping systemd-run to switch configuration since it is not working in target host."
+        cmd=(
+            "env"
+            "-i"
+            "LOCALE_ARCHIVE=$LOCALE_ARCHIVE"
+            "NIXOS_INSTALL_BOOTLOADER=$NIXOS_INSTALL_BOOTLOADER"
+        )
+    else
+        logVerbose "Using systemd-run to switch configuration."
+    fi
+    if [[ -z "$specialisation" ]]; then
+        cmd+=("$pathToConfig/bin/switch-to-configuration")
+    else
+        cmd+=("$pathToConfig/specialisation/$specialisation/bin/switch-to-configuration")
+
+        if [[ ! -f "${cmd[-1]}" ]]; then
+            log "error: specialisation not found: $specialisation"
+            exit 1
+        fi
+    fi
+
+    if ! targetHostCmd "${cmd[@]}" "$action"; then
+        log "warning: error(s) occurred while switching to the new configuration"
+        exit 1
+    fi
+fi
+
+
+if [[ "$action" = build-vm || "$action" = build-vm-with-bootloader ]]; then
+    cat >&2 <<EOF
+
+Done.  The virtual machine can be started by running $(echo "${pathToConfig}/bin/"run-*-vm)
+EOF
+fi
diff --git a/nixpkgs/pkgs/os-specific/linux/nmon/default.nix b/nixpkgs/pkgs/os-specific/linux/nmon/default.nix
new file mode 100644
index 000000000000..768e8e43edc9
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/nmon/default.nix
@@ -0,0 +1,33 @@
+{ fetchurl, lib, stdenv, ncurses }:
+
+stdenv.mkDerivation rec {
+  pname = "nmon";
+  version = "16p";
+
+  src = fetchurl {
+    url = "mirror://sourceforge/nmon/lmon${version}.c";
+    sha256 = "sha256-XcYEX2cl4ySalpkY+uaWY6HWaRYgh3ILq825D86eayo=";
+  };
+
+  buildInputs = [ ncurses ];
+  dontUnpack = true;
+  buildPhase = "${stdenv.cc.targetPrefix}cc -o nmon ${src} -g -O2 -D JFS -D GETUSER -Wall -D LARGEMEM -lncurses -lm -g -D ${
+    with stdenv.targetPlatform;
+    if isx86 then "X86"
+    else if isAarch then "ARM"
+    else if isPower then "POWER"
+    else "UNKNOWN"
+  }";
+  installPhase = ''
+    mkdir -p $out/bin
+    cp nmon $out/bin
+  '';
+
+  meta = with lib; {
+    description = "AIX & Linux Performance Monitoring tool";
+    homepage = "https://nmon.sourceforge.net";
+    license = licenses.gpl3Plus;
+    platforms = platforms.linux;
+    maintainers = with maintainers; [ sveitser ];
+  };
+}
diff --git a/nixpkgs/pkgs/os-specific/linux/nsncd/default.nix b/nixpkgs/pkgs/os-specific/linux/nsncd/default.nix
new file mode 100644
index 000000000000..81590a6f8692
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/nsncd/default.nix
@@ -0,0 +1,35 @@
+{ lib
+, stdenv
+, fetchFromGitHub
+, rustPlatform
+, nix-gitignore
+}:
+
+rustPlatform.buildRustPackage rec {
+  pname = "nsncd";
+  version = "unstable-2023-10-26";
+
+  # https://github.com/twosigma/nsncd/pull/71 has not been upstreamed
+  # to twosigma/nsncd yet. Using the nix-community fork in the
+  # meantime.
+  src = fetchFromGitHub {
+    owner = "nix-community";
+    repo = "nsncd";
+    rev =  "d6513421f420e407248c6d0aee39ae2f861a7cec";
+    hash = "sha256-PykzwpPxMDHJOr2HubXuw+Krk9Jbi0E3M2lEAOXhx2M=";
+  };
+
+  cargoSha256 = "sha256-cUM7rYXWpJ0aMiurXBp15IlxAmf/x5uiodxEqBPCQT0=";
+
+  meta = with lib; {
+    description = "the name service non-caching daemon";
+    longDescription = ''
+      nsncd is a nscd-compatible daemon that proxies lookups, without caching.
+    '';
+    homepage = "https://github.com/twosigma/nsncd";
+    license = licenses.asl20;
+    maintainers = with maintainers; [ flokli picnoir ];
+    # never built on aarch64-darwin, x86_64-darwin since first introduction in nixpkgs
+    broken = stdenv.isDarwin;
+  };
+}
diff --git a/nixpkgs/pkgs/os-specific/linux/nss_ldap/crashes.patch b/nixpkgs/pkgs/os-specific/linux/nss_ldap/crashes.patch
new file mode 100644
index 000000000000..48250141e82a
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/nss_ldap/crashes.patch
@@ -0,0 +1,104 @@
+https://bugzilla.redhat.com/show_bug.cgi?id=488857
+
+
+Distinguish between contexts that are somewhat persistent and one-offs
+which are used to fulfill part of a larger request.
+
+diff -up nss_ldap-253/ldap-grp.c nss_ldap-253/ldap-grp.c
+--- nss_ldap-253/ldap-grp.c	2009-05-08 13:30:43.000000000 -0400
++++ nss_ldap-253/ldap-grp.c	2009-05-08 13:34:41.000000000 -0400
+@@ -857,7 +857,7 @@ ng_chase (const char *dn, ldap_initgroup
+   LA_STRING (a) = dn;
+   LA_TYPE (a) = LA_TYPE_STRING;
+ 
+-  if (_nss_ldap_ent_context_init_locked (&ctx) == NULL)
++  if (_nss_ldap_ent_context_init_internal_locked (&ctx) == NULL)
+     {
+       return NSS_UNAVAIL;
+     }
+@@ -930,7 +930,7 @@ ng_chase_backlink (const char ** members
+   LA_STRING_LIST (a) = filteredMembersOf;
+   LA_TYPE (a) = LA_TYPE_STRING_LIST_OR;
+ 
+-  if (_nss_ldap_ent_context_init_locked (&ctx) == NULL)
++  if (_nss_ldap_ent_context_init_internal_locked (&ctx) == NULL)
+     {
+       free (filteredMembersOf);
+       return NSS_UNAVAIL;
+diff -up nss_ldap-253/ldap-netgrp.c nss_ldap-253/ldap-netgrp.c
+--- nss_ldap-253/ldap-netgrp.c	2009-05-08 13:31:35.000000000 -0400
++++ nss_ldap-253/ldap-netgrp.c	2009-05-08 13:33:14.000000000 -0400
+@@ -691,7 +691,7 @@ do_innetgr_nested (ldap_innetgr_args_t *
+   LA_TYPE (a) = LA_TYPE_STRING;
+   LA_STRING (a) = nested;	/* memberNisNetgroup */
+ 
+-  if (_nss_ldap_ent_context_init_locked (&ctx) == NULL)
++  if (_nss_ldap_ent_context_init_internal_locked (&ctx) == NULL)
+     {
+       debug ("<== do_innetgr_nested: failed to initialize context");
+       return NSS_UNAVAIL;
+diff -up nss_ldap-253/ldap-nss.c nss_ldap-253/ldap-nss.c
+--- nss_ldap-253/ldap-nss.c	2009-05-08 13:27:17.000000000 -0400
++++ nss_ldap-253/ldap-nss.c	2009-05-08 14:05:51.000000000 -0400
+@@ -1961,6 +1961,7 @@ _nss_ldap_ent_context_init_locked (ent_c
+ 	  debug ("<== _nss_ldap_ent_context_init_locked");
+ 	  return NULL;
+ 	}
++      ctx->ec_internal = 0;
+       *pctx = ctx;
+     }
+   else
+@@ -1990,6 +1991,15 @@ _nss_ldap_ent_context_init_locked (ent_c
+ 
+   return ctx;
+ }
++ent_context_t *
++_nss_ldap_ent_context_init_internal_locked (ent_context_t ** pctx)
++{
++  ent_context_t *ctx;
++  ctx = _nss_ldap_ent_context_init_locked (pctx);
++  if (ctx != NULL)
++    ctx->ec_internal = 1;
++  return ctx;
++}
+ 
+ /*
+  * Clears a given context; we require the caller
+@@ -2031,7 +2041,8 @@ _nss_ldap_ent_context_release (ent_conte
+ 
+   LS_INIT (ctx->ec_state);
+ 
+-  if (_nss_ldap_test_config_flag (NSS_LDAP_FLAGS_CONNECT_POLICY_ONESHOT))
++  if (!ctx->ec_internal &&
++      _nss_ldap_test_config_flag (NSS_LDAP_FLAGS_CONNECT_POLICY_ONESHOT))
+     {
+       do_close ();
+     }
+diff -up nss_ldap-253/ldap-nss.h nss_ldap-253/ldap-nss.h
+--- nss_ldap-253/ldap-nss.h	2009-05-08 13:35:47.000000000 -0400
++++ nss_ldap-253/ldap-nss.h	2009-05-08 13:52:25.000000000 -0400
+@@ -560,6 +560,8 @@ struct ent_context
+   ldap_state_t ec_state;	/* eg. for services */
+   int ec_msgid;			/* message ID */
+   LDAPMessage *ec_res;		/* result chain */
++  int ec_internal;		/* this context is just a part of a larger
++				 * query for information */
+   ldap_service_search_descriptor_t *ec_sd;	/* current sd */
+   struct berval *ec_cookie;     /* cookie for paged searches */
+ };
+@@ -744,6 +746,15 @@ ent_context_t *_nss_ldap_ent_context_ini
+ ent_context_t *_nss_ldap_ent_context_init_locked (ent_context_t **);
+ 
+ /*
++ * _nss_ldap_ent_context_init_internal_locked() has the same
++ * behaviour, except it marks the context as one that's being
++ * used to fetch additional data used in answering a request, i.e.
++ * that this isn't the "main" context
++ */
++
++ent_context_t *_nss_ldap_ent_context_init_internal_locked (ent_context_t **);
++
++/*
+  * _nss_ldap_ent_context_release() is used to manually free a context 
+  */
+ void _nss_ldap_ent_context_release (ent_context_t *);
diff --git a/nixpkgs/pkgs/os-specific/linux/nss_ldap/default.nix b/nixpkgs/pkgs/os-specific/linux/nss_ldap/default.nix
new file mode 100644
index 000000000000..23bc8ff0dfad
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/nss_ldap/default.nix
@@ -0,0 +1,39 @@
+{lib, stdenv, fetchurl, openldap, perl}:
+
+stdenv.mkDerivation rec {
+  pname = "nss_ldap";
+  version = "265";
+
+  src = fetchurl {
+    url = "http://www.padl.com/download/nss_ldap-${version}.tar.gz";
+    sha256 = "1a16q9p97d2blrj0h6vl1xr7dg7i4s8x8namipr79mshby84vdbp";
+  };
+
+  preConfigure = ''
+    patchShebangs ./vers_string
+    sed -i s,vers_string,./vers_string, Makefile*
+    substituteInPlace vers_string --replace "cvslib.pl" "./cvslib.pl"
+  '';
+
+  patches = [ ./crashes.patch ];
+
+  postPatch = ''
+    patch -p0 < ${./nss_ldap-265-glibc-2.16.patch}
+  '';
+
+  preInstall = ''
+    installFlagsArray=(INST_UID=$(id -u) INST_GID=$(id -g) LIBC_VERS=2.5 NSS_VERS=2 NSS_LDAP_PATH_CONF=$out/etc/ldap.conf)
+    substituteInPlace Makefile \
+      --replace '/usr$(libdir)' $TMPDIR \
+      --replace 'install-data-local:' 'install-data-local-disabled:'
+    mkdir -p $out/etc
+  '';
+
+  buildInputs = [ openldap perl ];
+
+  meta = with lib; {
+    description = "LDAP module for the Solaris Nameservice Switch (NSS)";
+    license = licenses.gpl2;
+    platforms = platforms.linux;
+  };
+}
diff --git a/nixpkgs/pkgs/os-specific/linux/nss_ldap/nss_ldap-265-glibc-2.16.patch b/nixpkgs/pkgs/os-specific/linux/nss_ldap/nss_ldap-265-glibc-2.16.patch
new file mode 100644
index 000000000000..8b0b9289327a
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/nss_ldap/nss_ldap-265-glibc-2.16.patch
@@ -0,0 +1,139 @@
+https://github.com/archlinuxarm/PKGBUILDs/issues/296
+
+Fixes the bug causing a segfault on nscd and sshd:
+symbol lookup error: /usr/lib/libnss_ldap.so.2: undefined symbol: __libc_lock_lock
+
+--- ldap-nss.c.orig	2012-10-17 12:32:03.908730283 +0000
++++ ldap-nss.c	2012-10-17 12:38:10.906767283 +0000
+@@ -148,7 +148,7 @@
+  */
+ static ldap_session_t __session = { NULL, NULL, 0, LS_UNINITIALIZED };
+ 
+-#if defined(HAVE_PTHREAD_ATFORK) || defined(HAVE_LIBC_LOCK_H) || defined(HAVE_BITS_LIBC_LOCK_H)
++#if defined(HAVE_PTHREAD_ATFORK) || defined(HAVE___LIBC_ONCE)
+ static pthread_once_t __once = PTHREAD_ONCE_INIT;
+ #endif
+ 
+@@ -168,7 +168,7 @@
+ static int __ssl_initialized = 0;
+ #endif /* HAVE_LDAPSSL_CLIENT_INIT */
+ 
+-#if defined(HAVE_PTHREAD_ATFORK) || defined(HAVE_LIBC_LOCK_H) || defined(HAVE_BITS_LIBC_LOCK_H)
++#if defined(HAVE_PTHREAD_ATFORK) || defined(HAVE___LIBC_ONCE)
+ /*
+  * Prepare for fork(); lock mutex.
+  */
+@@ -519,7 +519,7 @@
+ }
+ #endif /* HAVE_NSSWITCH_H */
+ 
+-#if defined(HAVE_PTHREAD_ATFORK) || defined(HAVE_LIBC_LOCK_H) || defined(HAVE_BITS_LIBC_LOCK_H)
++#if defined(HAVE_PTHREAD_ATFORK) || defined(HAVE___LIBC_ONCE)
+ static void
+ do_atfork_prepare (void)
+ {
+@@ -553,7 +553,7 @@
+ #ifdef HAVE_PTHREAD_ATFORK
+   (void) pthread_atfork (do_atfork_prepare, do_atfork_parent,
+ 			 do_atfork_child);
+-#elif defined(HAVE_LIBC_LOCK_H) || defined(HAVE_BITS_LIBC_LOCK_H)
++#elif defined(HAVE___LIBC_ATFORK)
+   (void) __libc_atfork (do_atfork_prepare, do_atfork_parent, do_atfork_child);
+ #endif
+ 
+@@ -1119,7 +1119,7 @@
+     }
+ 
+ #ifndef HAVE_PTHREAD_ATFORK
+-#if defined(HAVE_LIBC_LOCK_H) || defined(HAVE_BITS_LIBC_LOCK_H)
++#if defined(HAVE___LIBC_ONCE)
+   /*
+    * This bogosity is necessary because Linux uses different
+    * PIDs for different threads (like IRIX, which we don't
+@@ -1151,7 +1151,7 @@
+     pid = -1;			/* linked against libpthreads, don't care */
+ #else
+   pid = getpid ();
+-#endif /* HAVE_LIBC_LOCK_H || HAVE_BITS_LIBC_LOCK_H */
++#endif /* HAVE___LIBC_ONCE */
+ #endif /* HAVE_PTHREAD_ATFORK */
+ 
+   euid = geteuid ();
+@@ -1161,7 +1161,7 @@
+   syslog (LOG_DEBUG,
+ 	  "nss_ldap: __session.ls_state=%d, __session.ls_conn=%p, __euid=%i, euid=%i",
+ 	  __session.ls_state, __session.ls_conn, __euid, euid);
+-#elif defined(HAVE_LIBC_LOCK_H) || defined(HAVE_BITS_LIBC_LOCK_H)
++#elif defined(HAVE___LIBC_ONCE)
+   syslog (LOG_DEBUG,
+ 	  "nss_ldap: libpthreads=%s, __session.ls_state=%d, __session.ls_conn=%p, __pid=%i, pid=%i, __euid=%i, euid=%i",
+  	  ((__pthread_once == NULL || __pthread_atfork == NULL) ? "FALSE" : "TRUE"),
+@@ -1185,11 +1185,11 @@
+     }
+   else
+ #ifndef HAVE_PTHREAD_ATFORK
+-#if defined(HAVE_LIBC_LOCK_H) || defined(HAVE_BITS_LIBC_LOCK_H)
++#if defined(HAVE___LIBC_ONCE)
+   if ((__pthread_once == NULL || __pthread_atfork == NULL) && __pid != pid)
+ #else
+   if (__pid != pid)
+-#endif /* HAVE_LIBC_LOCK_H || HAVE_BITS_LIBC_LOCK_H */
++#endif /* HAVE___LIBC_ONCE */
+     {
+       do_close_no_unbind ();
+     }
+@@ -1250,9 +1250,9 @@
+       debug ("<== do_init (pthread_once failed)");
+       return NSS_UNAVAIL;
+     }
+-#elif defined(HAVE_PTHREAD_ATFORK) && ( defined(HAVE_LIBC_LOCK_H) || defined(HAVE_BITS_LIBC_LOCK_H) )
++#elif defined(HAVE_PTHREAD_ATFORK) && defined(HAVE___LIBC_ONCE)
+   __libc_once (__once, do_atfork_setup);
+-#elif defined(HAVE_LIBC_LOCK_H) || defined(HAVE_BITS_LIBC_LOCK_H)
++#elif defined(HAVE___LIBC_ONCE)
+   /*
+    * Only install the pthread_atfork() handlers i
+    * we are linked against libpthreads. Otherwise,
+--- ldap-nss.h.orig	2012-10-17 12:33:05.681379283 +0000
++++ ldap-nss.h	2012-10-17 12:34:06.337050753 +0000
+@@ -671,7 +671,7 @@
+ #define NSS_LDAP_LOCK(m)		mutex_lock(&m)
+ #define NSS_LDAP_UNLOCK(m)		mutex_unlock(&m)
+ #define NSS_LDAP_DEFINE_LOCK(m)		static mutex_t m = DEFAULTMUTEX
+-#elif defined(HAVE_LIBC_LOCK_H) || defined(HAVE_BITS_LIBC_LOCK_H)
++#elif defined(HAVE___LIBC_LOCK_LOCK) && defined(HAVE___LIBC_LOCK_UNLOCK)
+ #define NSS_LDAP_LOCK(m)		__libc_lock_lock(m)
+ #define NSS_LDAP_UNLOCK(m)		__libc_lock_unlock(m)
+ #define NSS_LDAP_DEFINE_LOCK(m)		static pthread_mutex_t m = PTHREAD_MUTEX_INITIALIZER
+--- ldap-nss.c.orig	2012-10-17 12:58:20.270783283 +0000
++++ ldap-nss.c	2012-10-17 12:58:43.699267283 +0000
+@@ -156,7 +156,7 @@
+ static FILE *__debugfile;
+ #endif /* LBER_OPT_LOG_PRINT_FILE */
+ 
+-#ifndef HAVE_PTHREAD_ATFORK
++#if !defined(HAVE_PTHREAD_ATFORK) || !defined(HAVE___LIBC_ONCE)
+ /* 
+  * Process ID that opened the session.
+  */
+--- configure.in.orig	2012-10-17 12:59:31.707235283 +0000
++++ configure.in	2012-10-17 13:00:15.854289283 +0000
+@@ -255,6 +255,7 @@
+ AC_CHECK_FUNCS(pthread_once)
+ AC_CHECK_FUNCS(ether_aton)
+ AC_CHECK_FUNCS(ether_ntoa)
++AC_CHECK_FUNCS(__libc_once __libc_atfork __libc_lock_lock __libc_lock_unlock)
+ 
+ AC_MSG_CHECKING(for struct ether_addr)
+ AC_TRY_COMPILE([#include <sys/types.h>
+--- ldap-nss.c.orig	2012-10-17 13:02:01.418010283 +0000
++++ ldap-nss.c	2012-10-17 13:03:25.017240283 +0000
+@@ -1102,7 +1102,7 @@
+ do_init (void)
+ {
+   ldap_config_t *cfg;
+-#ifndef HAVE_PTHREAD_ATFORK
++#if !defined(HAVE_PTHREAD_ATFORK) || !defined(HAVE___LIBC_ONCE)
+   pid_t pid;
+ #endif
+   uid_t euid;
diff --git a/nixpkgs/pkgs/os-specific/linux/numactl/default.nix b/nixpkgs/pkgs/os-specific/linux/numactl/default.nix
new file mode 100644
index 000000000000..998b7d052b35
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/numactl/default.nix
@@ -0,0 +1,35 @@
+{ lib, stdenv, fetchFromGitHub, autoreconfHook }:
+
+stdenv.mkDerivation rec {
+  pname = "numactl";
+  version = "2.0.16";
+
+  src = fetchFromGitHub {
+    owner = pname;
+    repo = pname;
+    rev = "v${version}";
+    sha256 = "sha256-aDKzkmvrPDzQl4n0KgeiU5LOLhQA0tmwzGiXvJDp7ZI=";
+  };
+
+  outputs = [ "out" "dev" "man" ];
+
+  nativeBuildInputs = [ autoreconfHook ];
+
+  postPatch = ''
+    patchShebangs test
+  '';
+
+  LDFLAGS = lib.optionalString stdenv.hostPlatform.isRiscV "-latomic";
+
+  # You probably shouldn't ever run these! They will reconfigure Linux
+  # NUMA settings, which on my build machine makes the rest of package
+  # building ~5% slower until reboot. Ugh!
+  doCheck = false; # never ever!
+
+  meta = with lib; {
+    description = "Library and tools for non-uniform memory access (NUMA) machines";
+    homepage = "https://github.com/numactl/numactl";
+    license = with licenses; [ gpl2 lgpl21 ]; # libnuma is lgpl21
+    platforms = platforms.linux;
+  };
+}
diff --git a/nixpkgs/pkgs/os-specific/linux/numad/default.nix b/nixpkgs/pkgs/os-specific/linux/numad/default.nix
new file mode 100644
index 000000000000..24fc9e188741
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/numad/default.nix
@@ -0,0 +1,31 @@
+{ lib, stdenv, fetchgit }:
+
+stdenv.mkDerivation rec {
+  pname = "numad";
+  version = "0.5";
+
+  src = fetchgit {
+    url = "https://pagure.io/numad.git";
+    rev = "334278ff3d774d105939743436d7378a189e8693";
+    sha256 = "sha256-6nrbfooUI1ufJhsPf68li5584oKQcznXQlxfpStuX5I=";
+  };
+
+  hardeningDisable = [ "format" ];
+
+  patches = [
+    ./numad-linker-flags.patch
+  ];
+  postPatch = ''
+    substituteInPlace Makefile --replace "install -m" "install -Dm"
+  '';
+
+  makeFlags = [ "prefix=$(out)" ];
+
+  meta = with lib; {
+    description = "A user-level daemon that monitors NUMA topology and processes resource consumption to facilitate good NUMA resource access";
+    homepage = "https://fedoraproject.org/wiki/Features/numad";
+    license = licenses.lgpl21;
+    platforms = platforms.linux;
+    maintainers = with maintainers; [ ];
+  };
+}
diff --git a/nixpkgs/pkgs/os-specific/linux/numad/numad-linker-flags.patch b/nixpkgs/pkgs/os-specific/linux/numad/numad-linker-flags.patch
new file mode 100644
index 000000000000..97f3dc8b6cf7
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/numad/numad-linker-flags.patch
@@ -0,0 +1,33 @@
+From 9eb3cc5c51d846c8c8b750a4eb55545d7b5fea6c Mon Sep 17 00:00:00 2001
+From: Mike Frysinger <vapier@gentoo.org>
+Date: Wed, 23 Apr 2014 15:41:26 -0400
+Subject: [PATCH] use LDLIBS for linker flags
+
+When you put -lfoo into the dependency line of make, it forces it to
+search /lib and /usr/lib for files to link against.  This can cause
+problems when trying to cross-compile or build for different ABIs.
+Use the standard LDLIBS variable instead.
+
+URL: https://bugs.gentoo.org/505760
+Reported-by: Georgi Georgiev <chutzimir@gmail.com>
+Signed-off-by: Mike Frysinger <vapier@gentoo.org>
+---
+ Makefile | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/Makefile b/Makefile
+index f3838b4..f2e9a6e 100644
+--- a/Makefile
++++ b/Makefile
+@@ -31,7 +31,8 @@ docdir := ${prefix}/share/doc
+ 
+ all: numad
+ 
+-numad: numad.o -lpthread
++LDLIBS := -lpthread
++numad: numad.o
+ 
+ AR ?= ar
+ RANLIB ?= ranlib
+-- 
+1.9.2
diff --git a/nixpkgs/pkgs/os-specific/linux/numatop/default.nix b/nixpkgs/pkgs/os-specific/linux/numatop/default.nix
new file mode 100644
index 000000000000..f4995264b09e
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/numatop/default.nix
@@ -0,0 +1,44 @@
+{ lib, stdenv, fetchFromGitHub, fetchpatch, autoreconfHook, pkg-config, numactl, ncurses, check }:
+
+stdenv.mkDerivation rec {
+  pname = "numatop";
+  version = "2.2";
+  src = fetchFromGitHub {
+    owner = "intel";
+    repo = "numatop";
+    rev = "v${version}";
+    sha256 = "sha256-GJvTwqgx34ZW10eIJj/xiKe3ZkAfs7GlJImz8jrnjfI=";
+  };
+
+  nativeBuildInputs = [ autoreconfHook pkg-config ];
+  buildInputs = [ numactl ncurses ];
+  nativeCheckInputs = [ check ];
+
+  patches = [
+    (fetchpatch {
+      # https://github.com/intel/numatop/pull/54
+      url = "https://github.com/intel/numatop/compare/eab0ac5253c5843aa0f0ac36e2eec7612207711b...c1001fd926c24eae2d40729492e07270ce133b72.patch";
+      sha256 = "sha256-TbMLv7TT9T8wE4uJ1a/AroyPPwrwL0eX5IBLsh9GTTM=";
+      name = "fix-string-operations.patch";
+    })
+    (fetchpatch {
+      # https://github.com/intel/numatop/pull/64
+      url = "https://github.com/intel/numatop/commit/635e2ce2ccb1ac793cc276a7fcb8a92b1ffefa5d.patch";
+      sha256 = "sha256-IevbSFJRTS5iQ5apHOVXzF67f3LJaW6j7DySFmVuyiM=";
+      name = "fix-format-strings-mvwprintw.patch";
+    })
+  ];
+
+  doCheck  = true;
+
+  meta = with lib; {
+    description = "Tool for runtime memory locality characterization and analysis of processes and threads on a NUMA system";
+    homepage = "https://01.org/numatop";
+    license = licenses.bsd3;
+    maintainers = with maintainers; [ dtzWill ];
+    platforms = [
+      "i686-linux" "x86_64-linux"
+      "powerpc64-linux" "powerpc64le-linux"
+    ];
+  };
+}
diff --git a/nixpkgs/pkgs/os-specific/linux/numworks-udev-rules/50-numworks-calculator.rules b/nixpkgs/pkgs/os-specific/linux/numworks-udev-rules/50-numworks-calculator.rules
new file mode 100644
index 000000000000..ab07de99718b
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/numworks-udev-rules/50-numworks-calculator.rules
@@ -0,0 +1,2 @@
+SUBSYSTEM=="usb", ATTR{idVendor}=="0483", ATTR{idProduct}=="a291", TAG+="uaccess"
+SUBSYSTEM=="usb", ATTR{idVendor}=="0483", ATTR{idProduct}=="df11", TAG+="uaccess"
diff --git a/nixpkgs/pkgs/os-specific/linux/numworks-udev-rules/default.nix b/nixpkgs/pkgs/os-specific/linux/numworks-udev-rules/default.nix
new file mode 100644
index 000000000000..aae7507f50cd
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/numworks-udev-rules/default.nix
@@ -0,0 +1,21 @@
+{ lib, stdenv, fetchurl }:
+
+stdenv.mkDerivation rec {
+  pname = "numworks-udev-rules";
+  version = "unstable-2020-08-31";
+
+  udevRules = ./50-numworks-calculator.rules;
+  dontUnpack = true;
+
+  installPhase = ''
+    install -Dm 644 "${udevRules}" "$out/lib/udev/rules.d/50-numworks-calculator.rules"
+  '';
+
+  meta = with lib; {
+    description = "Udev rules for Numworks calculators";
+    homepage = "https://numworks.com";
+    license = licenses.gpl3Plus;
+    maintainers = with maintainers; [ shamilton ];
+    platforms = platforms.linux;
+  };
+}
diff --git a/nixpkgs/pkgs/os-specific/linux/numworks-udev-rules/update.sh b/nixpkgs/pkgs/os-specific/linux/numworks-udev-rules/update.sh
new file mode 100755
index 000000000000..3949f6fd8f41
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/numworks-udev-rules/update.sh
@@ -0,0 +1,3 @@
+#!/bin/sh
+
+wget -O 50-numworks-calculator.rules "https://workshop.numworks.com/files/drivers/linux/50-numworks-calculator.rules"
diff --git a/nixpkgs/pkgs/os-specific/linux/nvidia-x11/builder.sh b/nixpkgs/pkgs/os-specific/linux/nvidia-x11/builder.sh
new file mode 100755
index 000000000000..fbb116ab42ad
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/nvidia-x11/builder.sh
@@ -0,0 +1,219 @@
+if [ -e "$NIX_ATTRS_SH_FILE" ]; then . "$NIX_ATTRS_SH_FILE"; elif [ -f .attrs.sh ]; then . .attrs.sh; fi
+source $stdenv/setup
+
+unpackManually() {
+    skip=$(sed 's/^skip=//; t; d' $src)
+    tail -n +$skip $src | bsdtar xvf -
+    sourceRoot=.
+}
+
+
+unpackFile() {
+    sh $src -x || unpackManually
+}
+
+
+buildPhase() {
+    if [ -n "$bin" ]; then
+        # Create the module.
+        echo "Building linux driver against kernel: $kernel";
+        cd kernel
+        unset src # used by the nv makefile
+        make $makeFlags -j $NIX_BUILD_CORES module
+
+        cd ..
+    fi
+}
+
+
+installPhase() {
+    # Install libGL and friends.
+
+    # since version 391, 32bit libraries are bundled in the 32/ sub-directory
+    if [ "$i686bundled" = "1" ]; then
+        mkdir -p "$lib32/lib"
+        cp -prd 32/*.so.* "$lib32/lib/"
+        if [ -d 32/tls ]; then
+            cp -prd 32/tls "$lib32/lib/"
+        fi
+    fi
+
+    mkdir -p "$out/lib"
+    cp -prd *.so.* "$out/lib/"
+    if [ -d tls ]; then
+        cp -prd tls "$out/lib/"
+    fi
+
+    # Install systemd power management executables
+    if [ -e systemd/nvidia-sleep.sh ]; then
+        mv systemd/nvidia-sleep.sh ./
+    fi
+    if [ -e nvidia-sleep.sh ]; then
+        sed -E 's#(PATH=).*#\1"$PATH"#' nvidia-sleep.sh > nvidia-sleep.sh.fixed
+        install -Dm755 nvidia-sleep.sh.fixed $out/bin/nvidia-sleep.sh
+    fi
+
+    if [ -e systemd/system-sleep/nvidia ]; then
+        mv systemd/system-sleep/nvidia ./
+    fi
+    if [ -e nvidia ]; then
+        sed -E "s#/usr(/bin/nvidia-sleep.sh)#$out\\1#" nvidia > nvidia.fixed
+        install -Dm755 nvidia.fixed $out/lib/systemd/system-sleep/nvidia
+    fi
+
+    for i in $lib32 $out; do
+        rm -f $i/lib/lib{glx,nvidia-wfb}.so.* # handled separately
+        rm -f $i/lib/libnvidia-gtk* # built from source
+        rm -f $i/lib/libnvidia-wayland-client* # built from source
+        if [ "$useGLVND" = "1" ]; then
+            # Pre-built libglvnd
+            rm $i/lib/lib{GL,GLX,EGL,GLESv1_CM,GLESv2,OpenGL,GLdispatch}.so.*
+        fi
+        # Use ocl-icd instead
+        rm -f $i/lib/libOpenCL.so*
+        # Move VDPAU libraries to their place
+        mkdir $i/lib/vdpau
+        mv $i/lib/libvdpau* $i/lib/vdpau
+
+        # Install ICDs, make absolute paths.
+        # Be careful not to modify any original files because this runs twice.
+
+        # OpenCL
+        sed -E "s#(libnvidia-opencl)#$i/lib/\\1#" nvidia.icd > nvidia.icd.fixed
+        install -Dm644 nvidia.icd.fixed $i/etc/OpenCL/vendors/nvidia.icd
+
+        # Vulkan
+        if [ -e nvidia_icd.json.template ] || [ -e nvidia_icd.json ]; then
+            if [ -e nvidia_icd.json.template ]; then
+                # template patching for version < 435
+                sed "s#__NV_VK_ICD__#$i/lib/libGLX_nvidia.so#" nvidia_icd.json.template > nvidia_icd.json.fixed
+            else
+                sed -E "s#(libGLX_nvidia)#$i/lib/\\1#" nvidia_icd.json > nvidia_icd.json.fixed
+            fi
+
+            # nvidia currently only supports x86_64 and i686
+            if [ "$i" == "$lib32" ]; then
+                install -Dm644 nvidia_icd.json.fixed $i/share/vulkan/icd.d/nvidia_icd.i686.json
+            else
+                install -Dm644 nvidia_icd.json.fixed $i/share/vulkan/icd.d/nvidia_icd.x86_64.json
+            fi
+        fi
+
+        if [ -e nvidia_layers.json ]; then
+            sed -E "s#(libGLX_nvidia)#$i/lib/\\1#" nvidia_layers.json > nvidia_layers.json.fixed
+            install -Dm644 nvidia_layers.json.fixed $i/share/vulkan/implicit_layer.d/nvidia_layers.json
+        fi
+
+        # EGL
+        if [ "$useGLVND" = "1" ]; then
+            sed -E "s#(libEGL_nvidia)#$i/lib/\\1#" 10_nvidia.json > 10_nvidia.json.fixed
+            sed -E "s#(libnvidia-egl-wayland)#$i/lib/\\1#" 10_nvidia_wayland.json > 10_nvidia_wayland.json.fixed
+
+            install -Dm644 10_nvidia.json.fixed $i/share/glvnd/egl_vendor.d/10_nvidia.json
+            install -Dm644 10_nvidia_wayland.json.fixed $i/share/egl/egl_external_platform.d/10_nvidia_wayland.json
+
+            if [[ -f "15_nvidia_gbm.json" ]]; then
+              sed -E "s#(libnvidia-egl-gbm)#$i/lib/\\1#" 15_nvidia_gbm.json > 15_nvidia_gbm.json.fixed
+              install -Dm644 15_nvidia_gbm.json.fixed $i/share/egl/egl_external_platform.d/15_nvidia_gbm.json
+
+              mkdir -p $i/lib/gbm
+              ln -s $i/lib/libnvidia-allocator.so $i/lib/gbm/nvidia-drm_gbm.so
+            fi
+        fi
+
+        # Install libraries needed by Proton to support DLSS
+        if [ -e nvngx.dll ] && [ -e _nvngx.dll ]; then
+            install -Dm644 -t $i/lib/nvidia/wine/ nvngx.dll _nvngx.dll
+        fi
+    done
+
+
+    # OptiX tries loading `$ORIGIN/nvoptix.bin` first
+    if [ -e nvoptix.bin ]; then
+        install -Dm444 -t $out/lib/ nvoptix.bin
+    fi
+
+    if [ -n "$bin" ]; then
+        # Install the X drivers.
+        mkdir -p $bin/lib/xorg/modules
+        if [ -f libnvidia-wfb.so ]; then
+            cp -p libnvidia-wfb.* $bin/lib/xorg/modules/
+        fi
+        mkdir -p $bin/lib/xorg/modules/drivers
+        cp -p nvidia_drv.so $bin/lib/xorg/modules/drivers
+        mkdir -p $bin/lib/xorg/modules/extensions
+        cp -p libglx*.so* $bin/lib/xorg/modules/extensions
+
+        # Install the kernel module.
+        mkdir -p $bin/lib/modules/$kernelVersion/misc
+        for i in $(find ./kernel -name '*.ko'); do
+            nuke-refs $i
+            cp $i $bin/lib/modules/$kernelVersion/misc/
+        done
+
+        # Install application profiles.
+        if [ "$useProfiles" = "1" ]; then
+            mkdir -p $bin/share/nvidia
+            cp nvidia-application-profiles-*-rc $bin/share/nvidia/nvidia-application-profiles-rc
+            cp nvidia-application-profiles-*-key-documentation $bin/share/nvidia/nvidia-application-profiles-key-documentation
+        fi
+    fi
+
+    if [ -n "$firmware" ]; then
+        # Install the GSP firmware
+        install -Dm644 -t $firmware/lib/firmware/nvidia/$version firmware/gsp*.bin
+    fi
+
+    # All libs except GUI-only are installed now, so fixup them.
+    for libname in $(find "$out/lib/" $(test -n "$lib32" && echo "$lib32/lib/") $(test -n "$bin" && echo "$bin/lib/") -name '*.so.*')
+    do
+      # I'm lazy to differentiate needed libs per-library, as the closure is the same.
+      # Unfortunately --shrink-rpath would strip too much.
+      if [[ -n $lib32 && $libname == "$lib32/lib/"* ]]; then
+        patchelf --set-rpath "$lib32/lib:$libPath32" "$libname"
+      else
+        patchelf --set-rpath "$out/lib:$libPath" "$libname"
+      fi
+
+      libname_short=`echo -n "$libname" | sed 's/so\..*/so/'`
+
+      if [[ "$libname" != "$libname_short" ]]; then
+        ln -srnf "$libname" "$libname_short"
+      fi
+
+      if [[ $libname_short =~ libEGL.so || $libname_short =~ libEGL_nvidia.so || $libname_short =~ libGLX.so || $libname_short =~ libGLX_nvidia.so ]]; then
+          major=0
+      else
+          major=1
+      fi
+
+      if [[ "$libname" != "$libname_short.$major" ]]; then
+        ln -srnf "$libname" "$libname_short.$major"
+      fi
+    done
+
+    if [ -n "$bin" ]; then
+        # Install /share files.
+        mkdir -p $bin/share/man/man1
+        cp -p *.1.gz $bin/share/man/man1
+        rm -f $bin/share/man/man1/{nvidia-xconfig,nvidia-settings,nvidia-persistenced}.1.gz
+        if [ -e "nvidia-dbus.conf" ]; then
+            install -Dm644 nvidia-dbus.conf $bin/share/dbus-1/system.d/nvidia-dbus.conf
+        fi
+
+        # Install the programs.
+        for i in nvidia-cuda-mps-control nvidia-cuda-mps-server nvidia-smi nvidia-debugdump nvidia-powerd; do
+            if [ -e "$i" ]; then
+                install -Dm755 $i $bin/bin/$i
+                # unmodified binary backup for mounting in containers
+                install -Dm755 $i $bin/origBin/$i
+                patchelf --interpreter "$(cat $NIX_CC/nix-support/dynamic-linker)" \
+                    --set-rpath $out/lib:$libPath $bin/bin/$i
+            fi
+        done
+        # FIXME: needs PATH and other fixes
+        # install -Dm755 nvidia-bug-report.sh $bin/bin/nvidia-bug-report.sh
+    fi
+}
+
+genericBuild
diff --git a/nixpkgs/pkgs/os-specific/linux/nvidia-x11/default.nix b/nixpkgs/pkgs/os-specific/linux/nvidia-x11/default.nix
new file mode 100644
index 000000000000..7fec21a8237b
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/nvidia-x11/default.nix
@@ -0,0 +1,146 @@
+{ lib, callPackage, fetchFromGitHub, fetchurl, fetchpatch, stdenv, pkgsi686Linux }:
+
+let
+  generic = args: let
+    imported = import ./generic.nix args;
+  in callPackage imported {
+    lib32 = (pkgsi686Linux.callPackage imported {
+      libsOnly = true;
+      kernel = null;
+    }).out;
+  };
+
+  kernel = callPackage # a hacky way of extracting parameters from callPackage
+    ({ kernel, libsOnly ? false }: if libsOnly then { } else kernel) { };
+
+  selectHighestVersion = a: b: if lib.versionOlder a.version b.version
+    then b
+    else a;
+in
+rec {
+  mkDriver = generic;
+
+  # Official Unix Drivers - https://www.nvidia.com/en-us/drivers/unix/
+  # Branch/Maturity data - http://people.freedesktop.org/~aplattner/nvidia-versions.txt
+
+  # Policy: use the highest stable version as the default (on our master).
+  stable = if stdenv.hostPlatform.system == "i686-linux" then legacy_390 else latest;
+
+  production = generic {
+    version = "535.129.03";
+    sha256_64bit = "sha256-5tylYmomCMa7KgRs/LfBrzOLnpYafdkKwJu4oSb/AC4=";
+    sha256_aarch64 = "sha256-i6jZYUV6JBvN+Rt21v4vNstHPIu9sC+2ZQpiLOLoWzM=";
+    openSha256 = "sha256-/Hxod/LQ4CGZN1B1GRpgE/xgoYlkPpMh+n8L7tmxwjs=";
+    settingsSha256 = "sha256-QKN/gLGlT+/hAdYKlkIjZTgvubzQTt4/ki5Y+2Zj3pk=";
+    persistencedSha256 = "sha256-FRMqY5uAJzq3o+YdM2Mdjj8Df6/cuUUAnh52Ne4koME=";
+  };
+
+  latest = selectHighestVersion production (generic {
+    version = "545.29.02";
+    sha256_64bit = "sha256-RncPlaSjhvBFUCOzWdXSE3PAfRPCIrWAXyJMdLPKuIU=";
+    sha256_aarch64 = "sha256-Y2RDOuDtiIclr06gmLrPDfE5VFmFamXxiIIKtKAewro=";
+    openSha256 = "sha256-PukpOBtG5KvZKWYfJHVQO6SuToJUd/rkjpOlEi8pSmk=";
+    settingsSha256 = "sha256-zj173HCZJaxAbVV/A2sbJ9IPdT1+3yrwyxD+AQdkSD8=";
+    persistencedSha256 = "sha256-mmMi2pfwzI1WYOffMVdD0N1HfbswTGg7o57x9/IiyVU=";
+
+    patchFlags = [ "-p1" "-d" "kernel" ];
+    patches = [];
+  });
+
+  beta = selectHighestVersion latest (generic {
+    version = "545.23.06";
+    sha256_64bit = "sha256-QTnTKAGfcvKvKHik0BgAemV3PrRqRlM3B9jjZeupCC8=";
+    sha256_aarch64 = "sha256-qkVP6AiXNoRTqgqPvs/AfErEq8BTQw25rtJ6GS06JTM=";
+    openSha256 = "sha256-m7D5LZdhFCZYAIbhrgZ0pN2z19LsU3I3Q7qsKX7Z6mM=";
+    settingsSha256 = "sha256-+X6gDeU8Qlvprb05aB2quM55y0zEcBXtb65e3Rq9gKg=";
+    persistencedSha256 = "sha256-RQJAIwPqOUI5FB3uf0/Y4K/iwFfoLpU1/+BOK/KF5VA=";
+  });
+
+  # Vulkan developer beta driver
+  # See here for more information: https://developer.nvidia.com/vulkan-driver
+  vulkan_beta = generic rec {
+    version = "535.43.16";
+    persistencedVersion = "535.98";
+    settingsVersion = "535.98";
+    sha256_64bit = "sha256-c93CJSMPlGZgk+jhp9zTHCKSZ0LdnJu+ifLo+qMvIIk=";
+    openSha256 = "sha256-509KaBavGIOOpzdrdJuAR1PYq91Clwo8n+nhruxO1wM=";
+    settingsSha256 = "sha256-jCRfeB1w6/dA27gaz6t5/Qo7On0zbAPIi74LYLel34s=";
+    persistencedSha256 = "sha256-WviDU6B50YG8dO64CGvU3xK8WFUX8nvvVYm/fuGyroM=";
+    url = "https://developer.nvidia.com/downloads/vulkan-beta-${lib.concatStrings (lib.splitString "." version)}-linux";
+  };
+
+  # data center driver compatible with current default cudaPackages
+  dc = dc_520;
+  dc_520 = generic rec {
+    version = "520.61.05";
+    url = "https://us.download.nvidia.com/tesla/${version}/NVIDIA-Linux-x86_64-${version}.run";
+    sha256_64bit = "sha256-EPYWZwOur/6iN/otDMrNDpNXr1mzu8cIqQl8lXhQlzU==";
+    fabricmanagerSha256 = "sha256-o8Kbmkg7qczKQclaGvEyXNzEOWq9ZpQZn9syeffnEiE==";
+    useSettings = false;
+    usePersistenced = false;
+    useFabricmanager = true;
+  };
+
+  # Update note:
+  # If you add a legacy driver here, also update `top-level/linux-kernels.nix`,
+  # adding to the `nvidia_x11_legacy*` entries.
+
+  # Last one supporting Kepler architecture
+  legacy_470 = generic {
+    version = "470.223.02";
+    sha256_64bit = "sha256-s2hi1TNsw+br6Ow6tPiFsYPaJY8d+x4FrkBrP2xNRPg=";
+    sha256_aarch64 = "sha256-CFkg2ARlGWqlFQKm8SlbwMH6eLidHKA/q5QGVOpPGuU=";
+    settingsSha256 = "sha256-r6DuIH/rnsCm/y51iRgPNi5/kz+EFMVABREdTjBneZ0=";
+    persistencedSha256 = "sha256-e71fpPBBv8S/aoeXxBXkzKy5bsMMbv8y024cSLc8DYc=";
+
+    patchFlags = [ "-p1" "-d" "kernel" ];
+    patches = [];
+  };
+
+  # Last one supporting x86
+  legacy_390 = generic {
+    version = "390.157";
+    sha256_32bit = "sha256-VdZeCkU5qct5YgDF8Qgv4mP7CVHeqvlqnP/rioD3B5k=";
+    sha256_64bit = "sha256-W+u8puj+1da52BBw+541HxjtxTSVJVPL3HHo/QubMoo=";
+    settingsSha256 = "sha256-uJZO4ak/w/yeTQ9QdXJSiaURDLkevlI81de0q4PpFpw=";
+    persistencedSha256 = "sha256-NuqUQbVt80gYTXgIcu0crAORfsj9BCRooyH3Gp1y1ns=";
+
+    broken = kernel.kernelAtLeast "6.2";
+  };
+
+  legacy_340 = let
+    # Source cooresponding to https://aur.archlinux.org/packages/nvidia-340xx-dkms
+    aurPatches = fetchFromGitHub {
+      owner = "archlinux-jerry";
+      repo = "nvidia-340xx";
+      rev = "fa434fb5da47e9423db2b19577817eb8c65d2f4e";
+      hash = "sha256-KeMTYHGuZSAPGnYaERZSMu/4lWyB25ZCIv4nJhXxABY=";
+    };
+    patchset = [
+      "0001-kernel-5.7.patch"
+      "0002-kernel-5.8.patch"
+      "0003-kernel-5.9.patch"
+      "0004-kernel-5.10.patch"
+      "0005-kernel-5.11.patch"
+      "0006-kernel-5.14.patch"
+      "0007-kernel-5.15.patch"
+      "0008-kernel-5.16.patch"
+      "0009-kernel-5.17.patch"
+      "0010-kernel-5.18.patch"
+      "0011-kernel-6.0.patch"
+      "0012-kernel-6.2.patch"
+      "0013-kernel-6.3.patch"
+      "0014-kernel-6.5.patch"
+    ];
+  in generic {
+    version = "340.108";
+    sha256_32bit = "1jkwa1phf0x4sgw8pvr9d6krmmr3wkgwyygrxhdazwyr2bbalci0";
+    sha256_64bit = "06xp6c0sa7v1b82gf0pq0i5p0vdhmm3v964v0ypw36y0nzqx8wf6";
+    settingsSha256 = "0zm29jcf0mp1nykcravnzb5isypm8l8mg2gpsvwxipb7nk1ivy34";
+    persistencedSha256 = "1ax4xn3nmxg1y6immq933cqzw6cj04x93saiasdc0kjlv0pvvnkn";
+    useGLVND = false;
+
+    broken = kernel.kernelAtLeast "6.6";
+    patches = map (patch: "${aurPatches}/${patch}") patchset;
+  };
+}
diff --git a/nixpkgs/pkgs/os-specific/linux/nvidia-x11/fabricmanager.nix b/nixpkgs/pkgs/os-specific/linux/nvidia-x11/fabricmanager.nix
new file mode 100644
index 000000000000..58cf8c0e3557
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/nvidia-x11/fabricmanager.nix
@@ -0,0 +1,47 @@
+nvidia_x11: sha256:
+
+{ stdenv, lib, fetchurl, patchelf }:
+
+let
+  sys = with lib; concatStringsSep "-" (reverseList (splitString "-" stdenv.system));
+  bsys = builtins.replaceStrings ["_"] ["-"] sys;
+  fmver = nvidia_x11.version;
+in
+
+stdenv.mkDerivation rec {
+  pname = "fabricmanager";
+  version = fmver;
+  src = fetchurl {
+    url = "https://developer.download.nvidia.com/compute/cuda/redist/fabricmanager/" +
+          "${sys}/${pname}-${sys}-${fmver}-archive.tar.xz";
+    inherit sha256;
+  };
+  phases = [ "unpackPhase" "installPhase" ];
+
+  installPhase = ''
+    find .
+    mkdir -p $out/{bin,share/nvidia-fabricmanager}
+    for bin in nv{-fabricmanager,switch-audit};do
+    ${patchelf}/bin/patchelf \
+      --set-interpreter ${stdenv.cc.libc}/lib/ld-${bsys}.so.2 \
+      --set-rpath ${lib.makeLibraryPath [ stdenv.cc.libc ]} \
+      bin/$bin
+    done
+    mv bin/nv{-fabricmanager,switch-audit} $out/bin/.
+    for d in etc systemd share/nvidia;do
+      mv $d $out/share/nvidia-fabricmanager/.
+    done
+    for d in include lib;do
+      mv $d $out/.
+    done
+  '';
+
+  meta = with lib; {
+    homepage = "https://www.nvidia.com/object/unix.html";
+    description = "Fabricmanager daemon for NVLink intialization and control";
+    license = licenses.unfreeRedistributable;
+    platforms = nvidia_x11.meta.platforms;
+    mainProgram = "nv-fabricmanager";
+    maintainers = with maintainers; [ edwtjo ];
+  };
+}
diff --git a/nixpkgs/pkgs/os-specific/linux/nvidia-x11/generic.nix b/nixpkgs/pkgs/os-specific/linux/nvidia-x11/generic.nix
new file mode 100644
index 000000000000..8ec292f27251
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/nvidia-x11/generic.nix
@@ -0,0 +1,194 @@
+{ version
+, url ? null
+, sha256_32bit ? null
+, sha256_64bit
+, sha256_aarch64 ? null
+, openSha256 ? null
+, settingsSha256 ? null
+, settingsVersion ? version
+, persistencedSha256 ? null
+, persistencedVersion ? version
+, fabricmanagerSha256 ? null
+, fabricmanagerVersion ? version
+, useGLVND ? true
+, useProfiles ? true
+, preferGtk2 ? false
+, settings32Bit ? false
+, useSettings ? true
+, usePersistenced ? true
+, useFabricmanager ? false
+, ibtSupport ? false
+
+, prePatch ? ""
+, postPatch ? null
+, patchFlags ? null
+, patches ? []
+, broken ? false
+, brokenOpen ? broken
+}@args:
+
+{ lib, stdenv, callPackage, pkgs, pkgsi686Linux, fetchurl
+, kernel ? null, perl, nukeReferences, which, libarchive
+, # Whether to build the libraries only (i.e. not the kernel module or
+  # nvidia-settings).  Used to support 32-bit binaries on 64-bit
+  # Linux.
+  libsOnly ? false
+, # don't include the bundled 32-bit libraries on 64-bit platforms,
+  # even if it’s in downloaded binary
+  disable32Bit ? stdenv.hostPlatform.system == "aarch64-linux"
+  # 32 bit libs only version of this package
+, lib32 ? null
+  # Whether to extract the GSP firmware, datacenter drivers needs to extract the
+  # firmware
+, firmware ? openSha256 != null || useFabricmanager
+  # Whether the user accepts the NVIDIA Software License
+, config, acceptLicense ? config.nvidia.acceptLicense or false
+}:
+
+with lib;
+
+assert !libsOnly -> kernel != null;
+assert versionOlder version "391" -> sha256_32bit != null;
+assert useSettings -> settingsSha256 != null;
+assert usePersistenced -> persistencedSha256 != null;
+assert useFabricmanager -> fabricmanagerSha256 != null;
+assert useFabricmanager -> !(useSettings || usePersistenced);
+
+let
+  nameSuffix = optionalString (!libsOnly) "-${kernel.version}";
+  pkgSuffix = optionalString (versionOlder version "304") "-pkg0";
+  i686bundled = versionAtLeast version "391" && !disable32Bit;
+
+  libPathFor = pkgs: lib.makeLibraryPath (with pkgs; [
+    libdrm xorg.libXext xorg.libX11
+    xorg.libXv xorg.libXrandr xorg.libxcb zlib stdenv.cc.cc
+    wayland mesa libGL openssl
+    dbus # for nvidia-powerd
+  ]);
+
+  # maybe silly since we've ignored this previously and just unfree..
+  throwLicense = throw ''
+    Use of NVIDIA Software requires license acceptance of the license:
+
+      - License For Customer Use of NVIDIA Software [1]
+
+    You can express acceptance by setting acceptLicense to true your nixpkgs.config.
+    Example:
+
+      configuration.nix:
+        nixpkgs.config.allowUnfree = true;
+        nixpkgs.config.nvidia.acceptLicense = true;
+
+      config.nix:
+        allowUnfree = true;
+        nvidia.acceptLicense = true;
+
+    [1]: https://www.nvidia.com/content/DriverDownloads/licence.php?lang=us
+  '';
+
+  self = stdenv.mkDerivation {
+    name = "nvidia-${if useFabricmanager then "dc" else "x11"}-${version}${nameSuffix}";
+
+    builder = ./builder.sh;
+
+    src =
+      if !acceptLicense && (openSha256 == null) then throwLicense else
+      if stdenv.hostPlatform.system == "x86_64-linux" then
+        fetchurl {
+          urls = if args ? url then [ args.url ] else [
+            "https://us.download.nvidia.com/XFree86/Linux-x86_64/${version}/NVIDIA-Linux-x86_64-${version}${pkgSuffix}.run"
+            "https://download.nvidia.com/XFree86/Linux-x86_64/${version}/NVIDIA-Linux-x86_64-${version}${pkgSuffix}.run"
+          ];
+          sha256 = sha256_64bit;
+        }
+      else if stdenv.hostPlatform.system == "i686-linux" then
+        fetchurl {
+          urls = if args ? url then [ args.url ] else [
+            "https://us.download.nvidia.com/XFree86/Linux-x86/${version}/NVIDIA-Linux-x86-${version}${pkgSuffix}.run"
+            "https://download.nvidia.com/XFree86/Linux-x86/${version}/NVIDIA-Linux-x86-${version}${pkgSuffix}.run"
+          ];
+          sha256 = sha256_32bit;
+        }
+      else if stdenv.hostPlatform.system == "aarch64-linux" && sha256_aarch64 != null then
+        fetchurl {
+          urls = if args ? url then [ args.url ] else [
+            "https://us.download.nvidia.com/XFree86/aarch64/${version}/NVIDIA-Linux-aarch64-${version}${pkgSuffix}.run"
+            "https://download.nvidia.com/XFree86/Linux-aarch64/${version}/NVIDIA-Linux-aarch64-${version}${pkgSuffix}.run"
+          ];
+          sha256 = sha256_aarch64;
+        }
+      else throw "nvidia-x11 does not support platform ${stdenv.hostPlatform.system}";
+
+    patches = if libsOnly then null else patches;
+    inherit prePatch postPatch patchFlags;
+    inherit version useGLVND useProfiles;
+    inherit (stdenv.hostPlatform) system;
+    inherit i686bundled;
+
+    outputs = [ "out" ]
+        ++ optional i686bundled "lib32"
+        ++ optional (!libsOnly) "bin"
+        ++ optional (!libsOnly && firmware) "firmware";
+    outputDev = if libsOnly then null else "bin";
+
+    kernel = if libsOnly then null else kernel.dev;
+    kernelVersion = if libsOnly then null else kernel.modDirVersion;
+
+    makeFlags = optionals (!libsOnly) (kernel.makeFlags ++ [
+      "IGNORE_PREEMPT_RT_PRESENCE=1"
+      "NV_BUILD_SUPPORTS_HMM=1"
+      "SYSSRC=${kernel.dev}/lib/modules/${kernel.modDirVersion}/source"
+      "SYSOUT=${kernel.dev}/lib/modules/${kernel.modDirVersion}/build"
+    ]);
+
+    hardeningDisable = [ "pic" "format" ];
+
+    dontStrip = true;
+    dontPatchELF = true;
+
+    libPath = libPathFor pkgs;
+    libPath32 = optionalString i686bundled (libPathFor pkgsi686Linux);
+
+    nativeBuildInputs = [ perl nukeReferences which libarchive ]
+      ++ optionals (!libsOnly) kernel.moduleBuildDependencies;
+
+    disallowedReferences = optionals (!libsOnly) [ kernel.dev ];
+
+    passthru = {
+      open = mapNullable (hash: callPackage ./open.nix {
+        inherit hash;
+        nvidia_x11 = self;
+        broken = brokenOpen;
+      }) openSha256;
+      settings = if useSettings then
+        (if settings32Bit then pkgsi686Linux.callPackage else callPackage) (import ./settings.nix self settingsSha256) {
+          withGtk2 = preferGtk2;
+          withGtk3 = !preferGtk2;
+        } else {};
+      persistenced = if usePersistenced then
+        mapNullable (hash: callPackage (import ./persistenced.nix self hash) { }) persistencedSha256
+      else {};
+      fabricmanager = if useFabricmanager then
+        mapNullable (hash: callPackage (import ./fabricmanager.nix self hash) { }) fabricmanagerSha256
+      else {};
+      inherit persistencedVersion settingsVersion;
+      compressFirmware = false;
+      ibtSupport = ibtSupport || (lib.versionAtLeast version "530");
+    } // optionalAttrs (!i686bundled) {
+      inherit lib32;
+    };
+
+    meta = with lib; {
+      homepage = "https://www.nvidia.com/object/unix.html";
+      description = "${if useFabricmanager then "Data Center" else "X.org"} driver and kernel module for NVIDIA cards";
+      license = licenses.unfreeRedistributable;
+      platforms = [ "x86_64-linux" ]
+        ++ optionals (sha256_32bit != null) [ "i686-linux" ]
+        ++ optionals (sha256_aarch64 != null) [ "aarch64-linux" ];
+      maintainers = with maintainers; [ jonringer kiskae edwtjo ];
+      priority = 4; # resolves collision with xorg-server's "lib/xorg/modules/extensions/libglx.so"
+      inherit broken;
+    };
+  };
+
+in self
diff --git a/nixpkgs/pkgs/os-specific/linux/nvidia-x11/open.nix b/nixpkgs/pkgs/os-specific/linux/nvidia-x11/open.nix
new file mode 100644
index 000000000000..a6795c3fd5e7
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/nvidia-x11/open.nix
@@ -0,0 +1,46 @@
+{ stdenv
+, lib
+, fetchFromGitHub
+, kernel
+, nvidia_x11
+, hash
+, broken ? false
+}:
+
+stdenv.mkDerivation ({
+  pname = "nvidia-open";
+  version = "${kernel.version}-${nvidia_x11.version}";
+
+  src = fetchFromGitHub {
+    owner = "NVIDIA";
+    repo = "open-gpu-kernel-modules";
+    rev = nvidia_x11.version;
+    inherit hash;
+  };
+
+  nativeBuildInputs = kernel.moduleBuildDependencies;
+
+  makeFlags = kernel.makeFlags ++ [
+    "SYSSRC=${kernel.dev}/lib/modules/${kernel.modDirVersion}/source"
+    "SYSOUT=${kernel.dev}/lib/modules/${kernel.modDirVersion}/build"
+    "MODLIB=$(out)/lib/modules/${kernel.modDirVersion}"
+    {
+      aarch64-linux = "TARGET_ARCH=aarch64";
+      x86_64-linux = "TARGET_ARCH=x86_64";
+    }.${stdenv.hostPlatform.system}
+  ];
+
+  installTargets = [ "modules_install" ];
+  enableParallelBuilding = true;
+
+  meta = with lib; {
+    description = "NVIDIA Linux Open GPU Kernel Module";
+    homepage = "https://github.com/NVIDIA/open-gpu-kernel-modules";
+    license = with licenses; [ gpl2Plus mit ];
+    platforms = [ "x86_64-linux" "aarch64-linux" ];
+    maintainers = with maintainers; [ nickcao ];
+    inherit broken;
+  };
+} // lib.optionalAttrs stdenv.hostPlatform.isAarch64 {
+  env.NIX_CFLAGS_COMPILE = "-fno-stack-protector";
+})
diff --git a/nixpkgs/pkgs/os-specific/linux/nvidia-x11/persistenced.nix b/nixpkgs/pkgs/os-specific/linux/nvidia-x11/persistenced.nix
new file mode 100644
index 000000000000..03ad03a472d4
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/nvidia-x11/persistenced.nix
@@ -0,0 +1,49 @@
+nvidia_x11: sha256:
+
+{ stdenv
+, lib
+, fetchFromGitHub
+, m4
+, libtirpc
+}:
+
+stdenv.mkDerivation rec {
+  pname = "nvidia-persistenced";
+  version = nvidia_x11.persistencedVersion;
+
+  src = fetchFromGitHub {
+    owner = "NVIDIA";
+    repo = "nvidia-persistenced";
+    rev = nvidia_x11.persistencedVersion;
+    inherit sha256;
+  };
+
+  nativeBuildInputs = [ m4 ];
+  buildInputs = [ libtirpc ];
+
+  inherit (nvidia_x11) makeFlags;
+
+  installFlags = [ "PREFIX=$(out)" ];
+
+  postFixup = ''
+    # Save a copy of persistenced for mounting in containers
+    mkdir $out/origBin
+    cp $out/{bin,origBin}/nvidia-persistenced
+    patchelf --set-interpreter /lib64/ld-linux-x86-64.so.2 $out/origBin/nvidia-persistenced
+
+    patchelf --set-rpath "$(patchelf --print-rpath $out/bin/nvidia-persistenced):${nvidia_x11}/lib" \
+      $out/bin/nvidia-persistenced
+  '';
+
+  env.NIX_CFLAGS_COMPILE = toString [ "-I${libtirpc.dev}/include/tirpc" ];
+  NIX_LDFLAGS = [ "-ltirpc" ];
+
+  meta = with lib; {
+    homepage = "https://www.nvidia.com/object/unix.html";
+    description = "Settings application for NVIDIA graphics cards";
+    license = licenses.unfreeRedistributable;
+    platforms = nvidia_x11.meta.platforms;
+    maintainers = with maintainers; [ abbradar ];
+    mainProgram = pname;
+  };
+}
diff --git a/nixpkgs/pkgs/os-specific/linux/nvidia-x11/settings.nix b/nixpkgs/pkgs/os-specific/linux/nvidia-x11/settings.nix
new file mode 100644
index 000000000000..b11dc06c85eb
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/nvidia-x11/settings.nix
@@ -0,0 +1,143 @@
+nvidia_x11: sha256:
+
+{ stdenv
+, lib
+, fetchFromGitHub
+, fetchpatch
+, pkg-config
+, m4
+, jansson
+, gtk2
+, dbus
+, gtk3
+, libXv
+, libXrandr
+, libXext
+, libXxf86vm
+, libvdpau
+, librsvg
+, wrapGAppsHook
+, addOpenGLRunpath
+, withGtk2 ? false
+, withGtk3 ? true
+}:
+
+let
+  src = fetchFromGitHub {
+    owner = "NVIDIA";
+    repo = "nvidia-settings";
+    rev = nvidia_x11.settingsVersion;
+    inherit sha256;
+  };
+
+  libXNVCtrl = stdenv.mkDerivation {
+    pname = "libXNVCtrl";
+    version = nvidia_x11.settingsVersion;
+    inherit src;
+
+    buildInputs = [ libXrandr libXext ];
+
+    preBuild = ''
+      cd src/libXNVCtrl
+    '';
+
+    makeFlags = [
+      "OUTPUTDIR=." # src/libXNVCtrl
+    ];
+
+    installPhase = ''
+      mkdir -p $out/lib
+      mkdir -p $out/include/NVCtrl
+
+      cp libXNVCtrl.a $out/lib
+      cp NVCtrl.h     $out/include/NVCtrl
+      cp NVCtrlLib.h  $out/include/NVCtrl
+    '';
+  };
+
+in
+
+stdenv.mkDerivation {
+  pname = "nvidia-settings";
+  version = nvidia_x11.settingsVersion;
+
+  inherit src;
+
+  patches = lib.optional (lib.versionOlder nvidia_x11.settingsVersion "440")
+    (fetchpatch {
+      # fixes "multiple definition of `VDPAUDeviceFunctions'" linking errors
+      url = "https://github.com/NVIDIA/nvidia-settings/commit/a7c1f5fce6303a643fadff7d85d59934bd0cf6b6.patch";
+      hash = "sha256-ZwF3dRTYt/hO8ELg9weoz1U/XcU93qiJL2d1aq1Jlak=";
+    })
+  ++ lib.optional
+    ((lib.versionAtLeast nvidia_x11.settingsVersion "515.43.04")
+      && (lib.versionOlder nvidia_x11.settingsVersion "545.29"))
+    (fetchpatch {
+      # fix wayland support for compositors that use wl_output version 4
+      url = "https://github.com/NVIDIA/nvidia-settings/pull/99/commits/2e0575197e2b3247deafd2a48f45afc038939a06.patch";
+      hash = "sha256-wKuO5CUTUuwYvsP46Pz+6fI0yxLNpZv8qlbL0TFkEFE=";
+    });
+
+  postPatch = lib.optionalString nvidia_x11.useProfiles ''
+    sed -i 's,/usr/share/nvidia/,${nvidia_x11.bin}/share/nvidia/,g' src/gtk+-2.x/ctkappprofile.c
+  '';
+
+  enableParallelBuilding = true;
+  makeFlags = [ "NV_USE_BUNDLED_LIBJANSSON=0" ];
+
+  preBuild = ''
+    if [ -e src/libXNVCtrl/libXNVCtrl.a ]; then
+      ( cd src/libXNVCtrl
+        make $makeFlags
+      )
+    fi
+  '';
+
+  nativeBuildInputs = [ pkg-config m4 addOpenGLRunpath ];
+
+  buildInputs = [ jansson libXv libXrandr libXext libXxf86vm libvdpau nvidia_x11 gtk2 dbus ]
+    ++ lib.optionals withGtk3 [ gtk3 librsvg wrapGAppsHook ];
+
+  installFlags = [ "PREFIX=$(out)" ];
+
+  postInstall = ''
+    ${lib.optionalString (!withGtk2) ''
+      rm -f $out/lib/libnvidia-gtk2.so.*
+    ''}
+    ${lib.optionalString (!withGtk3) ''
+      rm -f $out/lib/libnvidia-gtk3.so.*
+    ''}
+
+    # Install the desktop file and icon.
+    # The template has substitution variables intended to be replaced resulting
+    # in absolute paths. Because absolute paths break after the desktop file is
+    # copied by a desktop environment, make Exec and Icon be just a name.
+    sed -i doc/nvidia-settings.desktop \
+      -e "s|^Exec=.*$|Exec=nvidia-settings|" \
+      -e "s|^Icon=.*$|Icon=nvidia-settings|" \
+      -e "s|__NVIDIA_SETTINGS_DESKTOP_CATEGORIES__|Settings|g"
+    install doc/nvidia-settings.desktop -D -t $out/share/applications/
+    install doc/nvidia-settings.png -D -t $out/share/icons/hicolor/128x128/apps/
+  '';
+
+  binaryName = if withGtk3 then ".nvidia-settings-wrapped" else "nvidia-settings";
+  postFixup = ''
+    patchelf --set-rpath "$(patchelf --print-rpath $out/bin/$binaryName):$out/lib:${libXv}/lib" \
+      $out/bin/$binaryName
+
+    addOpenGLRunpath $out/bin/$binaryName
+  '';
+
+  passthru = {
+    inherit libXNVCtrl;
+  };
+
+  meta = with lib; {
+    homepage = "https://www.nvidia.com/object/unix.html";
+    description = "Settings application for NVIDIA graphics cards";
+    license = licenses.unfreeRedistributable;
+    platforms = nvidia_x11.meta.platforms;
+    mainProgram = "nvidia-settings";
+    maintainers = with maintainers; [ abbradar ];
+  };
+}
diff --git a/nixpkgs/pkgs/os-specific/linux/nvidiabl/default.nix b/nixpkgs/pkgs/os-specific/linux/nvidiabl/default.nix
new file mode 100644
index 000000000000..0f4d485a4edc
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/nvidiabl/default.nix
@@ -0,0 +1,37 @@
+{ lib, stdenv, fetchFromGitHub, kernel }:
+
+stdenv.mkDerivation rec {
+  name = "nvidiabl-${version}-${kernel.version}";
+  version = "2020-10-01";
+
+  # We use a fork which adds support for newer kernels -- upstream has been abandoned.
+  src = fetchFromGitHub {
+    owner = "yorickvP";
+    repo = "nvidiabl";
+    rev = "9e21bdcb7efedf29450373a2e9ff2913d1b5e3ab";
+    sha256 = "1z57gbnayjid2jv782rpfpp13qdchmbr1vr35g995jfnj624nlgy";
+  };
+
+  hardeningDisable = [ "pic" ];
+
+  nativeBuildInputs = kernel.moduleBuildDependencies;
+
+  preConfigure = ''
+    sed -i 's|/sbin/depmod|#/sbin/depmod|' Makefile
+  '';
+
+  makeFlags = [
+    "KDIR=${kernel.dev}/lib/modules/${kernel.modDirVersion}/build"
+    "DESTDIR=$(out)"
+    "KVER=${kernel.modDirVersion}"
+  ];
+
+  meta = with lib; {
+    description = "Linux driver for setting the backlight brightness on laptops using NVIDIA GPU";
+    homepage = "https://github.com/yorickvP/nvidiabl";
+    license = licenses.gpl2;
+    platforms = [ "x86_64-linux" "i686-linux" ];
+    maintainers = with maintainers; [ yorickvp ];
+    broken = kernel.kernelAtLeast "5.18";
+  };
+}
diff --git a/nixpkgs/pkgs/os-specific/linux/nvme-cli/default.nix b/nixpkgs/pkgs/os-specific/linux/nvme-cli/default.nix
new file mode 100644
index 000000000000..e0d0372fd6ff
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/nvme-cli/default.nix
@@ -0,0 +1,56 @@
+{ lib, stdenv, fetchFromGitHub, pkg-config
+, meson
+, ninja
+, libnvme
+, json_c
+, zlib
+, libhugetlbfs
+, python3Packages
+}:
+
+stdenv.mkDerivation rec {
+  pname = "nvme-cli";
+  version = "2.6";
+
+  src = fetchFromGitHub {
+    owner = "linux-nvme";
+    repo = "nvme-cli";
+    rev = "v${version}";
+    hash = "sha256-MFyBkwTNOBQdHWj7In1OquRIAsjsd4/DHYfUyFA9YDQ=";
+  };
+
+  mesonFlags = [
+    "-Dversion-tag=${version}"
+  ];
+
+  nativeBuildInputs = [
+    meson
+    ninja
+    pkg-config
+    python3Packages.nose2
+  ];
+  buildInputs = [
+    libnvme
+    json_c
+    zlib
+  ] ++ lib.optionals (lib.meta.availableOn stdenv.hostPlatform libhugetlbfs) [
+    libhugetlbfs
+  ];
+
+  meta = with lib; {
+    inherit (src.meta) homepage; # https://nvmexpress.org/
+    description = "NVM-Express user space tooling for Linux";
+    longDescription = ''
+      NVM-Express is a fast, scalable host controller interface designed to
+      address the needs for not only PCI Express based solid state drives, but
+      also NVMe-oF(over fabrics).
+      This nvme program is a user space utility to provide standards compliant
+      tooling for NVM-Express drives. It was made specifically for Linux as it
+      relies on the IOCTLs defined by the mainline kernel driver.
+    '';
+    license = licenses.gpl2Plus;
+    platforms = platforms.linux;
+    maintainers = with maintainers; [ mic92 vifino ];
+    mainProgram = "nvme";
+  };
+}
diff --git a/nixpkgs/pkgs/os-specific/linux/nvmet-cli/default.nix b/nixpkgs/pkgs/os-specific/linux/nvmet-cli/default.nix
new file mode 100644
index 000000000000..4196efeae672
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/nvmet-cli/default.nix
@@ -0,0 +1,25 @@
+{ lib, python3Packages, fetchurl }:
+
+python3Packages.buildPythonApplication rec {
+  pname = "nvmet-cli";
+  version = "0.7";
+
+  src = fetchurl {
+    url = "ftp://ftp.infradead.org/pub/nvmetcli/nvmetcli-${version}.tar.gz";
+    sha256 = "051y1b9w46azy35118154c353v3mhjkdzh6h59brdgn5054hayj2";
+  };
+
+  buildInputs = with python3Packages; [ nose2 ];
+
+  propagatedBuildInputs = with python3Packages; [ configshell ];
+
+  # This package requires the `nvmet` kernel module to be loaded for tests.
+  doCheck = false;
+
+  meta = with lib; {
+    description = "NVMe target CLI";
+    license = licenses.asl20;
+    platforms = platforms.linux;
+    maintainers = with maintainers; [ hoverbear ];
+  };
+}
diff --git a/nixpkgs/pkgs/os-specific/linux/ocf-resource-agents/default.nix b/nixpkgs/pkgs/os-specific/linux/ocf-resource-agents/default.nix
new file mode 100644
index 000000000000..11f094f72c9d
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/ocf-resource-agents/default.nix
@@ -0,0 +1,68 @@
+# This combines together OCF definitions from other derivations.
+# https://github.com/ClusterLabs/resource-agents/blob/master/doc/dev-guides/ra-dev-guide.asc
+{ stdenv
+, lib
+, runCommand
+, lndir
+, fetchFromGitHub
+, autoreconfHook
+, pkg-config
+, python3
+, glib
+, drbd
+, pacemaker
+}:
+
+let
+  drbdForOCF = drbd.override {
+    forOCF = true;
+  };
+  pacemakerForOCF = pacemaker.override {
+    forOCF = true;
+  };
+
+  resource-agentsForOCF = stdenv.mkDerivation rec {
+    pname = "resource-agents";
+    version = "4.10.0";
+
+    src = fetchFromGitHub {
+      owner = "ClusterLabs";
+      repo = pname;
+      rev = "v${version}";
+      sha256 = "0haryi3yrszdfpqnkfnppxj1yiy6ipah6m80snvayc7v0ss0wnir";
+    };
+
+    nativeBuildInputs = [
+      autoreconfHook
+      pkg-config
+    ];
+
+    buildInputs = [
+      glib
+      python3
+    ];
+
+    env.NIX_CFLAGS_COMPILE = toString (lib.optionals (stdenv.cc.isGNU && lib.versionAtLeast stdenv.cc.version "12") [
+      # Needed with GCC 12 but breaks on darwin (with clang) or older gcc
+      "-Wno-error=maybe-uninitialized"
+    ]);
+
+    meta = with lib; {
+      homepage = "https://github.com/ClusterLabs/resource-agents";
+      description = "Combined repository of OCF agents from the RHCS and Linux-HA projects";
+      license = licenses.gpl2Plus;
+      platforms = platforms.linux;
+      maintainers = with maintainers; [ ryantm astro ];
+    };
+  };
+
+in
+
+# This combines together OCF definitions from other derivations.
+# https://github.com/ClusterLabs/resource-agents/blob/master/doc/dev-guides/ra-dev-guide.asc
+runCommand "ocf-resource-agents" {} ''
+  mkdir -p $out/usr/lib/ocf
+  ${lndir}/bin/lndir -silent "${resource-agentsForOCF}/lib/ocf/" $out/usr/lib/ocf
+  ${lndir}/bin/lndir -silent "${drbdForOCF}/usr/lib/ocf/" $out/usr/lib/ocf
+  ${lndir}/bin/lndir -silent "${pacemakerForOCF}/usr/lib/ocf/" $out/usr/lib/ocf
+''
diff --git a/nixpkgs/pkgs/os-specific/linux/oci-seccomp-bpf-hook/default.nix b/nixpkgs/pkgs/os-specific/linux/oci-seccomp-bpf-hook/default.nix
new file mode 100644
index 000000000000..61a27bd51f02
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/oci-seccomp-bpf-hook/default.nix
@@ -0,0 +1,60 @@
+{ lib
+, buildGoModule
+, fetchFromGitHub
+, go-md2man
+, installShellFiles
+, pkg-config
+, bcc
+, libseccomp
+}:
+
+buildGoModule rec {
+  pname = "oci-seccomp-bpf-hook";
+  version = "1.2.10";
+  src = fetchFromGitHub {
+    owner = "containers";
+    repo = "oci-seccomp-bpf-hook";
+    rev = "v${version}";
+    sha256 = "sha256-bWlm+JYNf7+faKSQfW5fhxoH/D2I8ujjakswH+1r49o=";
+  };
+  vendorHash = null;
+
+  outputs = [ "out" "man" ];
+  nativeBuildInputs = [
+    go-md2man
+    installShellFiles
+    pkg-config
+  ];
+  buildInputs = [
+    bcc
+    libseccomp
+  ];
+
+  checkPhase = ''
+    go test -v ./...
+  '';
+
+  buildPhase = ''
+    make
+  '';
+
+  postBuild = ''
+    substituteInPlace oci-seccomp-bpf-hook.json --replace HOOK_BIN_DIR "$out/bin"
+  '';
+
+  installPhase = ''
+    install -Dm755 bin/* -t $out/bin
+    install -Dm644 oci-seccomp-bpf-hook.json -t $out
+    installManPage docs/*.[1-9]
+  '';
+
+  meta = with lib; {
+    homepage = "https://github.com/containers/oci-seccomp-bpf-hook";
+    description = ''
+      OCI hook to trace syscalls and generate a seccomp profile
+    '';
+    license = licenses.asl20;
+    maintainers = with maintainers; [ saschagrunert ];
+    platforms = platforms.linux;
+  };
+}
diff --git a/nixpkgs/pkgs/os-specific/linux/oddjob/default.nix b/nixpkgs/pkgs/os-specific/linux/oddjob/default.nix
new file mode 100644
index 000000000000..bcbea9086488
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/oddjob/default.nix
@@ -0,0 +1,60 @@
+{ lib
+, fetchurl
+, stdenv
+, autoreconfHook
+, dbus
+, libxml2
+, pam
+, pkg-config
+, systemd
+}:
+
+stdenv.mkDerivation rec {
+  pname = "oddjob";
+  version = "0.34.7";
+
+  src = fetchurl {
+     url = "https://pagure.io/oddjob/archive/${pname}-${version}/oddjob-${pname}-${version}.tar.gz";
+     hash = "sha256-SUOsMH55HtEsk5rX0CXK0apDObTj738FGOaL5xZRnIM=";
+  };
+
+  nativeBuildInputs = [
+    autoreconfHook
+    pkg-config
+  ];
+
+  buildInputs =[
+    libxml2
+    dbus
+    pam
+    systemd
+  ];
+
+  postPatch = ''
+    substituteInPlace configure.ac \
+      --replace 'SYSTEMDSYSTEMUNITDIR=`pkg-config --variable=systemdsystemunitdir systemd 2> /dev/null`' "SYSTEMDSYSTEMUNITDIR=${placeholder "out"}" \
+      --replace 'SYSTEMDSYSTEMUNITDIR=`pkg-config --variable=systemdsystemunitdir systemd`' "SYSTEMDSYSTEMUNITDIR=${placeholder "out"}"
+  '';
+
+  configureFlags = [
+    "--prefix=${placeholder "out"}"
+    "--sysconfdir=${placeholder "out"}/etc"
+    "--with-selinux-acls=no"
+    "--with-selinux-labels=no"
+    "--disable-systemd"
+  ];
+
+  postConfigure = ''
+    substituteInPlace src/oddjobd.c \
+      --replace "globals.selinux_enabled" "FALSE"
+  '';
+
+  meta = with lib; {
+    description = "Odd Job Daemon";
+    homepage = "https://pagure.io/oddjob";
+    changelog = "https://pagure.io/oddjob/blob/oddjob-${version}/f/ChangeLog";
+    license = licenses.bsd0;
+    platforms = platforms.linux;
+    maintainers = with maintainers; [ SohamG ];
+  };
+}
diff --git a/nixpkgs/pkgs/os-specific/linux/odp-dpdk/default.nix b/nixpkgs/pkgs/os-specific/linux/odp-dpdk/default.nix
new file mode 100644
index 000000000000..7ac560824db8
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/odp-dpdk/default.nix
@@ -0,0 +1,65 @@
+{ lib
+, stdenv
+, fetchurl
+, autoreconfHook
+, pkg-config
+, dpdk
+, libbpf
+, libconfig
+, libpcap
+, numactl
+, openssl
+, zlib
+, libbsd
+, libelf
+, jansson
+, libnl
+}:
+
+stdenv.mkDerivation rec {
+  pname = "odp-dpdk";
+  version = "1.42.0.0_DPDK_22.11";
+
+  src = fetchurl {
+    url = "https://git.linaro.org/lng/odp-dpdk.git/snapshot/${pname}-${version}.tar.gz";
+    hash = "sha256-qtdqYE4+ab6/9Z0YXXCItcfj+3+gyprcNMAnAZkl4GA=";
+  };
+
+  nativeBuildInputs = [
+    autoreconfHook
+    pkg-config
+  ];
+
+  buildInputs = [
+    dpdk
+    libconfig
+    libpcap
+    numactl
+    openssl
+    zlib
+    libbsd
+    libelf
+    jansson
+    libbpf
+    libnl
+  ];
+
+  env.NIX_CFLAGS_COMPILE = toString [
+    # Needed with GCC 12
+    "-Wno-error=maybe-uninitialized"
+    "-Wno-error=uninitialized"
+  ];
+
+  # binaries will segfault otherwise
+  dontStrip = true;
+
+  enableParallelBuilding = true;
+
+  meta = with lib; {
+    description = "Open Data Plane optimized for DPDK";
+    homepage = "https://www.opendataplane.org";
+    license = licenses.bsd3;
+    platforms = platforms.linux;
+    maintainers = [ maintainers.abuibrahim ];
+  };
+}
diff --git a/nixpkgs/pkgs/os-specific/linux/open-iscsi/default.nix b/nixpkgs/pkgs/os-specific/linux/open-iscsi/default.nix
new file mode 100644
index 000000000000..9306099213a9
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/open-iscsi/default.nix
@@ -0,0 +1,67 @@
+{ stdenv
+, lib
+, fetchFromGitHub
+, meson
+, pkg-config
+, ninja
+, perl
+, util-linux
+, open-isns
+, openssl
+, kmod
+, systemd
+, runtimeShell
+, nixosTests }:
+
+stdenv.mkDerivation rec {
+  pname = "open-iscsi";
+  version = "2.1.9";
+
+  src = fetchFromGitHub {
+    owner = "open-iscsi";
+    repo = "open-iscsi";
+    rev = version;
+    hash = "sha256-y0NIb/KsKpCd8byr/SXI7nwTKXP2/bSSoW8QgeL5xdc=";
+  };
+
+  nativeBuildInputs = [
+    meson
+    pkg-config
+    ninja
+    perl
+  ];
+  buildInputs = [
+    kmod
+    (lib.getLib open-isns)
+    openssl
+    systemd
+    util-linux
+  ];
+
+  preConfigure = ''
+    patchShebangs .
+  '';
+
+  prePatch = ''
+    substituteInPlace etc/systemd/iscsi-init.service.template \
+      --replace /usr/bin/sh ${runtimeShell}
+    sed -i '/install_dir: db_root/d' meson.build
+  '';
+
+  mesonFlags = [
+    "-Discsi_sbindir=${placeholder "out"}/sbin"
+    "-Drulesdir=${placeholder "out"}/etc/udev/rules.d"
+    "-Dsystemddir=${placeholder "out"}/lib/systemd"
+    "-Ddbroot=/etc/iscsi"
+  ];
+
+  passthru.tests = { inherit (nixosTests) iscsi-root; };
+
+  meta = with lib; {
+    description = "A high performance, transport independent, multi-platform implementation of RFC3720";
+    license = licenses.gpl2Plus;
+    homepage = "https://www.open-iscsi.com";
+    platforms = platforms.linux;
+    maintainers = with maintainers; [ cleverca22 zaninime ];
+  };
+}
diff --git a/nixpkgs/pkgs/os-specific/linux/open-isns/default.nix b/nixpkgs/pkgs/os-specific/linux/open-isns/default.nix
new file mode 100644
index 000000000000..7afe13eea86a
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/open-isns/default.nix
@@ -0,0 +1,30 @@
+{ lib, stdenv, openssl, fetchFromGitHub }:
+
+stdenv.mkDerivation rec {
+  pname = "open-isns";
+  version = "0.102";
+
+  src = fetchFromGitHub {
+    owner = "open-iscsi";
+    repo = "open-isns";
+    rev = "v${version}";
+    sha256 = "sha256-Vz6VqqvEr0f8AdN9NcVnruapswmoOgvAXxXSfrM3yRA=";
+  };
+
+  propagatedBuildInputs = [ openssl ];
+  outputs = [ "out" "lib" ];
+  outputInclude = "lib";
+
+  configureFlags = [ "--enable-shared" ];
+
+  installFlags = [ "etcdir=$(out)/etc" "vardir=$(out)/var/lib/isns" ];
+  installTargets = [ "install" "install_hdrs" "install_lib" ];
+
+  meta = with lib; {
+    description = "iSNS server and client for Linux";
+    license = licenses.lgpl21Only;
+    homepage = "https://github.com/open-iscsi/open-isns";
+    platforms = platforms.linux;
+    maintainers = [ maintainers.markuskowa ];
+  };
+}
diff --git a/nixpkgs/pkgs/os-specific/linux/opengl/xorg-sys/builder.sh b/nixpkgs/pkgs/os-specific/linux/opengl/xorg-sys/builder.sh
new file mode 100644
index 000000000000..ed2c60da2612
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/opengl/xorg-sys/builder.sh
@@ -0,0 +1,17 @@
+if [ -e "$NIX_ATTRS_SH_FILE" ]; then . "$NIX_ATTRS_SH_FILE"; elif [ -f .attrs.sh ]; then . .attrs.sh; fi
+source $stdenv/setup
+
+mkdir -p $out/lib
+
+ln -s /usr/lib/libGL.so.1 $out/lib/
+ln -s /usr/lib/libGLU.so.1 $out/lib/
+ln -s /usr/lib/libGLcore.so.1 $out/lib/
+ln -s /usr/lib/tls/libnvidia-tls.so.1 $out/lib/
+#ln -s /usr/lib/libdrm.so.2 $out/lib/
+
+for i in $neededLibs; do
+    ln -s $i/lib/*.so* $out/lib/
+done
+
+
+
diff --git a/nixpkgs/pkgs/os-specific/linux/opengl/xorg-sys/default.nix b/nixpkgs/pkgs/os-specific/linux/opengl/xorg-sys/default.nix
new file mode 100644
index 000000000000..b7f1b6574404
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/opengl/xorg-sys/default.nix
@@ -0,0 +1,21 @@
+# This is a very dirty hack to allow hardware acceleration of OpenGL
+# applications for most (?) users.  It will use the driver that your
+# Linux distribution installed in /usr/lib/libGL.so.1.  Hopefully,
+# this driver uses hardware acceleration.
+#
+# Of course, use of the driver in /usr/lib is highly impure.  But it
+# might actually work ;-)
+
+{lib, stdenv, xorg, expat, libdrm}:
+
+stdenv.mkDerivation {
+  pname = "xorg-sys-opengl";
+  version = "3";
+  builder = ./builder.sh;
+  neededLibs = map (p: p.out)
+    [xorg.libXxf86vm xorg.libXext expat libdrm stdenv.cc.cc];
+
+  meta = {
+    platforms = lib.platforms.linux;
+  };
+}
diff --git a/nixpkgs/pkgs/os-specific/linux/openrazer/driver.nix b/nixpkgs/pkgs/os-specific/linux/openrazer/driver.nix
new file mode 100644
index 000000000000..f98fe5cfc743
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/openrazer/driver.nix
@@ -0,0 +1,50 @@
+{ coreutils
+, fetchFromGitHub
+, kernel
+, stdenv
+, lib
+, util-linux
+}:
+
+let
+  common = import ../../../development/python-modules/openrazer/common.nix { inherit lib fetchFromGitHub; };
+in
+stdenv.mkDerivation (common // {
+  pname = "openrazer";
+  version = "${common.version}-${kernel.version}";
+
+  nativeBuildInputs = kernel.moduleBuildDependencies;
+
+  makeFlags = kernel.makeFlags ++ [
+    "KERNELDIR=${kernel.dev}/lib/modules/${kernel.modDirVersion}/build"
+  ];
+
+  installPhase = ''
+    runHook preInstall
+
+    binDir="$out/lib/modules/${kernel.modDirVersion}/kernel/drivers/hid"
+    mkdir -p "$binDir"
+    cp -v driver/*.ko "$binDir"
+    RAZER_MOUNT_OUT="$out/bin/razer_mount"
+    RAZER_RULES_OUT="$out/etc/udev/rules.d/99-razer.rules"
+    install -m 644 -v -D install_files/udev/99-razer.rules $RAZER_RULES_OUT
+    install -m 755 -v -D install_files/udev/razer_mount $RAZER_MOUNT_OUT
+    substituteInPlace $RAZER_RULES_OUT \
+      --replace razer_mount $RAZER_MOUNT_OUT \
+      --replace plugdev openrazer
+    substituteInPlace $RAZER_MOUNT_OUT \
+      --replace /usr/bin/logger ${util-linux}/bin/logger \
+      --replace chgrp ${coreutils}/bin/chgrp \
+      --replace "PATH='/sbin:/bin:/usr/sbin:/usr/bin'" "" \
+      --replace plugdev openrazer
+
+    runHook postInstall
+  '';
+
+  enableParallelBuilding = true;
+
+  meta = common.meta // {
+    description = "An entirely open source Linux driver that allows you to manage your Razer peripherals on GNU/Linux";
+    broken = kernel.kernelOlder "4.19";
+  };
+})
diff --git a/nixpkgs/pkgs/os-specific/linux/opensnitch-ebpf/default.nix b/nixpkgs/pkgs/os-specific/linux/opensnitch-ebpf/default.nix
new file mode 100644
index 000000000000..70332abbe6ef
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/opensnitch-ebpf/default.nix
@@ -0,0 +1,58 @@
+{ lib
+, kernel
+, stdenv
+, clang-tools
+, llvmPackages
+, elfutils
+, flex
+, bison
+, bc
+, opensnitch
+}:
+
+stdenv.mkDerivation rec {
+  pname = "opensnitch_ebpf";
+  version = "${opensnitch.version}-${kernel.version}";
+
+  inherit (opensnitch) src;
+
+  sourceRoot = "source/ebpf_prog";
+
+  nativeBuildInputs = with llvmPackages; [
+    bc
+    bison
+    clang
+    clang-tools
+    elfutils
+    flex
+    libllvm
+  ];
+
+  # We set -fno-stack-protector here to work around a clang regression.
+  # This is fine - bpf programs do not use stack protectors
+  # https://aur.archlinux.org/cgit/aur.git/tree/PKGBUILD?h=opensnitch-ebpf-module&id=984b952a784eb701f691dd9f2d45dfeb8d15053b
+  env.NIX_CFLAGS_COMPILE = "-fno-stack-protector";
+
+  env.KERNEL_DIR="${kernel.dev}/lib/modules/${kernel.modDirVersion}/source";
+  env.KERNEL_HEADERS="${kernel.dev}/lib/modules/${kernel.modDirVersion}/build";
+
+  extraConfig =''
+    CONFIG_UPROBE_EVENTS=y
+  '';
+
+  installPhase = ''
+    runHook preInstall
+    for file in opensnitch*.o; do
+      install -Dm644 "$file" "$out/etc/opensnitchd/$file"
+    done
+    runHook postInstall
+  '';
+
+  meta = with lib; {
+    description = "eBPF process monitor module for OpenSnitch";
+    homepage = "https://github.com/evilsocket/opensnitch";
+    license = licenses.gpl3Only;
+    maintainers = with maintainers; [ onny ];
+    platforms = platforms.linux;
+  };
+}
diff --git a/nixpkgs/pkgs/os-specific/linux/openvswitch/default.nix b/nixpkgs/pkgs/os-specific/linux/openvswitch/default.nix
new file mode 100644
index 000000000000..664adfdc164c
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/openvswitch/default.nix
@@ -0,0 +1,4 @@
+import ./generic.nix {
+  version = "3.1.1";
+  hash = "sha256-YEiRg6RNO5WlUiQHIhfF9tN6oRvhKnV2JRDO25Ok4gQ=";
+}
diff --git a/nixpkgs/pkgs/os-specific/linux/openvswitch/generic.nix b/nixpkgs/pkgs/os-specific/linux/openvswitch/generic.nix
new file mode 100644
index 000000000000..be4bc90fe428
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/openvswitch/generic.nix
@@ -0,0 +1,126 @@
+{ version
+, hash
+}:
+
+{ lib
+, stdenv
+, fetchurl
+, autoconf
+, automake
+, installShellFiles
+, iproute2
+, kernel ? null
+, libcap_ng
+, libtool
+, openssl
+, perl
+, pkg-config
+, procps
+, python3
+, sphinxHook
+, util-linux
+, which
+}:
+
+let
+  _kernel = kernel;
+in stdenv.mkDerivation rec {
+  pname = "openvswitch";
+  inherit version;
+
+  kernel = lib.optional (_kernel != null) _kernel.dev;
+
+  src = fetchurl {
+    url = "https://www.openvswitch.org/releases/${pname}-${version}.tar.gz";
+    inherit hash;
+  };
+
+  outputs = [
+    "out"
+    "man"
+  ];
+
+  patches = [
+    # 8: vsctl-bashcomp - argument completion FAILED (completion.at:664)
+    ./patches/disable-bash-arg-completion-test.patch
+  ];
+
+  nativeBuildInputs = [
+    autoconf
+    automake
+    installShellFiles
+    libtool
+    pkg-config
+    sphinxHook
+  ];
+
+  sphinxBuilders = [
+    "man"
+  ];
+
+  sphinxRoot = "./Documentation";
+
+  buildInputs = [
+    libcap_ng
+    openssl
+    perl
+    procps
+    python3
+    util-linux
+    which
+  ];
+
+  preConfigure = "./boot.sh";
+
+  configureFlags = [
+    "--localstatedir=/var"
+    "--sharedstatedir=/var"
+    "--sbindir=$(out)/bin"
+  ] ++ (lib.optionals (_kernel != null) ["--with-linux"]);
+
+  # Leave /var out of this!
+  installFlags = [
+    "LOGDIR=$(TMPDIR)/dummy"
+    "RUNDIR=$(TMPDIR)/dummy"
+    "PKIDIR=$(TMPDIR)/dummy"
+  ];
+
+  enableParallelBuilding = true;
+
+  postInstall = ''
+    installShellCompletion --bash utilities/ovs-appctl-bashcomp.bash
+    installShellCompletion --bash utilities/ovs-vsctl-bashcomp.bash
+  '';
+
+  doCheck = true;
+  preCheck = ''
+    patchShebangs tests/
+  '';
+
+  nativeCheckInputs = [
+    iproute2
+  ] ++ (with python3.pkgs; [
+    netaddr
+    pyparsing
+    pytest
+  ]);
+
+  meta = with lib; {
+    changelog = "https://www.openvswitch.org/releases/NEWS-${version}.txt";
+    description = "A multilayer virtual switch";
+    longDescription = ''
+      Open vSwitch is a production quality, multilayer virtual switch
+      licensed under the open source Apache 2.0 license. It is
+      designed to enable massive network automation through
+      programmatic extension, while still supporting standard
+      management interfaces and protocols (e.g. NetFlow, sFlow, SPAN,
+      RSPAN, CLI, LACP, 802.1ag). In addition, it is designed to
+      support distribution across multiple physical servers similar
+      to VMware's vNetwork distributed vswitch or Cisco's Nexus 1000V.
+    '';
+    homepage = "https://www.openvswitch.org/";
+    license = licenses.asl20;
+    maintainers = with maintainers; [ netixx kmcopper ];
+    platforms = platforms.linux;
+  };
+}
diff --git a/nixpkgs/pkgs/os-specific/linux/openvswitch/lts.nix b/nixpkgs/pkgs/os-specific/linux/openvswitch/lts.nix
new file mode 100644
index 000000000000..9fb9977c2017
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/openvswitch/lts.nix
@@ -0,0 +1,4 @@
+import ./generic.nix {
+  version = "2.17.6";
+  hash = "sha256-dNqvK+c0iuXdQBe6RbjaxlNB8Vn0+0paecVC/tQQENk=";
+}
diff --git a/nixpkgs/pkgs/os-specific/linux/openvswitch/patches/disable-bash-arg-completion-test.patch b/nixpkgs/pkgs/os-specific/linux/openvswitch/patches/disable-bash-arg-completion-test.patch
new file mode 100644
index 000000000000..2b4542741763
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/openvswitch/patches/disable-bash-arg-completion-test.patch
@@ -0,0 +1,12 @@
+diff --git a/tests/completion.at b/tests/completion.at
+index b6155af25..6367cb545 100644
+--- a/tests/completion.at
++++ b/tests/completion.at
+@@ -425,6 +425,7 @@ AT_CLEANUP
+ 
+ 
+ AT_SETUP([vsctl-bashcomp - argument completion])
++AT_SKIP_IF([true])
+ AT_SKIP_IF([test -z ${BASH_VERSION+x}])
+ AT_SKIP_IF([eval 'test ${BASH_VERSINFO[[0]]} -lt 4'])
+ OVS_VSWITCHD_START(
diff --git a/nixpkgs/pkgs/os-specific/linux/otpw/default.nix b/nixpkgs/pkgs/os-specific/linux/otpw/default.nix
new file mode 100644
index 000000000000..6c53bf16efc1
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/otpw/default.nix
@@ -0,0 +1,36 @@
+{ lib, stdenv, fetchurl, pam, libxcrypt }:
+
+stdenv.mkDerivation rec {
+  pname = "otpw";
+  version = "1.3";
+
+  src = fetchurl {
+    url = "https://www.cl.cam.ac.uk/~mgk25/download/otpw-${version}.tar.gz";
+    sha256 = "1k3hc7xbxz6hkc55kvddi3cibafwf93ivn58sy1l888d3l5dwmrk";
+  };
+
+  patchPhase = ''
+    sed -i 's/^CFLAGS.*/CFLAGS=-O2 -fPIC/' Makefile
+    sed -i -e 's,PATH=.*;,,' conf.h
+    sed -i -e '/ENTROPY_ENV/d' otpw-gen.c
+  '';
+
+  installPhase = ''
+    mkdir -p $out/bin $out/lib/security $out/share/man/man{1,8}
+    cp pam_*.so $out/lib/security
+    cp otpw-gen $out/bin
+    cp *.1 $out/share/man/man1
+    cp *.8 $out/share/man/man8
+  '';
+
+  buildInputs = [ pam libxcrypt ];
+
+  hardeningDisable = [ "stackprotector" ];
+
+  meta = {
+    homepage = "http://www.cl.cam.ac.uk/~mgk25/otpw.html";
+    description = "A one-time password login package";
+    license = lib.licenses.gpl2Plus;
+    platforms = lib.platforms.linux;
+  };
+}
diff --git a/nixpkgs/pkgs/os-specific/linux/oxtools/default.nix b/nixpkgs/pkgs/os-specific/linux/oxtools/default.nix
new file mode 100644
index 000000000000..c16e12ab5e14
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/oxtools/default.nix
@@ -0,0 +1,36 @@
+{ lib, stdenv, fetchFromGitHub
+, glibc, python3
+}:
+
+stdenv.mkDerivation (finalAttrs: {
+  pname = "0xtools";
+  version = "1.2.4";
+
+  src = fetchFromGitHub {
+    owner = "tanelpoder";
+    repo = "0xtools";
+    rev = "v${finalAttrs.version}";
+    hash = "sha256-h0/HIbwb1CvFUh/NpozDUCjYGCH647lC7JhbpDCvaLk=";
+  };
+
+  postPatch = ''
+    substituteInPlace lib/0xtools/psnproc.py \
+      --replace /usr/include/asm/unistd_64.h ${glibc.dev}/include/asm/unistd_64.h
+  '';
+
+  buildInputs = [ python3 ];
+
+  makeFlags = [ "PREFIX=${placeholder "out"}" ];
+
+  preInstall = ''
+    mkdir -p $out/bin
+  '';
+
+  meta = with lib; {
+    description = "Utilities for analyzing application performance";
+    homepage = "https://0x.tools";
+    license = licenses.gpl2Plus;
+    maintainers = with maintainers; [ astro ];
+    platforms = [ "x86_64-linux" ];
+  };
+})
diff --git a/nixpkgs/pkgs/os-specific/linux/pagemon/default.nix b/nixpkgs/pkgs/os-specific/linux/pagemon/default.nix
new file mode 100644
index 000000000000..2ce723913578
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/pagemon/default.nix
@@ -0,0 +1,37 @@
+{ lib, stdenv, fetchFromGitHub, ncurses }:
+
+stdenv.mkDerivation rec {
+  pname = "pagemon";
+  version = "0.01.18";
+
+  src = fetchFromGitHub {
+    sha256 = "1aq1mq3k8n70h81s64w2zg4kksw1y05326bn4y8p94lpaypvxqfd";
+    rev = "V${version}";
+    repo = "pagemon";
+    owner = "ColinIanKing";
+  };
+
+  buildInputs = [ ncurses ];
+
+  makeFlags = [
+    "BINDIR=$(out)/bin"
+    "MANDIR=$(out)/share/man/man8"
+  ];
+
+  meta = with lib; {
+    inherit (src.meta) homepage;
+    description = "Interactive memory/page monitor for Linux";
+    longDescription = ''
+      pagemon is an ncurses based interactive memory/page monitoring tool
+      allowing one to browse the memory map of an active running process
+      on Linux.
+      pagemon reads the PTEs of a given process and display the soft/dirty
+      activity in real time. The tool identifies the type of memory mapping
+      a page belongs to, so one can easily scan through memory looking at
+      pages of memory belonging data, code, heap, stack, anonymous mappings
+      or even swapped-out pages.
+    '';
+    license = licenses.gpl2Plus;
+    platforms = platforms.linux;
+  };
+}
diff --git a/nixpkgs/pkgs/os-specific/linux/pam/default.nix b/nixpkgs/pkgs/os-specific/linux/pam/default.nix
new file mode 100644
index 000000000000..a35f40be5955
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/pam/default.nix
@@ -0,0 +1,72 @@
+{ lib, stdenv, buildPackages, fetchurl
+, fetchpatch
+, flex, cracklib, db4, gettext, audit, libxcrypt
+, nixosTests
+, autoreconfHook269, pkg-config-unwrapped
+}:
+
+stdenv.mkDerivation rec {
+  pname = "linux-pam";
+  version = "1.5.2";
+
+  src = fetchurl {
+    url    = "https://github.com/linux-pam/linux-pam/releases/download/v${version}/Linux-PAM-${version}.tar.xz";
+    sha256 = "sha256-5OxxMakdpEUSV0Jo9JPG2MoQXIcJFpG46bVspoXU+U0=";
+  };
+
+  patches = [
+    ./suid-wrapper-path.patch
+    # Pull support for localization on non-default --prefix:
+    #   https://github.com/NixOS/nixpkgs/issues/249010
+    #   https://github.com/linux-pam/linux-pam/pull/604
+    (fetchpatch {
+      name = "bind-locales.patch";
+      url = "https://github.com/linux-pam/linux-pam/commit/77bd338125cde583ecdfb9fd69619bcd2baf15c2.patch";
+      hash = "sha256-tlc9RcLZpEH315NFD4sdN9yOco8qhC6+bszl4OHm+AI=";
+    })
+  ];
+
+  outputs = [ "out" "doc" "man" /* "modules" */ ];
+
+  depsBuildBuild = [ buildPackages.stdenv.cc ];
+  # autoreconfHook269 is needed for `suid-wrapper-path.patch` and
+  # `bind-locales.patch` above.
+  # pkg-config-unwrapped is needed for `AC_CHECK_LIB` and `AC_SEARCH_LIBS`
+  nativeBuildInputs = [ flex autoreconfHook269 pkg-config-unwrapped ]
+    ++ lib.optional stdenv.buildPlatform.isDarwin gettext;
+
+  buildInputs = [ cracklib db4 libxcrypt ]
+    ++ lib.optional stdenv.buildPlatform.isLinux audit;
+
+  enableParallelBuilding = true;
+
+  preConfigure = lib.optionalString (stdenv.hostPlatform.libc == "musl") ''
+      # export ac_cv_search_crypt=no
+      # (taken from Alpine linux, apparently insecure but also doesn't build O:))
+      # disable insecure modules
+      # sed -e 's/pam_rhosts//g' -i modules/Makefile.am
+      sed -e 's/pam_rhosts//g' -i modules/Makefile.in
+  '';
+
+  configureFlags = [
+    "--includedir=${placeholder "out"}/include/security"
+    "--enable-sconfigdir=/etc/security"
+  ];
+
+  installFlags = [
+    "SCONFIGDIR=${placeholder "out"}/etc/security"
+  ];
+
+  doCheck = false; # fails
+
+  passthru.tests = {
+    inherit (nixosTests) pam-oath-login pam-u2f shadow sssd-ldap;
+  };
+
+  meta = with lib; {
+    homepage = "http://www.linux-pam.org/";
+    description = "Pluggable Authentication Modules, a flexible mechanism for authenticating user";
+    platforms = platforms.linux;
+    license = licenses.bsd3;
+  };
+}
diff --git a/nixpkgs/pkgs/os-specific/linux/pam/suid-wrapper-path.patch b/nixpkgs/pkgs/os-specific/linux/pam/suid-wrapper-path.patch
new file mode 100644
index 000000000000..a427ccf38816
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/pam/suid-wrapper-path.patch
@@ -0,0 +1,6 @@
+It needs the SUID version during runtime, and that can't be in /nix/store/**
+--- a/modules/pam_unix/Makefile.am
++++ b/modules/pam_unix/Makefile.am
+@@ -21 +21 @@
+-	-DCHKPWD_HELPER=\"$(sbindir)/unix_chkpwd\" \
++	-DCHKPWD_HELPER=\"/run/wrappers/bin/unix_chkpwd\" \
diff --git a/nixpkgs/pkgs/os-specific/linux/pam_ccreds/default.nix b/nixpkgs/pkgs/os-specific/linux/pam_ccreds/default.nix
new file mode 100644
index 000000000000..4b2cc7a3822b
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/pam_ccreds/default.nix
@@ -0,0 +1,23 @@
+{lib, stdenv, fetchurl, pam, openssl, db}:
+
+stdenv.mkDerivation rec {
+  pname = "pam_ccreds";
+  version = "10";
+
+  src = fetchurl {
+    url = "https://www.padl.com/download/pam_ccreds-${version}.tar.gz";
+    sha256 = "1h7zyg1b1h69civyvrj95w22dg0y7lgw3hq4gqkdcg35w1y76fhz";
+  };
+  patchPhase = ''
+    sed 's/-o root -g root//' -i Makefile.in
+  '';
+
+  buildInputs = [ pam openssl db ];
+
+  meta = with lib; {
+    homepage = "https://www.padl.com/OSS/pam_ccreds.html";
+    description = "PAM module to locally authenticate using an enterprise identity when the network is unavailable";
+    license = licenses.gpl2;
+    platforms = platforms.linux;
+  };
+}
diff --git a/nixpkgs/pkgs/os-specific/linux/pam_dp9ik/default.nix b/nixpkgs/pkgs/os-specific/linux/pam_dp9ik/default.nix
new file mode 100644
index 000000000000..bd097caee497
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/pam_dp9ik/default.nix
@@ -0,0 +1,29 @@
+{ lib
+, tlsclient
+, stdenv
+, pkg-config
+, pam
+}:
+
+stdenv.mkDerivation {
+  inherit (tlsclient) src version enableParallelBuilding;
+
+  pname = "pam_dp9ik";
+
+  strictDeps = true;
+  nativeBuildInputs = [ pkg-config ];
+  buildInputs = [ pam ];
+
+  buildFlags = [ "pam_p9.so" ];
+  installFlags = [ "PREFIX=$(out)" ];
+  installTargets = "pam.install";
+
+  meta = with lib; {
+    description = "dp9ik pam module";
+    longDescription = "Uses tlsclient to authenticate users against a 9front auth server";
+    homepage = "https://git.sr.ht/~moody/tlsclient";
+    license = licenses.mit;
+    maintainers = with maintainers; [ moody ];
+    platforms = platforms.linux;
+  };
+}
diff --git a/nixpkgs/pkgs/os-specific/linux/pam_gnupg/default.nix b/nixpkgs/pkgs/os-specific/linux/pam_gnupg/default.nix
new file mode 100644
index 000000000000..1c54c42120ab
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/pam_gnupg/default.nix
@@ -0,0 +1,32 @@
+{ lib, stdenv, fetchFromGitHub, autoreconfHook, pam, gnupg }:
+
+stdenv.mkDerivation rec {
+  pname = "pam_gnupg";
+  version = "0.4";
+
+  src = fetchFromGitHub {
+    owner = "cruegge";
+    repo = "pam-gnupg";
+    rev = "v${version}";
+    sha256 = "sha256-6I9a841qohA42lhOgZf/hharnjkthuB8lRptPDxUgMI=";
+  };
+
+  configureFlags = [
+    "--with-moduledir=${placeholder "out"}/lib/security"
+  ];
+
+  buildInputs = [ pam gnupg ];
+
+  nativeBuildInputs = [ autoreconfHook ];
+
+  meta = with lib; {
+    description = "Unlock GnuPG keys on login";
+    longDescription = ''
+      A PAM module that hands over your login password to gpg-agent. This can
+      be useful if you are using a GnuPG-based password manager like pass.
+    '';
+    homepage = "https://github.com/cruegge/pam-gnupg";
+    license = licenses.gpl3;
+    maintainers = with maintainers; [ mtreca ];
+  };
+}
diff --git a/nixpkgs/pkgs/os-specific/linux/pam_krb5/default.nix b/nixpkgs/pkgs/os-specific/linux/pam_krb5/default.nix
new file mode 100644
index 000000000000..157226373db0
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/pam_krb5/default.nix
@@ -0,0 +1,24 @@
+{ lib, stdenv, fetchurl, pam, libkrb5 }:
+
+stdenv.mkDerivation rec {
+  pname = "pam-krb5";
+  version = "4.11";
+
+  src = fetchurl {
+    url = "https://archives.eyrie.org/software/kerberos/pam-krb5-${version}.tar.gz";
+    sha256 = "sha256-UDy+LLGv9L39o7z3+T+U+2ulLCbXCJNOcDmyGC/hCyA=";
+  };
+
+  buildInputs = [ pam libkrb5 ];
+
+  meta = with lib; {
+    homepage = "https://www.eyrie.org/~eagle/software/pam-krb5/";
+    description = "PAM module allowing PAM-aware applications to authenticate users by performing an AS exchange with a Kerberos KDC";
+    longDescription = ''
+      pam_krb5 can optionally convert Kerberos 5 credentials to Kerberos IV
+      credentials and/or use them to set up AFS tokens for a user's session.
+    '';
+    platforms = platforms.linux;
+    license = licenses.bsd3;
+  };
+}
diff --git a/nixpkgs/pkgs/os-specific/linux/pam_ldap/default.nix b/nixpkgs/pkgs/os-specific/linux/pam_ldap/default.nix
new file mode 100644
index 000000000000..988256808dbb
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/pam_ldap/default.nix
@@ -0,0 +1,34 @@
+{ stdenv, fetchurl, pam, openldap, perl }:
+
+stdenv.mkDerivation rec {
+  pname = "pam_ldap";
+  version = "186";
+
+  src = fetchurl {
+    url = "https://www.padl.com/download/pam_ldap-${version}.tar.gz";
+    sha256 = "0lv4f7hc02jrd2l3gqxd247qq62z11sp3fafn8lgb8ymb7aj5zn8";
+  };
+
+  postPatch = ''
+    patchShebangs ./vers_string
+    substituteInPlace vers_string --replace "cvslib.pl" "./cvslib.pl"
+  '';
+
+  preInstall = "
+    substituteInPlace Makefile --replace '-o root -g root' ''
+  ";
+
+  nativeBuildInputs = [ perl ];
+  buildInputs = [ pam openldap ];
+
+  meta = {
+    homepage = "https://www.padl.com/OSS/pam_ldap.html";
+    description = "LDAP backend for PAM";
+    longDescription = ''
+      The pam_ldap module provides the means for Solaris and Linux servers and
+      workstations to authenticate against LDAP directories, and to change their
+      passwords in the directory.'';
+    license = "LGPL";
+    inherit (pam.meta) platforms;
+  };
+}
diff --git a/nixpkgs/pkgs/os-specific/linux/pam_mktemp/default.nix b/nixpkgs/pkgs/os-specific/linux/pam_mktemp/default.nix
new file mode 100644
index 000000000000..04ba58785efa
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/pam_mktemp/default.nix
@@ -0,0 +1,48 @@
+{ lib
+, stdenv
+, fetchurl
+, fetchpatch
+, pam
+, e2fsprogs
+}:
+
+stdenv.mkDerivation rec {
+  pname = "pam_mktemp";
+  version = "1.1.1";
+
+  src = fetchurl {
+    url = "https://openwall.com/pam/modules/${pname}/${pname}-${version}.tar.gz";
+    hash = "sha256-Zs+AwYQ5yjRW25ZALy7qwUsaBQPMHRvn8rFtXwefPz0=";
+  };
+
+  patches = [
+    (fetchpatch {
+      name = "inherit_private_prefix_from_home.patch";
+      url = "https://git.altlinux.org/gears/p/pam_mktemp.git?p=pam_mktemp.git;a=commitdiff_plain;h=3d2e8ad6da6a44c047bf7a8afa1e1bb2a6e36a55";
+      hash = "sha256-xe44fi2xH9jqlStlIR4QPB0KS7spflRdOsvNPEmxJpU";
+     })
+    (fetchpatch {
+      name = "allow_private_prefix_to_be_stricter.patch";
+      url = "https://git.altlinux.org/gears/p/pam_mktemp.git?p=pam_mktemp.git;a=commitdiff_plain;h=bb2cee0c695d22310e5364c30d74bccb0dbf3205";
+      hash = "sha256-TouysUVlNnl+m7lJ2VKPxUTYD2om1Jh5FEJ6NHMAI4U=";
+    })
+  ];
+
+  patchFlags = "-p2";
+
+  dontConfigure = true;
+
+  buildInputs = [ pam e2fsprogs ];
+
+  makeFlags = [ "DESTDIR=$(out)" ];
+
+  enableParallelBuilding = true;
+
+  meta = with lib; {
+    homepage = "https://www.openwall.com/pam/";
+    description = "PAM for login service to provide per-user private directories";
+    license = licenses.bsd0;
+    maintainers = with maintainers; [ wladmis ];
+    platforms = platforms.linux;
+  };
+}
diff --git a/nixpkgs/pkgs/os-specific/linux/pam_mount/default.nix b/nixpkgs/pkgs/os-specific/linux/pam_mount/default.nix
new file mode 100644
index 000000000000..2ed6829f3614
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/pam_mount/default.nix
@@ -0,0 +1,59 @@
+{ lib, stdenv, fetchurl, autoreconfHook, pkg-config, libtool, pam, libHX, libxml2, pcre2, perl, openssl, cryptsetup, util-linux }:
+
+stdenv.mkDerivation rec {
+  pname = "pam_mount";
+  version = "2.20";
+
+  src = fetchurl {
+    url = "https://inai.de/files/pam_mount/${pname}-${version}.tar.xz";
+    hash = "sha256-VCYgekhWgPjhdkukBbs4w5pODIMGvIJxkQ8bgZozbO0=";
+  };
+
+  patches = [
+    ./insert_utillinux_path_hooks.patch
+  ];
+
+  postPatch = ''
+    substituteInPlace src/mtcrypt.c \
+      --replace @@NIX_UTILLINUX@@ ${util-linux}/bin
+  '';
+
+  nativeBuildInputs = [
+    autoreconfHook
+    libtool
+    perl
+    pkg-config
+  ];
+
+  buildInputs = [
+    cryptsetup
+    libHX
+    libxml2
+    openssl
+    pam
+    pcre2
+    util-linux
+  ];
+
+  enableParallelBuilding = true;
+
+  configureFlags = [
+    "--prefix=${placeholder "out"}"
+    "--localstatedir=${placeholder "out"}/var"
+    "--sbindir=${placeholder "out"}/bin"
+    "--sysconfdir=${placeholder "out"}/etc"
+    "--with-slibdir=${placeholder "out"}/lib"
+  ];
+
+  postInstall = ''
+    rm -r $out/var
+  '';
+
+  meta = with lib; {
+    description = "PAM module to mount volumes for a user session";
+    homepage = "https://pam-mount.sourceforge.net/";
+    license = with licenses; [ gpl2 gpl3 lgpl21 lgpl3 ];
+    maintainers = with maintainers; [ netali ];
+    platforms = platforms.linux;
+  };
+}
diff --git a/nixpkgs/pkgs/os-specific/linux/pam_mount/insert_utillinux_path_hooks.patch b/nixpkgs/pkgs/os-specific/linux/pam_mount/insert_utillinux_path_hooks.patch
new file mode 100644
index 000000000000..6d9da05da295
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/pam_mount/insert_utillinux_path_hooks.patch
@@ -0,0 +1,30 @@
+diff -uNr pam_mount-2.15_old/src/mtcrypt.c pam_mount-2.15/src/mtcrypt.c
+--- pam_mount-2.15_old/src/mtcrypt.c	2015-07-04 16:00:12.917943336 +0200
++++ pam_mount-2.15/src/mtcrypt.c	2015-07-04 16:03:45.685302493 +0200
+@@ -534,7 +534,7 @@
+ 
+ 	/* candidate for replacement by some libmount calls, I guess. */
+ 	argk = 0;
+-	mount_args[argk++] = "mount";
++	mount_args[argk++] = "@@NIX_UTILLINUX@@/mount";
+ 	if (opt->fstype != NULL) {
+ 		mount_args[argk++] = "-t";
+ 		mount_args[argk++] = opt->fstype;
+@@ -668,7 +668,7 @@
+ 
+ 	if (!opt->no_update)
+ 		pmt_smtab_remove(mntpt, SMTABF_MOUNTPOINT);
+-	rmt_args[argk++] = "mount";
++	rmt_args[argk++] = "@@NIX_UTILLINUX@@/mount";
+ 	rmt_args[argk++] = "-o";
+ 	rmt_args[argk++] = opt->extra_opts;
+ 	rmt_args[argk++] = mntpt;
+@@ -749,7 +749,7 @@
+ 		pmt_smtab_remove(mountpoint, SMTABF_MOUNTPOINT);
+ 	pmt_cmtab_remove(mountpoint);
+ 
+-	umount_args[argk++] = "umount";
++	umount_args[argk++] = "@@NIX_UTILLINUX@@/umount";
+ 	umount_args[argk++] = "-i";
+ 	umount_args[argk++] = mountpoint;
+ 	umount_args[argk]   = NULL;
diff --git a/nixpkgs/pkgs/os-specific/linux/pam_mysql/default.nix b/nixpkgs/pkgs/os-specific/linux/pam_mysql/default.nix
new file mode 100644
index 000000000000..036d4b20cb4c
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/pam_mysql/default.nix
@@ -0,0 +1,24 @@
+{ lib, stdenv, fetchFromGitHub, meson, ninja, pam, pkg-config, libmysqlclient, mariadb, libxcrypt }:
+
+stdenv.mkDerivation rec {
+  pname = "pam_mysql";
+  version = "1.0.0-beta2";
+
+  src = fetchFromGitHub {
+    owner = "NigelCunningham";
+    repo = "pam-MySQL";
+    rev = version;
+    sha256 = "07acf0hbhkd0kg49gnj4nb5ilnv3v4xx3dsggvzvjg8gi3cjmsap";
+  };
+
+  nativeBuildInputs = [ meson pkg-config ninja ];
+  buildInputs = [ pam libmysqlclient mariadb libxcrypt ];
+
+  meta = with lib; {
+    description = "PAM authentication module against a MySQL database";
+    homepage = "https://github.com/NigelCunningham/pam-MySQL";
+    license = licenses.gpl2Plus;
+    platforms = platforms.linux;
+    maintainers = with maintainers; [ netali ];
+  };
+}
diff --git a/nixpkgs/pkgs/os-specific/linux/pam_p11/default.nix b/nixpkgs/pkgs/os-specific/linux/pam_p11/default.nix
new file mode 100644
index 000000000000..0a7e02f4ad81
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/pam_p11/default.nix
@@ -0,0 +1,36 @@
+{ lib, stdenv, fetchFromGitHub, autoreconfHook, pkg-config, libp11, pam, libintl, fetchpatch }:
+
+stdenv.mkDerivation rec {
+  pname = "pam_p11";
+  version = "0.3.1";
+
+  src = fetchFromGitHub {
+    owner = "OpenSC";
+    repo = "pam_p11";
+    rev = "pam_p11-${version}";
+    sha256 = "1caidy18rq5zk82d51x8vwidmkhwmanf3qm25x1yrdlbhxv6m7lk";
+  };
+
+  patches = [
+    # fix with openssl 3.x
+    # https://github.com/OpenSC/pam_p11/pull/22
+    (fetchpatch {
+      name = "OpenSC-pam_p11-pull-22.patch";
+      url = "https://github.com/OpenSC/pam_p11/compare/cd4eba2e921e1c2f93cde71922a76af99376246c...debd4f7acfaf998cfe4002e0be5c35ad9a9591b5.patch";
+      excludes = [ ".github/build.sh" ];
+      hash = "sha256-bm/agnBgvrr8L8yoGK4gzBqOGgsNWf9NIgcNJG7proE=";
+    })
+  ];
+
+  nativeBuildInputs = [ autoreconfHook pkg-config ];
+  buildInputs = [ pam libp11.passthru.openssl libp11 ]
+    ++ lib.optionals stdenv.isDarwin [ libintl ];
+
+  meta = with lib; {
+    homepage = "https://github.com/OpenSC/pam_p11";
+    description = "Authentication with PKCS#11 modules";
+    license = licenses.lgpl21Plus;
+    platforms = platforms.unix;
+    maintainers = with maintainers; [ sb0 ];
+  };
+}
diff --git a/nixpkgs/pkgs/os-specific/linux/pam_pgsql/default.nix b/nixpkgs/pkgs/os-specific/linux/pam_pgsql/default.nix
new file mode 100644
index 000000000000..2eabcefe584c
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/pam_pgsql/default.nix
@@ -0,0 +1,24 @@
+{ lib, stdenv, fetchFromGitHub, autoreconfHook, pkg-config, postgresql, libgcrypt, pam, libxcrypt }:
+
+stdenv.mkDerivation rec {
+  pname = "pam_pgsql";
+  version = "unstable-2020-05-05";
+
+  src = fetchFromGitHub {
+    owner = "pam-pgsql";
+    repo = "pam-pgsql";
+    rev = "f9fd1e1a0daf754e6764a31db5cbec6f9fc02b3d";
+    sha256 = "1bvddrwyk1479wibyayzc24h62qzfnlbk9qvdhb31yw9yn17gp6k";
+  };
+
+  nativeBuildInputs = [ autoreconfHook pkg-config ];
+  buildInputs = [ libgcrypt pam postgresql libxcrypt ];
+
+  meta = with lib; {
+    description = "Support to authenticate against PostgreSQL for PAM-enabled appliations";
+    homepage = "https://github.com/pam-pgsql/pam-pgsql";
+    license = licenses.gpl2Plus;
+    platforms = platforms.linux;
+    maintainers = with maintainers; [ abbradar ];
+  };
+}
diff --git a/nixpkgs/pkgs/os-specific/linux/pam_rssh/default.nix b/nixpkgs/pkgs/os-specific/linux/pam_rssh/default.nix
new file mode 100644
index 000000000000..2da53d462790
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/pam_rssh/default.nix
@@ -0,0 +1,78 @@
+{ lib
+, rustPlatform
+, fetchFromGitHub
+, coreutils
+, pkg-config
+, openssl
+, pam
+, openssh
+}:
+
+rustPlatform.buildRustPackage rec {
+  pname = "pam_rssh";
+  version = "1.1.0";
+
+  src = fetchFromGitHub {
+    owner = "z4yx";
+    repo = "pam_rssh";
+    rev = "v${version}";
+    hash = "sha256-SDtMqGy2zhq9jEQVwSEl4EwRp2jgXfTVLrCX7k/kBeU=";
+    fetchSubmodules = true;
+  };
+
+  cargoHash = "sha256-gNy1tcHDUOG1XduGAIMapvx5dlq+U1LitUQkccGfb9o=";
+
+  postPatch = ''
+    substituteInPlace src/auth_keys.rs \
+      --replace '/bin/echo' '${coreutils}/bin/echo' \
+      --replace '/bin/false' '${coreutils}/bin/false'
+  '';
+
+  nativeBuildInputs = [
+    pkg-config
+  ];
+
+  buildInputs = [
+    openssl
+    pam
+  ];
+
+  checkFlags = [
+    # Fails because it tries finding authorized_keys in /home/$USER.
+    "--skip=tests::parse_user_authorized_keys"
+  ];
+
+  nativeCheckInputs = [
+    openssh
+  ];
+
+  env.USER = "nixbld";
+
+  # Copied from https://github.com/z4yx/pam_rssh/blob/main/.github/workflows/rust.yml.
+  preCheck = ''
+    export HOME=$(mktemp -d)
+    mkdir $HOME/.ssh
+    ssh-keygen -q -N "" -t ecdsa -b 521 -f $HOME/.ssh/id_ecdsa521
+    ssh-keygen -q -N "" -t ecdsa -b 384 -f $HOME/.ssh/id_ecdsa384
+    ssh-keygen -q -N "" -t ecdsa -b 256 -f $HOME/.ssh/id_ecdsa256
+    ssh-keygen -q -N "" -t ed25519 -f $HOME/.ssh/id_ed25519
+    ssh-keygen -q -N "" -t rsa -f $HOME/.ssh/id_rsa
+    ssh-keygen -q -N "" -t dsa -f $HOME/.ssh/id_dsa
+    export SSH_AUTH_SOCK=$HOME/ssh-agent.sock
+    eval $(ssh-agent -a $SSH_AUTH_SOCK)
+    ssh-add $HOME/.ssh/id_ecdsa521
+    ssh-add $HOME/.ssh/id_ecdsa384
+    ssh-add $HOME/.ssh/id_ecdsa256
+    ssh-add $HOME/.ssh/id_ed25519
+    ssh-add $HOME/.ssh/id_rsa
+    ssh-add $HOME/.ssh/id_dsa
+  '';
+
+  meta = with lib; {
+    description = "PAM module for authenticating via ssh-agent, written in Rust";
+    homepage = "https://github.com/z4yx/pam_rssh";
+    license = licenses.mit;
+    platforms = platforms.linux;
+    maintainers = with maintainers; [ kranzes ];
+  };
+}
diff --git a/nixpkgs/pkgs/os-specific/linux/pam_ssh_agent_auth/default.nix b/nixpkgs/pkgs/os-specific/linux/pam_ssh_agent_auth/default.nix
new file mode 100644
index 000000000000..f28cb28ef373
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/pam_ssh_agent_auth/default.nix
@@ -0,0 +1,55 @@
+{ lib, stdenv, fetchpatch, fetchFromGitHub, pam, openssl, perl }:
+
+stdenv.mkDerivation rec {
+  pname = "pam_ssh_agent_auth";
+  version = "0.10.4";
+
+  src = fetchFromGitHub {
+    owner = "jbeverly";
+    repo = "pam_ssh_agent_auth";
+    rev = "pam_ssh_agent_auth-${version}";
+    sha256 = "YD1R8Cox0UoNiuWleKGzWSzxJ5lhDRCB2mZPp9OM6Cs=";
+  };
+
+  ed25519-donna = fetchFromGitHub {
+    owner = "floodyberry";
+    repo = "ed25519-donna";
+    rev = "8757bd4cd209cb032853ece0ce413f122eef212c";
+    sha256 = "ETFpIaWQnlYG8ZuDG2dNjUJddlvibB4ukHquTFn3NZM=";
+  };
+
+  buildInputs = [ pam openssl perl ];
+
+  patches = [
+    # Allow multiple colon-separated authorized keys files to be
+    # specified in the file= option.
+    ./multiple-key-files.patch
+    ./edcsa-crash-fix.patch
+  ];
+
+  configureFlags = [
+    # It's not clear to me why this is necessary, but without it, you see:
+    #
+    # checking OpenSSL header version... 1010108f (OpenSSL 1.1.1h  22 Sep 2020)
+    # checking OpenSSL library version... 1010108f (OpenSSL 1.1.1h  22 Sep 2020)
+    # checking whether OpenSSL's headers match the library... no
+    # configure: WARNING: Your OpenSSL headers do not match your
+    # library. Check config.log for details.
+    #
+    # ...despite the fact that clearly the values match
+    "--without-openssl-header-check"
+    # Make sure it can find ed25519-donna
+    "--with-cflags=-I$PWD"
+  ];
+
+  prePatch = "cp -r ${ed25519-donna}/. ed25519-donna/.";
+
+  enableParallelBuilding = true;
+
+  meta = {
+    homepage = "https://github.com/jbeverly/pam_ssh_agent_auth";
+    description = "PAM module for authentication through the SSH agent";
+    maintainers = [ lib.maintainers.eelco ];
+    platforms = lib.platforms.linux;
+  };
+}
diff --git a/nixpkgs/pkgs/os-specific/linux/pam_ssh_agent_auth/edcsa-crash-fix.patch b/nixpkgs/pkgs/os-specific/linux/pam_ssh_agent_auth/edcsa-crash-fix.patch
new file mode 100644
index 000000000000..45ee87458161
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/pam_ssh_agent_auth/edcsa-crash-fix.patch
@@ -0,0 +1,53 @@
+commit 1b0d9bcc5f5cd78b0bb1357d6a11da5d616ad26f
+Author: Wout Mertens <Wout.Mertens@gmail.com>
+Date:   Thu Jun 11 18:08:13 2020 +0200
+
+    fix segfault when using ECDSA keys.
+    
+    Author: Marc Deslauriers <marc.deslauriers@canonical.com>
+    Bug-Ubuntu: https://bugs.launchpad.net/bugs/1869512
+
+diff --git a/ssh-ecdsa.c b/ssh-ecdsa.c
+index 5b13b30..5bf29cc 100644
+--- a/ssh-ecdsa.c
++++ b/ssh-ecdsa.c
+@@ -46,7 +46,7 @@ ssh_ecdsa_sign(const Key *key, u_char **sigp, u_int *lenp,
+     u_int len, dlen;
+     Buffer b, bb;
+ #if OPENSSL_VERSION_NUMBER >= 0x10100005L
+-	BIGNUM *r, *s;
++	BIGNUM *r = NULL, *s = NULL;
+ #endif
+ 
+     if (key == NULL || key->type != KEY_ECDSA || key->ecdsa == NULL) {
+@@ -137,20 +137,27 @@ ssh_ecdsa_verify(const Key *key, const u_char *signature, u_int signaturelen,
+ 
+     /* parse signature */
+     if ((sig = ECDSA_SIG_new()) == NULL)
+-        pamsshagentauth_fatal("ssh_ecdsa_verify: DSA_SIG_new failed");
++        pamsshagentauth_fatal("ssh_ecdsa_verify: ECDSA_SIG_new failed");
+ 
+     pamsshagentauth_buffer_init(&b);
+     pamsshagentauth_buffer_append(&b, sigblob, len);
+ #if OPENSSL_VERSION_NUMBER < 0x10100005L
+     if ((pamsshagentauth_buffer_get_bignum2_ret(&b, sig->r) == -1) ||
+         (pamsshagentauth_buffer_get_bignum2_ret(&b, sig->s) == -1))
++        pamsshagentauth_fatal("ssh_ecdsa_verify:"
++            "pamsshagentauth_buffer_get_bignum2_ret failed");
+ #else
+-    DSA_SIG_get0(sig, &r, &s);
++    if ((r = BN_new()) == NULL)
++        pamsshagentauth_fatal("ssh_ecdsa_verify: BN_new failed");
++    if ((s = BN_new()) == NULL)
++        pamsshagentauth_fatal("ssh_ecdsa_verify: BN_new failed");
+     if ((pamsshagentauth_buffer_get_bignum2_ret(&b, r) == -1) ||
+         (pamsshagentauth_buffer_get_bignum2_ret(&b, s) == -1))
+-#endif
+         pamsshagentauth_fatal("ssh_ecdsa_verify:"
+             "pamsshagentauth_buffer_get_bignum2_ret failed");
++    if (ECDSA_SIG_set0(sig, r, s) != 1)
++        pamsshagentauth_fatal("ssh_ecdsa_verify: ECDSA_SIG_set0 failed");
++#endif
+ 
+     /* clean up */
+     memset(sigblob, 0, len);
diff --git a/nixpkgs/pkgs/os-specific/linux/pam_ssh_agent_auth/multiple-key-files.patch b/nixpkgs/pkgs/os-specific/linux/pam_ssh_agent_auth/multiple-key-files.patch
new file mode 100644
index 000000000000..71d8e08ecd0b
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/pam_ssh_agent_auth/multiple-key-files.patch
@@ -0,0 +1,371 @@
+diff -u pam_ssh_agent_auth-0.10.3-orig/iterate_ssh_agent_keys.c pam_ssh_agent_auth-0.10.3/iterate_ssh_agent_keys.c
+--- pam_ssh_agent_auth-0.10.3-orig/iterate_ssh_agent_keys.c	2016-11-12 19:24:32.000000000 -0800
++++ pam_ssh_agent_auth-0.10.3/iterate_ssh_agent_keys.c	2017-03-02 23:47:18.012203283 -0800
+@@ -176,7 +176,7 @@
+     return;
+ }
+ 
+-int
++const char *
+ pamsshagentauth_find_authorized_keys(const char * user, const char * ruser, const char * servicename)
+ {
+     Buffer session_id2 = { 0 };
+@@ -184,7 +184,7 @@
+     Key *key;
+     AuthenticationConnection *ac;
+     char *comment;
+-    uint8_t retval = 0;
++    const char *key_file = 0;
+     uid_t uid = getpwnam(ruser)->pw_uid;
+ 
+     OpenSSL_add_all_digests();
+@@ -199,13 +199,11 @@
+                 id->key = key;
+                 id->filename = comment;
+                 id->ac = ac;
+-                if(userauth_pubkey_from_id(ruser, id, &session_id2)) {
+-                    retval = 1;
+-                }
++                key_file = userauth_pubkey_from_id(ruser, id, &session_id2);
+                 pamsshagentauth_xfree(id->filename);
+                 pamsshagentauth_key_free(id->key);
+                 pamsshagentauth_xfree(id);
+-                if(retval == 1)
++                if(key_file)
+                     break;
+             }
+         }
+@@ -217,5 +215,5 @@
+     }
+     /* pamsshagentauth_xfree(session_id2); */
+     EVP_cleanup();
+-    return retval;
++    return key_file;
+ }
+diff -u pam_ssh_agent_auth-0.10.3-orig/iterate_ssh_agent_keys.h pam_ssh_agent_auth-0.10.3/iterate_ssh_agent_keys.h
+--- pam_ssh_agent_auth-0.10.3-orig/iterate_ssh_agent_keys.h	2016-11-12 19:24:32.000000000 -0800
++++ pam_ssh_agent_auth-0.10.3/iterate_ssh_agent_keys.h	2017-03-02 23:48:06.345803339 -0800
+@@ -31,6 +31,6 @@
+ #ifndef _ITERATE_SSH_AGENT_KEYS_H
+ #define _ITERATE_SSH_AGENT_KEYS_H
+ 
+-int pamsshagentauth_find_authorized_keys(const char * user, const char * ruser, const char * servicename);
++const char * pamsshagentauth_find_authorized_keys(const char * user, const char * ruser, const char * servicename);
+ 
+ #endif
+diff -u pam_ssh_agent_auth-0.10.3-orig/pam_ssh_agent_auth.c pam_ssh_agent_auth-0.10.3/pam_ssh_agent_auth.c
+--- pam_ssh_agent_auth-0.10.3-orig/pam_ssh_agent_auth.c	2016-11-12 19:24:32.000000000 -0800
++++ pam_ssh_agent_auth-0.10.3/pam_ssh_agent_auth.c	2017-03-02 23:51:57.642669946 -0800
+@@ -61,7 +61,6 @@
+ #define strncasecmp_literal(A,B) strncasecmp( A, B, sizeof(B) - 1)
+ #define UNUSED(expr) do { (void)(expr); } while (0)
+ 
+-char           *authorized_keys_file = NULL;
+ uint8_t         allow_user_owned_authorized_keys_file = 0;
+ char           *authorized_keys_command = NULL;
+ char           *authorized_keys_command_user = NULL;
+@@ -171,15 +170,13 @@
+         goto cleanexit;
+     }
+ 
+-    if(authorized_keys_file_input && user) {
+-        /*
+-         * user is the name of the target-user, and so must be used for validating the authorized_keys file
+-         */
+-        parse_authorized_key_file(user, authorized_keys_file_input);
+-    } else {
+-        pamsshagentauth_verbose("Using default file=/etc/security/authorized_keys");
+-        authorized_keys_file = pamsshagentauth_xstrdup("/etc/security/authorized_keys");
+-    }
++    if (!authorized_keys_file_input || !user)
++        authorized_keys_file_input = "/etc/security/authorized_keys";
++
++    /*
++     * user is the name of the target-user, and so must be used for validating the authorized_keys file
++     */
++    parse_authorized_key_files(user, authorized_keys_file_input);
+ 
+     /*
+      * PAM_USER and PAM_RUSER do not necessarily have to get set by the calling application, and we may be unable to divine the latter.
+@@ -184,5 +181,5 @@
+      */
+ 
+     if(user && strlen(ruser) > 0) {
+-        pamsshagentauth_verbose("Attempting authentication: `%s' as `%s' using %s", ruser, user, authorized_keys_file);
++        pamsshagentauth_verbose("Attempting authentication: `%s' as `%s' using %s", ruser, user, authorized_keys_file_input);
+ 
+@@ -201,3 +197,3 @@
+                 retval = PAM_SUCCESS;
+-                pamsshagentauth_logit("Authenticated (sshd): `%s' as `%s' using %s", ruser, user, authorized_keys_file);
++                pamsshagentauth_logit("Authenticated (sshd): `%s' as `%s' using %s", ruser, user, authorized_keys_file_input);
+ 
+@@ -211,11 +208,12 @@
+         /*
+          * this pw_uid is used to validate the SSH_AUTH_SOCK, and so must be the uid of the ruser invoking the program, not the target-user
+          */
+-        if(pamsshagentauth_find_authorized_keys(user, ruser, servicename)) { /* getpwnam(ruser)->pw_uid)) { */
+-            pamsshagentauth_logit("Authenticated (agent): `%s' as `%s' using %s", ruser, user, authorized_keys_file);
++        const char *key_file;
++        if((key_file = pamsshagentauth_find_authorized_keys(user, ruser, servicename))) { /* getpwnam(ruser)->pw_uid)) { */
++            pamsshagentauth_logit("Authenticated (agent): `%s' as `%s' using %s", ruser, user, key_file);
+             retval = PAM_SUCCESS;
+         } else {
+-            pamsshagentauth_logit("Failed Authentication: `%s' as `%s' using %s", ruser, user, authorized_keys_file);
++            pamsshagentauth_logit("Failed Authentication: `%s' as `%s' using %s", ruser, user, authorized_keys_file_input);
+         }
+     } else {
+         pamsshagentauth_logit("No %s specified, cannot continue with this form of authentication", (user) ? "ruser" : "user" );
+@@ -208,7 +206,7 @@
+     free(__progname);
+ #endif
+ 
+-    free(authorized_keys_file);
++    free_authorized_key_files();
+ 
+     return retval;
+ }
+diff -u pam_ssh_agent_auth-0.10.3-orig/pam_ssh_agent_auth.pod pam_ssh_agent_auth-0.10.3/pam_ssh_agent_auth.pod
+--- pam_ssh_agent_auth-0.10.3-orig/pam_ssh_agent_auth.pod	2016-11-12 19:24:32.000000000 -0800
++++ pam_ssh_agent_auth-0.10.3/pam_ssh_agent_auth.pod	2017-03-02 23:52:28.914857449 -0800
+@@ -31,7 +31,7 @@
+ 
+ =item file=<path to authorized_keys>
+ 
+-Specify the path to the authorized_keys file(s) you would like to use for authentication. Subject to tilde and % EXPANSIONS (below) 
++Specify the path(s) to the authorized_keys file(s) you would like to use for authentication. Subject to tilde and % EXPANSIONS (below). Paths are separated using colons.
+ 
+ =item allow_user_owned_authorized_keys_file
+ 
+diff -u pam_ssh_agent_auth-0.10.3-orig/pam_user_authorized_keys.c pam_ssh_agent_auth-0.10.3/pam_user_authorized_keys.c
+--- pam_ssh_agent_auth-0.10.3-orig/pam_user_authorized_keys.c	2016-11-12 19:24:32.000000000 -0800
++++ pam_ssh_agent_auth-0.10.3/pam_user_authorized_keys.c	2017-03-03 00:07:45.201322570 -0800
+@@ -79,8 +79,12 @@
+ 
+ #include "identity.h"
+ #include "pam_user_key_allowed2.h"
++#include "pam_user_authorized_keys.h"
+ 
+-extern char *authorized_keys_file;
++#define MAX_AUTHORIZED_KEY_FILES 16
++
++char *authorized_keys_files[MAX_AUTHORIZED_KEY_FILES];
++unsigned int nr_authorized_keys_files = 0;
+ 
+ extern char *authorized_keys_command;
+ 
+@@ -91,79 +95,88 @@
+ uid_t authorized_keys_file_allowed_owner_uid;
+ 
+ void
+-parse_authorized_key_file(const char *user,
+-                          const char *authorized_keys_file_input)
++parse_authorized_key_files(const char *user,
++                           const char *authorized_keys_file_input)
+ {
+-    char fqdn[HOST_NAME_MAX] = "";
++    const char *pos = authorized_keys_file_input;
+     char hostname[HOST_NAME_MAX] = "";
+-    char auth_keys_file_buf[4096] = "";
+-    char *slash_ptr = NULL;
+-    char owner_uname[128] = "";
+-    size_t owner_uname_len = 0;
+-
+-    /* 
+-     * temporary copy, so that both tilde expansion and percent expansion both
+-     * get to apply to the path
+-     */
+-    strncat(auth_keys_file_buf, authorized_keys_file_input,
+-            sizeof(auth_keys_file_buf) - 1);
++    char fqdn[HOST_NAME_MAX] = "";
+ 
+-    if(allow_user_owned_authorized_keys_file)
+-        authorized_keys_file_allowed_owner_uid = getpwnam(user)->pw_uid;
++#if HAVE_GETHOSTNAME
++    *hostname = '\0';
++    gethostname(fqdn, HOST_NAME_MAX);
++    strncat(hostname, fqdn, strcspn(fqdn,"."));
++#endif
+ 
+-    if(*auth_keys_file_buf == '~') {
+-        if(*(auth_keys_file_buf + 1) == '/') {
+-            authorized_keys_file_allowed_owner_uid = getpwnam(user)->pw_uid;
++    while (pos) {
++        const char *colon = strchr(pos, ':');
++        char auth_keys_file_buf[4096] = "";
++        char *slash_ptr = NULL;
++        char owner_uname[128] = "";
++        size_t owner_uname_len = 0;
++
++        strncat(auth_keys_file_buf, pos, sizeof(auth_keys_file_buf) - 1);
++        if (colon) {
++            auth_keys_file_buf[colon - pos] = 0;
++            pos = colon + 1;
+         } else {
+-            slash_ptr = strchr(auth_keys_file_buf, '/');
+-            if(!slash_ptr)
+-                pamsshagentauth_fatal
+-                    ("cannot expand tilde in path without a `/'");
+-
+-            owner_uname_len = slash_ptr - auth_keys_file_buf - 1;
+-            if(owner_uname_len > (sizeof(owner_uname) - 1))
+-                pamsshagentauth_fatal("Username too long");
+-
+-            strncat(owner_uname, auth_keys_file_buf + 1, owner_uname_len);
+-            if(!authorized_keys_file_allowed_owner_uid)
+-                authorized_keys_file_allowed_owner_uid =
+-                    getpwnam(owner_uname)->pw_uid;
++            pos = 0;
++        }
++
++        if(allow_user_owned_authorized_keys_file)
++            authorized_keys_file_allowed_owner_uid = getpwnam(user)->pw_uid;
++
++        if(*auth_keys_file_buf == '~') {
++            if(*(auth_keys_file_buf+1) == '/') {
++                authorized_keys_file_allowed_owner_uid = getpwnam(user)->pw_uid;
++            }
++            else {
++                slash_ptr = strchr(auth_keys_file_buf,'/');
++                if(!slash_ptr)
++                    pamsshagentauth_fatal("cannot expand tilde in path without a `/'");
++
++                owner_uname_len = slash_ptr - auth_keys_file_buf - 1;
++                if(owner_uname_len > (sizeof(owner_uname) - 1) )
++                    pamsshagentauth_fatal("Username too long");
++
++                strncat(owner_uname, auth_keys_file_buf + 1, owner_uname_len);
++                if(!authorized_keys_file_allowed_owner_uid)
++                    authorized_keys_file_allowed_owner_uid = getpwnam(owner_uname)->pw_uid;
++            }
++            char *tmp = pamsshagentauth_tilde_expand_filename(auth_keys_file_buf, authorized_keys_file_allowed_owner_uid);
++            strncpy(auth_keys_file_buf, tmp, sizeof(auth_keys_file_buf) - 1 );
++            pamsshagentauth_xfree(tmp);
+         }
+-        authorized_keys_file =
+-            pamsshagentauth_tilde_expand_filename(auth_keys_file_buf,
+-                                                  authorized_keys_file_allowed_owner_uid);
+-        strncpy(auth_keys_file_buf, authorized_keys_file,
+-                sizeof(auth_keys_file_buf) - 1);
+-        pamsshagentauth_xfree(authorized_keys_file)        /* when we
+-                                                              percent_expand
+-                                                              later, we'd step
+-                                                              on this, so free
+-                                                              it immediately */ ;
+-    }
+ 
+-    if(strstr(auth_keys_file_buf, "%h")) {
+-        authorized_keys_file_allowed_owner_uid = getpwnam(user)->pw_uid;
++        if(strstr(auth_keys_file_buf, "%h")) {
++            authorized_keys_file_allowed_owner_uid = getpwnam(user)->pw_uid;
++        }
++
++        if (nr_authorized_keys_files >= MAX_AUTHORIZED_KEY_FILES)
++            pamsshagentauth_fatal("Too many authorized key files");
++        authorized_keys_files[nr_authorized_keys_files++] =
++            pamsshagentauth_percent_expand(auth_keys_file_buf, "h", getpwnam(user)->pw_dir, "H", hostname, "f", fqdn, "u", user, NULL);
+     }
+-#if HAVE_GETHOSTNAME
+-    *hostname = '\0';
+-    gethostname(fqdn, HOST_NAME_MAX);
+-    strncat(hostname, fqdn, strcspn(fqdn, "."));
+-#endif
+-    authorized_keys_file =
+-        pamsshagentauth_percent_expand(auth_keys_file_buf, "h",
+-                                       getpwnam(user)->pw_dir, "H", hostname,
+-                                       "f", fqdn, "u", user, NULL);
+ }
+ 
+-int
++void
++free_authorized_key_files()
++{
++    unsigned int n;
++    for (n = 0; n < nr_authorized_keys_files; n++)
++        free(authorized_keys_files[n]);
++    nr_authorized_keys_files = 0;
++}
++
++const char *
+ pam_user_key_allowed(const char *ruser, Key * key)
+ {
+-    return
+-        pamsshagentauth_user_key_allowed2(getpwuid(authorized_keys_file_allowed_owner_uid),
+-                                          key, authorized_keys_file)
+-        || pamsshagentauth_user_key_allowed2(getpwuid(0), key,
+-                                             authorized_keys_file)
+-        || pamsshagentauth_user_key_command_allowed2(authorized_keys_command,
+-                                                     authorized_keys_command_user,
+-                                                     getpwnam(ruser), key);
++    unsigned int n;
++    for (n = 0; n < nr_authorized_keys_files; n++) {
++        if (pamsshagentauth_user_key_allowed2(getpwuid(authorized_keys_file_allowed_owner_uid), key, authorized_keys_files[n])
++            || pamsshagentauth_user_key_allowed2(getpwuid(0), key, authorized_keys_files[n])
++            || pamsshagentauth_user_key_command_allowed2(authorized_keys_command, authorized_keys_command_user, getpwnam(ruser), key))
++            return authorized_keys_files[n];
++    }
++    return 0;
+ }
+diff -u pam_ssh_agent_auth-0.10.3-orig/pam_user_authorized_keys.h pam_ssh_agent_auth-0.10.3/pam_user_authorized_keys.h
+--- pam_ssh_agent_auth-0.10.3-orig/pam_user_authorized_keys.h	2016-11-12 19:24:32.000000000 -0800
++++ pam_ssh_agent_auth-0.10.3/pam_user_authorized_keys.h	2017-03-03 00:09:17.256064914 -0800
+@@ -28,11 +28,12 @@
+  */
+ 
+ 
+-#ifndef _PAM_USER_KEY_ALLOWED_H
+-#define _PAM_USER_KEY_ALLOWED_H
++#ifndef _PAM_USER_AUTHORIZED_KEYS_H
++#define _PAM_USER_AUTHORIZED_KEYS_H
+ 
+ #include "identity.h"
+-int pam_user_key_allowed(const char *, Key *);
+-void parse_authorized_key_file(const char *, const char *);
++const char * pam_user_key_allowed(const char *, Key *);
++void parse_authorized_key_files(const char *, const char *);
++void free_authorized_key_files();
+ 
+ #endif
+diff -u pam_ssh_agent_auth-0.10.3-orig/userauth_pubkey_from_id.c pam_ssh_agent_auth-0.10.3/userauth_pubkey_from_id.c
+--- pam_ssh_agent_auth-0.10.3-orig/userauth_pubkey_from_id.c	2016-11-12 19:24:32.000000000 -0800
++++ pam_ssh_agent_auth-0.10.3/userauth_pubkey_from_id.c	2017-03-03 00:10:33.163545380 -0800
+@@ -52,7 +52,7 @@
+ extern uint8_t  session_id_len;
+  */
+ 
+-int
++const char *
+ userauth_pubkey_from_id(const char *ruser, Identity * id, Buffer * session_id2)
+ {
+     Buffer          b = { 0 };
+@@ -60,11 +60,12 @@
+     u_char         *pkblob = NULL, *sig = NULL;
+     u_int           blen = 0, slen = 0;
+     int             authenticated = 0;
++    const char     *key_file;
+ 
+     pkalg = (char *) key_ssh_name(id->key);
+ 
+     /* first test if this key is even allowed */
+-    if(! pam_user_key_allowed(ruser, id->key))
++    if(!(key_file = pam_user_key_allowed(ruser, id->key)))
+         goto user_auth_clean_exit;
+ 
+     if(pamsshagentauth_key_to_blob(id->key, &pkblob, &blen) == 0)
+@@ -97,5 +98,5 @@
+     if(pkblob != NULL)
+         pamsshagentauth_xfree(pkblob);
+     CRYPTO_cleanup_all_ex_data();
+-    return authenticated;
++    return authenticated ? key_file : 0;
+ }
+diff -u pam_ssh_agent_auth-0.10.3-orig/userauth_pubkey_from_id.h pam_ssh_agent_auth-0.10.3/userauth_pubkey_from_id.h
+--- pam_ssh_agent_auth-0.10.3-orig/userauth_pubkey_from_id.h	2016-11-12 19:24:32.000000000 -0800
++++ pam_ssh_agent_auth-0.10.3/userauth_pubkey_from_id.h	2017-03-03 00:10:59.067046872 -0800
+@@ -32,6 +32,6 @@
+ #define _USERAUTH_PUBKEY_FROM_ID_H
+ 
+ #include <identity.h>
+-int userauth_pubkey_from_id(const char *, Identity *, Buffer *);
++const char * userauth_pubkey_from_id(const char *, Identity *, Buffer *);
+ 
+ #endif
diff --git a/nixpkgs/pkgs/os-specific/linux/pam_tmpdir/default.nix b/nixpkgs/pkgs/os-specific/linux/pam_tmpdir/default.nix
new file mode 100644
index 000000000000..859ebedc3340
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/pam_tmpdir/default.nix
@@ -0,0 +1,36 @@
+{ lib, stdenv, fetchurl, autoreconfHook, pam }:
+
+stdenv.mkDerivation rec {
+  pname = "pam_tmpdir";
+  version = "0.09";
+
+  src = fetchurl {
+    url = "http://deb.debian.org/debian/pool/main/p/pam-tmpdir/pam-tmpdir_${version}.tar.gz";
+    hash = "sha256-MXa1CY6alD83E/Q+MJmsv8NaImWd0pPJKZd/7nbe4J8=";
+  };
+
+  postPatch = ''
+    substituteInPlace pam_tmpdir.c \
+      --replace /sbin/pam-tmpdir-helper $out/sbin/pam-tmpdir-helper
+
+    # chmod/chown fails on files in /nix/store
+    sed -i -E -e '/^\s*(chmod|chown)/d' Makefile.{am,in}
+
+    # the symlinks in m4 assume FHS
+    rm -rf m4
+  '';
+
+  nativeBuildInputs = [ autoreconfHook ];
+
+  buildInputs = [ pam ];
+
+  enableParallelBuilding = true;
+
+  meta = with lib; {
+    homepage = "https://tracker.debian.org/pkg/pam-tmpdir";
+    description = "PAM module for creating safe per-user temporary directories";
+    license = licenses.gpl2Only;
+    maintainers = with maintainers; [ peterhoeg ];
+    platforms = platforms.linux;
+  };
+}
diff --git a/nixpkgs/pkgs/os-specific/linux/pam_u2f/default.nix b/nixpkgs/pkgs/os-specific/linux/pam_u2f/default.nix
new file mode 100644
index 000000000000..085ff43a7935
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/pam_u2f/default.nix
@@ -0,0 +1,36 @@
+{ lib, stdenv, fetchurl, pkg-config, libfido2, pam, openssl }:
+
+stdenv.mkDerivation rec {
+  pname = "pam_u2f";
+  version = "1.3.0";
+
+  src     = fetchurl {
+    url = "https://developers.yubico.com/pam-u2f/Releases/${pname}-${version}.tar.gz";
+    sha256 = "sha256-cjYMaHVIXrTfQJ2o+PUrF4k/BeTZmFKcI4gUSA4RUiA=";
+  };
+
+  nativeBuildInputs = [ pkg-config ];
+  buildInputs = [ libfido2 pam openssl ];
+
+  preConfigure = ''
+    configureFlagsArray+=("--with-pam-dir=$out/lib/security")
+  '';
+
+  # a no-op makefile to prevent building the fuzz targets
+  postConfigure = ''
+    cat > fuzz/Makefile <<EOF
+    all:
+    install:
+    EOF
+  '';
+
+  meta = with lib; {
+    homepage = "https://developers.yubico.com/pam-u2f/";
+    description = "A PAM module for allowing authentication with a U2F device";
+    changelog = "https://github.com/Yubico/pam-u2f/raw/pam_u2f-${version}/NEWS";
+    license = licenses.bsd2;
+    platforms = platforms.unix;
+    maintainers = with maintainers; [ philandstuff ];
+    mainProgram = "pamu2fcfg";
+  };
+}
diff --git a/nixpkgs/pkgs/os-specific/linux/pam_usb/default.nix b/nixpkgs/pkgs/os-specific/linux/pam_usb/default.nix
new file mode 100644
index 000000000000..1264894ad0c9
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/pam_usb/default.nix
@@ -0,0 +1,81 @@
+{ lib, stdenv, fetchurl, makeWrapper, dbus, libxml2, pam, pkg-config, pmount, python2Packages, writeScript, runtimeShell }:
+
+let
+
+  # Search in the environment if the same program exists with a set uid or
+  # set gid bit.  If it exists, run the first program found, otherwise run
+  # the default binary.
+  useSetUID = drv: path:
+    let
+      name = baseNameOf path;
+      bin = "${drv}${path}";
+    in assert name != "";
+      writeScript "setUID-${name}" ''
+        #!${runtimeShell}
+        inode=$(stat -Lc %i ${bin})
+        for file in $(type -ap ${name}); do
+          case $(stat -Lc %a $file) in
+            ([2-7][0-7][0-7][0-7])
+              if test -r "$file".real; then
+                orig=$(cat "$file".real)
+                if test $inode = $(stat -Lc %i "$orig"); then
+                  exec "$file" "$@"
+                fi
+              fi;;
+          esac
+        done
+        exec ${bin} "$@"
+      '';
+
+  pmountBin = useSetUID pmount "/bin/pmount";
+  pumountBin = useSetUID pmount "/bin/pumount";
+  inherit (python2Packages) python dbus-python;
+in
+
+stdenv.mkDerivation rec {
+  pname = "pam_usb";
+  version = "0.5.0";
+
+  src = fetchurl {
+    url = "mirror://sourceforge/pamusb/pam_usb-${version}.tar.gz";
+    sha256 = "1g1w0s9d8mfld8abrn405ll5grv3xgs0b0hsganrz6qafdq9j7q1";
+  };
+
+  nativeBuildInputs = [
+    makeWrapper
+    pkg-config
+  ];
+
+  buildInputs = [
+    # pam_usb dependencies
+    dbus libxml2 pam pmount
+    # pam_usb's tools dependencies
+    python
+    # cElementTree is included with python 2.5 and later.
+  ];
+
+  preBuild = ''
+    makeFlagsArray=(DESTDIR=$out)
+    substituteInPlace ./src/volume.c \
+      --replace 'pmount' '${pmountBin}' \
+      --replace 'pumount' '${pumountBin}'
+  '';
+
+  # pmount is append to the PATH because pmounts binaries should have a set uid bit.
+  postInstall = ''
+    mv $out/usr/* $out/. # fix color */
+    rm -rf $out/usr
+    for prog in $out/bin/pamusb-conf $out/bin/pamusb-agent; do
+      substituteInPlace $prog --replace '/usr/bin/env python' '/bin/python'
+      wrapProgram $prog \
+        --prefix PYTHONPATH : "$(toPythonPath ${dbus-python})"
+    done
+  '';
+
+  meta = {
+    homepage = "http://pamusb.org/";
+    description = "Authentication using USB Flash Drives";
+    license = lib.licenses.gpl2;
+    platforms = lib.platforms.linux;
+  };
+}
diff --git a/nixpkgs/pkgs/os-specific/linux/pam_ussh/default.nix b/nixpkgs/pkgs/os-specific/linux/pam_ussh/default.nix
new file mode 100644
index 000000000000..028b33bc9316
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/pam_ussh/default.nix
@@ -0,0 +1,65 @@
+{ buildGoModule
+, fetchFromGitHub
+, pam
+, lib
+, nixosTests
+}:
+
+buildGoModule rec {
+  pname = "pam_ussh";
+  version = "unstable-20210615";
+
+  src = fetchFromGitHub {
+    owner = "uber";
+    repo = "pam-ussh";
+    rev = "e9524bda90ba19d3b9eb24f49cb63a6a56a19193";  # HEAD as of 2022-03-13
+    sha256 = "0nb9hpqbghgi3zvq41kabydzyc6ffaaw9b4jkc5jrwn1klpw1xk8";
+  };
+
+  preBuild = ''
+    cp ${./go.mod} go.mod
+    cp ${./go.sum} go.sum
+  '';
+
+  vendorHash = "sha256-fOIzJuTXiDNJak5ilgI2KnPOCogbFWTlPL3yNQdzUUI=";
+
+  buildInputs = [
+    pam
+  ];
+
+  buildPhase = ''
+    runHook preBuild
+
+    if [ -z "$enableParallelBuilding" ]; then
+      export NIX_BUILD_CORES=1
+    fi
+    go build -buildmode=c-shared -o pam_ussh.so -v -p $NIX_BUILD_CORES .
+
+    runHook postBuild
+  '';
+  checkPhase = ''
+    runHook preCheck
+
+    go test -v -p $NIX_BUILD_CORES .
+
+    runHook postCheck
+  '';
+  installPhase = ''
+    runHook preInstall
+
+    mkdir -p $out/lib/security
+    cp pam_ussh.so $out/lib/security
+
+    runHook postInstall
+  '';
+
+  passthru.tests = { inherit (nixosTests) pam-ussh; };
+
+  meta = with lib; {
+    homepage = "https://github.com/uber/pam-ussh";
+    description = "PAM module to authenticate using SSH certificates";
+    license = licenses.mit;
+    platforms = platforms.linux;
+    maintainers = with maintainers; [ lukegb ];
+  };
+}
diff --git a/nixpkgs/pkgs/os-specific/linux/pam_ussh/go.mod b/nixpkgs/pkgs/os-specific/linux/pam_ussh/go.mod
new file mode 100644
index 000000000000..9adc453560a4
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/pam_ussh/go.mod
@@ -0,0 +1,15 @@
+module github.com/uber/pam-ussh
+
+go 1.17
+
+require (
+	github.com/stretchr/testify v1.7.0
+	golang.org/x/crypto v0.0.0-20220313003712-b769efc7c000
+)
+
+require (
+	github.com/davecgh/go-spew v1.1.0 // indirect
+	github.com/pmezard/go-difflib v1.0.0 // indirect
+	golang.org/x/sys v0.0.0-20210615035016-665e8c7367d1 // indirect
+	gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c // indirect
+)
diff --git a/nixpkgs/pkgs/os-specific/linux/pam_ussh/go.sum b/nixpkgs/pkgs/os-specific/linux/pam_ussh/go.sum
new file mode 100644
index 000000000000..0df3145edbd5
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/pam_ussh/go.sum
@@ -0,0 +1,22 @@
+github.com/davecgh/go-spew v1.1.0 h1:ZDRjVQ15GmhC3fiQ8ni8+OwkZQO4DARzQgrnXU1Liz8=
+github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
+github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM=
+github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
+github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=
+github.com/stretchr/testify v1.7.0 h1:nwc3DEeHmmLAfoZucVR881uASk0Mfjw8xYJ99tb5CcY=
+github.com/stretchr/testify v1.7.0/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
+golang.org/x/crypto v0.0.0-20220313003712-b769efc7c000 h1:SL+8VVnkqyshUSz5iNnXtrBQzvFF2SkROm6t5RczFAE=
+golang.org/x/crypto v0.0.0-20220313003712-b769efc7c000/go.mod h1:IxCIyHEi3zRg3s0A5j5BB6A9Jmi73HwBIUl50j+osU4=
+golang.org/x/net v0.0.0-20211112202133-69e39bad7dc2/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y=
+golang.org/x/sys v0.0.0-20201119102817-f84b799fce68/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20210423082822-04245dca01da/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20210615035016-665e8c7367d1 h1:SrN+KX8Art/Sf4HNj6Zcz06G7VEz+7w9tdXTPOZ7+l4=
+golang.org/x/sys v0.0.0-20210615035016-665e8c7367d1/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1 h1:v+OssWQX+hTHEmOBgwxdZxK4zHq3yOs8F9J7mk0PY8E=
+golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo=
+golang.org/x/text v0.3.6/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
+golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
+gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405 h1:yhCVgyC4o1eVCa2tZl7eS0r+SDo693bJlVdllGtEeKM=
+gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
+gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c h1:dUUwHk2QECo/6vqA44rthZ8ie2QXMNeKRTHCNY2nXvo=
+gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
diff --git a/nixpkgs/pkgs/os-specific/linux/pax-utils/default.nix b/nixpkgs/pkgs/os-specific/linux/pax-utils/default.nix
new file mode 100644
index 000000000000..dcecfa4c13b8
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/pax-utils/default.nix
@@ -0,0 +1,57 @@
+{ stdenv
+, lib
+, fetchgit
+, buildPackages
+, docbook_xml_dtd_44
+, docbook_xsl
+, withLibcap ? stdenv.isLinux, libcap
+, pkg-config
+, meson
+, ninja
+, xmlto
+, python3
+
+, gitUpdater
+}:
+
+stdenv.mkDerivation rec {
+  pname = "pax-utils";
+  version = "1.3.7";
+
+  src = fetchgit {
+    url = "https://anongit.gentoo.org/git/proj/pax-utils.git";
+    rev = "v${version}";
+    hash = "sha256-WyNng+UtfRz1+Eu4gwXLxUvBAg+m3mdrc8GdEPYRKVE=";
+  };
+
+  strictDeps = true;
+
+  mesonFlags = [
+    (lib.mesonEnable "use_libcap" withLibcap)
+  ];
+
+  depsBuildBuild = [ buildPackages.stdenv.cc ];
+  nativeBuildInputs = [ docbook_xml_dtd_44 docbook_xsl meson ninja pkg-config xmlto ];
+  buildInputs = lib.optionals withLibcap [ libcap ];
+  # Needed for lddtree
+  propagatedBuildInputs = [ (python3.withPackages (p: with p; [ pyelftools ])) ];
+
+  passthru.updateScript = gitUpdater {
+    url = "https://anongit.gentoo.org/git/proj/pax-utils.git";
+    rev-prefix = "v";
+  };
+
+  meta = with lib; {
+    description = "ELF utils that can check files for security relevant properties";
+    longDescription = ''
+      A suite of ELF tools to aid auditing systems. Contains
+      various ELF related utils for ELF32, ELF64 binaries useful
+      for displaying PaX and security info on a large groups of
+      binary files.
+    '';
+    homepage = "https://wiki.gentoo.org/wiki/Hardened/PaX_Utilities";
+    license = licenses.gpl2Only;
+    platforms = platforms.unix;
+    maintainers = with maintainers; [ thoughtpolice joachifm ];
+  };
+}
diff --git a/nixpkgs/pkgs/os-specific/linux/paxctl/default.nix b/nixpkgs/pkgs/os-specific/linux/paxctl/default.nix
new file mode 100644
index 000000000000..da9928a66e3b
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/paxctl/default.nix
@@ -0,0 +1,34 @@
+{ fetchurl, lib, stdenv, elf-header }:
+
+stdenv.mkDerivation rec {
+  pname = "paxctl";
+  version = "0.9";
+
+  src = fetchurl {
+    url = "https://pax.grsecurity.net/${pname}-${version}.tar.gz";
+    sha256 = "0biw882fp1lmgs6kpxznp1v6758r7dg9x8iv5a06k0b82bcdsc53";
+  };
+
+  buildInputs = [ elf-header ];
+
+  preBuild = ''
+    sed -i Makefile \
+      -e 's|--owner 0 --group 0||g' \
+      -e '/CC:=gcc/d'
+  '';
+
+  makeFlags = [
+    "DESTDIR=$(out)"
+    "MANDIR=share/man/man1"
+  ];
+
+  setupHook = ./setup-hook.sh;
+
+  meta = with lib; {
+    description = "A tool for controlling PaX flags on a per binary basis";
+    homepage    = "https://pax.grsecurity.net";
+    license     = licenses.gpl2;
+    platforms   = platforms.all;
+    maintainers = with maintainers; [ thoughtpolice ];
+  };
+}
diff --git a/nixpkgs/pkgs/os-specific/linux/paxctl/setup-hook.sh b/nixpkgs/pkgs/os-specific/linux/paxctl/setup-hook.sh
new file mode 100644
index 000000000000..11a6bb9910f9
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/paxctl/setup-hook.sh
@@ -0,0 +1,8 @@
+# PaX-mark binaries.
+paxmark() {
+    local flags="$1"
+    shift
+
+    paxctl -c "$@"
+    paxctl -zex -${flags} "$@"
+}
diff --git a/nixpkgs/pkgs/os-specific/linux/paxtest/default.nix b/nixpkgs/pkgs/os-specific/linux/paxtest/default.nix
new file mode 100644
index 000000000000..aae8c1296c63
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/paxtest/default.nix
@@ -0,0 +1,24 @@
+{ lib, stdenv, fetchurl, paxctl }:
+
+stdenv.mkDerivation rec {
+  pname = "paxtest";
+  version = "0.9.15";
+
+  src = fetchurl {
+    url    = "https://www.grsecurity.net/~spender/${pname}-${version}.tar.gz";
+    sha256 = "0zv6vlaszlik98gj9200sv0irvfzrvjn46rnr2v2m37x66288lym";
+  };
+
+  enableParallelBuilding = true;
+
+  makefile     = "Makefile.psm";
+  makeFlags    = [ "PAXBIN=${paxctl}/bin/paxctl" "BINDIR=$(out)/bin" "RUNDIR=$(out)/lib/paxtest" ];
+  installFlags = [ "DESTDIR=\"\"" ];
+
+  meta = with lib; {
+    description = "Test various memory protection measures";
+    license     = licenses.gpl2;
+    platforms   = platforms.linux;
+    maintainers = with maintainers; [ copumpkin joachifm ];
+  };
+}
diff --git a/nixpkgs/pkgs/os-specific/linux/pcimem/default.nix b/nixpkgs/pkgs/os-specific/linux/pcimem/default.nix
new file mode 100644
index 000000000000..dda4d0fff0b9
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/pcimem/default.nix
@@ -0,0 +1,30 @@
+{ lib, stdenv, fetchFromGitHub }:
+
+stdenv.mkDerivation rec {
+  pname = "pcimem";
+  version = "unstable-2018-08-29";
+
+  src = fetchFromGitHub {
+    owner = "billfarrow";
+    repo = pname;
+    rev = "09724edb1783a98da2b7ae53c5aaa87493aabc9b";
+    sha256 = "0zlbvcl5q4hgna11p3w00px1p8qgn8ga79lh6a2m7d597g86kbq3";
+  };
+
+  outputs = [ "out" "doc" ];
+
+  makeFlags = [ "CFLAGS=-Wno-maybe-uninitialized" ];
+
+  installPhase = ''
+    install -D pcimem "$out/bin/pcimem"
+    install -D README "$doc/doc/README"
+  '';
+
+  meta = with lib; {
+    description = "Simple method of reading and writing to memory registers on a PCI card";
+    homepage = "https://github.com/billfarrow/pcimem";
+    license = licenses.gpl2Only;
+    platforms = platforms.linux;
+    maintainers = with maintainers; [ mafo ];
+  };
+}
diff --git a/nixpkgs/pkgs/os-specific/linux/pcm/default.nix b/nixpkgs/pkgs/os-specific/linux/pcm/default.nix
new file mode 100644
index 000000000000..fc5902e719ba
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/pcm/default.nix
@@ -0,0 +1,24 @@
+{ cmake, fetchFromGitHub, lib, stdenv }:
+
+stdenv.mkDerivation rec {
+  pname = "pcm";
+  version = "202307";
+
+  src = fetchFromGitHub {
+    owner = "opcm";
+    repo = "pcm";
+    rev = version;
+    hash = "sha256-GeLiJT5AwsMWw0ErdwD6C1jtUZjUxGw5GRSvenu3W18=";
+  };
+
+  nativeBuildInputs = [ cmake ];
+  enableParallelBuilding = true;
+
+  meta = with lib; {
+    description = "Processor counter monitor";
+    homepage = "https://www.intel.com/software/pcm";
+    license = licenses.bsd3;
+    maintainers = with maintainers; [ roosemberth ];
+    platforms = [ "x86_64-linux" ];
+  };
+}
diff --git a/nixpkgs/pkgs/os-specific/linux/pcmciautils/default.nix b/nixpkgs/pkgs/os-specific/linux/pcmciautils/default.nix
new file mode 100644
index 000000000000..b5f9d8a0a2c2
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/pcmciautils/default.nix
@@ -0,0 +1,55 @@
+{ config, lib, stdenv, fetchurl
+, bison, flex
+, sysfsutils, kmod, udev
+, firmware   ? config.pcmciaUtils.firmware or [] # Special pcmcia cards.
+, configOpts ? config.pcmciaUtils.config or null # Special hardware (map memory & port & irq)
+}:                   # used to generate postInstall script.
+
+# FIXME: should add an option to choose between hotplug and udev.
+stdenv.mkDerivation rec {
+  pname = "pcmciautils";
+  version = "018";
+
+  src = fetchurl {
+    url = "https://kernel.org/pub/linux/utils/kernel/pcmcia/pcmciautils-${version}.tar.gz";
+    sha256 = "0sfm3w2n73kl5w7gb1m6q8gy5k4rgwvzz79n6yhs9w3sag3ix8sk";
+  };
+
+  buildInputs = [udev bison sysfsutils kmod flex];
+
+  patchPhase = ''
+    sed -i "
+      s,/sbin/modprobe,${kmod}&,;
+      s,/lib/udev/,$out/sbin/,;
+    " udev/* # fix-color */
+    sed -i "
+      s,/lib/firmware,$out&,;
+      s,/etc/pcmcia,$out&,;
+    " src/{startup.c,pcmcia-check-broken-cis.c} # fix-color */
+  ''
+  + (lib.optionalString (firmware == []) ''sed -i "s,STARTUP = true,STARTUP = false," Makefile'')
+  + (lib.optionalString (configOpts != null) "ln -sf ${configOpts} ./config/config.opts")
+  ;
+
+  makeFlags = [ "LEX=flex" ];
+  installFlags = [ "INSTALL=install" "DESTDIR=${placeholder "out"}" ];
+  postInstall =
+    lib.concatMapStrings (path: ''
+      for f in : $(find ${path} -type f); do
+        test "$f" == ":" && continue;
+        mkdir -p $(dirname $out/lib/firmware/$\{f#${path}});
+        ln -s $f $out/lib/firmware/$\{f#${path}};
+      done;
+    '') firmware;
+
+  meta = {
+    homepage = "https://www.kernel.org/pub/linux/utils/kernel/pcmcia/";
+    longDescription = "
+      PCMCIAutils contains the initialization tools necessary to allow
+      the PCMCIA subsystem to behave (almost) as every other
+      hotpluggable bus system.
+    ";
+    license = lib.licenses.gpl2;
+    platforms = lib.platforms.linux;
+  };
+}
diff --git a/nixpkgs/pkgs/os-specific/linux/perf-tools/default.nix b/nixpkgs/pkgs/os-specific/linux/perf-tools/default.nix
new file mode 100644
index 000000000000..8c3e31e45384
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/perf-tools/default.nix
@@ -0,0 +1,45 @@
+{ lib, stdenv, fetchFromGitHub, perl }:
+
+stdenv.mkDerivation {
+  pname = "perf-tools";
+  version = "unstable-2017-12-19";
+
+  src = fetchFromGitHub {
+    owner = "brendangregg";
+    repo = "perf-tools";
+    rev = "98d42a2a1493d2d1c651a5c396e015d4f082eb20";
+    sha256 = "09qnss9pd4kr6qadvp62m2g8sfrj86fksi1rr8m8w4314pzfb93c";
+  };
+
+  buildInputs = [ perl ];
+
+  patchPhase =
+    ''
+      for i in execsnoop iolatency iosnoop kernel/funcslower killsnoop opensnoop; do
+        substituteInPlace $i \
+          --replace /usr/bin/gawk "$(type -p gawk)" \
+          --replace /usr/bin/mawk /no-such-path \
+          --replace /usr/bin/getconf "$(type -p getconf)" \
+          --replace awk=awk "awk=$(type -p gawk)"
+      done
+
+      rm -rf examples deprecated
+    '';
+
+  installPhase =
+    ''
+      d=$out/libexec/perf-tools
+      mkdir -p $d $out/share
+      cp -prvd . $d/
+      ln -s $d/bin $out/bin
+      mv $d/man $out/share/
+    '';
+
+  meta = with lib; {
+    platforms = platforms.linux;
+    homepage = "https://github.com/brendangregg/perf-tools";
+    description = "Performance analysis tools based on Linux perf_events (aka perf) and ftrace";
+    maintainers = [ maintainers.eelco ];
+    license = licenses.gpl2Plus;
+  };
+}
diff --git a/nixpkgs/pkgs/os-specific/linux/pflask/default.nix b/nixpkgs/pkgs/os-specific/linux/pflask/default.nix
new file mode 100644
index 000000000000..1270a9b9494f
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/pflask/default.nix
@@ -0,0 +1,38 @@
+{ lib, stdenv, fetchFromGitHub, fetchpatch, python3, wafHook }:
+
+stdenv.mkDerivation rec {
+  pname = "pflask";
+  version = "unstable-2018-01-23";
+
+  src = fetchFromGitHub {
+    owner = "ghedo";
+    repo = pname;
+    rev = "9ac31ffe2ed29453218aac89ae992abbd6e7cc69";
+    hash = "sha256-bAKPUj/EipZ98kHbZiFZZI3hLVMoQpCrYKMmznpSDhg=";
+  };
+
+  patches = [
+    # Pull patch pending upstream inclusion for -fno-common toolchain support:
+    #  https://github.com/ghedo/pflask/pull/30
+    (fetchpatch {
+      name = "fno-common.patch";
+      url = "https://github.com/ghedo/pflask/commit/73ba32ec48e1e0e4a56b1bceed4635711526e079.patch";
+      hash = "sha256-KVuBS7LbYJQv6NXljpSiGGja7ar7W6A6SKzkEjB1B6U=";
+    })
+  ];
+
+  nativeBuildInputs = [ python3 wafHook ];
+
+  postInstall = ''
+    mkdir -p $out/bin
+    cp build/pflask $out/bin
+  '';
+
+  meta = {
+    description = "Lightweight process containers for Linux";
+    homepage = "https://ghedo.github.io/pflask/";
+    license = lib.licenses.bsd2;
+    platforms = lib.platforms.linux;
+    maintainers = with lib.maintainers; [ ];
+  };
+}
diff --git a/nixpkgs/pkgs/os-specific/linux/phc-intel/default.nix b/nixpkgs/pkgs/os-specific/linux/phc-intel/default.nix
new file mode 100644
index 000000000000..a0d43b2e0e36
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/phc-intel/default.nix
@@ -0,0 +1,52 @@
+{ lib, stdenv, fetchurl, kernel, which }:
+
+# Don't bother with older versions, though some might even work:
+assert lib.versionAtLeast kernel.version "4.10";
+
+let
+  release = "0.4.0";
+  revbump = "rev25"; # don't forget to change forum download id...
+in stdenv.mkDerivation rec {
+  name = "linux-phc-intel-${version}-${kernel.version}";
+  version = "${release}-${revbump}";
+
+  src = fetchurl {
+    sha256 = "1w91hpphd8i0br7g5qra26jdydqar45zqwq6jq8yyz6l0vb10zlz";
+    url = "http://www.linux-phc.org/forum/download/file.php?id=194";
+    name = "phc-intel-pack-${revbump}.tar.bz2";
+  };
+
+  nativeBuildInputs = [ which ] ++ kernel.moduleBuildDependencies;
+
+  hardeningDisable = [ "pic" ];
+
+  makeFlags = with kernel; [
+    "DESTDIR=$(out)"
+    "KERNELSRC=${dev}/lib/modules/${modDirVersion}/build"
+  ];
+
+  configurePhase = ''
+    make $makeFlags brave
+  '';
+
+  enableParallelBuilding = false;
+
+  installPhase = ''
+    install -m 755   -d $out/lib/modules/${kernel.modDirVersion}/extra/
+    install -m 644 *.ko $out/lib/modules/${kernel.modDirVersion}/extra/
+  '';
+
+  meta = with lib; {
+    description = "Undervolting kernel driver for Intel processors";
+    longDescription = ''
+      PHC is a Linux kernel patch to undervolt processors. This can divide the
+      power consumption of the CPU by two or more, increasing battery life
+      while noticably reducing fan noise. This driver works only on supported
+      Intel architectures.
+    '';
+    homepage = "https://github.com/danielw86dev/phc-intel-dkms";
+    license = licenses.gpl2;
+    platforms = [ "x86_64-linux" "i686-linux" ];
+    broken = lib.versionAtLeast kernel.version "4.18";
+  };
+}
diff --git a/nixpkgs/pkgs/os-specific/linux/picoprobe-udev-rules/default.nix b/nixpkgs/pkgs/os-specific/linux/picoprobe-udev-rules/default.nix
new file mode 100644
index 000000000000..4a651bf473e5
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/picoprobe-udev-rules/default.nix
@@ -0,0 +1,32 @@
+{ lib, stdenv, fetchurl }:
+
+## Usage
+# In NixOS, simply add this package to services.udev.packages:
+#   services.udev.packages = [ pkgs.picoprobe-udev-rules ];
+
+stdenv.mkDerivation rec {
+  pname = "picoprobe-udev-rules";
+  version = "unstable-2023-01-31";
+
+  src = fetchurl {
+    url = "https://raw.githubusercontent.com/probe-rs/webpage/1cba61acc6ecb5ff96f74641269844ad88ad8ad5/static/files/69-probe-rs.rules";
+    sha256 = "sha256-vQMPX3Amttja0u03KWGnPDAVTGM9ekJ+IBTjW+xlJS0=";
+  };
+
+  dontUnpack = true;
+  dontBuild = true;
+
+  installPhase = ''
+    runHook preInstall
+    install -D $src $out/lib/udev/rules.d/69-probe-rs.rules
+    runHook postInstall
+  '';
+
+  meta = with lib; {
+    homepage = "https://probe.rs/docs/getting-started/probe-setup/#udev-rules";
+    description = "Picoprobe udev rules list";
+    platforms = platforms.linux;
+    license = licenses.gpl2Only;
+    maintainers = with maintainers; [ mglolenstine ];
+  };
+}
diff --git a/nixpkgs/pkgs/os-specific/linux/piper/default.nix b/nixpkgs/pkgs/os-specific/linux/piper/default.nix
new file mode 100644
index 000000000000..39b0eaf5325e
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/piper/default.nix
@@ -0,0 +1,41 @@
+{ lib, meson, ninja, pkg-config, gettext, fetchFromGitHub, python3
+, wrapGAppsHook, gtk3, glib, desktop-file-utils, appstream-glib, gnome
+, gobject-introspection, librsvg }:
+
+python3.pkgs.buildPythonApplication rec {
+  pname = "piper";
+  version = "0.7";
+
+  format = "other";
+
+  src = fetchFromGitHub {
+    owner  = "libratbag";
+    repo   = "piper";
+    rev    =  version;
+    sha256 = "0jsvfy0ihdcgnqljfgs41lys1nlz18qvsa0a8ndx3pyr41f8w8wf";
+  };
+
+  nativeBuildInputs = [ meson ninja gettext pkg-config wrapGAppsHook desktop-file-utils appstream-glib gobject-introspection ];
+  buildInputs = [
+    gtk3 glib gnome.adwaita-icon-theme python3 librsvg
+  ];
+  propagatedBuildInputs = with python3.pkgs; [ lxml evdev pygobject3 ];
+
+  mesonFlags = [
+    "-Druntime-dependency-checks=false"
+    "-Dtests=false"
+  ];
+
+  postPatch = ''
+    chmod +x meson_install.sh # patchShebangs requires executable file
+    patchShebangs meson_install.sh data/generate-piper-gresource.xml.py
+  '';
+
+  meta = with lib; {
+    description = "GTK frontend for ratbagd mouse config daemon";
+    homepage    = "https://github.com/libratbag/piper";
+    license     = licenses.gpl2;
+    maintainers = with maintainers; [ mvnetbiz ];
+    platforms   = platforms.linux;
+  };
+}
diff --git a/nixpkgs/pkgs/os-specific/linux/pipework/default.nix b/nixpkgs/pkgs/os-specific/linux/pipework/default.nix
new file mode 100644
index 000000000000..3591303a8d0c
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/pipework/default.nix
@@ -0,0 +1,27 @@
+{ stdenv, lib, fetchFromGitHub, makeWrapper
+, bridge-utils, iproute2, lxc, openvswitch, docker, busybox, dhcpcd
+}:
+
+stdenv.mkDerivation {
+  pname = "pipework";
+  version = "2017-08-22";
+  src = fetchFromGitHub {
+    owner = "jpetazzo";
+    repo = "pipework";
+    rev = "ae42f1b5fef82b3bc23fe93c95c345e7af65fef3";
+    sha256 = "0c342m0bpq6ranr7dsxk9qi5mg3j5aw9wv85ql8gprdb2pz59qy8";
+  };
+  nativeBuildInputs = [ makeWrapper ];
+  installPhase = ''
+    install -D pipework $out/bin/pipework
+    wrapProgram $out/bin/pipework --prefix PATH : \
+      ${lib.makeBinPath [ bridge-utils iproute2 lxc openvswitch docker busybox dhcpcd ]};
+  '';
+  meta = with lib; {
+    description = "Software-Defined Networking tools for LXC";
+    homepage = "https://github.com/jpetazzo/pipework";
+    license = licenses.asl20;
+    platforms = platforms.linux;
+    maintainers = with maintainers; [ ];
+  };
+}
diff --git a/nixpkgs/pkgs/os-specific/linux/pktgen/default.nix b/nixpkgs/pkgs/os-specific/linux/pktgen/default.nix
new file mode 100644
index 000000000000..b81bf74a3d9e
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/pktgen/default.nix
@@ -0,0 +1,75 @@
+{ stdenv
+, lib
+, fetchFromGitHub
+, fetchpatch
+, meson
+, ninja
+, pkg-config
+, dpdk
+, libbsd
+, libpcap
+, lua5_3
+, numactl
+, util-linux
+, gtk2
+, which
+, withGtk ? false
+}:
+
+stdenv.mkDerivation rec {
+  pname = "pktgen";
+  version = "22.07.1";
+
+  src = fetchFromGitHub {
+    owner = "pktgen";
+    repo = "Pktgen-DPDK";
+    rev = "pktgen-${version}";
+    sha256 = "sha256-wBLGwVdn3ymUTVv7J/kbQYz4WNIgV246PHg51+FStUo=";
+  };
+
+  patches = [
+    (fetchpatch {
+      # Ealier DPDK deprecated some macros, which were finally removed in >= 22.11
+      url = "https://github.com/pktgen/Pktgen-DPDK/commit/089ef94ac04629f7380f5e618443bcacb2cef5ab.patch";
+      sha256 = "sha256-ITU/dIfu7QPpdIVYuCuDhDG9rVF+n8i1YYn9bFmQUME=";
+    })
+  ];
+
+  nativeBuildInputs = [ meson ninja pkg-config ];
+
+  buildInputs = [
+    dpdk libbsd libpcap lua5_3 numactl which
+  ] ++ lib.optionals withGtk [
+    gtk2
+  ];
+
+  RTE_SDK = dpdk;
+  GUI = lib.optionalString withGtk "true";
+
+  env.NIX_CFLAGS_COMPILE = toString [
+    # Needed with GCC 12
+    "-Wno-error=address"
+    "-Wno-error=use-after-free"
+  ];
+
+  # requires symbols from this file
+  NIX_LDFLAGS = "-lrte_net_bond";
+
+  postPatch = ''
+    substituteInPlace lib/common/lscpu.h --replace /usr/bin/lscpu ${util-linux}/bin/lscpu
+  '';
+
+  postInstall = ''
+    # meson installs unneeded files with conflicting generic names, such as
+    # include/cli.h and lib/liblua.so.
+    rm -rf $out/include $out/lib
+  '';
+
+  meta = with lib; {
+    description = "Traffic generator powered by DPDK";
+    homepage = "http://dpdk.org/";
+    license = licenses.bsdOriginal;
+    platforms =  platforms.linux;
+    maintainers = [ maintainers.abuibrahim ];
+  };
+}
diff --git a/nixpkgs/pkgs/os-specific/linux/ply/default.nix b/nixpkgs/pkgs/os-specific/linux/ply/default.nix
new file mode 100644
index 000000000000..dbd8925a5cb3
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/ply/default.nix
@@ -0,0 +1,39 @@
+{ lib, stdenv, kernel, fetchFromGitHub, autoreconfHook, bison, flex, p7zip, rsync }:
+
+stdenv.mkDerivation rec {
+  pname = "ply";
+  version = "2.1.1-${lib.substring 0 7 src.rev}";
+
+  nativeBuildInputs = [ autoreconfHook flex bison p7zip rsync ];
+
+  src = fetchFromGitHub {
+    owner = "iovisor";
+    repo = "ply";
+    rev = "e25c9134b856cc7ffe9f562ff95caf9487d16b59";
+    sha256 = "1178z7vvnjwnlxc98g2962v16878dy7bd0b2njsgn4vqgrnia7i5";
+  };
+
+  preAutoreconf = ''
+    # If kernel sources are a folder (i.e. fetched from git), we just copy them in
+    # Since they are owned by uid 0 and read-only, we need to fix permissions
+    if [ -d ${kernel.src} ]; then
+      cp -r ${kernel.src} linux-${kernel.version}
+      chown -R $(whoami): linux-${kernel.version}
+      chmod -R a+w linux-${kernel.version}
+    else
+      # ply wants to install header files to its build directory
+      # use 7z to handle multiple archive formats transparently
+      7z x ${kernel.src} -so | 7z x -aoa -si -ttar
+    fi
+
+    configureFlagsArray+=(--with-kerneldir=$(echo $(pwd)/linux-*))
+    ./autogen.sh --prefix=$out
+  '';
+
+  meta = with lib; {
+    description = "Dynamic tracing in Linux";
+    homepage = "https://wkz.github.io/ply/";
+    license = [ licenses.gpl2Only ];
+    maintainers = with maintainers; [ mic92 mbbx6spp ];
+  };
+}
diff --git a/nixpkgs/pkgs/os-specific/linux/plymouth/add-runtime-plugin-path.patch b/nixpkgs/pkgs/os-specific/linux/plymouth/add-runtime-plugin-path.patch
new file mode 100644
index 000000000000..e4bd095bfd83
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/plymouth/add-runtime-plugin-path.patch
@@ -0,0 +1,67 @@
+diff --git a/meson.build b/meson.build
+index 650ad189..1e1ebe1d 100644
+--- a/meson.build
++++ b/meson.build
+@@ -18,6 +18,11 @@ plymouth_time_dir = get_option('prefix') / get_option('localstatedir') / 'lib' /
+ 
+ plymouth_runtime_dir = get_option('runstatedir') / 'plymouth'
+ plymouth_runtime_theme_path = plymouth_runtime_dir / 'themes/'
++if get_option('runtime-plugins')
++  plymouth_runtime_plugin_path = plymouth_runtime_dir / 'plugins/'
++else
++  plymouth_runtime_plugin_path = plymouth_plugin_path
++endif
+ 
+ # Dependencies
+ cc = meson.get_compiler('c')
+@@ -76,7 +81,7 @@ conf.set('PLY_ENABLE_TRACING', get_option('tracing'))
+ conf.set_quoted('PLYMOUTH_RUNTIME_DIR', plymouth_runtime_dir)
+ conf.set_quoted('PLYMOUTH_THEME_PATH', plymouth_theme_path)
+ conf.set_quoted('PLYMOUTH_RUNTIME_THEME_PATH', plymouth_runtime_theme_path)
+-conf.set_quoted('PLYMOUTH_PLUGIN_PATH', plymouth_plugin_path)
++conf.set_quoted('PLYMOUTH_PLUGIN_PATH', plymouth_runtime_plugin_path)
+ conf.set_quoted('PLYMOUTH_POLICY_DIR', plymouth_policy_dir)
+ conf.set_quoted('PLYMOUTH_CONF_DIR', plymouth_conf_dir)
+ conf.set_quoted('PLYMOUTH_TIME_DIRECTORY', plymouth_time_dir)
+diff --git a/meson_options.txt b/meson_options.txt
+index 4f601bb0..61fccc12 100644
+--- a/meson_options.txt
++++ b/meson_options.txt
+@@ -28,6 +28,11 @@ option('runstatedir',
+   value: '/run',
+   description: 'runstatedir',
+ )
++option('runtime-plugins',
++  type: 'boolean',
++  value: false,
++  description: 'Use runstatedir for loading theme plugins',
++)
+ option('boot-tty',
+   type: 'string',
+   value: '/dev/tty1',
+diff --git a/src/libply-splash-core/meson.build b/src/libply-splash-core/meson.build
+index 69636b13..02bd5cbd 100644
+--- a/src/libply-splash-core/meson.build
++++ b/src/libply-splash-core/meson.build
+@@ -31,7 +31,7 @@ libply_splash_core_cflags = [
+   '-DPLYMOUTH_BACKGROUND_COLOR=@0@'.format(get_option('background-color')),
+   '-DPLYMOUTH_BACKGROUND_START_COLOR=@0@'.format(get_option('background-start-color-stop')),
+   '-DPLYMOUTH_BACKGROUND_END_COLOR=@0@'.format(get_option('background-end-color-stop')),
+-  '-DPLYMOUTH_PLUGIN_PATH="@0@"'.format(plymouth_plugin_path),
++  '-DPLYMOUTH_PLUGIN_PATH="@0@"'.format(plymouth_runtime_plugin_path),
+ ]
+ 
+ libply_splash_core = library('ply-splash-core',
+diff --git a/src/libply-splash-graphics/meson.build b/src/libply-splash-graphics/meson.build
+index 32fad963..02b8440b 100644
+--- a/src/libply-splash-graphics/meson.build
++++ b/src/libply-splash-graphics/meson.build
+@@ -20,7 +20,7 @@ libply_splash_graphics_cflags = [
+   '-DPLYMOUTH_BACKGROUND_COLOR=@0@'.format(get_option('background-color')),
+   '-DPLYMOUTH_BACKGROUND_START_COLOR=@0@'.format(get_option('background-start-color-stop')),
+   '-DPLYMOUTH_BACKGROUND_END_COLOR=@0@'.format(get_option('background-end-color-stop')),
+-  '-DPLYMOUTH_PLUGIN_PATH="@0@"'.format(plymouth_plugin_path),
++  '-DPLYMOUTH_PLUGIN_PATH="@0@"'.format(plymouth_runtime_plugin_path),
+ ]
+ 
+ libply_splash_graphics = library('ply-splash-graphics',
diff --git a/nixpkgs/pkgs/os-specific/linux/plymouth/default.nix b/nixpkgs/pkgs/os-specific/linux/plymouth/default.nix
new file mode 100644
index 000000000000..d5d46e5de7ed
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/plymouth/default.nix
@@ -0,0 +1,120 @@
+{ lib
+, stdenv
+, fetchFromGitLab
+, writeText
+, meson
+, pkg-config
+, ninja
+, docbook-xsl-nons
+, gettext
+, libxslt
+, gtk3
+, libdrm
+, libevdev
+, libpng
+, libxkbcommon
+, pango
+, systemd
+, xorg
+}:
+
+stdenv.mkDerivation (finalAttrs: {
+  pname = "plymouth";
+  version = "unstable-2023-06-17";
+
+  outputs = [ "out" "dev" ];
+
+  src = fetchFromGitLab {
+    domain = "gitlab.freedesktop.org";
+    owner = "plymouth";
+    repo = "plymouth";
+    rev = "b1d5aa9d2a6033bba52cf63643e5878f8a9b68a0";
+    hash = "sha256-8DXcwt8CZTni5Ma+I63LzNejlIB0Cr1ATA7Nl3z9z6I=";
+  };
+
+  patches = [
+    # do not create unnecessary symlink to non-existent header-image.png
+    ./dont-create-broken-symlink.patch
+    # add support for loading plugins from /run to assist NixOS module
+    ./add-runtime-plugin-path.patch
+  ];
+
+  strictDeps = true;
+
+  nativeBuildInputs = [
+    meson
+    pkg-config
+    ninja
+    docbook-xsl-nons
+    gettext
+    libxslt
+  ];
+
+  buildInputs = [
+    gtk3
+    libdrm
+    libevdev
+    libpng
+    libxkbcommon
+    pango
+    systemd
+    xorg.xkeyboardconfig
+  ];
+
+  mesonFlags = let
+    # https://gitlab.freedesktop.org/plymouth/plymouth/-/blob/a5eda165689864cc9a25ec14fd8c6da458598f42/meson.build#L47
+    crossFile = writeText "cross-file.conf" ''
+      [binaries]
+      systemd-tty-ask-password-agent = '${lib.getBin systemd}/bin/systemd-tty-ask-password-agent'
+    '';
+  in [
+    "--sysconfdir=/etc"
+    "--localstatedir=/var"
+    "-Dlogo=/etc/plymouth/logo.png"
+    "-Dbackground-color=0x000000"
+    "-Dbackground-start-color-stop=0x000000"
+    "-Dbackground-end-color-stop=0x000000"
+    "-Drelease-file=/etc/os-release"
+    "-Dudev=enabled"
+    "-Drunstatedir=/run"
+    "-Druntime-plugins=true"
+    "--cross-file=${crossFile}"
+  ];
+
+  postPatch = ''
+    substituteInPlace meson.build \
+      --replace "run_command(['scripts/generate-version.sh'], check: true).stdout().strip()" "'${finalAttrs.version}'"
+
+    # prevent installing unused non-$out dirs to DESTDIR
+    sed -i '/^install_emptydir/d' src/meson.build
+  '';
+
+  postInstall = ''
+    # Move stuff from DESTDIR to proper location.
+    cp -a "$DESTDIR/etc" "$out"
+    rm -r "$DESTDIR/etc"
+    for o in $(getAllOutputNames); do
+        if [[ "$o" = "debug" ]]; then continue; fi
+        cp -a "$DESTDIR/''${!o}" "$(dirname "''${!o}")"
+        rm -r "$DESTDIR/''${!o}"
+    done
+    # Ensure the DESTDIR is removed.
+    rmdir "$DESTDIR/${builtins.storeDir}" "$DESTDIR/${builtins.dirOf builtins.storeDir}" "$DESTDIR"
+  '';
+
+  # HACK: We want to install configuration files to $out/etc
+  # but Plymouth should read them from /etc on a NixOS system.
+  # With autotools, it was possible to override Make variables
+  # at install time but Meson does not support this
+  # so we need to convince it to install all files to a temporary
+  # location using DESTDIR and then move it to proper one in postInstall.
+  env.DESTDIR = "${placeholder "out"}/dest";
+
+  meta = with lib; {
+    homepage = "https://www.freedesktop.org/wiki/Software/Plymouth/";
+    description = "Boot splash and boot logger";
+    license = licenses.gpl2Plus;
+    maintainers = [ maintainers.goibhniu ] ++ teams.gnome.members;
+    platforms = platforms.linux;
+  };
+})
diff --git a/nixpkgs/pkgs/os-specific/linux/plymouth/dont-create-broken-symlink.patch b/nixpkgs/pkgs/os-specific/linux/plymouth/dont-create-broken-symlink.patch
new file mode 100644
index 000000000000..7accb7c9efcb
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/plymouth/dont-create-broken-symlink.patch
@@ -0,0 +1,13 @@
+diff --git a/themes/spinfinity/meson.build b/themes/spinfinity/meson.build
+index f48e8e55..5a2050c8 100644
+--- a/themes/spinfinity/meson.build
++++ b/themes/spinfinity/meson.build
+@@ -53,8 +53,3 @@ install_data(
+   'throbber-33.png',
+   install_dir: plymouth_theme_path / 'spinfinity',
+ )
+-
+-install_symlink('header-image.png',
+-  install_dir: plymouth_theme_path / 'spinfinity',
+-  pointing_to: plymouth_logo_file,
+-)
diff --git a/nixpkgs/pkgs/os-specific/linux/pm-utils/default.nix b/nixpkgs/pkgs/os-specific/linux/pm-utils/default.nix
new file mode 100644
index 000000000000..4076641717f4
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/pm-utils/default.nix
@@ -0,0 +1,56 @@
+{ lib, stdenv, fetchurl, coreutils, gnugrep, util-linux, kmod
+, procps, kbd, dbus }:
+
+let
+
+  binPath = lib.makeBinPath
+    [ coreutils gnugrep util-linux kmod procps kbd dbus ];
+
+  sbinPath = lib.makeSearchPathOutput "bin" "sbin"
+    [ procps ];
+
+in
+
+stdenv.mkDerivation rec {
+  pname = "pm-utils";
+  version = "1.4.1";
+
+  src = fetchurl {
+    url = "https://pm-utils.freedesktop.org/releases/pm-utils-${version}.tar.gz";
+    sha256 = "02qc6zaf7ams6qcc470fwb6jvr4abv3lrlx16clqpn36501rkn4f";
+  };
+
+  configureFlags = [ "--sysconfdir=/etc" ];
+
+  preConfigure =
+    ''
+      # Install the manpages (xmlto isn't really needed).
+      substituteInPlace man/Makefile.in --replace '@HAVE_XMLTO_TRUE@' ""
+
+      # Set the PATH properly.
+      substituteInPlace pm/pm-functions.in --replace '/sbin:/usr/sbin:/bin:/usr/bin' '$PATH:${binPath}:${sbinPath}'
+
+      substituteInPlace src/pm-action.in --replace 'tr ' '${coreutils}/bin/tr '
+
+      substituteInPlace pm/sleep.d/00logging --replace /bin/uname "$(type -P uname)"
+
+      substituteInPlace pm/sleep.d/90clock --replace /sbin/hwclock hwclock
+    '';
+
+  postInstall =
+    ''
+      # Remove some hooks that have doubtful usefulness.  See
+      # http://zinc.canonical.com/~cking/power-benchmarking/pm-utils-results/results.txt.
+      # In particular, journal-commit breaks things if you have
+      # read-only bind mounts, since it ends up remounting the
+      # underlying filesystem read-only.
+      rm $out/lib/pm-utils/power.d/{journal-commit,readahead}
+    '';
+
+  meta = {
+    homepage = "https://pm-utils.freedesktop.org/wiki/";
+    description = "A small collection of scripts that handle suspend and resume on behalf of HAL";
+    license = lib.licenses.gpl2;
+    platforms = lib.platforms.linux;
+  };
+}
diff --git a/nixpkgs/pkgs/os-specific/linux/pmount/default.nix b/nixpkgs/pkgs/os-specific/linux/pmount/default.nix
new file mode 100644
index 000000000000..8267a2d4a7f9
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/pmount/default.nix
@@ -0,0 +1,46 @@
+{ lib, stdenv, fetchurl, intltool, ntfs3g, util-linux
+, mediaDir ? "/media/"
+, lockDir ? "/var/lock/pmount"
+, whiteList ? "/etc/pmount.allow"
+}:
+
+# constraint mention in the configure.ac
+assert lib.hasSuffix "/" mediaDir;
+
+stdenv.mkDerivation rec {
+  pname = "pmount";
+  version = "0.9.23";
+
+  src = fetchurl {
+    url = "mirror://debian/pool/main/p/pmount/pmount_${version}.orig.tar.bz2";
+    sha256 = "db38fc290b710e8e9e9d442da2fb627d41e13b3ee80326c15cc2595ba00ea036";
+  };
+
+  nativeBuildInputs = [ intltool util-linux ];
+  buildInputs = [ util-linux ];
+
+  configureFlags = [
+    "--with-media-dir=${mediaDir}"
+    "--with-lock-dir=${lockDir}"
+    "--with-whitelist=${whiteList}"
+    "--with-mount-prog=${util-linux}/bin/mount"
+    "--with-umount-prog=${util-linux}/bin/umount"
+    "--with-mount-ntfs3g=${ntfs3g}/sbin/mount.ntfs-3g"
+  ];
+
+  postConfigure = ''
+    # etc/Mafile.am is hardcoded and it does not respect the --prefix option.
+    substituteInPlace ./etc/Makefile --replace DESTDIR prefix
+    # Do not change ownership & Do not add the set user ID bit
+    substituteInPlace ./src/Makefile --replace '-o root -g root -m 4755 ' '-m 755 '
+  '';
+
+  doCheck = false; # fails 1 out of 1 tests with "Error: could not open fstab-type file: No such file or directory"
+
+  meta = {
+    homepage = "https://bazaar.launchpad.net/~fourmond/pmount/main/files";
+    description = "Mount removable devices as normal user";
+    license = lib.licenses.gpl2;
+    platforms = lib.platforms.linux;
+  };
+}
diff --git a/nixpkgs/pkgs/os-specific/linux/policycoreutils/default.nix b/nixpkgs/pkgs/os-specific/linux/policycoreutils/default.nix
new file mode 100644
index 000000000000..33875049747d
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/policycoreutils/default.nix
@@ -0,0 +1,39 @@
+{ lib, stdenv, fetchurl, gettext, libsepol, libselinux, libsemanage, libxcrypt }:
+
+stdenv.mkDerivation rec {
+  pname = "policycoreutils";
+  version = "3.3";
+  inherit (libsepol) se_url;
+
+  src = fetchurl {
+    url = "${se_url}/${version}/policycoreutils-${version}.tar.gz";
+    sha256 = "0y0hl32b2ks7r0fhbx3k2j1gqqms5aplyasjs3fz50caxl6096a1";
+  };
+
+  postPatch = ''
+    # Fix install references
+    substituteInPlace po/Makefile \
+       --replace /usr/bin/install install --replace /usr/share /share
+    substituteInPlace newrole/Makefile --replace /usr/share /share
+
+    sed -i -e '39i#include <crypt.h>' run_init/run_init.c
+  '';
+
+  nativeBuildInputs = [ gettext ];
+  buildInputs = [ libsepol libselinux libsemanage libxcrypt ];
+
+  makeFlags = [
+    "PREFIX=$(out)"
+    "SBINDIR=$(out)/bin"
+    "ETCDIR=$(out)/etc"
+    "BASHCOMPLETIONDIR=$out/share/bash-completion/completions"
+    "LOCALEDIR=$(out)/share/locale"
+    "MAN5DIR=$(out)/share/man/man5"
+  ];
+
+  meta = with lib; {
+    description = "SELinux policy core utilities";
+    license = licenses.gpl2;
+    inherit (libsepol.meta) homepage platforms maintainers;
+  };
+}
diff --git a/nixpkgs/pkgs/os-specific/linux/pommed-light/default.nix b/nixpkgs/pkgs/os-specific/linux/pommed-light/default.nix
new file mode 100644
index 000000000000..113cedfab2e9
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/pommed-light/default.nix
@@ -0,0 +1,75 @@
+{ lib, stdenv
+, fetchFromGitHub
+, fetchpatch
+, pciutils
+, libconfuse
+, alsa-lib
+, audiofile
+, pkg-config
+, zlib
+, eject
+}:
+
+stdenv.mkDerivation rec {
+  pname = "pommed-light";
+  version = "1.51lw";
+
+  src = fetchFromGitHub {
+    owner = "bytbox";
+    repo = "pommed-light";
+    rev = "v${version}";
+    sha256 = "18fvdwwhcl6s4bpf2f2i389s71c8k4g0yb81am9rdddqmzaw27iy";
+  };
+
+  patches = [
+    # Pull fix pending upstream inclusion for -fno-common toolchain support:
+    #   https://github.com/bytbox/pommed-light/pull/38
+    (fetchpatch {
+      name = "fno-common.patch";
+      url = "https://github.com/bytbox/pommed-light/commit/5848b49b45a9c3ab047ebd17deb2162daab1e0b8.patch";
+      sha256 = "15rsq2i4rqp4ssab20486a1wgxi2cp87b7nxyk9h23gdwld713vf";
+    })
+  ];
+
+  postPatch = ''
+    substituteInPlace pommed.conf.mactel --replace /usr $out
+    substituteInPlace pommed.conf.pmac --replace /usr $out
+    substituteInPlace pommed/beep.h --replace /usr $out
+    substituteInPlace pommed/cd_eject.c --replace /usr/bin/eject ${eject}/bin/eject
+  '';
+
+  nativeBuildInputs = [ pkg-config ];
+  buildInputs = [
+    pciutils
+    libconfuse
+    alsa-lib
+    audiofile
+    zlib
+    eject
+  ];
+
+  installPhase = ''
+    install -Dm755 pommed/pommed $out/bin/pommed
+    install -Dm644 pommed.conf.mactel $out/etc/pommed.conf.mactel
+    install -Dm644 pommed.conf.pmac $out/etc/pommed.conf.pmac
+
+    # Man page
+    install -Dm644 pommed.1 $out/share/man/man1/pommed.1
+
+    # Sounds
+    install -Dm644 pommed/data/goutte.wav $out/share/pommed/goutte.wav
+    install -Dm644 pommed/data/click.wav $out/share/pommed/click.wav
+  '';
+
+  meta = {
+    description = "A trimmed version of the pommed hotkey handler for MacBooks";
+    longDescription = ''
+      This is a stripped-down version of pommed with client, dbus, and
+      ambient light sensor support removed, optimized for use with dwm
+      and the like.
+    '';
+    homepage = "https://github.com/bytbox/pommed-light";
+    platforms = [ "x86_64-linux" ];
+    license = lib.licenses.gpl2;
+  };
+}
diff --git a/nixpkgs/pkgs/os-specific/linux/power-calibrate/default.nix b/nixpkgs/pkgs/os-specific/linux/power-calibrate/default.nix
new file mode 100644
index 000000000000..884b2d0e01cd
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/power-calibrate/default.nix
@@ -0,0 +1,27 @@
+{ stdenv, lib, fetchFromGitHub }:
+
+stdenv.mkDerivation rec {
+  pname = "power-calibrate";
+  version = "0.01.34";
+
+  src = fetchFromGitHub {
+    owner = "ColinIanKing";
+    repo = pname;
+    rev = "V${version}";
+    hash = "sha256-T2fCTE+snNt1ylOpVR0JfT2x0lWrgItpfjtUx/zjaQw=";
+  };
+
+  installFlags = [
+    "BINDIR=${placeholder "out"}/bin"
+    "MANDIR=${placeholder "out"}/share/man/man8"
+    "BASHDIR=${placeholder "out"}/share/bash-completion/completions"
+  ];
+
+  meta = with lib; {
+    description = "Tool to calibrate power consumption";
+    homepage = "https://github.com/ColinIanKing/power-calibrate";
+    license = licenses.gpl2;
+    platforms = platforms.linux;
+    maintainers = with maintainers; [ dtzWill ];
+  };
+}
diff --git a/nixpkgs/pkgs/os-specific/linux/power-profiles-daemon/default.nix b/nixpkgs/pkgs/os-specific/linux/power-profiles-daemon/default.nix
new file mode 100644
index 000000000000..e81f42b65a23
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/power-profiles-daemon/default.nix
@@ -0,0 +1,133 @@
+{ stdenv
+, lib
+, pkg-config
+, meson
+, mesonEmulatorHook
+, ninja
+, fetchFromGitLab
+, fetchpatch
+, libgudev
+, glib
+, polkit
+, dbus
+, gobject-introspection
+, gettext
+, gtk-doc
+, docbook-xsl-nons
+, docbook_xml_dtd_412
+, libxml2
+, libxslt
+, upower
+, umockdev
+, systemd
+, python3
+, wrapGAppsNoGuiHook
+, nixosTests
+}:
+
+stdenv.mkDerivation rec {
+  pname = "power-profiles-daemon";
+  version = "0.13";
+
+  outputs = [ "out" "devdoc" ];
+
+  src = fetchFromGitLab {
+    domain = "gitlab.freedesktop.org";
+    owner = "hadess";
+    repo = "power-profiles-daemon";
+    rev = version;
+    sha256 = "sha256-ErHy+shxZQ/aCryGhovmJ6KmAMt9OZeQGDbHIkC0vUE=";
+  };
+
+  nativeBuildInputs = [
+    pkg-config
+    meson
+    ninja
+    gettext
+    gtk-doc
+    docbook-xsl-nons
+    docbook_xml_dtd_412
+    libxml2 # for xmllint for stripping GResources
+    libxslt # for xsltproc for building docs
+    gobject-introspection
+    wrapGAppsNoGuiHook
+    python3.pkgs.wrapPython
+    # checkInput but cheked for during the configuring
+    (python3.pythonOnBuildForHost.withPackages (ps: with ps; [
+      pygobject3
+      dbus-python
+      python-dbusmock
+    ]))
+  ] ++ lib.optionals (!stdenv.buildPlatform.canExecute stdenv.hostPlatform) [
+    mesonEmulatorHook
+  ];
+
+  buildInputs = [
+    libgudev
+    systemd
+    upower
+    glib
+    polkit
+    python3 # for cli tool
+    # Duplicate from nativeCheckInputs until https://github.com/NixOS/nixpkgs/issues/161570 is solved
+    umockdev
+  ];
+
+  strictDeps = true;
+
+  # for cli tool
+  pythonPath = [
+    python3.pkgs.pygobject3
+  ];
+
+  nativeCheckInputs = [
+    umockdev
+    dbus
+  ];
+
+  mesonFlags = [
+    "-Dsystemdsystemunitdir=${placeholder "out"}/lib/systemd/system"
+    "-Dgtk_doc=true"
+    "-Dtests=${lib.boolToString (stdenv.buildPlatform.canExecute stdenv.hostPlatform)}"
+  ];
+
+  doCheck = true;
+
+  PKG_CONFIG_POLKIT_GOBJECT_1_POLICYDIR = "${placeholder "out"}/share/polkit-1/actions";
+
+  # Avoid double wrapping
+  dontWrapGApps = true;
+
+  postPatch = ''
+    patchShebangs --build \
+      tests/integration-test.py \
+      tests/unittest_inspector.py
+  '';
+
+  postCheck = ''
+    # Do not contaminate the wrapper with test dependencies.
+    unset GI_TYPELIB_PATH
+    unset XDG_DATA_DIRS
+  '';
+
+  postFixup = ''
+    # Avoid double wrapping
+    makeWrapperArgs+=("''${gappsWrapperArgs[@]}")
+    # Make Python libraries available
+    wrapPythonProgramsIn "$out/bin" "$pythonPath"
+  '';
+
+  passthru = {
+    tests = {
+      nixos = nixosTests.power-profiles-daemon;
+    };
+  };
+
+  meta = with lib; {
+    homepage = "https://gitlab.freedesktop.org/hadess/power-profiles-daemon";
+    description = "Makes user-selected power profiles handling available over D-Bus";
+    platforms = platforms.linux;
+    license = licenses.gpl3Plus;
+    maintainers = with maintainers; [ mvnetbiz ];
+  };
+}
diff --git a/nixpkgs/pkgs/os-specific/linux/powercap/default.nix b/nixpkgs/pkgs/os-specific/linux/powercap/default.nix
new file mode 100644
index 000000000000..e705b6a34857
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/powercap/default.nix
@@ -0,0 +1,35 @@
+{ lib, stdenv, fetchFromGitHub, fetchpatch, cmake }:
+
+stdenv.mkDerivation rec {
+  pname = "powercap";
+  version = "0.6.0";
+
+  src = fetchFromGitHub {
+    owner = "powercap";
+    repo = "powercap";
+    rev = "v${version}";
+    sha256 = "sha256-l+IpFqBnCYUU825++sUPySD/Ku0TEIX2kt+S0Wml6iA=";
+  };
+
+  # in master post 0.6.0, see https://github.com/powercap/powercap/issues/8
+  patches = [
+    (fetchpatch {
+      name = "fix-pkg-config.patch";
+      url = "https://github.com/powercap/powercap/commit/278dceb51635686e343edfc357b6020533fff299.patch";
+      sha256 = "0h62j63xdn0iqyx4xbia6hlmdjn45camb82z4vv6sb37x9sph7rg";
+    })
+  ];
+
+  nativeBuildInputs = [ cmake ];
+
+  cmakeFlags = [
+    "-DBUILD_SHARED_LIBS=On"
+  ];
+
+  meta = with lib; {
+    description = "Tools and library to read/write to the Linux power capping framework (sysfs interface)";
+    license = licenses.bsd3;
+    platforms = platforms.linux;
+    maintainers = with maintainers; [ rowanG077 ];
+  };
+}
diff --git a/nixpkgs/pkgs/os-specific/linux/powerstat/default.nix b/nixpkgs/pkgs/os-specific/linux/powerstat/default.nix
new file mode 100644
index 000000000000..901a522fe8fa
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/powerstat/default.nix
@@ -0,0 +1,27 @@
+{ stdenv, lib, fetchFromGitHub }:
+
+stdenv.mkDerivation rec {
+  pname = "powerstat";
+  version = "0.03.03";
+
+  src = fetchFromGitHub {
+    owner = "ColinIanKing";
+    repo = pname;
+    rev = "V${version}";
+    hash = "sha256-D8VwczXHUHQ8p03IgYW3t8hOIGHKp0n1c7FpAUWua74=";
+  };
+
+  installFlags = [
+    "BINDIR=${placeholder "out"}/bin"
+    "MANDIR=${placeholder "out"}/share/man/man8"
+    "BASHDIR=${placeholder "out"}/share/bash-completion/completions"
+  ];
+
+  meta = with lib; {
+    description = "Laptop power measuring tool";
+    homepage = "https://github.com/ColinIanKing/powerstat";
+    license = licenses.gpl2;
+    platforms = platforms.linux;
+    maintainers = with maintainers; [ womfoo ];
+  };
+}
diff --git a/nixpkgs/pkgs/os-specific/linux/powertop/default.nix b/nixpkgs/pkgs/os-specific/linux/powertop/default.nix
new file mode 100644
index 000000000000..481cf1cd3bb5
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/powertop/default.nix
@@ -0,0 +1,57 @@
+{ lib
+, stdenv
+, fetchFromGitHub
+, gettext
+, libnl
+, ncurses
+, pciutils
+, pkg-config
+, zlib
+, autoreconfHook
+, autoconf-archive
+, nix-update-script
+, testers
+, powertop
+, xorg
+}:
+
+stdenv.mkDerivation rec {
+  pname = "powertop";
+  version = "2.15";
+
+  src = fetchFromGitHub {
+    owner = "fenrus75";
+    repo = pname;
+    rev = "v${version}";
+    hash = "sha256-53jfqt0dtMqMj3W3m6ravUTzApLQcljDHfdXejeZa4M=";
+  };
+
+  outputs = [ "out" "man" ];
+
+  nativeBuildInputs = [ pkg-config autoreconfHook autoconf-archive ];
+  buildInputs = [ gettext libnl ncurses pciutils zlib ];
+
+  postPatch = ''
+    substituteInPlace src/main.cpp --replace "/sbin/modprobe" "modprobe"
+    substituteInPlace src/calibrate/calibrate.cpp --replace "/usr/bin/xset" "${lib.getExe xorg.xset}"
+    substituteInPlace src/tuning/bluetooth.cpp --replace "/usr/bin/hcitool" "hcitool"
+  '';
+
+  passthru = {
+    updateScript = nix-update-script { };
+    tests.version = testers.testVersion {
+      package = powertop;
+      command = "powertop --version";
+      inherit version;
+    };
+  };
+
+  meta = with lib; {
+    inherit (src.meta) homepage;
+    changelog = "https://github.com/fenrus75/powertop/releases/tag/v${version}";
+    description = "Analyze power consumption on Intel-based laptops";
+    license = licenses.gpl2Only;
+    maintainers = with maintainers; [ fpletz anthonyroussel ];
+    platforms = platforms.linux;
+  };
+}
diff --git a/nixpkgs/pkgs/os-specific/linux/pps-tools/default.nix b/nixpkgs/pkgs/os-specific/linux/pps-tools/default.nix
new file mode 100644
index 000000000000..66754e5148ec
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/pps-tools/default.nix
@@ -0,0 +1,33 @@
+{ lib, stdenv, fetchFromGitHub }:
+
+stdenv.mkDerivation rec {
+  pname = "pps-tools";
+  version = "1.0.3";
+
+  src = fetchFromGitHub {
+    owner = "redlab-i";
+    repo = pname;
+    rev = "v${version}";
+    sha256 = "sha256-eLLFHrCgOQzOtVxlAsZ5X91KK+vZiKMGL7zbQFiIZtI=";
+  };
+
+  outputs = [ "out" "dev" ];
+
+  installPhase = ''
+    mkdir -p $out/bin
+    mkdir -p $dev/include
+    mkdir -p $out/{usr/bin,usr/include/sys}
+    make install DESTDIR=$out
+    mv $out/usr/bin/* $out/bin
+    mv $out/usr/include/* $dev/include/
+    rm -rf $out/usr/
+  '';
+
+  meta = with lib; {
+    description = "User-space tools for LinuxPPS";
+    homepage = "http://linuxpps.org/";
+    license = licenses.gpl2Plus;
+    platforms = platforms.linux;
+    maintainers = with maintainers; [ sorki ];
+  };
+}
diff --git a/nixpkgs/pkgs/os-specific/linux/prl-tools/autostart.desktop b/nixpkgs/pkgs/os-specific/linux/prl-tools/autostart.desktop
new file mode 100644
index 000000000000..b8eb27fdd992
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/prl-tools/autostart.desktop
@@ -0,0 +1,8 @@
+[Desktop Entry]
+Version=@version@
+Encoding=UTF-8
+Name=@description@
+Type=Application
+Exec=@exec@
+X-KDE-autostart-phase=1
+GenericName[en_US]=
diff --git a/nixpkgs/pkgs/os-specific/linux/prl-tools/default.nix b/nixpkgs/pkgs/os-specific/linux/prl-tools/default.nix
new file mode 100644
index 000000000000..314a95bd5548
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/prl-tools/default.nix
@@ -0,0 +1,176 @@
+{ lib
+, stdenv
+, fetchurl
+, autoPatchelfHook
+, bbe
+, makeWrapper
+, p7zip
+, perl
+, undmg
+, dbus-glib
+, glib
+, xorg
+, zlib
+, kernel
+, bash
+, cups
+, gawk
+, netcat
+, timetrap
+, util-linux
+}:
+
+let
+  kernelVersion = kernel.modDirVersion;
+  kernelDir = "${kernel.dev}/lib/modules/${kernelVersion}";
+
+  libPath = lib.concatStringsSep ":" [ "${glib.out}/lib" "${xorg.libXrandr}/lib" ];
+  scriptPath = lib.concatStringsSep ":" [
+    "${bash}/bin"
+    "${cups}/sbin"
+    "${gawk}/bin"
+    "${netcat}/bin"
+    "${timetrap}/bin"
+    "${util-linux}/bin"
+  ];
+in
+stdenv.mkDerivation (finalAttrs: {
+  pname = "prl-tools";
+  version = "19.1.1-54734";
+
+  # We download the full distribution to extract prl-tools-lin.iso from
+  # => ${dmg}/Parallels\ Desktop.app/Contents/Resources/Tools/prl-tools-lin.iso
+  src = fetchurl {
+    url = "https://download.parallels.com/desktop/v${lib.versions.major finalAttrs.version}/${finalAttrs.version}/ParallelsDesktop-${finalAttrs.version}.dmg";
+    hash = "sha256-02YxBkV9pZGfXuK6GvUDTgE9U5H2MOMk24h9qGJdFTM=";
+  };
+
+  hardeningDisable = [ "pic" "format" ];
+
+  nativeBuildInputs = [
+    autoPatchelfHook
+    bbe
+    makeWrapper
+    p7zip
+    perl
+    undmg
+  ] ++ kernel.moduleBuildDependencies;
+
+  buildInputs = [
+    dbus-glib
+    glib
+    xorg.libX11
+    xorg.libXcomposite
+    xorg.libXext
+    xorg.libXrandr
+    xorg.libXi
+    xorg.libXinerama
+    zlib
+  ];
+
+  runtimeDependencies = [
+    glib
+    xorg.libXrandr
+  ];
+
+  unpackPhase = ''
+    runHook preUnpack
+
+    undmg $src
+    export sourceRoot=prl-tools-build
+    7z x "Parallels Desktop.app/Contents/Resources/Tools/prl-tools-lin${lib.optionalString stdenv.isAarch64 "-arm"}.iso" -o$sourceRoot
+    ( cd $sourceRoot/kmods; tar -xaf prl_mod.tar.gz )
+
+    runHook postUnpack
+  '';
+
+  buildPhase = ''
+    runHook preBuild
+
+    ( # kernel modules
+      cd kmods
+      make -f Makefile.kmods \
+        KSRC=${kernelDir}/source \
+        HEADERS_CHECK_DIR=${kernelDir}/source \
+        KERNEL_DIR=${kernelDir}/build \
+        SRC=${kernelDir}/build \
+        KVER=${kernelVersion}
+    )
+
+    runHook postBuild
+  '';
+
+  installPhase = ''
+    runHook preInstall
+
+    ( # kernel modules
+      cd kmods
+      mkdir -p $out/lib/modules/${kernelVersion}/extra
+      cp prl_fs/SharedFolders/Guest/Linux/prl_fs/prl_fs.ko $out/lib/modules/${kernelVersion}/extra
+      cp prl_fs_freeze/Snapshot/Guest/Linux/prl_freeze/prl_fs_freeze.ko $out/lib/modules/${kernelVersion}/extra
+      cp prl_tg/Toolgate/Guest/Linux/prl_tg/prl_tg.ko $out/lib/modules/${kernelVersion}/extra
+      ${lib.optionalString stdenv.isAarch64
+      "cp prl_notifier/Installation/lnx/prl_notifier/prl_notifier.ko $out/lib/modules/${kernelVersion}/extra"}
+    )
+
+    ( # tools
+      cd tools/tools${if stdenv.isAarch64 then "-arm64" else if stdenv.isx86_64 then "64" else "32"}
+      mkdir -p $out/lib
+
+      # prltoolsd contains hardcoded /bin/bash path
+      # we're lucky because it uses only -c command
+      # => replace to /bin/sh
+      bbe -e "s:/bin/bash:/bin/sh\x00\x00:" -o bin/prltoolsd.tmp bin/prltoolsd
+      rm -f bin/prltoolsd
+      mv bin/prltoolsd.tmp bin/prltoolsd
+
+      # install binaries
+      for i in bin/* sbin/prl_nettool sbin/prl_snapshot; do
+        # also patch binaries to replace /usr/bin/XXX to XXX
+        # here a two possible cases:
+        # 1. it is uses as null terminated string and should be truncated by null;
+        # 2. it is uses inside shell script and should be truncated by space.
+        for p in bin/* sbin/prl_nettool sbin/prl_snapshot sbin/prlfsmountd; do
+          p=$(basename $p)
+          bbe -e "s:/usr/bin/$p\x00:./$p\x00\x00\x00\x00\x00\x00\x00\x00:" -o $i.tmp $i
+          bbe -e "s:/usr/sbin/$p\x00:./$p\x00\x00\x00\x00\x00\x00\x00\x00 :" -o $i $i.tmp
+          bbe -e "s:/usr/bin/$p:$p         :" -o $i.tmp $i
+          bbe -e "s:/usr/sbin/$p:$p          :" -o $i $i.tmp
+        done
+
+        install -Dm755 $i $out/$i
+      done
+
+      install -Dm755 ../../tools/prlfsmountd.sh $out/sbin/prlfsmountd
+      for f in $out/bin/* $out/sbin/*; do
+        wrapProgram $f \
+          --prefix LD_LIBRARY_PATH ':' "${libPath}" \
+          --prefix PATH ':' "${scriptPath}"
+      done
+
+      for i in lib/libPrl*.0.0; do
+        cp $i $out/lib
+        ln -s $out/$i $out/''${i%.0.0}
+      done
+
+      mkdir -p $out/share/man/man8
+      install -Dm644 ../mount.prl_fs.8 $out/share/man/man8
+
+      substituteInPlace ../99prltoolsd-hibernate \
+        --replace "/bin/bash" "${bash}/bin/bash"
+
+      mkdir -p $out/etc/pm/sleep.d
+      install -Dm644 ../99prltoolsd-hibernate $out/etc/pm/sleep.d
+    )
+
+    runHook postInstall
+  '';
+
+  meta = with lib; {
+    description = "Parallels Tools for Linux guests";
+    homepage = "https://parallels.com";
+    license = licenses.unfree;
+    maintainers = with maintainers; [ catap wegank ];
+    platforms = platforms.linux;
+  };
+})
diff --git a/nixpkgs/pkgs/os-specific/linux/procdump/default.nix b/nixpkgs/pkgs/os-specific/linux/procdump/default.nix
new file mode 100644
index 000000000000..05ec4b90ed70
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/procdump/default.nix
@@ -0,0 +1,61 @@
+{ lib, stdenv, fetchFromGitHub, fetchpatch, bash, coreutils, gdb, zlib }:
+
+stdenv.mkDerivation rec {
+  pname = "procdump";
+  version = "1.2";
+
+  src = fetchFromGitHub {
+    owner = "Microsoft";
+    repo = "ProcDump-for-Linux";
+    rev = version;
+    sha256 = "sha256-gVswAezHl7E2cBTJEQhPFXhHkzhWVHSpPF8m0s8+ekc=";
+  };
+
+  patches = [
+    # Pull upstream patch to fix parallel builds:
+    #  https://github.com/Sysinternals/ProcDump-for-Linux/pull/133
+    (fetchpatch {
+      name = "parallel.patch";
+      url = "https://github.com/Sysinternals/ProcDump-for-Linux/commit/0d735836f11281cc6134be93eac8acb302f2055e.patch";
+      sha256 = "sha256-zsqllPHF8ZuXAIDSAPvbzdKa43uSSx9ilUKM1vFVW90=";
+    })
+  ];
+
+  nativeBuildInputs = [ zlib ];
+  buildInputs = [ bash coreutils gdb ];
+
+  postPatch = ''
+    substituteInPlace src/CoreDumpWriter.c \
+      --replace '"gcore ' '"${gdb}/bin/gcore ' \
+      --replace '"rm ' '"${coreutils}/bin/rm ' \
+      --replace '/bin/bash' '${bash}/bin/bash'
+  '';
+
+  makeFlags = [
+    "DESTDIR=${placeholder "out"}"
+    "INSTALLDIR=/bin"
+    "MANDIR=/share/man/man1"
+  ];
+
+  enableParallelBuilding = true;
+
+  doCheck = false; # needs sudo root
+
+  doInstallCheck = true;
+  installCheckPhase = ''
+    runHook preInstallCheck
+    set +o pipefail
+    ($out/bin/procdump -h | grep "ProcDump v${version}") ||
+      (echo "ERROR: ProcDump is not the expected version or does not run properly" ; exit 1)
+    set -o pipefail
+    runHook postInstallCheck
+  '';
+
+  meta = with lib; {
+    description = "A Linux version of the ProcDump Sysinternals tool";
+    homepage = "https://github.com/Microsoft/ProcDump-for-Linux";
+    license = licenses.mit;
+    maintainers = with maintainers; [ c0bw3b ];
+    platforms = platforms.linux;
+  };
+}
diff --git a/nixpkgs/pkgs/os-specific/linux/procps-ng/default.nix b/nixpkgs/pkgs/os-specific/linux/procps-ng/default.nix
new file mode 100644
index 000000000000..56a92ffa44ef
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/procps-ng/default.nix
@@ -0,0 +1,72 @@
+{ lib
+, stdenv
+, fetchurl
+, ncurses
+, pkg-config
+, fetchpatch
+
+  # `ps` with systemd support is able to properly report different
+  # attributes like unit name, so we want to have it on linux.
+, withSystemd ? lib.meta.availableOn stdenv.hostPlatform systemd
+, systemd
+
+  # procps is mostly Linux-only. Most commands require a running Linux
+  # system (or very similar like that found in Cygwin). The one
+  # exception is ‘watch’ which is portable enough to run on pretty much
+  # any UNIX-compatible system.
+, watchOnly ? !(stdenv.isLinux || stdenv.isCygwin)
+}:
+
+stdenv.mkDerivation rec {
+  pname = "procps";
+  version = "3.3.17";
+
+  # The project's releases are on SF, but git repo on gitlab.
+  src = fetchurl {
+    url = "mirror://sourceforge/procps-ng/procps-ng-${version}.tar.xz";
+    sha256 = "sha256-RRiz56r9NOwH0AY9JQ/UdJmbILIAIYw65W9dIRPxQbQ=";
+  };
+
+  patches = [
+    ./v3-CVE-2023-4016.patch
+  ] ++ lib.optionals stdenv.hostPlatform.isMusl [
+    # NOTE: Starting from 4.x we will not need a patch anymore, but need to add
+    # "--disable-w" to configureFlags instead to prevent the utmp errors
+    (fetchpatch {
+      name = "musl-fix-includes.patch";
+      url = "https://git.alpinelinux.org/aports/plain/main/procps/musl-fixes.patch?id=37cb5b6ef194db66d9ed07c8ecab59bca3b91215";
+      sha256 = "sha256-DphAvESmVg1U3bJABU95R++QD34odStCl82EF0vmht0=";
+    })
+  ];
+
+  buildInputs = [ ncurses ]
+    ++ lib.optional withSystemd systemd;
+  nativeBuildInputs = [ pkg-config ];
+
+  makeFlags = [ "usrbin_execdir=$(out)/bin" ]
+    ++ lib.optionals watchOnly [ "watch" "PKG_LDFLAGS=" ];
+
+  enableParallelBuilding = true;
+
+  # Too red
+  configureFlags = [ "--disable-modern-top" ]
+    ++ lib.optional withSystemd "--with-systemd"
+    ++ lib.optionals (stdenv.hostPlatform != stdenv.buildPlatform) [
+    "ac_cv_func_malloc_0_nonnull=yes"
+    "ac_cv_func_realloc_0_nonnull=yes"
+  ];
+
+  installPhase = lib.optionalString watchOnly ''
+    install -m 0755 -D watch $out/bin/watch
+    install -m 0644 -D watch.1 $out/share/man/man1/watch.1
+  '';
+
+  meta = with lib; {
+    homepage = "https://gitlab.com/procps-ng/procps";
+    description = "Utilities that give information about processes using the /proc filesystem";
+    priority = 11; # less than coreutils, which also provides "kill" and "uptime"
+    license = licenses.gpl2;
+    platforms = platforms.unix;
+    maintainers = [ maintainers.typetetris ];
+  };
+}
diff --git a/nixpkgs/pkgs/os-specific/linux/procps-ng/v3-CVE-2023-4016.patch b/nixpkgs/pkgs/os-specific/linux/procps-ng/v3-CVE-2023-4016.patch
new file mode 100644
index 000000000000..2e260eaf7382
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/procps-ng/v3-CVE-2023-4016.patch
@@ -0,0 +1,63 @@
+This is https://gitlab.com/procps-ng/procps/-/commit/2c933ecba3bb1d3041a5a7a53a7b4078a6003413.diff
+back-ported to procps 3.3.17.  That commit changes xmalloc to xcalloc.  This patch differs in two ways:
+
+* We modify it to change malloc (no x-) to xcalloc instead
+* We pull in procps-4's definition of xcalloc
+
+Alternative considered: Also pull in commits that changed malloc to xmalloc and defined xcalloc.
+This alternative is rejected because those commits contain many other unrelated changes.
+
+diff --git a/ps/parser.c b/ps/parser.c
+index 4263a1fb..ee9a57d9 100644
+--- a/ps/parser.c
++++ b/ps/parser.c
+@@ -36,6 +36,14 @@
+ #include "common.h"
+ #include "c.h"
+ 
++static void *xxcalloc(const size_t nelems, const size_t size)
++{
++  void *ret = calloc(nelems, size);
++  if (!ret && size && nelems)
++    xerrx(EXIT_FAILURE, "cannot allocate %zu bytes", nelems*size);
++  return ret;
++}
++
+ #define ARG_GNU  0
+ #define ARG_END  1
+ #define ARG_PGRP 2
+@@ -184,7 +192,6 @@ static const char *parse_list(const char *arg, const char *(*parse_fn)(char *, s
+   const char *err;       /* error code that could or did happen */
+   /*** prepare to operate ***/
+   node = malloc(sizeof(selection_node));
+-  node->u = malloc(strlen(arg)*sizeof(sel_union)); /* waste is insignificant */
+   node->n = 0;
+   buf = strdup(arg);
+   /*** sanity check and count items ***/
+@@ -205,6 +212,7 @@ static const char *parse_list(const char *arg, const char *(*parse_fn)(char *, s
+   } while (*++walk);
+   if(need_item) goto parse_error;
+   node->n = items;
++  node->u = xxcalloc(items, sizeof(sel_union));
+   /*** actually parse the list ***/
+   walk = buf;
+   while(items--){
+@@ -1031,15 +1039,15 @@ static const char *parse_trailing_pids(void){
+   thisarg = ps_argc - 1;   /* we must be at the end now */
+ 
+   pidnode = malloc(sizeof(selection_node));
+-  pidnode->u = malloc(i*sizeof(sel_union)); /* waste is insignificant */
++  pidnode->u = xxcalloc(i, sizeof(sel_union)); /* waste is insignificant */
+   pidnode->n = 0;
+ 
+   grpnode = malloc(sizeof(selection_node));
+-  grpnode->u = malloc(i*sizeof(sel_union)); /* waste is insignificant */
++  grpnode->u = xxcalloc(i, sizeof(sel_union)); /* waste is insignificant */
+   grpnode->n = 0;
+ 
+   sidnode = malloc(sizeof(selection_node));
+-  sidnode->u = malloc(i*sizeof(sel_union)); /* waste is insignificant */
++  sidnode->u = xxcalloc(i, sizeof(sel_union)); /* waste is insignificant */
+   sidnode->n = 0;
+ 
+   while(i--){
diff --git a/nixpkgs/pkgs/os-specific/linux/projecteur/default.nix b/nixpkgs/pkgs/os-specific/linux/projecteur/default.nix
new file mode 100644
index 000000000000..0477985cc196
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/projecteur/default.nix
@@ -0,0 +1,52 @@
+{ lib
+, mkDerivation
+, fetchFromGitHub
+, cmake
+, pkg-config
+, qtbase
+, qtgraphicaleffects
+, wrapQtAppsHook
+}:
+
+mkDerivation rec {
+  pname = "projecteur";
+  version = "0.10";
+
+  src = fetchFromGitHub {
+    owner = "jahnf";
+    repo = "Projecteur";
+    rev = "v${version}";
+    fetchSubmodules = false;
+    hash = "sha256-F7o93rBjrDTmArTIz8RB/uGBOYE6ny/U7ppk+jEhM5A=";
+  };
+
+  postPatch = ''
+    sed '1i#include <array>' -i src/device.h # gcc12
+  '';
+
+  buildInputs = [
+    qtbase
+    qtgraphicaleffects
+  ];
+
+  nativeBuildInputs = [
+    cmake
+    pkg-config
+    wrapQtAppsHook
+  ];
+
+  cmakeFlags = [
+    "-DCMAKE_INSTALL_PREFIX:PATH=${placeholder "out"}"
+    "-DPACKAGE_TARGETS=OFF"
+    "-DCMAKE_INSTALL_UDEVRULESDIR=${placeholder "out"}/lib/udev/rules.d"
+  ];
+
+  meta = {
+    description = "Linux/X11 application for the Logitech Spotlight device (and similar devices).";
+    homepage = "https://github.com/jahnf/Projecteur";
+    license = lib.licenses.mit;
+    mainProgram = "projecteur";
+    maintainers = with lib.maintainers; [ benneti drupol ];
+    platforms = lib.platforms.linux;
+  };
+}
diff --git a/nixpkgs/pkgs/os-specific/linux/pscircle/default.nix b/nixpkgs/pkgs/os-specific/linux/pscircle/default.nix
new file mode 100644
index 000000000000..a7ee92beb52b
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/pscircle/default.nix
@@ -0,0 +1,31 @@
+{ lib, stdenv, fetchFromGitLab, meson, pkg-config, ninja, cairo }:
+
+stdenv.mkDerivation rec {
+  pname = "pscircle";
+  version = "1.4.0";
+
+  src = fetchFromGitLab {
+    owner = "mildlyparallel";
+    repo = "pscircle";
+    rev = "v${version}";
+    sha256 = "sha256-bqbQBNscNfoqXprhoFUnUQO88YQs9xDhD4d3KHamtG0=";
+  };
+
+  nativeBuildInputs = [
+    meson
+    pkg-config
+    ninja
+  ];
+
+  buildInputs = [
+    cairo
+  ];
+
+  meta = with lib; {
+    homepage = "https://gitlab.com/mildlyparallel/pscircle";
+    description = "Visualize Linux processes in a form of a radial tree";
+    license = licenses.gpl2;
+    maintainers = [ maintainers.ldesgoui ];
+    platforms = platforms.linux;
+  };
+}
diff --git a/nixpkgs/pkgs/os-specific/linux/psftools/default.nix b/nixpkgs/pkgs/os-specific/linux/psftools/default.nix
new file mode 100644
index 000000000000..5d8c39bb145c
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/psftools/default.nix
@@ -0,0 +1,24 @@
+{ lib, stdenv, fetchurl }:
+stdenv.mkDerivation rec {
+  pname = "psftools";
+  version = "1.1.1";
+  src = fetchurl {
+    url = "https://www.seasip.info/Unix/PSF/${pname}-${version}.tar.gz";
+    sha256 = "sha256-MecY4JsIXTgHdkrFkQ+C3fC6OEFRUgjUgf7qxfKeZtM=";
+  };
+  outputs = ["out" "man" "dev" "lib"];
+
+  meta = with lib; {
+    homepage = "https://www.seasip.info/Unix/PSF";
+    description = "Conversion tools for .PSF fonts";
+    longDescription = ''
+      The PSFTOOLS are designed to manipulate fixed-width bitmap fonts,
+      such as DOS or Linux console fonts. Both the PSF1 (8 pixels wide)
+      and PSF2 (any width) formats are supported; the default output
+      format is PSF2.
+    '';
+    platforms = platforms.unix;
+    license = licenses.gpl2Plus;
+    maintainers = with maintainers; [ kaction ];
+  };
+}
diff --git a/nixpkgs/pkgs/os-specific/linux/psmisc/default.nix b/nixpkgs/pkgs/os-specific/linux/psmisc/default.nix
new file mode 100644
index 000000000000..f269c9146df4
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/psmisc/default.nix
@@ -0,0 +1,40 @@
+{ lib
+, stdenv
+, fetchFromGitLab
+, autoconf
+, automake
+, gettext
+, ncurses
+}:
+
+stdenv.mkDerivation rec {
+  pname = "psmisc";
+  version = "23.6";
+
+  src = fetchFromGitLab {
+    owner = pname;
+    repo = pname;
+    rev = "v${version}";
+    hash = "sha256-TjnOn8a7HAgt11zcM0i5DM5ERmsvLJHvo1e5FOsl6IA=";
+  };
+
+  nativeBuildInputs = [ autoconf automake gettext ];
+  buildInputs = [ ncurses ];
+
+  preConfigure = lib.optionalString (stdenv.buildPlatform != stdenv.hostPlatform) ''
+    # Goes past the rpl_malloc linking failure
+    export ac_cv_func_malloc_0_nonnull=yes
+    export ac_cv_func_realloc_0_nonnull=yes
+  '' + ''
+    echo $version > .tarball-version
+    ./autogen.sh
+  '';
+
+  meta = with lib; {
+    homepage = "https://gitlab.com/psmisc/psmisc";
+    description = "A set of small useful utilities that use the proc filesystem (such as fuser, killall and pstree)";
+    platforms = platforms.linux;
+    license = licenses.gpl2Plus;
+    maintainers = with maintainers; [ ryantm ];
+  };
+}
diff --git a/nixpkgs/pkgs/os-specific/linux/qc71_laptop/default.nix b/nixpkgs/pkgs/os-specific/linux/qc71_laptop/default.nix
new file mode 100644
index 000000000000..bb4bf20ad0f6
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/qc71_laptop/default.nix
@@ -0,0 +1,34 @@
+{ lib, stdenv, fetchFromGitHub, kernel }:
+
+stdenv.mkDerivation rec {
+  pname = "qc71_laptop";
+  version = "unstable-2023-03-02";
+
+  src = fetchFromGitHub {
+    owner = "pobrn";
+    repo = "qc71_laptop";
+    rev = "8805dc5639f6659addf153a295ad4bbaa2483fa3";
+    hash = "sha256-wg7APGArjrl9DEAHTG6BknOBx+UbtNrzziwmLueKPfA=";
+  };
+
+  nativeBuildInputs = kernel.moduleBuildDependencies;
+
+  makeFlags = kernel.makeFlags ++ [
+    "VERSION=${version}"
+    "KDIR=${kernel.dev}/lib/modules/${kernel.modDirVersion}/build"
+  ];
+
+  installPhase = ''
+    runHook preInstall
+    install -D qc71_laptop.ko -t $out/lib/modules/${kernel.modDirVersion}/extra
+    runHook postInstall
+  '';
+
+  meta = with lib; {
+    description = "Linux driver for QC71 laptop";
+    homepage = "https://github.com/pobrn/qc71_laptop/";
+    license = licenses.gpl2Plus;
+    maintainers = with maintainers; [ aacebedo ];
+    platforms = platforms.linux;
+  };
+}
diff --git a/nixpkgs/pkgs/os-specific/linux/qmk-udev-rules/default.nix b/nixpkgs/pkgs/os-specific/linux/qmk-udev-rules/default.nix
new file mode 100644
index 000000000000..5b627ea9033b
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/qmk-udev-rules/default.nix
@@ -0,0 +1,33 @@
+{ lib, stdenv, fetchFromGitHub }:
+
+## Usage
+# In NixOS, simply add this package to services.udev.packages:
+#   services.udev.packages = [ pkgs.qmk-udev-rules ];
+
+stdenv.mkDerivation rec {
+  pname = "qmk-udev-rules";
+  version = "0.22.3";
+
+  src = fetchFromGitHub {
+    owner = "qmk";
+    repo = "qmk_firmware";
+    rev = version;
+    hash = "sha256-HLQxmBlzTdsOAMqfc4taoMM+V2G5novMsbc1drZlNGg=";
+  };
+
+  dontBuild = true;
+
+  installPhase = ''
+    runHook preInstall
+    install -D util/udev/50-qmk.rules $out/lib/udev/rules.d/50-qmk.rules
+    runHook postInstall
+  '';
+
+  meta = with lib; {
+    homepage = "https://github.com/qmk/qmk_firmware";
+    description = "Official QMK udev rules list";
+    platforms = platforms.linux;
+    license = licenses.gpl2Only;
+    maintainers = with maintainers; [ ekleog ];
+  };
+}
diff --git a/nixpkgs/pkgs/os-specific/linux/qperf/default.nix b/nixpkgs/pkgs/os-specific/linux/qperf/default.nix
new file mode 100644
index 000000000000..a074cde448d9
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/qperf/default.nix
@@ -0,0 +1,43 @@
+{ stdenv, lib
+, fetchFromGitHub, fetchpatch
+, autoconf, automake, perl, rdma-core }:
+
+stdenv.mkDerivation rec {
+  pname = "qperf";
+  version = "0.4.11";
+
+  src = fetchFromGitHub {
+    owner = "linux-rdma";
+    repo = "qperf";
+    rev = "v${version}";
+    hash = "sha256-x9l8xqwMDHlXRZpWt3XiqN5xyCTV5rk8jp/ClRPPECI=";
+  };
+
+  patches = [ (fetchpatch {
+    name = "version-bump.patch";
+    url = "https://github.com/linux-rdma/qperf/commit/34ec57ddb7e5ae1adfcfc8093065dff90b69a275.patch";
+    hash = "sha256-+7ckhUUB+7BG6qRKv0wgyIxkyvll2xjf3Wk1hpRsDo0=";
+  }) ];
+
+  nativeBuildInputs = [ autoconf automake perl rdma-core ];
+  buildInputs = [ rdma-core ];
+
+  postUnpack =  ''
+    patchShebangs .
+  '';
+
+  configurePhase = ''
+    runHook preConfigure
+    ./autogen.sh
+    ./configure --prefix=$out
+    runHook postConfigure
+  '';
+
+  meta = with lib; {
+    description = "Measure RDMA and IP performance";
+    homepage = "https://github.com/linux-rdma/qperf";
+    license = licenses.gpl2Only;
+    platforms = platforms.linux;
+    maintainers = with maintainers; [ edwtjo ];
+  };
+}
diff --git a/nixpkgs/pkgs/os-specific/linux/r8125/default.nix b/nixpkgs/pkgs/os-specific/linux/r8125/default.nix
new file mode 100644
index 000000000000..4517cb29e75a
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/r8125/default.nix
@@ -0,0 +1,47 @@
+{ stdenv, lib, fetchFromGitHub, kernel }:
+
+stdenv.mkDerivation rec {
+  pname = "r8125";
+  # On update please verify (using `diff -r`) that the source matches the
+  # realtek version.
+  version = "9.011.01";
+
+  # This is a mirror. The original website[1] doesn't allow non-interactive
+  # downloads, instead emailing you a download link.
+  # [1] https://www.realtek.com/en/component/zoo/category/network-interface-controllers-10-100-1000m-gigabit-ethernet-pci-express-software
+  src = fetchFromGitHub {
+    owner = "louistakepillz";
+    repo = "r8125";
+    rev = version;
+    sha256 = "sha256-QV1DKkWVtqcnuqgAdJnPpj6Z6ch+lw61zpouXKlyfqQ=";
+  };
+
+  hardeningDisable = [ "pic" ];
+
+  nativeBuildInputs = kernel.moduleBuildDependencies;
+
+  preBuild = ''
+    substituteInPlace src/Makefile --replace "BASEDIR :=" "BASEDIR ?="
+    substituteInPlace src/Makefile --replace "modules_install" "INSTALL_MOD_PATH=$out modules_install"
+  '';
+
+  makeFlags = [
+    "BASEDIR=${kernel.dev}/lib/modules/${kernel.modDirVersion}"
+  ];
+
+  buildFlags = [ "modules" ];
+
+  meta = with lib; {
+    homepage = "https://github.com/louistakepillz/r8125";
+    downloadPage = "https://www.realtek.com/en/component/zoo/category/network-interface-controllers-10-100-1000m-gigabit-ethernet-pci-express-software";
+    description = "Realtek r8125 driver";
+    longDescription = ''
+      A kernel module for Realtek 8125 2.5G network cards.
+    '';
+    # r8125 has been integrated into the kernel as of v5.9.1
+    broken = lib.versionAtLeast kernel.version "5.9.1";
+    license = licenses.gpl2Plus;
+    platforms = platforms.linux;
+    maintainers = with maintainers; [ peelz ];
+  };
+}
diff --git a/nixpkgs/pkgs/os-specific/linux/r8168/default.nix b/nixpkgs/pkgs/os-specific/linux/r8168/default.nix
new file mode 100644
index 000000000000..69e779dfaa66
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/r8168/default.nix
@@ -0,0 +1,59 @@
+{ stdenv, lib, fetchFromGitHub, kernel }:
+
+
+let modDestDir = "$out/lib/modules/${kernel.modDirVersion}/kernel/drivers/net/wireless/realtek/r8168";
+
+in stdenv.mkDerivation rec {
+  name = "r8168-${kernel.version}-${version}";
+  # on update please verify that the source matches the realtek version
+  version = "8.048.03";
+
+  # This is a mirror. The original website[1] doesn't allow non-interactive
+  # downloads, instead emailing you a download link.
+  # [1] https://www.realtek.com/en/component/zoo/category/network-interface-controllers-10-100-1000m-gigabit-ethernet-pci-express-software
+  # I've verified manually (`diff -r`) that the source code for version 8.046.00
+  # is the same as the one available on the realtek website.
+  src = fetchFromGitHub {
+    owner = "mtorromeo";
+    repo = "r8168";
+    rev = version;
+    sha256 = "1l8llpcnapcaafxp7wlyny2ywh7k6q5zygwwjl9h0l6p04cghss4";
+  };
+
+  hardeningDisable = [ "pic" ];
+
+  nativeBuildInputs = kernel.moduleBuildDependencies;
+
+  # avoid using the Makefile directly -- it doesn't understand
+  # any kernel but the current.
+  # based on the ArchLinux pkgbuild: https://git.archlinux.org/svntogit/community.git/tree/trunk/PKGBUILD?h=packages/r8168
+  makeFlags = kernel.makeFlags ++ [
+    "-C ${kernel.dev}/lib/modules/${kernel.modDirVersion}/build"
+    "M=$(PWD)/src"
+    "modules"
+  ];
+  preBuild = ''
+    makeFlagsArray+=("EXTRA_CFLAGS=-DCONFIG_R8168_NAPI -DCONFIG_R8168_VLAN -DCONFIG_ASPM -DENABLE_S5WOL -DENABLE_EEE")
+  '';
+
+  enableParallelBuilding = true;
+
+  installPhase = ''
+    mkdir -p ${modDestDir}
+    find . -name '*.ko' -exec cp --parents '{}' ${modDestDir} \;
+    find ${modDestDir} -name '*.ko' -exec xz -f '{}' \;
+  '';
+
+  meta = with lib; {
+    description = "Realtek r8168 driver";
+    longDescription = ''
+      A kernel module for Realtek 8168 network cards.
+      If you want to use this driver, you might need to blacklist the r8169 driver
+      by adding "r8169" to boot.blacklistedKernelModules.
+    '';
+    license = licenses.gpl2Plus;
+    platforms = platforms.linux;
+    maintainers = with maintainers; [ timokau ];
+    broken = (lib.versions.majorMinor kernel.modDirVersion) != "5.15";
+  };
+}
diff --git a/nixpkgs/pkgs/os-specific/linux/radeontools/default.nix b/nixpkgs/pkgs/os-specific/linux/radeontools/default.nix
new file mode 100644
index 000000000000..01b83f879119
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/radeontools/default.nix
@@ -0,0 +1,25 @@
+{ lib, stdenv, fetchurl
+, autoreconfHook
+, pciutils
+, pkg-config
+, xorg
+}:
+
+stdenv.mkDerivation rec {
+  pname = "radeontool";
+  version = "1.6.3";
+
+  src = fetchurl {
+    url = "https://people.freedesktop.org/~airlied/radeontool/${pname}-${version}.tar.gz";
+    sha256 = "0mjk9wr9rsb17yy92j6yi16hfpa6v5r1dbyiy60zp4r125wr63za";
+  };
+
+  nativeBuildInputs = [ autoreconfHook pkg-config ];
+  buildInputs = [ xorg.libpciaccess ];
+
+  meta = with lib; {
+    description = "Lowlevel tools to tweak register and dump state on radeon GPUs";
+    homepage = "https://airlied.livejournal.com/";
+    license = licenses.zlib;
+  };
+}
diff --git a/nixpkgs/pkgs/os-specific/linux/radeontop/default.nix b/nixpkgs/pkgs/os-specific/linux/radeontop/default.nix
new file mode 100644
index 000000000000..9e9cb5845e4e
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/radeontop/default.nix
@@ -0,0 +1,45 @@
+{ lib, stdenv, fetchFromGitHub, pkg-config, gettext, makeWrapper
+, ncurses, libdrm, libpciaccess, libxcb }:
+
+stdenv.mkDerivation rec {
+  pname = "radeontop";
+  version = "1.4";
+
+  src = fetchFromGitHub {
+    sha256 = "0kwqddidr45s1blp0h8r8h1dd1p50l516yb6mb4s6zsc827xzgg3";
+    rev = "v${version}";
+    repo = "radeontop";
+    owner = "clbr";
+  };
+
+  buildInputs = [ ncurses libdrm libpciaccess libxcb ];
+  nativeBuildInputs = [ pkg-config gettext makeWrapper ];
+
+  enableParallelBuilding = true;
+
+  patchPhase = ''
+    substituteInPlace getver.sh --replace ver=unknown ver=${version}
+    substituteInPlace Makefile --replace pkg-config "$PKG_CONFIG"
+  '';
+
+  makeFlags = [ "PREFIX=$(out)" ];
+
+  postInstall = ''
+    wrapProgram $out/bin/radeontop \
+      --prefix LD_LIBRARY_PATH : $out/lib
+  '';
+
+  meta = with lib; {
+    description = "Top-like tool for viewing AMD Radeon GPU utilization";
+    longDescription = ''
+      View GPU utilization, both for the total activity percent and individual
+      blocks. Supports R600 and later cards: even Southern Islands should work.
+      Works with both the open drivers and AMD Catalyst. Total GPU utilization
+      is also valid for OpenCL loads; the other blocks are only useful for GL
+      loads. Requires root rights or other permissions to read /dev/mem.
+    '';
+    homepage = "https://github.com/clbr/radeontop";
+    platforms = platforms.linux;
+    license = licenses.gpl3;
+  };
+}
diff --git a/nixpkgs/pkgs/os-specific/linux/rasdaemon/default.nix b/nixpkgs/pkgs/os-specific/linux/rasdaemon/default.nix
new file mode 100644
index 000000000000..35201d49b7f0
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/rasdaemon/default.nix
@@ -0,0 +1,111 @@
+{ lib, stdenv, fetchFromGitHub
+, autoreconfHook
+, glibcLocales, kmod, coreutils, perl
+, dmidecode, hwdata, sqlite
+, nixosTests
+}:
+
+stdenv.mkDerivation rec {
+  pname = "rasdaemon";
+  version = "0.7.0";
+
+  src = fetchFromGitHub {
+    owner = "mchehab";
+    repo = "rasdaemon";
+    rev = "v${version}";
+    sha256 = "sha256-oLwR+bNgKceVgLTOLYiKHNUkRmLouaQshdp/8UJnfqg=";
+  };
+
+  nativeBuildInputs = [ autoreconfHook ];
+
+  buildInputs = [
+    coreutils
+    glibcLocales
+    hwdata
+    kmod
+    sqlite
+    (perl.withPackages (ps: with ps; [ DBI DBDSQLite ]))
+  ]
+  ++ lib.optionals (!stdenv.isAarch64) [ dmidecode ];
+
+  configureFlags = [
+    "--sysconfdir=/etc"
+    "--localstatedir=/var"
+    "--with-sysconfdefdir=${placeholder "out"}/etc/sysconfig"
+    "--enable-sqlite3"
+    "--enable-aer"
+    "--enable-mce"
+    "--enable-extlog"
+    "--enable-non-standard"
+    "--enable-abrt-report"
+    "--enable-hisi-ns-decode"
+    "--enable-devlink"
+    "--enable-diskerror"
+    "--enable-memory-failure"
+    "--enable-memory-ce-pfa"
+    "--enable-amp-ns-decode"
+  ]
+  ++ lib.optionals (stdenv.isAarch64) [ "--enable-arm" ];
+
+  # The installation attempts to create the following directories:
+  # /var/lib/rasdaemon
+  #   location of the RAS event log generated by rasdaemon -r
+  # /etc/ras/dimm_labels.d
+  #   location of the DIMM labels generated by ras-mc-ctl
+  # /etc/sysconfig/rasdaemon
+  #   location of rasdaemon config file, currently only used for CE PFA config
+
+  # these are optional (for logging, DIMM label storage and user config)
+  # /var/lib/rasdaemon should be created by the NixOS module
+  # /etc/ras/dimm_labels.d should probably be generated,
+  # from user supplied content, in the NixOS module
+  # /etc/sysconfig/rasdaemon should be generated if there is user supplied content
+  # and default to $out/etc/sysconfig/rasdaemon which should hold the supplied default
+
+  # therefore, stripping these from the generated Makefile
+  # (needed in the config flags because those set where the tools look for these)
+
+# easy way out, ends up installing /nix/store/...rasdaemon/bin in $out
+
+  postConfigure = ''
+    substituteInPlace Makefile \
+      --replace '"$(DESTDIR)/etc/ras/dimm_labels.d"' '"$(prefix)/etc/ras/dimm_labels.d"'
+  '';
+
+  outputs = [ "out" "dev" "man" "inject" ];
+
+  postInstall = ''
+    install -Dm 0755 contrib/edac-fake-inject $inject/bin/edac-fake-inject
+    install -Dm 0755 contrib/edac-tests $inject/bin/edac-tests
+  '';
+
+  postFixup = ''
+    # Fix dmidecode and modprobe paths
+    substituteInPlace $out/bin/ras-mc-ctl \
+      --replace 'find_prog ("modprobe")  or exit (1)' '"${kmod}/bin/modprobe"'
+  ''
+  + lib.optionalString (!stdenv.isAarch64) ''
+    substituteInPlace $out/bin/ras-mc-ctl \
+      --replace 'find_prog ("dmidecode")' '"${dmidecode}/bin/dmidecode"'
+  '';
+
+  passthru.tests = nixosTests.rasdaemon;
+
+  meta = with lib; {
+    description = ''
+      A Reliability, Availability and Serviceability (RAS) logging tool using EDAC kernel tracing events
+    '';
+    longDescription = ''
+      Rasdaemon is a RAS (Reliability, Availability and Serviceability) logging
+      tool. It records memory errors, using the EDAC tracing events. EDAC is a
+      Linux kernel subsystem with handles detection of ECC errors from memory
+      controllers for most chipsets on i386 and x86_64 architectures. EDAC
+      drivers for other architectures like arm also exists.
+    '';
+    homepage = "https://github.com/mchehab/rasdaemon";
+    license = licenses.gpl2Plus;
+    platforms = platforms.linux;
+    changelog = "https://github.com/mchehab/rasdaemon/blob/v${version}/ChangeLog";
+    maintainers = with maintainers; [ evils ];
+  };
+}
diff --git a/nixpkgs/pkgs/os-specific/linux/raspberrypi-eeprom/default.nix b/nixpkgs/pkgs/os-specific/linux/raspberrypi-eeprom/default.nix
new file mode 100644
index 000000000000..6a429a77c57b
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/raspberrypi-eeprom/default.nix
@@ -0,0 +1,59 @@
+{ stdenvNoCC, lib, fetchFromGitHub, makeWrapper
+, python3, binutils-unwrapped, findutils, gawk, kmod, pciutils, libraspberrypi
+}:
+stdenvNoCC.mkDerivation rec {
+  pname = "raspberrypi-eeprom";
+  version = "2023.01.11-138c0";
+
+  src = fetchFromGitHub {
+    owner = "raspberrypi";
+    repo = "rpi-eeprom";
+    rev = "v${version}";
+    hash = "sha256-z3VyqdSkvxAgVmtMI/Is9qYrOeDXlyVLwHSSC2+AxcA=";
+  };
+
+  buildInputs = [ python3 ];
+  nativeBuildInputs = [ makeWrapper ];
+
+  postPatch = ''
+    # Don't try to verify md5 signatures from /var/lib/dpkg and
+    # fix path to the configuration.
+    substituteInPlace rpi-eeprom-update \
+      --replace 'IGNORE_DPKG_CHECKSUMS=''${LOCAL_MODE}' 'IGNORE_DPKG_CHECKSUMS=1' \
+      --replace '/etc/default' '/etc'
+  '';
+
+  installPhase = ''
+    mkdir -p $out/bin $out/share/rpi-eeprom
+
+    cp rpi-eeprom-config rpi-eeprom-update rpi-eeprom-digest $out/bin
+    cp -r firmware/{beta,critical,old,stable} $out/share/rpi-eeprom
+    cp -P firmware/default firmware/latest $out/share/rpi-eeprom
+  '';
+
+  fixupPhase = ''
+    patchShebangs $out/bin
+    for i in rpi-eeprom-update rpi-eeprom-config; do
+      wrapProgram $out/bin/$i \
+        --set FIRMWARE_ROOT $out/share/rpi-eeprom \
+        ${lib.optionalString stdenvNoCC.isAarch64 "--set VCMAILBOX ${libraspberrypi}/bin/vcmailbox"} \
+        --prefix PATH : "${lib.makeBinPath ([
+          binutils-unwrapped
+          findutils
+          gawk
+          kmod
+          pciutils
+          (placeholder "out")
+        ] ++ lib.optionals stdenvNoCC.isAarch64 [
+          libraspberrypi
+        ])}"
+    done
+  '';
+
+  meta = with lib; {
+    description = "Installation scripts and binaries for the closed sourced Raspberry Pi 4 EEPROMs";
+    homepage = "https://www.raspberrypi.org/documentation/hardware/raspberrypi/booteeprom.md";
+    license = with licenses; [ bsd3 unfreeRedistributableFirmware ];
+    maintainers = with maintainers; [ das_j ];
+  };
+}
diff --git a/nixpkgs/pkgs/os-specific/linux/rdma-core/default.nix b/nixpkgs/pkgs/os-specific/linux/rdma-core/default.nix
new file mode 100644
index 000000000000..e400e5eba7d7
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/rdma-core/default.nix
@@ -0,0 +1,78 @@
+{ lib
+, stdenv
+, fetchFromGitHub
+, cmake
+, pkg-config
+, docutils
+, pandoc
+, ethtool
+, iproute2
+, libnl
+, udev
+, python3
+, perl
+} :
+
+stdenv.mkDerivation (finalAttrs: {
+  pname = "rdma-core";
+  version = "48.0";
+
+  src = fetchFromGitHub {
+    owner = "linux-rdma";
+    repo = "rdma-core";
+    rev = "v${finalAttrs.version}";
+    hash = "sha256-/ltuZ9OiwJJ6CuAd6hqJwo+wETOgZ4UcW50BrjudF+k=";
+  };
+
+  strictDeps = true;
+
+  outputs = [ "out" "man" "dev" ];
+
+  nativeBuildInputs = [
+    cmake
+    docutils
+    pandoc
+    pkg-config
+    python3
+  ];
+
+  buildInputs = [
+    ethtool
+    iproute2
+    libnl
+    perl
+    udev
+  ];
+
+  cmakeFlags = [
+    "-DCMAKE_INSTALL_RUNDIR=/run"
+    "-DCMAKE_INSTALL_SHAREDSTATEDIR=/var/lib"
+  ];
+
+  postPatch = ''
+    substituteInPlace srp_daemon/srp_daemon.sh.in \
+      --replace /bin/rm rm
+  '';
+
+  postInstall = ''
+    # cmake script is buggy, move file manually
+    mkdir -p $out/${perl.libPrefix}
+    mv $out/share/perl5/* $out/${perl.libPrefix}
+  '';
+
+  postFixup = ''
+    for pls in $out/bin/{ibfindnodesusing.pl,ibidsverify.pl}; do
+      echo "wrapping $pls"
+      substituteInPlace $pls --replace \
+        "${perl}/bin/perl" "${perl}/bin/perl -I $out/${perl.libPrefix}"
+    done
+  '';
+
+  meta = {
+    description = "RDMA Core Userspace Libraries and Daemons";
+    homepage = "https://github.com/linux-rdma/rdma-core";
+    license = lib.licenses.gpl2Only;
+    platforms = lib.platforms.linux;
+    maintainers = [ lib.maintainers.markuskowa ];
+  };
+})
diff --git a/nixpkgs/pkgs/os-specific/linux/read-edid/default.nix b/nixpkgs/pkgs/os-specific/linux/read-edid/default.nix
new file mode 100644
index 000000000000..6e040d3cbffb
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/read-edid/default.nix
@@ -0,0 +1,31 @@
+{ stdenv, lib, fetchurl, cmake, libx86 }:
+
+stdenv.mkDerivation rec {
+  pname = "read-edid";
+  version = "3.0.2";
+
+  src = fetchurl {
+    url = "http://www.polypux.org/projects/read-edid/${pname}-${version}.tar.gz";
+    sha256 = "0vqqmwsgh2gchw7qmpqk6idgzcm5rqf2fab84y7gk42v1x2diin7";
+  };
+
+  patches = [ ./fno-common.patch ];
+
+  postPatch = ''
+    substituteInPlace CMakeLists.txt --replace 'COPYING' 'LICENSE'
+  '';
+
+  nativeBuildInputs = [ cmake ];
+  buildInputs = lib.optional stdenv.hostPlatform.isx86 libx86;
+
+  cmakeFlags = [ "-DCLASSICBUILD=${if stdenv.hostPlatform.isx86 then "ON" else "OFF"}" ];
+
+
+  meta = with lib; {
+    description = "Tool for reading and parsing EDID data from monitors";
+    homepage = "http://www.polypux.org/projects/read-edid/";
+    license = licenses.bsd2; # Quoted: "This is an unofficial license. Let's call it BSD-like."
+    maintainers = [ maintainers.dezgeg ];
+    platforms = platforms.linux;
+  };
+}
diff --git a/nixpkgs/pkgs/os-specific/linux/read-edid/fno-common.patch b/nixpkgs/pkgs/os-specific/linux/read-edid/fno-common.patch
new file mode 100644
index 000000000000..336b48b66ad8
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/read-edid/fno-common.patch
@@ -0,0 +1,22 @@
+--- a/get-edid/classic.c
++++ b/get-edid/classic.c
+@@ -26,7 +26,7 @@ typedef byte* real_ptr;
+ #define dosmemput(buffer,length,offset) memcpy(offset,buffer,length)
+ 
+ #define display(...) if (quiet == 0) { fprintf(stderr, __VA_ARGS__); }
+-int quiet;
++extern int quiet;
+ 
+ real_ptr far_ptr_to_real_ptr( uint32 farptr )
+ {
+--- a/get-edid/i2c.c
++++ b/get-edid/i2c.c
+@@ -15,7 +15,7 @@
+ 
+ //Ideas (but not too much actual code) taken from i2c-tools. Thanks guys.
+ 
+-int quiet;
++extern int quiet;
+ 
+ #define display(...) if (quiet == 0) { fprintf(stderr, __VA_ARGS__); }
+ 
diff --git a/nixpkgs/pkgs/os-specific/linux/reap/default.nix b/nixpkgs/pkgs/os-specific/linux/reap/default.nix
new file mode 100644
index 000000000000..fbbabc96c781
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/reap/default.nix
@@ -0,0 +1,27 @@
+{ lib, stdenv, fetchFromGitHub }:
+
+stdenv.mkDerivation rec {
+  pname = "reap";
+  version = "0.3-unreleased";
+
+  src = fetchFromGitHub {
+    owner = "leahneukirchen";
+    repo = "reap";
+    rev = "0e68d09804fb9ec82af37045fb37c2ceefa391d5";
+    hash = "sha256-4Bv7stW5PKcODQanup37YbiUWrEGR6BuSFXibAHmwn0=";
+  };
+
+  makeFlags = [ "PREFIX=${placeholder "out"}" ];
+
+  postInstall = ''
+    install -dm755 "$out/share/licenses/reap/"
+  '';
+
+  meta = with lib; {
+    homepage = "https://github.com/leahneukirchen/reap";
+    description = "run process until all its spawned processes are dead ";
+    license = with licenses; [ publicDomain ];
+    platforms = platforms.linux;
+    maintainers = [ maintainers.leahneukirchen ];
+  };
+}
diff --git a/nixpkgs/pkgs/os-specific/linux/regionset/default.nix b/nixpkgs/pkgs/os-specific/linux/regionset/default.nix
new file mode 100644
index 000000000000..f685eec19488
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/regionset/default.nix
@@ -0,0 +1,25 @@
+{ lib, stdenv, fetchurl }:
+
+let version = "0.2"; in
+stdenv.mkDerivation {
+  pname = "regionset";
+  inherit version;
+
+  src = fetchurl {
+    url = "http://linvdr.org/download/regionset/regionset-${version}.tar.gz";
+    sha256 = "1fgps85dmjvj41a5bkira43vs2aiivzhqwzdvvpw5dpvdrjqcp0d";
+  };
+
+  installPhase = ''
+    install -Dm755 {.,$out/bin}/regionset
+    install -Dm644 {.,$out/share/man/man8}/regionset.8
+  '';
+
+  meta = with lib; {
+    inherit version;
+    homepage = "http://linvdr.org/projects/regionset/";
+    description = "Tool for changing the region code setting of DVD players";
+    license = licenses.gpl2Plus;
+    platforms = platforms.linux;
+  };
+}
diff --git a/nixpkgs/pkgs/os-specific/linux/reptyr/default.nix b/nixpkgs/pkgs/os-specific/linux/reptyr/default.nix
new file mode 100644
index 000000000000..35516fdf0e69
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/reptyr/default.nix
@@ -0,0 +1,43 @@
+{ stdenv, lib, fetchFromGitHub, python3 }:
+
+let
+  python = python3.withPackages (p: [ p.pexpect ]);
+in stdenv.mkDerivation rec {
+  version = "0.10.0";
+  pname = "reptyr";
+
+  src = fetchFromGitHub {
+    owner = "nelhage";
+    repo = "reptyr";
+    rev = "reptyr-${version}";
+    sha256 = "sha256-jlO/ykrwGJkgKiPxfRQEX4TSksrbPQhkQs+QddwqaQ4=";
+  };
+
+  makeFlags = [ "PREFIX=" "DESTDIR=$(out)" ];
+
+  nativeCheckInputs = [ python ];
+
+  doCheck = true;
+
+  checkFlags = [
+    "PYTHON_CMD=${python.interpreter}"
+  ];
+
+  meta = {
+    platforms = [
+      "i686-linux"
+      "x86_64-linux"
+      "i686-freebsd"
+      "x86_64-freebsd"
+      "armv5tel-linux"
+      "armv6l-linux"
+      "armv7l-linux"
+      "aarch64-linux"
+      "riscv64-linux"
+    ];
+    maintainers = with lib.maintainers; [raskin];
+    license = lib.licenses.mit;
+    description = "Reparent a running program to a new terminal";
+    homepage = "https://github.com/nelhage/reptyr";
+  };
+}
diff --git a/nixpkgs/pkgs/os-specific/linux/restool/default.nix b/nixpkgs/pkgs/os-specific/linux/restool/default.nix
new file mode 100644
index 000000000000..853d9eeb7f3d
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/restool/default.nix
@@ -0,0 +1,52 @@
+{ stdenv, lib, fetchFromGitHub, bash, coreutils, dtc, file, gawk, gnugrep, gnused, pandoc, which }:
+
+stdenv.mkDerivation rec {
+  pname = "restool";
+  version = "2.4";
+
+  src = fetchFromGitHub {
+    owner = "nxp-qoriq";
+    repo = "restool";
+    rev = "abd2f5b7181db9d03db9e6ccda0194923b73e9a2";
+    sha256 = "sha256-ryTDyqSy39e8Omf7l8lK4mLWr8jccDhMVPldkVGSQVo=";
+  };
+
+  nativeBuildInputs = [ file pandoc ];
+  buildInputs = [ bash coreutils dtc gawk gnugrep gnused which ];
+
+  enableParallelBuilding = true;
+  makeFlags = [
+    "prefix="
+    "bindir_completion=/share/bash-completion/completions"
+    "DESTDIR=$(out)"
+    "VERSION=${version}"
+  ];
+
+  postPatch = ''
+    # -Werror makes this derivation fragile on compiler version upgrades, patch
+    # it out.
+    sed -i /-Werror/d Makefile
+  '';
+
+  preFixup = ''
+    # wrapProgram interacts badly with the ls-main tool, which relies on the
+    # shell's $0 argument to figure out which operation to run (busybox-style
+    # symlinks). Instead, inject the environment directly into the shell
+    # scripts we need to wrap.
+    for tool in ls-append-dpl ls-debug ls-main; do
+      sed -i "1 a export PATH=\"$out/bin:${lib.makeBinPath buildInputs}:\$PATH\"" $out/bin/$tool
+    done
+  '';
+
+  meta = with lib; {
+    description = "DPAA2 Resource Management Tool";
+    longDescription = ''
+      restool is a user space application providing the ability to dynamically
+      create and manage DPAA2 containers and objects from Linux.
+    '';
+    homepage = "https://github.com/nxp-qoriq/restool";
+    license = licenses.bsd3;
+    platforms = platforms.linux;
+    maintainers = with maintainers; [ delroth ];
+  };
+}
diff --git a/nixpkgs/pkgs/os-specific/linux/rewritefs/default.nix b/nixpkgs/pkgs/os-specific/linux/rewritefs/default.nix
new file mode 100644
index 000000000000..e78d5f2d164c
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/rewritefs/default.nix
@@ -0,0 +1,32 @@
+{ lib, stdenv, fetchFromGitHub, pkg-config, fuse3, pcre }:
+
+stdenv.mkDerivation {
+  pname = "rewritefs";
+  version = "unstable-2021-10-03";
+
+  src = fetchFromGitHub {
+    owner  = "sloonz";
+    repo   = "rewritefs";
+    rev    = "3a56de8b5a2d44968b8bc3885c7d661d46367306";
+    sha256 = "1w2rik0lhqm3wr68x51zs45gqfx79l7fi4p0sqznlfq7sz5s8xxn";
+  };
+
+  nativeBuildInputs = [ pkg-config ];
+  buildInputs = [ fuse3 pcre ];
+
+  prePatch = ''
+    # do not set sticky bit in nix store
+    substituteInPlace Makefile --replace 6755 0755
+  '';
+
+  preConfigure = "substituteInPlace Makefile --replace /usr/local $out";
+
+  meta = with lib; {
+    description = ''A FUSE filesystem intended to be used
+      like Apache mod_rewrite'';
+    homepage    = "https://github.com/sloonz/rewritefs";
+    license     = licenses.gpl2;
+    maintainers = with maintainers; [ rnhmjoj ];
+    platforms   = platforms.linux;
+  };
+}
diff --git a/nixpkgs/pkgs/os-specific/linux/rfkill/rfkill-hook.sh b/nixpkgs/pkgs/os-specific/linux/rfkill/rfkill-hook.sh
new file mode 100755
index 000000000000..75716e40daee
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/rfkill/rfkill-hook.sh
@@ -0,0 +1,19 @@
+#!@shell@
+
+# Executes a hook in case of a change to the
+# rfkill state. The hook can be passed as
+# environment variable, or present as executable
+# file.
+
+if [ -z "$RFKILL_STATE" ]; then
+  echo "rfkill-hook: error: RFKILL_STATE variable not set"
+  exit 1
+fi
+
+if [ -x /run/current-system/etc/rfkill.hook ]; then
+  exec /run/current-system/etc/rfkill.hook
+elif [ ! -z "$RFKILL_HOOK" ]; then
+  exec $RFKILL_HOOK
+else
+  echo "rfkill-hook: $RFKILL_STATE"
+fi
diff --git a/nixpkgs/pkgs/os-specific/linux/rfkill/udev.nix b/nixpkgs/pkgs/os-specific/linux/rfkill/udev.nix
new file mode 100644
index 000000000000..e1a14a80162c
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/rfkill/udev.nix
@@ -0,0 +1,56 @@
+{ lib, stdenv, substituteAll }:
+
+# Provides a facility to hook into rfkill changes.
+#
+# Exemplary usage:
+#
+# Add this package to udev.packages, e.g.:
+#   udev.packages = [ pkgs.rfkill_udev ];
+#
+# Add a hook script in the managed etc directory, e.g.:
+#   etc."rfkill.hook" = {
+#     mode = "0755";
+#     text = ''
+#       #!${pkgs.runtimeShell}
+#
+#       if [ "$RFKILL_STATE" -eq "1" ]; then
+#         exec ${config.system.build.upstart}/sbin/initctl emit -n antenna-on
+#       else
+#         exec ${config.system.build.upstart}/sbin/initctl emit -n antenna-off
+#       fi
+#     '';
+#   }
+
+# Note: this package does not need the binaries
+# in the rfkill package.
+
+let
+  rfkillHook =
+    substituteAll {
+      inherit (stdenv) shell;
+      isExecutable = true;
+      src = ./rfkill-hook.sh;
+    };
+in stdenv.mkDerivation {
+  name = "rfkill-udev";
+
+  dontUnpack = true;
+  dontBuild = true;
+
+  installPhase = ''
+    mkdir -p "$out/etc/udev/rules.d/";
+    cat > "$out/etc/udev/rules.d/90-rfkill.rules" << EOF
+      SUBSYSTEM=="rfkill", ATTR{type}=="wlan", RUN+="$out/bin/rfkill-hook.sh"
+    EOF
+
+    mkdir -p "$out/bin/";
+    cp ${rfkillHook} "$out/bin/rfkill-hook.sh"
+  '';
+
+  meta = with lib; {
+    homepage = "http://wireless.kernel.org/en/users/Documentation/rfkill";
+    description = "Rules+hook for udev to catch rfkill state changes";
+    platforms = platforms.linux;
+    license = licenses.mit;
+  };
+}
diff --git a/nixpkgs/pkgs/os-specific/linux/roccat-tools/default.nix b/nixpkgs/pkgs/os-specific/linux/roccat-tools/default.nix
new file mode 100644
index 000000000000..389d5036b754
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/roccat-tools/default.nix
@@ -0,0 +1,54 @@
+{ lib, stdenv, fetchurl, cmake, pkg-config, gettext
+, dbus, dbus-glib, libgaminggear, libgudev, lua
+, harfbuzz, runtimeShell, coreutils, kmod
+}:
+
+stdenv.mkDerivation rec {
+  pname = "roccat-tools";
+  version = "5.9.0";
+
+  src = fetchurl {
+    url = "mirror://sourceforge/roccat/${pname}-${version}.tar.bz2";
+    sha256 = "12j02rzbz3iqxprz8cj4kcfcdgnqlva142ci177axqmckcq6crvg";
+  };
+
+  postPatch = ''
+    sed -i -re 's,/(etc/xdg),\1,' roccateventhandler/CMakeLists.txt
+
+    sed -i -e '/roccat_profile_dir(void).*{/,/}/ {
+      /return/c \
+        return g_build_path("/", g_get_user_data_dir(), "roccat", NULL);
+    }' libroccat/roccat_helper.c
+
+    substituteInPlace udev/90-roccat-kone.rules \
+      --replace "/bin/sh" "${runtimeShell}" \
+      --replace "/sbin/modprobe" "${kmod}/bin/modprobe" \
+      --replace "/bin/echo" "${coreutils}/bin/echo"
+  '';
+
+  nativeBuildInputs = [ cmake pkg-config gettext ];
+  buildInputs = [ dbus dbus-glib libgaminggear libgudev lua ];
+
+  cmakeFlags = [
+    "-DUDEVDIR=\${out}/lib/udev/rules.d"
+    "-DCMAKE_MODULE_PATH=${libgaminggear.dev}/lib/cmake"
+    "-DWITH_LUA=${lua.luaversion}"
+    "-DLIBDIR=lib"
+  ];
+
+  env.NIX_CFLAGS_COMPILE = toString [
+    "-I${harfbuzz.dev}/include/harfbuzz"
+
+    # Workaround build failure on -fno-common toolchains:
+    #   ld: ryos_talk.c.o:(.bss+0x0): multiple definition of `RyosWriteCheckWait';
+    #     ryos_custom_lights.c.o:(.bss+0x0): first defined here
+    "-fcommon"
+  ];
+
+  meta = {
+    description = "Tools to configure ROCCAT devices";
+    homepage = "https://roccat.sourceforge.net/";
+    platforms = lib.platforms.linux;
+    license = lib.licenses.gpl2Plus;
+  };
+}
diff --git a/nixpkgs/pkgs/os-specific/linux/rt-tests/default.nix b/nixpkgs/pkgs/os-specific/linux/rt-tests/default.nix
new file mode 100644
index 000000000000..8e3a9b0ceb02
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/rt-tests/default.nix
@@ -0,0 +1,34 @@
+{ stdenv
+, lib
+, makeWrapper
+, fetchurl
+, numactl
+, python3
+}:
+
+stdenv.mkDerivation rec {
+  pname = "rt-tests";
+  version = "2.6";
+
+  src = fetchurl {
+    url = "https://git.kernel.org/pub/scm/utils/rt-tests/rt-tests.git/snapshot/${pname}-${version}.tar.gz";
+    sha256 = "sha256-apRJwRqcyzfmyGCCv5BDN92pKP3Nafa9SkxlZ+Bxrm0=";
+  };
+
+  nativeBuildInputs = [ makeWrapper ];
+  buildInputs = [ numactl python3 ];
+
+  makeFlags = [ "prefix=$(out)" "DESTDIR=" "PYLIB=$(out)/${python3.sitePackages}" ];
+
+  postInstall = ''
+    wrapProgram "$out/bin/determine_maximum_mpps.sh" --prefix PATH : $out/bin
+  '';
+
+  meta = with lib; {
+    homepage = "https://git.kernel.org/pub/scm/utils/rt-tests/rt-tests.git";
+    description = "Suite of real-time tests - cyclictest, hwlatdetect, pip_stress, pi_stress, pmqtest, ptsematest, rt-migrate-test, sendme, signaltest, sigwaittest, svsematest";
+    platforms = platforms.linux;
+    maintainers = with maintainers; [ poelzi ];
+    license = licenses.gpl2;
+  };
+}
diff --git a/nixpkgs/pkgs/os-specific/linux/rtkit/default.nix b/nixpkgs/pkgs/os-specific/linux/rtkit/default.nix
new file mode 100644
index 000000000000..69d32079d5c7
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/rtkit/default.nix
@@ -0,0 +1,56 @@
+{ lib, stdenv, fetchFromGitHub, fetchpatch
+, meson, ninja, pkg-config, unixtools
+, dbus, libcap, polkit, systemd
+}:
+
+stdenv.mkDerivation rec {
+  pname = "rtkit";
+  version = "0.13";
+
+  src = fetchFromGitHub {
+    owner = "heftig";
+    repo = "rtkit";
+    rev = "c295fa849f52b487be6433e69e08b46251950399";
+    sha256 = "0yfsgi3pvg6dkizrww1jxpkvcbhzyw9110n1dypmzq0c5hlzjxcd";
+  };
+
+  patches = [
+    (fetchpatch {
+      name = "meson-actual-use-systemd_systemunitdir.patch";
+      url = "https://github.com/heftig/rtkit/pull/19/commits/7d62095b94f8df3891c984a1535026d2658bb177.patch";
+      sha256 = "17acv549zqcgh7sgprfagbf6drqsr0zdwvf1dsqda7wlqc2h9zn7";
+    })
+
+    (fetchpatch {
+      name = "meson-fix-librt-find_library-check.patch";
+      url = "https://github.com/heftig/rtkit/pull/18/commits/98f70edd8f534c371cb4308b9720739c5178918d.patch";
+      sha256 = "18mnjjsdjfr184nkzi01xyphpdngi31ry4bmkv9ysjxf9wilv4nl";
+    })
+
+    (fetchpatch {
+      name = "rtkit-daemon-dont-log-debug-messages-by-default.patch";
+      url = "https://github.com/heftig/rtkit/pull/33/commits/ad649ee491ed1a41537774ad11564a208e598a09.patch";
+      sha256 = "sha256-p+MdJVMv58rFd1uc1UFKtq83RquDSFZ3M6YfaBU12UU=";
+    })
+  ];
+
+  nativeBuildInputs = [ meson ninja pkg-config unixtools.xxd ];
+  buildInputs = [ dbus libcap polkit systemd ];
+
+  mesonFlags = [
+    "-Dinstalled_tests=false"
+
+    "-Ddbus_systemservicedir=${placeholder "out"}/share/dbus-1/system-services"
+    "-Ddbus_interfacedir=${placeholder "out"}/share/dbus-1/interfaces"
+    "-Ddbus_rulesdir=${placeholder "out"}/etc/dbus-1/system.d"
+    "-Dpolkit_actiondir=${placeholder "out"}/share/polkit-1/actions"
+    "-Dsystemd_systemunitdir=${placeholder "out"}/etc/systemd/system"
+  ];
+
+  meta = with lib; {
+    homepage = "https://github.com/heftig/rtkit";
+    description = "A daemon that hands out real-time priority to processes";
+    license = with licenses; [ gpl3 bsd0 ]; # lib is bsd license
+    platforms = platforms.linux;
+  };
+}
diff --git a/nixpkgs/pkgs/os-specific/linux/rtl8188eus-aircrack/default.nix b/nixpkgs/pkgs/os-specific/linux/rtl8188eus-aircrack/default.nix
new file mode 100644
index 000000000000..a4fc11c8647c
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/rtl8188eus-aircrack/default.nix
@@ -0,0 +1,38 @@
+{ lib, stdenv, fetchFromGitHub, kernel, bc }:
+
+stdenv.mkDerivation {
+  pname = "rtl8188eus-aircrack";
+  version = "${kernel.version}-unstable-2023-09-21";
+
+  src = fetchFromGitHub {
+    owner = "aircrack-ng";
+    repo = "rtl8188eus";
+    rev = "3fae7237ba121f1169e9a2ea55040dc123697d3b";
+    sha256 = "sha256-ILSMEt9nMdg1ZbFeatWm8Yxf6a/E7Vm7KtKhN933KTc=";
+  };
+
+  prePatch = ''
+    substituteInPlace ./Makefile \
+      --replace /lib/modules/ "${kernel.dev}/lib/modules/" \
+      --replace /sbin/depmod \# \
+      --replace '$(MODDESTDIR)' "$out/lib/modules/${kernel.modDirVersion}/kernel/net/wireless/"
+  '';
+
+  hardeningDisable = [ "pic" ];
+
+  enableParallelBuilding = true;
+
+  nativeBuildInputs = [ bc ] ++ kernel.moduleBuildDependencies;
+
+  preInstall = ''
+    mkdir -p "$out/lib/modules/${kernel.modDirVersion}/kernel/net/wireless/"
+  '';
+
+  meta = with lib; {
+    description = "RealTek RTL8188eus WiFi driver with monitor mode & frame injection support";
+    homepage = "https://github.com/aircrack-ng/rtl8188eus";
+    license = licenses.gpl2Only;
+    maintainers = with maintainers; [ fortuneteller2k ];
+    broken = (lib.versionAtLeast kernel.version "6.6") || ((lib.versions.majorMinor kernel.version) == "5.4" && kernel.isHardened);
+  };
+}
diff --git a/nixpkgs/pkgs/os-specific/linux/rtl8189es/default.nix b/nixpkgs/pkgs/os-specific/linux/rtl8189es/default.nix
new file mode 100644
index 000000000000..e31a54f56c31
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/rtl8189es/default.nix
@@ -0,0 +1,45 @@
+{ stdenv, lib, fetchFromGitHub, kernel, bc, nukeReferences }:
+
+stdenv.mkDerivation rec {
+  name = "rtl8189es-${kernel.version}-${version}";
+  version = "2023-03-14";
+
+  src = fetchFromGitHub {
+    owner = "jwrdegoede";
+    repo = "rtl8189ES_linux";
+    rev = "ae7b31e55526ca0e01d2a3310118530bff4f1055";
+    sha256 = "sha256-l/xUxs63Y5LVT6ZafuRc+iaCXCSt2HwysYJLJ5hg3RM=";
+  };
+
+  nativeBuildInputs = [ bc nukeReferences ] ++ kernel.moduleBuildDependencies;
+
+  hardeningDisable = [ "pic" "format" ];
+
+  prePatch = ''
+    substituteInPlace ./Makefile --replace /lib/modules/ "${kernel.dev}/lib/modules/"
+    substituteInPlace ./Makefile --replace /sbin/depmod \#
+    substituteInPlace ./Makefile --replace '$(MODDESTDIR)' "$out/lib/modules/${kernel.modDirVersion}/kernel/net/wireless/"
+  '';
+
+  makeFlags = kernel.makeFlags ++ [
+    "KSRC=${kernel.dev}/lib/modules/${kernel.modDirVersion}/build"
+    ("CONFIG_PLATFORM_I386_PC=" + (if (stdenv.hostPlatform.isi686 || stdenv.hostPlatform.isx86_64) then "y" else "n"))
+    ("CONFIG_PLATFORM_ARM_RPI=" + (if stdenv.hostPlatform.isAarch then "y" else "n"))
+  ];
+
+  preInstall = ''
+    mkdir -p "$out/lib/modules/${kernel.modDirVersion}/kernel/net/wireless/"
+  '';
+
+  postInstall = ''
+    nuke-refs $out/lib/modules/*/kernel/net/wireless/*.ko
+  '';
+
+  meta = with lib; {
+    description = "Driver for Realtek rtl8189es";
+    homepage = "https://github.com/jwrdegoede/rtl8189ES_linux";
+    license = licenses.gpl2;
+    platforms = platforms.linux;
+    maintainers = with maintainers; [ danielfullmer lheckemann ];
+  };
+}
diff --git a/nixpkgs/pkgs/os-specific/linux/rtl8189fs/default.nix b/nixpkgs/pkgs/os-specific/linux/rtl8189fs/default.nix
new file mode 100644
index 000000000000..67642f11d322
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/rtl8189fs/default.nix
@@ -0,0 +1,22 @@
+{ lib, kernel, rtl8189es, fetchFromGitHub, fetchpatch }:
+
+# rtl8189fs is a branch of the rtl8189es driver
+rtl8189es.overrideAttrs (drv: rec {
+  name = "rtl8189fs-${kernel.version}-${version}";
+  version = "2023-03-27";
+
+  src = fetchFromGitHub {
+    owner = "jwrdegoede";
+    repo = "rtl8189ES_linux";
+    rev = "c223a25b1000d64432eca4201a8f012414dfc7ce";
+    sha256 = "sha256-5b5IshLbWxvmzcKy/xLsqKa3kZpwDQXTQtjqZLHyOCo=";
+  };
+
+  meta = with lib; {
+    description = "Driver for Realtek rtl8189fs";
+    homepage = "https://github.com/jwrdegoede/rtl8189ES_linux/tree/rtl8189fs";
+    license = licenses.gpl2;
+    platforms = platforms.linux;
+    maintainers = with maintainers; [ puffnfresh ];
+  };
+})
diff --git a/nixpkgs/pkgs/os-specific/linux/rtl8192eu/default.nix b/nixpkgs/pkgs/os-specific/linux/rtl8192eu/default.nix
new file mode 100644
index 000000000000..32b97b59c52e
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/rtl8192eu/default.nix
@@ -0,0 +1,44 @@
+{ stdenv, lib, fetchFromGitHub, kernel, bc }:
+
+with lib;
+
+let modDestDir = "$out/lib/modules/${kernel.modDirVersion}/kernel/drivers/net/wireless/realtek/rtl8192eu";
+
+in stdenv.mkDerivation rec {
+  pname = "rtl8192eu";
+  version = "${kernel.version}-4.4.1.20230613";
+
+  src = fetchFromGitHub {
+    owner = "Mange";
+    repo = "rtl8192eu-linux-driver";
+    rev = "f2fc8af7ab58d2123eed1aa4428e713cdfc27976";
+    sha256 = "sha256-OgsxBcXoIP8h9Z0bLsG91/s/+r89Tdn2dPOt4p3sx8k=";
+  };
+
+  hardeningDisable = [ "pic" ];
+
+  nativeBuildInputs = kernel.moduleBuildDependencies ++ [ bc ];
+
+  makeFlags = kernel.makeFlags ++ [ "KSRC=${kernel.dev}/lib/modules/${kernel.modDirVersion}/build" ];
+
+  enableParallelBuilding = true;
+
+  installPhase = ''
+    runHook preInstall
+
+    mkdir -p ${modDestDir}
+    find . -name '*.ko' -exec cp --parents {} ${modDestDir} \;
+    find ${modDestDir} -name '*.ko' -exec xz -f {} \;
+
+    runHook postInstall
+  '';
+
+  meta = with lib; {
+    description = "Realtek rtl8192eu driver";
+    homepage = "https://github.com/Mange/rtl8192eu-linux-driver";
+    license = licenses.gpl2Only;
+    platforms = platforms.linux;
+    broken = stdenv.hostPlatform.isAarch64;
+    maintainers = with maintainers; [ troydm ];
+  };
+}
diff --git a/nixpkgs/pkgs/os-specific/linux/rtl8723ds/default.nix b/nixpkgs/pkgs/os-specific/linux/rtl8723ds/default.nix
new file mode 100644
index 000000000000..be4b954c1b61
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/rtl8723ds/default.nix
@@ -0,0 +1,44 @@
+{ lib, stdenv, fetchFromGitHub, kernel, bc }:
+
+stdenv.mkDerivation {
+  pname = "rtl8723ds";
+  version = "${kernel.version}-unstable-2022-12-01";
+
+  src = fetchFromGitHub {
+    owner = "lwfinger";
+    repo = "rtl8723ds";
+    rev = "a638cc8639015b8b9390af3350fab0366b6c87e7";
+    sha256 = "sha256-qfVE7k71NPzw3FwoOaUxH66PnDjbpMAF6CyOyUVdSMA=";
+  };
+
+  hardeningDisable = [ "pic" ];
+
+  nativeBuildInputs = [ bc ] ++ kernel.moduleBuildDependencies;
+
+  makeFlags = [
+    "ARCH=${stdenv.hostPlatform.linuxArch}"
+  ] ++ lib.optionals (stdenv.hostPlatform != stdenv.buildPlatform) [
+    "CROSS_COMPILE=${stdenv.cc.targetPrefix}"
+  ];
+
+  postPatch = ''
+    substituteInPlace ./Makefile \
+      --replace /lib/modules/ "${kernel.dev}/lib/modules/" \
+      --replace "/sbin/depmod" "#" \
+      --replace '$(MODDESTDIR)' "$out/lib/modules/${kernel.modDirVersion}/kernel/net/wireless/"
+  '';
+
+  preInstall = ''
+    mkdir -p "$out/lib/modules/${kernel.modDirVersion}/kernel/net/wireless/"
+  '';
+
+  enableParallelBuilding = true;
+
+  meta = {
+    description = "Linux driver for RTL8723DS.";
+    homepage = "https://github.com/lwfinger/rtl8723ds";
+    license = lib.licenses.gpl2Only;
+    platforms = lib.platforms.linux;
+    maintainers = with lib.maintainers; [ chuangzhu ];
+  };
+}
diff --git a/nixpkgs/pkgs/os-specific/linux/rtl8812au/default.nix b/nixpkgs/pkgs/os-specific/linux/rtl8812au/default.nix
new file mode 100644
index 000000000000..9646886a6de1
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/rtl8812au/default.nix
@@ -0,0 +1,49 @@
+{ lib, stdenv, fetchFromGitHub, kernel, bc, nukeReferences }:
+
+stdenv.mkDerivation {
+  pname = "rtl8812au";
+  version = "${kernel.version}-unstable-2023-07-22";
+
+  src = fetchFromGitHub {
+    owner = "morrownr";
+    repo = "8812au-20210629";
+    rev = "b5f4e6e894eca8fea38661e2fc22a2570e0274ad";
+    hash = "sha256-3uPowesJVh/cnagMz/Uadb+U5rDUAWfU39tZaDNCoqg=";
+  };
+
+  nativeBuildInputs = [ bc nukeReferences ] ++ kernel.moduleBuildDependencies;
+  hardeningDisable = [ "pic" "format" ];
+
+  prePatch = ''
+    substituteInPlace ./Makefile \
+      --replace /lib/modules/ "${kernel.dev}/lib/modules/" \
+      --replace /sbin/depmod \# \
+      --replace '$(MODDESTDIR)' "$out/lib/modules/${kernel.modDirVersion}/kernel/net/wireless/"
+  '';
+
+  makeFlags = [
+    "ARCH=${stdenv.hostPlatform.linuxArch}"
+    ("CONFIG_PLATFORM_I386_PC=" + (if stdenv.hostPlatform.isx86 then "y" else "n"))
+    ("CONFIG_PLATFORM_ARM_RPI=" + (if stdenv.hostPlatform.isAarch then "y" else "n"))
+  ] ++ lib.optionals (stdenv.hostPlatform != stdenv.buildPlatform) [
+    "CROSS_COMPILE=${stdenv.cc.targetPrefix}"
+  ];
+
+  preInstall = ''
+    mkdir -p "$out/lib/modules/${kernel.modDirVersion}/kernel/net/wireless/"
+  '';
+
+  postInstall = ''
+    nuke-refs $out/lib/modules/*/kernel/net/wireless/*.ko
+  '';
+
+  enableParallelBuilding = true;
+
+  meta = with lib; {
+    description = "Driver for Realtek 802.11ac, rtl8812au, provides the 8812au mod";
+    homepage = "https://github.com/morrownr/8812au-20210629";
+    license = licenses.gpl2Only;
+    platforms = platforms.linux;
+    maintainers = with maintainers; [ fortuneteller2k ];
+  };
+}
diff --git a/nixpkgs/pkgs/os-specific/linux/rtl8814au/default.nix b/nixpkgs/pkgs/os-specific/linux/rtl8814au/default.nix
new file mode 100644
index 000000000000..0b1522c96972
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/rtl8814au/default.nix
@@ -0,0 +1,40 @@
+{ lib, stdenv, fetchFromGitHub, kernel }:
+
+stdenv.mkDerivation {
+  pname = "rtl8814au";
+  version = "${kernel.version}-unstable-2023-03-21";
+
+  src = fetchFromGitHub {
+    owner = "morrownr";
+    repo = "8814au";
+    rev = "6f80699e68fd2a9f2bba3f1a56ca06d1b7992bd8";
+    hash = "sha256-7dv+8vNI1OLLA4SdZQPL87pTS9HR6mGijzWo9WL7vc0=";
+  };
+
+  nativeBuildInputs = kernel.moduleBuildDependencies;
+  makeFlags = kernel.makeFlags;
+
+  hardeningDisable = [ "pic" ];
+
+  env.NIX_CFLAGS_COMPILE = "-Wno-error=incompatible-pointer-types";
+
+  prePatch = ''
+    substituteInPlace ./Makefile \
+      --replace /lib/modules/ "${kernel.dev}/lib/modules/" \
+      --replace /sbin/depmod \# \
+      --replace '$(MODDESTDIR)' "$out/lib/modules/${kernel.modDirVersion}/kernel/net/wireless/"
+  '';
+
+  preInstall = ''
+    mkdir -p "$out/lib/modules/${kernel.modDirVersion}/kernel/net/wireless/"
+  '';
+
+  enableParallelBuilding = true;
+
+  meta = with lib; {
+    description = "Realtek 8814AU USB WiFi driver";
+    homepage = "https://github.com/morrownr/8814au";
+    license = licenses.gpl2Only;
+    maintainers = [ maintainers.lassulus ];
+  };
+}
diff --git a/nixpkgs/pkgs/os-specific/linux/rtl8821au/default.nix b/nixpkgs/pkgs/os-specific/linux/rtl8821au/default.nix
new file mode 100644
index 000000000000..b89cddbfc73b
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/rtl8821au/default.nix
@@ -0,0 +1,52 @@
+{ lib, stdenv, fetchFromGitHub, kernel, bc, nukeReferences }:
+
+stdenv.mkDerivation {
+  pname = "rtl8821au";
+  version = "${kernel.version}-unstable-2023-07-23";
+
+  src = fetchFromGitHub {
+    owner = "morrownr";
+    repo = "8821au-20210708";
+    rev = "0dc022287b0ab534efa885881eaa65c5503291be";
+    hash = "sha256-pLRBWdqlv9A39VbCS8dymTCJHcwJooqD8v6mTbOsBz0=";
+  };
+
+  nativeBuildInputs = [ bc nukeReferences ] ++ kernel.moduleBuildDependencies;
+
+  hardeningDisable = [ "pic" "format" ];
+
+  env.NIX_CFLAGS_COMPILE = "-Wno-error=incompatible-pointer-types";
+
+  makeFlags = [
+    "ARCH=${stdenv.hostPlatform.linuxArch}"
+    ("CONFIG_PLATFORM_I386_PC=" + (if stdenv.hostPlatform.isx86 then "y" else "n"))
+    ("CONFIG_PLATFORM_ARM_RPI=" + (if (stdenv.hostPlatform.isAarch32 || stdenv.hostPlatform.isAarch64) then "y" else "n"))
+  ] ++ lib.optionals (stdenv.hostPlatform != stdenv.buildPlatform) [
+    "CROSS_COMPILE=${stdenv.cc.targetPrefix}"
+  ];
+
+  prePatch = ''
+    substituteInPlace ./Makefile \
+      --replace /lib/modules/ "${kernel.dev}/lib/modules/" \
+      --replace /sbin/depmod \# \
+      --replace '$(MODDESTDIR)' "$out/lib/modules/${kernel.modDirVersion}/kernel/net/wireless/"
+  '';
+
+  preInstall = ''
+    mkdir -p "$out/lib/modules/${kernel.modDirVersion}/kernel/net/wireless/"
+  '';
+
+  postInstall = ''
+    nuke-refs $out/lib/modules/*/kernel/net/wireless/*.ko
+  '';
+
+  enableParallelBuilding = true;
+
+  meta = with lib; {
+    description = "rtl8821AU and rtl8812AU chipset driver with firmware";
+    homepage = "https://github.com/morrownr/8821au";
+    license = licenses.gpl2Only;
+    platforms = lib.platforms.linux;
+    maintainers = with maintainers; [ plchldr ];
+  };
+}
diff --git a/nixpkgs/pkgs/os-specific/linux/rtl8821ce/default.nix b/nixpkgs/pkgs/os-specific/linux/rtl8821ce/default.nix
new file mode 100644
index 000000000000..87670105b10b
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/rtl8821ce/default.nix
@@ -0,0 +1,45 @@
+{ lib
+, stdenv
+, fetchFromGitHub
+, kernel
+, bc
+}:
+
+stdenv.mkDerivation rec {
+  pname = "rtl8821ce";
+  version = "${kernel.version}-unstable-2023-05-04";
+
+  src = fetchFromGitHub {
+    owner = "tomaspinho";
+    repo = "rtl8821ce";
+    rev = "a478095a45d8aa957b45be4f9173c414efcacc6f";
+    hash = "sha256-xqVxylKhL7vbC7m5Av6ven5i7OBkS2RHxrKzLOVBlgE=";
+  };
+
+  hardeningDisable = [ "pic" ];
+
+  nativeBuildInputs = [ bc ] ++ kernel.moduleBuildDependencies;
+  makeFlags = kernel.makeFlags;
+
+  prePatch = ''
+    substituteInPlace ./Makefile \
+      --replace /lib/modules/ "${kernel.dev}/lib/modules/" \
+      --replace /sbin/depmod \# \
+      --replace '$(MODDESTDIR)' "$out/lib/modules/${kernel.modDirVersion}/kernel/net/wireless/"
+  '';
+
+  preInstall = ''
+    mkdir -p "$out/lib/modules/${kernel.modDirVersion}/kernel/net/wireless/"
+  '';
+
+  enableParallelBuilding = true;
+
+  meta = with lib; {
+    description = "Realtek rtl8821ce driver";
+    homepage = "https://github.com/tomaspinho/rtl8821ce";
+    license = licenses.gpl2Only;
+    platforms = platforms.linux;
+    maintainers = with maintainers; [ hhm ivar ];
+    broken = stdenv.isAarch64 || ((lib.versions.majorMinor kernel.version) == "5.4" && kernel.isHardened);
+  };
+}
diff --git a/nixpkgs/pkgs/os-specific/linux/rtl8821cu/default.nix b/nixpkgs/pkgs/os-specific/linux/rtl8821cu/default.nix
new file mode 100644
index 000000000000..806df9f6dd4d
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/rtl8821cu/default.nix
@@ -0,0 +1,39 @@
+{ lib, stdenv, fetchFromGitHub, kernel, bc }:
+
+stdenv.mkDerivation rec {
+  pname = "rtl8821cu";
+  version = "${kernel.version}-unstable-2023-09-10";
+
+  src = fetchFromGitHub {
+    owner = "morrownr";
+    repo = "8821cu-20210916";
+    rev = "f6d4598290c5e9c8e545130e8a31d130f6d135f4";
+    hash = "sha256-jpMf8K9diJ3mbEkP9Cp+VwairK+pwiEGU/AtUIouCqM=";
+  };
+
+  hardeningDisable = [ "pic" ];
+
+  nativeBuildInputs = [ bc ] ++ kernel.moduleBuildDependencies;
+  makeFlags = kernel.makeFlags;
+
+  prePatch = ''
+    substituteInPlace ./Makefile \
+      --replace /lib/modules/ "${kernel.dev}/lib/modules/" \
+      --replace /sbin/depmod \# \
+      --replace '$(MODDESTDIR)' "$out/lib/modules/${kernel.modDirVersion}/kernel/net/wireless/"
+  '';
+
+  preInstall = ''
+    mkdir -p "$out/lib/modules/${kernel.modDirVersion}/kernel/net/wireless/"
+  '';
+
+  enableParallelBuilding = true;
+
+  meta = with lib; {
+    description = "Realtek rtl8821cu driver";
+    homepage = "https://github.com/morrownr/8821cu";
+    license = licenses.gpl2Only;
+    platforms = platforms.linux;
+    maintainers = [ maintainers.contrun ];
+  };
+}
diff --git a/nixpkgs/pkgs/os-specific/linux/rtl88x2bu/default.nix b/nixpkgs/pkgs/os-specific/linux/rtl88x2bu/default.nix
new file mode 100644
index 000000000000..73b098894b98
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/rtl88x2bu/default.nix
@@ -0,0 +1,39 @@
+{ lib, stdenv, fetchFromGitHub, kernel, bc }:
+
+stdenv.mkDerivation {
+  pname = "rtl88x2bu";
+  version = "${kernel.version}-unstable-2023-09-24";
+
+  src = fetchFromGitHub {
+    owner = "morrownr";
+    repo = "88x2bu-20210702";
+    rev = "888ba1b309e6258a736ef5c37a68836cd0ea5517";
+    sha256 = "sha256-oLRGRKUNTmIw+Zn23TArGumo24AIH2YEMpnStyXBNw8=";
+  };
+
+  hardeningDisable = [ "pic" ];
+
+  nativeBuildInputs = [ bc ] ++ kernel.moduleBuildDependencies;
+  makeFlags = kernel.makeFlags;
+
+  prePatch = ''
+    substituteInPlace ./Makefile \
+      --replace /lib/modules/ "${kernel.dev}/lib/modules/" \
+      --replace /sbin/depmod \# \
+      --replace '$(MODDESTDIR)' "$out/lib/modules/${kernel.modDirVersion}/kernel/net/wireless/"
+  '';
+
+  preInstall = ''
+    mkdir -p "$out/lib/modules/${kernel.modDirVersion}/kernel/net/wireless/"
+  '';
+
+  enableParallelBuilding = true;
+
+  meta = with lib; {
+    description = "Realtek rtl88x2bu driver";
+    homepage = "https://github.com/morrownr/88x2bu-20210702";
+    license = licenses.gpl2Only;
+    platforms = platforms.linux;
+    maintainers = with maintainers; [ otavio ];
+  };
+}
diff --git a/nixpkgs/pkgs/os-specific/linux/rtl88xxau-aircrack/default.nix b/nixpkgs/pkgs/os-specific/linux/rtl88xxau-aircrack/default.nix
new file mode 100644
index 000000000000..78409b7bd14a
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/rtl88xxau-aircrack/default.nix
@@ -0,0 +1,38 @@
+{ lib, stdenv, fetchFromGitHub, kernel }:
+
+stdenv.mkDerivation rec {
+  pname = "rtl88xxau-aircrack";
+  version = "${kernel.version}-unstable-02-05-2023";
+
+  src = fetchFromGitHub {
+    owner = "aircrack-ng";
+    repo = "rtl8812au";
+    rev = "35308f4dd73e77fa572c48867cce737449dd8548";
+    hash = "sha256-0kHrNsTKRl/xTQpDkIOYqTtcHlytXhXX8h+6guvLmLI=";
+  };
+
+  nativeBuildInputs = kernel.moduleBuildDependencies;
+
+  hardeningDisable = [ "pic" ];
+
+  prePatch = ''
+    substituteInPlace ./Makefile \
+      --replace /lib/modules/ "${kernel.dev}/lib/modules/" \
+      --replace /sbin/depmod \# \
+      --replace '$(MODDESTDIR)' "$out/lib/modules/${kernel.modDirVersion}/kernel/net/wireless/"
+  '';
+
+  preInstall = ''
+    mkdir -p "$out/lib/modules/${kernel.modDirVersion}/kernel/net/wireless/"
+  '';
+
+  enableParallelBuilding = true;
+
+  meta = with lib; {
+    description = "Aircrack-ng kernel module for Realtek 88XXau network cards\n(8811au, 8812au, 8814au and 8821au chipsets) with monitor mode and injection support.";
+    homepage = "https://github.com/aircrack-ng/rtl8812au";
+    license = licenses.gpl2Only;
+    maintainers = [ maintainers.jethro ];
+    platforms = [ "x86_64-linux" "i686-linux" "aarch64-linux" ];
+  };
+}
diff --git a/nixpkgs/pkgs/os-specific/linux/rtw88/default.nix b/nixpkgs/pkgs/os-specific/linux/rtw88/default.nix
new file mode 100644
index 000000000000..a28a9f3d19e8
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/rtw88/default.nix
@@ -0,0 +1,41 @@
+{ stdenv, lib, fetchFromGitHub, kernel }:
+
+let
+  modDestDir = "$out/lib/modules/${kernel.modDirVersion}/kernel/drivers/net/wireless/realtek/rtw88";
+in
+stdenv.mkDerivation {
+  pname = "rtw88";
+  version = "unstable-2023-07-23";
+
+  src = fetchFromGitHub {
+    owner = "lwfinger";
+    repo = "rtw88";
+    rev = "9b6fe04a741a6b0a1edc5ca134927784bff033a5";
+    hash = "sha256-OzaIy+WTrljwAhC73wEIRUXrkz1NrGNJAS3zofQyV6E=";
+  };
+
+  nativeBuildInputs = kernel.moduleBuildDependencies;
+  makeFlags = kernel.makeFlags ++ [ "KSRC=${kernel.dev}/lib/modules/${kernel.modDirVersion}/build" ];
+
+  enableParallelBuilding = true;
+
+  installPhase = ''
+    runHook preInstall
+
+    mkdir -p ${modDestDir}
+    find . -name '*.ko' -exec cp --parents {} ${modDestDir} \;
+    find ${modDestDir} -name '*.ko' -exec xz -f {} \;
+
+    runHook postInstall
+  '';
+
+  meta = with lib; {
+    description = "Backport of the latest Realtek RTW88 driver from wireless-next for older kernels";
+    homepage = "https://github.com/lwfinger/rtw88";
+    license = with licenses; [ bsd3 gpl2Only ];
+    maintainers = with maintainers; [ tvorog atila ];
+    platforms = platforms.linux;
+    broken = kernel.kernelOlder "4.20";
+    priority = -1;
+  };
+}
diff --git a/nixpkgs/pkgs/os-specific/linux/rtw89/default.nix b/nixpkgs/pkgs/os-specific/linux/rtw89/default.nix
new file mode 100644
index 000000000000..1bb42860a8c7
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/rtw89/default.nix
@@ -0,0 +1,41 @@
+{ stdenv, lib, fetchFromGitHub, kernel }:
+
+let
+  modDestDir = "$out/lib/modules/${kernel.modDirVersion}/kernel/drivers/net/wireless/realtek/rtw89";
+in
+stdenv.mkDerivation {
+  pname = "rtw89";
+  version = "unstable-2022-12-18";
+
+  src = fetchFromGitHub {
+    owner = "lwfinger";
+    repo = "rtw89";
+    rev = "e834edfe8bee6e27e31c2f783817a9c13ff45665";
+    sha256 = "19ApYiEvA0E6qgf5XQc03paZ+ghjZL8JoC3vSYYw3xU=";
+  };
+
+  nativeBuildInputs = kernel.moduleBuildDependencies;
+  makeFlags = kernel.makeFlags ++ [ "KSRC=${kernel.dev}/lib/modules/${kernel.modDirVersion}/build" ];
+
+  enableParallelBuilding = true;
+
+  installPhase = ''
+    runHook preInstall
+
+    mkdir -p ${modDestDir}
+    find . -name '*.ko' -exec cp --parents {} ${modDestDir} \;
+    find ${modDestDir} -name '*.ko' -exec xz -f {} \;
+
+    runHook postInstall
+  '';
+
+  meta = with lib; {
+    description = " Driver for Realtek 8852AE, 8852BE, and 8853CE, 802.11ax devices";
+    homepage = "https://github.com/lwfinger/rtw89";
+    license = with licenses; [ gpl2Only ];
+    maintainers = with maintainers; [ tvorog ];
+    platforms = platforms.linux;
+    broken = kernel.kernelOlder "5.7";
+    priority = -1;
+  };
+}
diff --git a/nixpkgs/pkgs/os-specific/linux/ryzenadj/default.nix b/nixpkgs/pkgs/os-specific/linux/ryzenadj/default.nix
new file mode 100644
index 000000000000..0744ed2896ff
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/ryzenadj/default.nix
@@ -0,0 +1,27 @@
+{ lib, stdenv, fetchFromGitHub, pciutils, cmake }:
+stdenv.mkDerivation rec {
+  pname = "ryzenadj";
+  version = "0.14.0";
+
+  src = fetchFromGitHub {
+    owner = "FlyGoat";
+    repo = "RyzenAdj";
+    rev = "v${version}";
+    sha256 = "sha256-Lqq4LNRmqQyeIJfr/+tYdKMEk+P54VnwZAQZcE0ev8Y=";
+  };
+
+  nativeBuildInputs = [ pciutils cmake ];
+
+  installPhase = ''
+    install -D libryzenadj.so $out/lib/libryzenadj.so
+    install -D ryzenadj $out/bin/ryzenadj
+  '';
+
+  meta = with lib; {
+    description = "Adjust power management settings for Ryzen Mobile Processors.";
+    homepage = "https://github.com/FlyGoat/RyzenAdj";
+    license = licenses.lgpl3Only;
+    maintainers = with maintainers; [ rhendric ];
+    platforms = [ "x86_64-linux" ];
+  };
+}
diff --git a/nixpkgs/pkgs/os-specific/linux/sasutils/default.nix b/nixpkgs/pkgs/os-specific/linux/sasutils/default.nix
new file mode 100644
index 000000000000..d30e7f608c77
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/sasutils/default.nix
@@ -0,0 +1,28 @@
+{ lib, python3Packages, fetchFromGitHub, installShellFiles, sg3_utils }:
+
+python3Packages.buildPythonApplication rec {
+  pname = "sasutils";
+  version = "0.4.0";
+
+  src = fetchFromGitHub {
+    owner = "stanford-rc";
+    repo = pname;
+    rev = "refs/tags/v${version}";
+    sha256 = "sha256-9JRw+UoxU0I5RHuimzYrM/3j8UWHuicVpoOdRRrj2Wc=";
+  };
+
+  nativeBuildInputs = [ installShellFiles ];
+
+  propagatedBuildInputs = [ sg3_utils ];
+
+  postInstall = ''
+    installManPage doc/man/man1/*.1
+  '';
+
+  meta = with lib; {
+    homepage = "https://github.com/stanford-rc/sasutils";
+    description = "A set of command-line tools to ease the administration of Serial Attached SCSI (SAS) fabrics";
+    license = licenses.asl20;
+    maintainers = with maintainers; [ aij ];
+  };
+}
diff --git a/nixpkgs/pkgs/os-specific/linux/schedtool/default.nix b/nixpkgs/pkgs/os-specific/linux/schedtool/default.nix
new file mode 100644
index 000000000000..98d9248e3f42
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/schedtool/default.nix
@@ -0,0 +1,23 @@
+{ lib, stdenv, fetchFromGitHub }:
+
+stdenv.mkDerivation rec {
+  pname = "schedtool";
+  version = "1.3.0";
+
+  src = fetchFromGitHub {
+    owner = "freequaos";
+    repo = "schedtool";
+    rev = "${pname}-${version}";
+    sha256 = "1wdw6fnf9a01xfjhdah3mn8bp1bvahf2lfq74i6hk5b2cagkppyp";
+  };
+
+  makeFlags = [ "DESTDIR=$(out)" "DESTPREFIX=" ];
+
+  meta = with lib; {
+    description = "Query or alter a process' scheduling policy under Linux";
+    homepage = "https://freequaos.host.sk/schedtool/";
+    license = licenses.gpl2;
+    platforms = platforms.linux;
+    maintainers = with maintainers; [ abbradar ];
+  };
+}
diff --git a/nixpkgs/pkgs/os-specific/linux/sd-switch/default.nix b/nixpkgs/pkgs/os-specific/linux/sd-switch/default.nix
new file mode 100644
index 000000000000..b231f32d42a1
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/sd-switch/default.nix
@@ -0,0 +1,27 @@
+{ lib, fetchFromSourcehut, rustPlatform, pkg-config, dbus }:
+
+let version = "0.3.0";
+in rustPlatform.buildRustPackage {
+  pname = "sd-switch";
+  inherit version;
+
+  src = fetchFromSourcehut {
+    owner = "~rycee";
+    repo = "sd-switch";
+    rev = version;
+    hash = "sha256-mWrLbCUnoJ3hVtpSU/7dw91U5TLyw5kNchX5nmP9asA=";
+  };
+
+  cargoHash = "sha256-VK+kPX1pGhowbWKkUs1PL0DXIhDXJOFVoIHTtWQcWEs=";
+
+  nativeBuildInputs = [ pkg-config ];
+  buildInputs = [ dbus ];
+
+  meta = with lib; {
+    description = "A systemd unit switcher for Home Manager";
+    homepage = "https://gitlab.com/rycee/sd-switch";
+    license = licenses.gpl3Plus;
+    maintainers = with maintainers; [ rycee ];
+    platforms = platforms.linux;
+  };
+}
diff --git a/nixpkgs/pkgs/os-specific/linux/sdparm/default.nix b/nixpkgs/pkgs/os-specific/linux/sdparm/default.nix
new file mode 100644
index 000000000000..a9137b18f39d
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/sdparm/default.nix
@@ -0,0 +1,18 @@
+{lib, stdenv, fetchurl}:
+
+stdenv.mkDerivation rec {
+  pname = "sdparm";
+  version = "1.12";
+
+  src = fetchurl {
+    url = "http://sg.danny.cz/sg/p/${pname}-${version}.tar.xz";
+    sha256 = "sha256-xMnvr9vrZi4vlxJwfsSQkyvU0BC7ESmueplSZUburb4=";
+  };
+
+  meta = with lib; {
+    homepage = "http://sg.danny.cz/sg/sdparm.html";
+    description = "A utility to access SCSI device parameters";
+    license = licenses.bsd3;
+    platforms = with platforms; linux;
+  };
+}
diff --git a/nixpkgs/pkgs/os-specific/linux/selinux-python/default.nix b/nixpkgs/pkgs/os-specific/linux/selinux-python/default.nix
new file mode 100644
index 000000000000..c50f4ffccd0b
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/selinux-python/default.nix
@@ -0,0 +1,51 @@
+{ lib, stdenv, fetchurl, python3
+, libselinux, libsemanage, libsepol, setools }:
+
+# this is python3 only because setools only supports python3
+
+with lib;
+
+stdenv.mkDerivation rec {
+  pname = "selinux-python";
+  version = "3.3";
+
+  inherit (libsepol) se_url;
+
+  src = fetchurl {
+    url = "${se_url}/${version}/selinux-python-${version}.tar.gz";
+    sha256 = "1v244hpb45my303793xa4kcn7qnxjgxn4ja7rdn9k1q361hi1nca";
+  };
+
+  strictDeps = true;
+
+  nativeBuildInputs = [ python3 python3.pkgs.wrapPython ];
+  buildInputs = [ libsepol ];
+  propagatedBuildInputs = [ libselinux libsemanage setools python3.pkgs.ipy ];
+
+  postPatch = ''
+    substituteInPlace sepolicy/Makefile --replace "echo --root" "echo --prefix"
+    substituteInPlace sepolgen/src/share/Makefile --replace "/var/lib/sepolgen" \
+                                                            "\$PREFIX/var/lib/sepolgen"
+  '';
+
+  makeFlags = [
+    "PREFIX=$(out)"
+    "LOCALEDIR=$(out)/share/locale"
+    "BASHCOMPLETIONDIR=$(out)/share/bash-completion/completions"
+    "PYTHON=python"
+    "PYTHONLIBDIR=$(out)/${python3.sitePackages}"
+    "LIBSEPOLA=${lib.getLib libsepol}/lib/libsepol.a"
+  ];
+
+
+  postFixup = ''
+    wrapPythonPrograms
+  '';
+
+  meta = {
+    description = "SELinux policy core utilities written in Python";
+    license = licenses.gpl2;
+    homepage = "https://selinuxproject.org";
+    platforms = platforms.linux;
+  };
+}
diff --git a/nixpkgs/pkgs/os-specific/linux/selinux-sandbox/default.nix b/nixpkgs/pkgs/os-specific/linux/selinux-sandbox/default.nix
new file mode 100644
index 000000000000..0d2843d216a4
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/selinux-sandbox/default.nix
@@ -0,0 +1,60 @@
+{ lib, stdenv, fetchurl, bash, coreutils, python3
+, libcap_ng, policycoreutils, selinux-python, dbus
+, xorgserver, openbox, xmodmap }:
+
+# this is python3 only as it depends on selinux-python
+
+with lib;
+with python3.pkgs;
+
+stdenv.mkDerivation rec {
+  pname = "selinux-sandbox";
+  version = "3.3";
+  inherit (policycoreutils) se_url;
+
+  src = fetchurl {
+    url = "${se_url}/${version}/selinux-sandbox-${version}.tar.gz";
+    sha256 = "0rw8pxfqhl6ww4w31fbf4hi3zilh1n3b1rfjm7ra76mm78wfyylj";
+  };
+
+  nativeBuildInputs = [ wrapPython ];
+  buildInputs = [ bash coreutils libcap_ng policycoreutils python3 xorgserver openbox xmodmap dbus ];
+  propagatedBuildInputs = [ pygobject3 selinux-python ];
+
+  postPatch = ''
+    # Fix setuid install
+    substituteInPlace Makefile --replace "-m 4755" "-m 755"
+    substituteInPlace sandboxX.sh \
+      --replace "#!/bin/sh" "#!${bash}/bin/sh" \
+      --replace "/usr/share/sandbox/start" "${placeholder "out"}/share/sandbox/start" \
+      --replace "/usr/bin/cut" "${coreutils}/bin/cut" \
+      --replace "/usr/bin/Xephyr" "${xorgserver}/bin/Xepyhr" \
+      --replace "secon" "${policycoreutils}/bin/secon"
+    substituteInPlace sandbox \
+      --replace "/usr/sbin/seunshare" "$out/bin/seunshare" \
+      --replace "/usr/share/sandbox" "$out/share/sandbox" \
+      --replace "/usr/share/locale" "${policycoreutils}/share/locale" \
+      --replace "/usr/bin/openbox" "${openbox}/bin/openbox" \
+      --replace "#!/bin/sh" "#!${bash}/bin/sh" \
+      --replace "dbus-" "${dbus}/bin/dbus-" \
+      --replace "/usr/bin/xmodmap" "${xmodmap}/bin/xmodmap" \
+      --replace "/usr/bin/shred" "${coreutils}/bin/shred" \
+      --replace "/usr/bin/test" "${coreutils}/bin/test" \
+  '';
+
+  makeFlags = [
+    "PREFIX=$(out)"
+    "SYSCONFDIR=$(out)/etc/sysconfig"
+  ];
+
+  postFixup = ''
+    wrapPythonPrograms
+  '';
+
+  meta = {
+    description = "SELinux sandbox utility";
+    license = licenses.gpl2;
+    homepage = "https://selinuxproject.org";
+    platforms = platforms.linux;
+  };
+}
diff --git a/nixpkgs/pkgs/os-specific/linux/semodule-utils/default.nix b/nixpkgs/pkgs/os-specific/linux/semodule-utils/default.nix
new file mode 100644
index 000000000000..e6b8e778a77a
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/semodule-utils/default.nix
@@ -0,0 +1,27 @@
+{ lib, stdenv, fetchurl, libsepol }:
+
+stdenv.mkDerivation rec {
+  pname = "semodule-utils";
+  version = "3.5";
+
+  inherit (libsepol) se_url;
+
+  src = fetchurl {
+    url = "${se_url}/${version}/${pname}-${version}.tar.gz";
+    sha256 = "sha256-yaVQpzcFHrrywQL2ZcfsL4XnIyhwmAqgBnmYRZtBQoM=";
+  };
+
+  buildInputs = [ libsepol ];
+
+  makeFlags = [
+    "PREFIX=$(out)"
+    "LIBSEPOLA=${lib.getLib libsepol}/lib/libsepol.a"
+  ];
+
+  meta = with lib; {
+    description = "SELinux policy core utilities (packaging additions)";
+    license = licenses.gpl2;
+    inherit (libsepol.meta) homepage platforms;
+    maintainers = [ ];
+  };
+}
diff --git a/nixpkgs/pkgs/os-specific/linux/service-wrapper/default.nix b/nixpkgs/pkgs/os-specific/linux/service-wrapper/default.nix
new file mode 100644
index 000000000000..381f0699697a
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/service-wrapper/default.nix
@@ -0,0 +1,28 @@
+{ lib, stdenv, runCommand, substituteAll, coreutils }:
+
+let
+  name = "service-wrapper-${version}";
+  version = "19.04"; # Akin to Ubuntu Release
+in
+runCommand name {
+  script = substituteAll {
+    src = ./service-wrapper.sh;
+    isExecutable = true;
+    inherit (stdenv) shell;
+    inherit coreutils;
+  };
+
+  meta = with lib; {
+    description = "A convenient wrapper for the systemctl commands, borrow from Ubuntu";
+    license     = licenses.gpl2Plus;
+    platforms   = platforms.linux;
+    maintainers = with maintainers; [ DerTim1 ];
+    # Shellscript has been modified but upstream source is: https://git.launchpad.net/ubuntu/+source/init-system-helpers
+  };
+}
+''
+  mkdir -p $out/bin
+  ln -s $out/bin $out/sbin
+  cp $script $out/bin/service
+  chmod a+x $out/bin/service
+''
diff --git a/nixpkgs/pkgs/os-specific/linux/service-wrapper/service-wrapper.sh b/nixpkgs/pkgs/os-specific/linux/service-wrapper/service-wrapper.sh
new file mode 100755
index 000000000000..2889adc18686
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/service-wrapper/service-wrapper.sh
@@ -0,0 +1,224 @@
+#!@shell@
+
+###########################################################################
+# /usr/bin/service
+#
+# A convenient wrapper for the /etc/init.d init scripts.
+#
+# This script is a modified version of the /sbin/service utility found on
+# Red Hat/Fedora systems (licensed GPLv2+).
+#
+# Copyright (C) 2006 Red Hat, Inc. All rights reserved.
+# Copyright (C) 2008 Canonical Ltd.
+#   * August 2008 - Dustin Kirkland <kirkland@canonical.com>
+# Copyright (C) 2013 Michael Stapelberg <stapelberg@debian.org>
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 2 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA  02111-1307  USA
+#
+# On Debian GNU/Linux systems, the complete text of the GNU General
+# Public License can be found in `/usr/share/common-licenses/GPL-2'.
+###########################################################################
+
+
+is_ignored_file() {
+    case "$1" in
+        skeleton | README | *.dpkg-dist | *.dpkg-old | rc | rcS | single | reboot | bootclean.sh)
+            return 0
+        ;;
+    esac
+    return 1
+}
+
+VERSION=$(@coreutils@/bin/basename $0)" ver. 19-04"
+USAGE="Usage: "$(@coreutils@/bin/basename $0)" < option > | --status-all | \
+[ service_name [ command | --full-restart ] ]"
+SERVICE=
+ACTION=
+SERVICEDIR="/etc/init.d"
+OPTIONS=
+is_systemd=
+
+
+if [ $# -eq 0 ]; then
+   echo "${USAGE}" >&2
+   exit 1
+fi
+
+if [ -d /run/systemd/system ]; then
+   is_systemd=1
+fi
+
+cd /
+while [ $# -gt 0 ]; do
+  case "${1}" in
+    --help | -h | --h* )
+       echo "${USAGE}" >&2
+       exit 0
+       ;;
+    --version | -V )
+       echo "${VERSION}" >&2
+       exit 0
+       ;;
+    *)
+       if [ -z "${SERVICE}" -a $# -eq 1 -a "${1}" = "--status-all" ]; then
+          if [ -d "${SERVICEDIR}" ]; then
+             cd ${SERVICEDIR}
+         for SERVICE in * ; do
+           case "${SERVICE}" in
+             functions | halt | killall | single| linuxconf| kudzu)
+                 ;;
+             *)
+               if ! is_ignored_file "${SERVICE}" \
+               && [ -x "${SERVICEDIR}/${SERVICE}" ]; then
+                       out=$(env -i LANG="$LANG" LANGUAGE="$LANGUAGE" LC_CTYPE="$LC_CTYPE" LC_NUMERIC="$LC_NUMERIC" LC_TIME="$LC_TIME" LC_COLLATE="$LC_COLLATE" LC_MONETARY="$LC_MONETARY" LC_MESSAGES="$LC_MESSAGES" LC_PAPER="$LC_PAPER" LC_NAME="$LC_NAME" LC_ADDRESS="$LC_ADDRESS" LC_TELEPHONE="$LC_TELEPHONE" LC_MEASUREMENT="$LC_MEASUREMENT" LC_IDENTIFICATION="$LC_IDENTIFICATION" LC_ALL="$LC_ALL" PATH="$PATH" TERM="$TERM" "$SERVICEDIR/$SERVICE" status 2>&1)
+                       retval=$?
+                       if echo "$out" | egrep -iq "usage:"; then
+                         #printf " %s %-60s %s\n" "[?]" "$SERVICE:" "unknown" 1>&2
+                         echo " [ ? ]  $SERVICE" 1>&2
+                         continue
+                       else
+                         if [ "$retval" = "0" -a -n "$out" ]; then
+                           #printf " %s %-60s %s\n" "[+]" "$SERVICE:" "running"
+                           echo " [ + ]  $SERVICE"
+                           continue
+                         else
+                           #printf " %s %-60s %s\n" "[-]" "$SERVICE:" "NOT running"
+                           echo " [ - ]  $SERVICE"
+                           continue
+                         fi
+                       fi
+                 #env -i LANG="$LANG" LANGUAGE="$LANGUAGE" LC_CTYPE="$LC_CTYPE" LC_NUMERIC="$LC_NUMERIC" LC_TIME="$LC_TIME" LC_COLLATE="$LC_COLLATE" LC_MONETARY="$LC_MONETARY" LC_MESSAGES="$LC_MESSAGES" LC_PAPER="$LC_PAPER" LC_NAME="$LC_NAME" LC_ADDRESS="$LC_ADDRESS" LC_TELEPHONE="$LC_TELEPHONE" LC_MEASUREMENT="$LC_MEASUREMENT" LC_IDENTIFICATION="$LC_IDENTIFICATION" LC_ALL="$LC_ALL" PATH="$PATH" TERM="$TERM" "$SERVICEDIR/$SERVICE" status
+               fi
+               ;;
+           esac
+         done
+          else
+             systemctl $sctl_args list-units
+          fi
+          exit 0
+       elif [ $# -eq 2 -a "${2}" = "--full-restart" ]; then
+          SERVICE="${1}"
+          # On systems using systemd, we just perform a normal restart:
+          # A restart with systemd is already a full restart.
+          if [ -n "$is_systemd" ]; then
+             ACTION="restart"
+          else
+             if [ -x "${SERVICEDIR}/${SERVICE}" ]; then
+               env -i LANG="$LANG" LANGUAGE="$LANGUAGE" LC_CTYPE="$LC_CTYPE" LC_NUMERIC="$LC_NUMERIC" LC_TIME="$LC_TIME" LC_COLLATE="$LC_COLLATE" LC_MONETARY="$LC_MONETARY" LC_MESSAGES="$LC_MESSAGES" LC_PAPER="$LC_PAPER" LC_NAME="$LC_NAME" LC_ADDRESS="$LC_ADDRESS" LC_TELEPHONE="$LC_TELEPHONE" LC_MEASUREMENT="$LC_MEASUREMENT" LC_IDENTIFICATION="$LC_IDENTIFICATION" LC_ALL="$LC_ALL" PATH="$PATH" TERM="$TERM" "$SERVICEDIR/$SERVICE" stop
+               env -i LANG="$LANG" LANGUAGE="$LANGUAGE" LC_CTYPE="$LC_CTYPE" LC_NUMERIC="$LC_NUMERIC" LC_TIME="$LC_TIME" LC_COLLATE="$LC_COLLATE" LC_MONETARY="$LC_MONETARY" LC_MESSAGES="$LC_MESSAGES" LC_PAPER="$LC_PAPER" LC_NAME="$LC_NAME" LC_ADDRESS="$LC_ADDRESS" LC_TELEPHONE="$LC_TELEPHONE" LC_MEASUREMENT="$LC_MEASUREMENT" LC_IDENTIFICATION="$LC_IDENTIFICATION" LC_ALL="$LC_ALL" PATH="$PATH" TERM="$TERM" "$SERVICEDIR/$SERVICE" start
+               exit $?
+             fi
+          fi
+       elif [ -z "${SERVICE}" ]; then
+         SERVICE="${1}"
+       elif [ -z "${ACTION}" ]; then
+         ACTION="${1}"
+       else
+         OPTIONS="${OPTIONS} ${1}"
+       fi
+       shift
+       ;;
+   esac
+done
+
+run_via_sysvinit() {
+   # Otherwise, use the traditional sysvinit
+   if [ -x "${SERVICEDIR}/${SERVICE}" ]; then
+      exec env -i LANG="$LANG" LANGUAGE="$LANGUAGE" LC_CTYPE="$LC_CTYPE" LC_NUMERIC="$LC_NUMERIC" LC_TIME="$LC_TIME" LC_COLLATE="$LC_COLLATE" LC_MONETARY="$LC_MONETARY" LC_MESSAGES="$LC_MESSAGES" LC_PAPER="$LC_PAPER" LC_NAME="$LC_NAME" LC_ADDRESS="$LC_ADDRESS" LC_TELEPHONE="$LC_TELEPHONE" LC_MEASUREMENT="$LC_MEASUREMENT" LC_IDENTIFICATION="$LC_IDENTIFICATION" LC_ALL="$LC_ALL" PATH="$PATH" TERM="$TERM" "$SERVICEDIR/$SERVICE" ${ACTION} ${OPTIONS}
+   else
+      echo "${SERVICE}: unrecognized service" >&2
+      exit 1
+   fi
+}
+
+update_openrc_started_symlinks() {
+   # maintain the symlinks of /run/openrc/started so that
+   # rc-status works with the service command as well
+   if [ -d /run/openrc/started ] ; then
+      case "${ACTION}" in
+      start)
+         if [ ! -h /run/openrc/started/$SERVICE ] ; then
+            ln -s $SERVICEDIR/$SERVICE /run/openrc/started/$SERVICE || true
+         fi
+      ;;
+      stop)
+         rm /run/openrc/started/$SERVICE || true
+      ;;
+      esac
+   fi
+}
+
+# When this machine is running systemd, standard service calls are turned into
+# systemctl calls.
+if [ -n "$is_systemd" ]
+then
+   UNIT="${SERVICE%.sh}.service"
+   # avoid deadlocks during bootup and shutdown from units/hooks
+   # which call "invoke-rc.d service reload" and similar, since
+   # the synchronous wait plus systemd's normal behaviour of
+   # transactionally processing all dependencies first easily
+   # causes dependency loops
+   if ! systemctl --quiet is-active multi-user.target; then
+       sctl_args="--job-mode=ignore-dependencies"
+   fi
+
+   case "${ACTION}" in
+      restart|status|try-restart)
+         exec systemctl $sctl_args ${ACTION} ${UNIT}
+      ;;
+      start|stop)
+         # Follow the principle of least surprise for SysV people:
+         # When running "service foo stop" and foo happens to be a service that
+         # has one or more .socket files, we also stop the .socket units.
+         # Users who need more control will use systemctl directly.
+         for unit in $(systemctl list-unit-files --full --type=socket 2>/dev/null | sed -ne 's/\.socket\s*[a-z]*\s*$/.socket/p'); do
+             if [ "$(systemctl -p Triggers show $unit)" = "Triggers=${UNIT}" ]; then
+                systemctl $sctl_args ${ACTION} $unit
+             fi
+         done
+         exec systemctl $sctl_args ${ACTION} ${UNIT}
+      ;;
+      reload)
+         _canreload="$(systemctl -p CanReload show ${UNIT} 2>/dev/null)"
+         if [ "$_canreload" = "CanReload=no" ]; then
+            # The reload action falls back to the sysv init script just in case
+            # the systemd service file does not (yet) support reload for a
+            # specific service.
+            run_via_sysvinit
+         else
+            exec systemctl $sctl_args reload "${UNIT}"
+         fi
+         ;;
+      force-stop)
+         exec systemctl --signal=KILL kill "${UNIT}"
+         ;;
+      force-reload)
+         _canreload="$(systemctl -p CanReload show ${UNIT} 2>/dev/null)"
+         if [ "$_canreload" = "CanReload=no" ]; then
+            exec systemctl $sctl_args restart "${UNIT}"
+         else
+            exec systemctl $sctl_args reload "${UNIT}"
+         fi
+         ;;
+      *)
+         # We try to run non-standard actions by running
+         # the init script directly.
+         run_via_sysvinit
+         ;;
+   esac
+fi
+
+update_openrc_started_symlinks
+run_via_sysvinit
diff --git a/nixpkgs/pkgs/os-specific/linux/setools/default.nix b/nixpkgs/pkgs/os-specific/linux/setools/default.nix
new file mode 100644
index 000000000000..2e554a0241b2
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/setools/default.nix
@@ -0,0 +1,42 @@
+{ lib, fetchFromGitHub, python3
+, libsepol, libselinux, checkpolicy
+, withGraphics ? false
+}:
+
+with lib;
+with python3.pkgs;
+
+buildPythonApplication rec {
+  pname = "setools";
+  version = "4.4.1";
+
+  src = fetchFromGitHub {
+    owner = "SELinuxProject";
+    repo = pname;
+    rev = "refs/tags/${version}";
+    sha256 = "sha256-4T5FIdnKi35JSm+IoYA2gIBBRV0nN0YLEw9xvDqNcgo=";
+  };
+
+  nativeBuildInputs = [ cython ];
+  buildInputs = [ libsepol ];
+  propagatedBuildInputs = [ enum34 libselinux networkx ]
+    ++ optionals withGraphics [ pyqt5 ];
+
+  nativeCheckInputs = [ tox checkpolicy ];
+  preCheck = ''
+    export CHECKPOLICY=${checkpolicy}/bin/checkpolicy
+  '';
+
+  setupPyBuildFlags = [ "-i" ];
+
+  preBuild = ''
+    export SEPOL="${lib.getLib libsepol}/lib/libsepol.a"
+  '';
+
+  meta = {
+    description = "SELinux Policy Analysis Tools";
+    homepage = "https://github.com/SELinuxProject/setools";
+    license = licenses.gpl2;
+    platforms = platforms.linux;
+  };
+}
diff --git a/nixpkgs/pkgs/os-specific/linux/seturgent/default.nix b/nixpkgs/pkgs/os-specific/linux/seturgent/default.nix
new file mode 100644
index 000000000000..6d83e322ce8f
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/seturgent/default.nix
@@ -0,0 +1,30 @@
+{ lib, stdenv, fetchgit, libX11, xorgproto }:
+
+stdenv.mkDerivation rec {
+  pname = "seturgent";
+  version = "1.5";
+
+  src = fetchgit {
+    url = "git://git.codemadness.org/seturgent";
+    rev = version;
+    sha256 = "sha256-XW7ms0BVCf1/fuL3PJ970t6sHkmMY1iLYXfS9R60JX0=";
+  };
+
+  buildInputs = [
+    libX11
+    xorgproto
+  ];
+
+  installPhase = ''
+    mkdir -pv $out/bin
+    mv seturgent $out/bin
+  '';
+
+  meta = with lib; {
+    platforms = platforms.linux;
+    description = "Set an application's urgency hint (or not)";
+    maintainers = with maintainers; [ yarr ];
+    homepage = "https://codemadness.org/seturgent-set-urgency-hints-for-x-applications.html";
+    license = licenses.mit;
+  };
+}
diff --git a/nixpkgs/pkgs/os-specific/linux/sgx/azure-dcap-client/default.nix b/nixpkgs/pkgs/os-specific/linux/sgx/azure-dcap-client/default.nix
new file mode 100644
index 000000000000..eed99122cd64
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/sgx/azure-dcap-client/default.nix
@@ -0,0 +1,93 @@
+{ stdenv
+, fetchFromGitHub
+, fetchurl
+, lib
+, curl
+, nlohmann_json
+, openssl
+, pkg-config
+, linkFarmFromDrvs
+, callPackage
+}:
+
+let
+  # Although those headers are also included in the source of `sgx-psw`, the `azure-dcap-client` build needs specific versions
+  filterSparse = list: ''
+    cp -r "$out"/. .
+    find "$out" -mindepth 1 -delete
+    cp ${lib.concatStringsSep " " list} "$out/"
+  '';
+  headers = linkFarmFromDrvs "azure-dcpa-client-intel-headers" [
+    (fetchFromGitHub rec {
+      name = "${repo}-headers";
+      owner = "intel";
+      repo = "SGXDataCenterAttestationPrimitives";
+      rev = "0436284f12f1bd5da7e7a06f6274d36b4c8d39f9";
+      sparseCheckout = [ "QuoteGeneration/quote_wrapper/common/inc/sgx_ql_lib_common.h" ];
+      hash = "sha256-ipKpYHbiwjCUXF/pCArJZy5ko1YX2wqMMdSnMUzhkgY=";
+      postFetch = filterSparse sparseCheckout;
+    })
+    (fetchFromGitHub rec {
+      name = "${repo}-headers";
+      owner = "intel";
+      repo = "linux-sgx";
+      rev = "1ccf25b64abd1c2eff05ead9d14b410b3c9ae7be";
+      hash = "sha256-WJRoS6+NBVJrFmHABEEDpDhW+zbWFUl65AycCkRavfs=";
+      sparseCheckout = [
+        "common/inc/sgx_report.h"
+        "common/inc/sgx_key.h"
+        "common/inc/sgx_attributes.h"
+      ];
+      postFetch = filterSparse sparseCheckout;
+    })
+  ];
+in
+stdenv.mkDerivation rec {
+  pname = "azure-dcap-client";
+  version = "1.11.2";
+
+  src = fetchFromGitHub {
+    owner = "microsoft";
+    repo = pname;
+    rev = version;
+    hash = "sha256-EYj3jnzTyJRl6N7avNf9VrB8r9U6zIE6wBNeVsMtWCA=";
+  };
+
+  nativeBuildInputs = [
+    pkg-config
+  ];
+
+  buildInputs = [
+    curl
+    nlohmann_json
+    openssl
+  ];
+
+  postPatch = ''
+    mkdir -p src/Linux/ext/intel
+    find -L '${headers}' -type f -exec ln -s {} src/Linux/ext/intel \;
+
+    substitute src/Linux/Makefile{.in,} \
+      --replace '##CURLINC##' '${curl.dev}/include/curl/' \
+      --replace '$(TEST_SUITE): $(PROVIDER_LIB) $(TEST_SUITE_OBJ)' '$(TEST_SUITE): $(TEST_SUITE_OBJ)'
+  '';
+
+  env.NIX_CFLAGS_COMPILE = "-Wno-deprecated-declarations";
+
+  makeFlags = [
+    "-C src/Linux"
+    "prefix=$(out)"
+  ];
+
+  # Online test suite; run with
+  # $(nix-build -A sgx-azure-dcap-client.tests.suite)/bin/tests
+  passthru.tests.suite = callPackage ./test-suite.nix { };
+
+  meta = with lib; {
+    description = "Interfaces between SGX SDKs and the Azure Attestation SGX Certification Cache";
+    homepage = "https://github.com/microsoft/azure-dcap-client";
+    maintainers = with maintainers; [ trundle veehaitch ];
+    platforms = [ "x86_64-linux" ];
+    license = [ licenses.mit ];
+  };
+}
diff --git a/nixpkgs/pkgs/os-specific/linux/sgx/azure-dcap-client/test-suite.nix b/nixpkgs/pkgs/os-specific/linux/sgx/azure-dcap-client/test-suite.nix
new file mode 100644
index 000000000000..71fdb2bab39c
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/sgx/azure-dcap-client/test-suite.nix
@@ -0,0 +1,27 @@
+{ lib
+, sgx-azure-dcap-client
+, gtest
+, makeWrapper
+}:
+sgx-azure-dcap-client.overrideAttrs (oldAttrs: {
+  nativeBuildInputs = oldAttrs.nativeBuildInputs ++ [
+    makeWrapper
+    gtest
+  ];
+
+  buildFlags = [
+    "tests"
+  ];
+
+  installPhase = ''
+    runHook preInstall
+
+    install -D ./src/Linux/tests "$out/bin/tests"
+
+    runHook postInstall
+  '';
+
+  postFixup = ''
+    wrapProgram "$out/bin/tests" --prefix LD_LIBRARY_PATH : "${lib.makeLibraryPath [ sgx-azure-dcap-client ]}"
+  '';
+})
diff --git a/nixpkgs/pkgs/os-specific/linux/sgx/psw/default.nix b/nixpkgs/pkgs/os-specific/linux/sgx/psw/default.nix
new file mode 100644
index 000000000000..fa4a7be01cf5
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/sgx/psw/default.nix
@@ -0,0 +1,172 @@
+{ stdenv
+, lib
+, fetchurl
+, cmake
+, coreutils
+, curl
+, file
+, glibc
+, makeWrapper
+, nixosTests
+, protobuf
+, python3
+, sgx-sdk
+, shadow
+, systemd
+, util-linux
+, which
+, debug ? false
+}:
+stdenv.mkDerivation rec {
+  inherit (sgx-sdk) version versionTag src;
+  pname = "sgx-psw";
+
+  postUnpack =
+    let
+      ae.prebuilt = fetchurl {
+        url = "https://download.01.org/intel-sgx/sgx-linux/${versionTag}/prebuilt_ae_${versionTag}.tar.gz";
+        hash = "sha256-JriA9UGYFkAPuCtRizk8RMM1YOYGR/eO9ILnx47A40s=";
+      };
+      dcap = rec {
+        version = "1.13";
+        filename = "prebuilt_dcap_${version}.tar.gz";
+        prebuilt = fetchurl {
+          url = "https://download.01.org/intel-sgx/sgx-dcap/${version}/linux/${filename}";
+          hash = "sha256-0kD6hxN8qZ/7/H99aboQx7Qg7ewmYPEexoU6nqczAik=";
+        };
+      };
+    in
+    sgx-sdk.postUnpack + ''
+      # Make sure we use the correct version of prebuilt DCAP
+      grep -q 'ae_file_name=${dcap.filename}' "$src/external/dcap_source/QuoteGeneration/download_prebuilt.sh" \
+        || (echo "Could not find expected prebuilt DCAP ${dcap.filename} in linux-sgx source" >&2 && exit 1)
+
+      tar -zxf ${ae.prebuilt}   -C $sourceRoot/
+      tar -zxf ${dcap.prebuilt} -C $sourceRoot/external/dcap_source/QuoteGeneration/
+    '';
+
+  nativeBuildInputs = [
+    cmake
+    file
+    makeWrapper
+    python3
+    sgx-sdk
+    which
+  ];
+
+  buildInputs = [
+    curl
+    protobuf
+  ];
+
+  hardeningDisable = [
+    # causes redefinition of _FORTIFY_SOURCE
+    "fortify3"
+  ] ++ lib.optionals debug [
+    "fortify"
+  ];
+
+  postPatch = ''
+    patchShebangs \
+      linux/installer/bin/build-installpkg.sh \
+      linux/installer/common/psw/createTarball.sh \
+      linux/installer/common/psw/install.sh
+  '';
+
+  dontUseCmakeConfigure = true;
+
+  # Randomly fails if enabled
+  enableParallelBuilding = false;
+
+  buildFlags = [
+    "psw_install_pkg"
+  ] ++ lib.optionals debug [
+    "DEBUG=1"
+  ];
+
+  installFlags = [
+    "-C linux/installer/common/psw/output"
+    "DESTDIR=$(TMPDIR)/install"
+  ];
+
+  postInstall = ''
+    installDir=$TMPDIR/install
+    sgxPswDir=$installDir/opt/intel/sgxpsw
+
+    mv $installDir/usr/lib64/ $out/lib/
+    ln -sr $out/lib $out/lib64
+
+    # Install udev rules to lib/udev/rules.d
+    mv $sgxPswDir/udev/ $out/lib/
+
+    # Install example AESM config
+    mkdir $out/etc/
+    mv $sgxPswDir/aesm/conf/aesmd.conf $out/etc/
+    rmdir $sgxPswDir/aesm/conf/
+
+    # Delete init service
+    rm $sgxPswDir/aesm/aesmd.conf
+
+    # Move systemd services
+    mkdir -p $out/lib/systemd/system/
+    mv $sgxPswDir/aesm/aesmd.service $out/lib/systemd/system/
+    mv $sgxPswDir/remount-dev-exec.service $out/lib/systemd/system/
+
+    # Move misc files
+    mkdir $out/share/
+    mv $sgxPswDir/licenses $out/share/
+
+    # Remove unnecessary files
+    rm $sgxPswDir/{cleanup.sh,startup.sh}
+    rm -r $sgxPswDir/scripts
+
+    mv $sgxPswDir/aesm/ $out/
+
+    mkdir $out/bin
+    makeWrapper $out/aesm/aesm_service $out/bin/aesm_service \
+      --suffix LD_LIBRARY_PATH : ${lib.makeLibraryPath [ protobuf ]}:$out/aesm \
+      --chdir "$out/aesm"
+
+    # Make sure we didn't forget to handle any files
+    rmdir $sgxPswDir || (echo "Error: The directory $installDir still contains unhandled files: $(ls -A $installDir)" >&2 && exit 1)
+  '';
+
+  # Most—if not all—of those fixups are not relevant for NixOS as we have our own
+  # NixOS module which is based on those files without relying on them. Still, it
+  # is helpful to have properly patched versions for non-NixOS distributions.
+  postFixup = ''
+    echo "Fixing aesmd.service"
+    substituteInPlace $out/lib/systemd/system/aesmd.service \
+      --replace '@aesm_folder@' \
+                "$out/aesm" \
+      --replace 'Type=forking' \
+                'Type=simple' \
+      --replace "ExecStart=$out/aesm/aesm_service" \
+                "ExecStart=$out/bin/aesm_service --no-daemon"\
+      --replace "/bin/mkdir" \
+                "${coreutils}/bin/mkdir" \
+      --replace "/bin/chown" \
+                "${coreutils}/bin/chown" \
+      --replace "/bin/chmod" \
+                "${coreutils}/bin/chmod" \
+      --replace "/bin/kill" \
+                "${coreutils}/bin/kill"
+
+    echo "Fixing remount-dev-exec.service"
+    substituteInPlace $out/lib/systemd/system/remount-dev-exec.service \
+      --replace '/bin/mount' \
+                "${util-linux}/bin/mount"
+  '';
+
+  passthru.tests = {
+    service = nixosTests.aesmd;
+  };
+
+  meta = with lib; {
+    description = "Intel SGX Architectural Enclave Service Manager";
+    homepage = "https://github.com/intel/linux-sgx";
+    maintainers = with maintainers; [ veehaitch citadelcore ];
+    platforms = [ "x86_64-linux" ];
+    license = with licenses; [ bsd3 ];
+  };
+}
diff --git a/nixpkgs/pkgs/os-specific/linux/sgx/samples/default.nix b/nixpkgs/pkgs/os-specific/linux/sgx/samples/default.nix
new file mode 100644
index 000000000000..2afd62de75d4
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/sgx/samples/default.nix
@@ -0,0 +1,109 @@
+{ stdenv
+, lib
+, makeWrapper
+, sgx-sdk
+, sgx-psw
+, which
+  # "SIM" or "HW"
+, sgxMode
+}:
+let
+  isSimulation = sgxMode == "SIM";
+  buildSample = name: stdenv.mkDerivation {
+    pname = name;
+    version = sgxMode;
+
+    src = sgx-sdk.out;
+    sourceRoot = "${sgx-sdk.name}/share/SampleCode/${name}";
+
+    nativeBuildInputs = [
+      makeWrapper
+      which
+    ];
+
+    buildInputs = [
+      sgx-sdk
+    ];
+
+    # The samples don't have proper support for parallel building
+    # causing them to fail randomly.
+    enableParallelBuilding = false;
+
+    buildFlags = [
+      "SGX_MODE=${sgxMode}"
+    ];
+
+    installPhase = ''
+      runHook preInstall
+
+      mkdir -p $out/{bin,lib}
+      install -m 755 app $out/bin
+      install *.so $out/lib
+
+      wrapProgram "$out/bin/app" \
+        --chdir "$out/lib" \
+        ${lib.optionalString (!isSimulation)
+        ''--prefix LD_LIBRARY_PATH : "${lib.makeLibraryPath [ sgx-psw ]}"''}
+
+      runHook postInstall
+    '';
+
+    # Breaks the signature of the enclaves
+    dontFixup = true;
+
+    # We don't have access to real SGX hardware during the build
+    doInstallCheck = isSimulation;
+    installCheckPhase = ''
+      runHook preInstallCheck
+
+      pushd /
+      echo a | $out/bin/app
+      popd
+
+      runHook preInstallCheck
+    '';
+  };
+in
+{
+  cxx11SGXDemo = buildSample "Cxx11SGXDemo";
+  localAttestation = (buildSample "LocalAttestation").overrideAttrs (oldAttrs: {
+    installPhase = ''
+      runHook preInstall
+
+      mkdir -p $out/{bin,lib}
+      install -m 755 bin/app* $out/bin
+      install bin/*.so $out/lib
+
+      for bin in $out/bin/*; do
+        wrapProgram $bin \
+          --chdir "$out/lib" \
+          ${lib.optionalString (!isSimulation)
+          ''--prefix LD_LIBRARY_PATH : "${lib.makeLibraryPath [ sgx-psw ]}"''}
+      done
+
+      runHook postInstall
+    '';
+  });
+  powerTransition = buildSample "PowerTransition";
+  protobufSGXDemo = buildSample "ProtobufSGXDemo";
+  remoteAttestation = (buildSample "RemoteAttestation").overrideAttrs (oldAttrs: {
+    # Makefile sets rpath to point to $TMPDIR
+    preFixup = ''
+      patchelf --remove-rpath $out/bin/app
+    '';
+
+    postInstall = ''
+      install sample_libcrypto/*.so $out/lib
+    '';
+  });
+  sampleEnclave = buildSample "SampleEnclave";
+  sampleEnclavePCL = buildSample "SampleEnclavePCL";
+  sampleEnclaveGMIPP = buildSample "SampleEnclaveGMIPP";
+  sealUnseal = (buildSample "SealUnseal").overrideAttrs (oldAttrs: {
+    prePatch = ''
+      substituteInPlace App/App.cpp \
+        --replace '"sealed_data_blob.txt"' '"/tmp/sealed_data_blob.txt"'
+    '';
+  });
+  switchless = buildSample "Switchless";
+}
diff --git a/nixpkgs/pkgs/os-specific/linux/sgx/sdk/default.nix b/nixpkgs/pkgs/os-specific/linux/sgx/sdk/default.nix
new file mode 100644
index 000000000000..053aaecbcbb7
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/sgx/sdk/default.nix
@@ -0,0 +1,285 @@
+{ lib
+, stdenv
+, fetchFromGitHub
+, fetchpatch
+, fetchzip
+, autoconf
+, automake
+, binutils
+, callPackage
+, cmake
+, file
+, gdb
+, git
+, libtool
+, linkFarmFromDrvs
+, nasm
+, ocaml
+, ocamlPackages
+, openssl_1_1
+, perl
+, python3
+, texinfo
+, validatePkgConfig
+, writeShellApplication
+, writeShellScript
+, writeText
+, debug ? false
+}:
+stdenv.mkDerivation rec {
+  pname = "sgx-sdk";
+  # Version as given in se_version.h
+  version = "2.16.100.4";
+  # Version as used in the Git tag
+  versionTag = "2.16";
+
+  src = fetchFromGitHub {
+    owner = "intel";
+    repo = "linux-sgx";
+    rev = "sgx_${versionTag}";
+    hash = "sha256-qgXuJJWiqmcU11umCsE3DnlK4VryuTDAsNf53YPw6UY=";
+    fetchSubmodules = true;
+  };
+
+  postUnpack = ''
+    # Make sure this is the right version of linux-sgx
+    grep -q '"${version}"' "$src/common/inc/internal/se_version.h" \
+      || (echo "Could not find expected version ${version} in linux-sgx source" >&2 && exit 1)
+  '';
+
+  patches = [
+    # Fix missing pthread_compat.h, see https://github.com/intel/linux-sgx/pull/784
+    (fetchpatch {
+      url = "https://github.com/intel/linux-sgx/commit/254b58f922a6bd49c308a4f47f05f525305bd760.patch";
+      sha256 = "sha256-sHU++K7NJ+PdITx3y0PwstA9MVh10rj2vrLn01N9F4w=";
+    })
+  ];
+
+  postPatch = ''
+    patchShebangs linux/installer/bin/build-installpkg.sh \
+      linux/installer/common/sdk/createTarball.sh \
+      linux/installer/common/sdk/install.sh
+  '';
+
+  # We need `cmake` as a build input but don't use it to kick off the build phase
+  dontUseCmakeConfigure = true;
+
+  # SDK built with stackprotector produces broken enclaves which crash at runtime.
+  # Disable all to be safe, SDK build configures compiler mitigations manually.
+  hardeningDisable = [ "all" ];
+
+  nativeBuildInputs = [
+    autoconf
+    automake
+    cmake
+    file
+    git
+    ocaml
+    ocamlPackages.ocamlbuild
+    perl
+    python3
+    texinfo
+    validatePkgConfig
+  ];
+
+  buildInputs = [
+    libtool
+    openssl_1_1
+  ];
+
+  BINUTILS_DIR = "${binutils}/bin";
+
+  # Build external/ippcp_internal first. The Makefile is rewritten to make the
+  # build faster by splitting different versions of ipp-crypto builds and to
+  # avoid patching the Makefile for reproducibility issues.
+  preBuild =
+    let
+      ipp-crypto-no_mitigation = callPackage ./ipp-crypto.nix { };
+
+      sgx-asm-pp = "python ${src}/build-scripts/sgx-asm-pp.py --assembler=nasm";
+
+      nasm-load = writeShellScript "nasm-load" "${sgx-asm-pp} --MITIGATION-CVE-2020-0551=LOAD $@";
+      ipp-crypto-cve_2020_0551_load = callPackage ./ipp-crypto.nix {
+        extraCmakeFlags = [ "-DCMAKE_ASM_NASM_COMPILER=${nasm-load}" ];
+      };
+
+      nasm-cf = writeShellScript "nasm-cf" "${sgx-asm-pp} --MITIGATION-CVE-2020-0551=CF $@";
+      ipp-crypto-cve_2020_0551_cf = callPackage ./ipp-crypto.nix {
+        extraCmakeFlags = [ "-DCMAKE_ASM_NASM_COMPILER=${nasm-cf}" ];
+      };
+    in
+    ''
+      echo "Setting up IPP crypto build artifacts"
+
+      pushd 'external/ippcp_internal'
+
+      cp -r ${ipp-crypto-no_mitigation}/include/. inc/
+
+      install -D -m a+rw ${ipp-crypto-no_mitigation}/lib/intel64/libippcp.a \
+        lib/linux/intel64/no_mitigation/libippcp.a
+      install -D -m a+rw ${ipp-crypto-cve_2020_0551_load}/lib/intel64/libippcp.a \
+        lib/linux/intel64/cve_2020_0551_load/libippcp.a
+      install -D -m a+rw ${ipp-crypto-cve_2020_0551_cf}/lib/intel64/libippcp.a \
+        lib/linux/intel64/cve_2020_0551_cf/libippcp.a
+
+      rm inc/ippcp.h
+      patch ${ipp-crypto-no_mitigation}/include/ippcp.h -i inc/ippcp21u3.patch -o inc/ippcp.h
+
+      install -D ${ipp-crypto-no_mitigation.src}/LICENSE license/LICENSE
+
+      popd
+    '';
+
+  buildFlags = [
+    "sdk_install_pkg"
+  ] ++ lib.optionals debug [
+    "DEBUG=1"
+  ];
+
+  enableParallelBuilding = true;
+
+  postBuild = ''
+    patchShebangs linux/installer/bin/sgx_linux_x64_sdk_${version}.bin
+  '';
+
+  installPhase = ''
+    runHook preInstall
+
+    installDir=$TMPDIR
+    ./linux/installer/bin/sgx_linux_x64_sdk_${version}.bin -prefix $installDir
+    installDir=$installDir/sgxsdk
+
+    echo "Move files created by installer"
+
+    mkdir -p $out/bin
+    pushd $out
+
+    mv $installDir/bin/sgx-gdb $out/bin
+    mkdir $out/bin/x64
+    for file in $installDir/bin/x64/*; do
+      mv $file bin/
+      ln -sr bin/$(basename $file) bin/x64/
+    done
+    rmdir $installDir/bin/{x64,}
+
+    # Move `lib64` to `lib` and symlink `lib64`
+    mv $installDir/lib64 lib
+    ln -s lib/ lib64
+
+    mv $installDir/include/ .
+
+    mkdir -p share/
+    mv $installDir/{SampleCode,licenses} share/
+
+    mkdir -p share/bin
+    mv $installDir/{environment,buildenv.mk} share/bin/
+    ln -s share/bin/{environment,buildenv.mk} .
+
+    # pkgconfig should go to lib/
+    mv $installDir/pkgconfig lib/
+    ln -s lib/pkgconfig/ .
+
+    # Also create the `sdk_libs` for compat. All the files
+    # link to libraries in `lib64/`, we shouldn't link the entire
+    # directory, however, as there seems to be some ambiguity between
+    # SDK and PSW libraries.
+    mkdir sdk_libs/
+    for file in $installDir/sdk_libs/*; do
+      ln -sr lib/$(basename $file) sdk_libs/
+      rm $file
+    done
+    rmdir $installDir/sdk_libs
+
+    # No uninstall script required
+    rm $installDir/uninstall.sh
+
+    # Create an `sgxsdk` symlink which points to `$out` for compat
+    ln -sr . sgxsdk
+
+    # Make sure we didn't forget any files
+    rmdir $installDir || (echo "Error: The directory $installDir still contains unhandled files: $(ls -A $installDir)" >&2 && exit 1)
+
+    popd
+
+    runHook postInstall
+  '';
+
+
+  preFixup = ''
+    echo "Strip sgxsdk prefix"
+    for path in "$out/share/bin/environment" "$out/bin/sgx-gdb"; do
+      substituteInPlace $path --replace "$TMPDIR/sgxsdk" "$out"
+    done
+
+    echo "Fixing pkg-config files"
+    sed -i "s|prefix=.*|prefix=$out|g" $out/lib/pkgconfig/*.pc
+
+    echo "Fixing SGX_SDK default in samples"
+    substituteInPlace $out/share/SampleCode/LocalAttestation/buildenv.mk \
+      --replace '/opt/intel/sgxsdk' "$out"
+    for file in $out/share/SampleCode/*/Makefile; do
+      substituteInPlace $file \
+        --replace '/opt/intel/sgxsdk' "$out"
+    done
+
+    echo "Fixing BINUTILS_DIR in buildenv.mk"
+    substituteInPlace $out/share/bin/buildenv.mk \
+      --replace 'BINUTILS_DIR ?= /usr/local/bin' \
+                'BINUTILS_DIR ?= ${BINUTILS_DIR}'
+
+    echo "Fixing GDB path in bin/sgx-gdb"
+    substituteInPlace $out/bin/sgx-gdb --replace '/usr/local/bin/gdb' '${gdb}/bin/gdb'
+  '';
+
+  doInstallCheck = true;
+
+  installCheckPhase = ''
+    runHook preInstallCheck
+
+    # Make sure all symlinks are valid
+    output=$(find "$out" -type l -exec test ! -e {} \; -print)
+    if [[ -n "$output" ]]; then
+      echo "Broken symlinks:"
+      echo "$output"
+      exit 1
+    fi
+
+    runHook postInstallCheck
+  '';
+
+  setupHook = writeText "setup-hook.sh" ''
+    sgxsdk() {
+        export SGX_SDK=@out@
+    }
+
+    postHooks+=(sgxsdk)
+  '';
+
+  passthru.tests = callPackage ../samples { sgxMode = "SIM"; };
+
+  # Run tests in SGX hardware mode on an SGX-enabled machine
+  # $(nix-build -A sgx-sdk.runTestsHW)/bin/run-tests-hw
+  passthru.runTestsHW =
+    let
+      testsHW = lib.filterAttrs (_: v: v ? "name") (callPackage ../samples { sgxMode = "HW"; });
+      testsHWLinked = linkFarmFromDrvs "sgx-samples-hw-bundle" (lib.attrValues testsHW);
+    in
+    writeShellApplication {
+      name = "run-tests-hw";
+      text = ''
+        for test in ${testsHWLinked}/*; do
+          printf '*** Running test %s ***\n\n' "$(basename "$test")"
+          printf 'a\n' | "$test/bin/app"
+          printf '\n'
+        done
+      '';
+    };
+
+  meta = with lib; {
+    description = "Intel SGX SDK for Linux built with IPP Crypto Library";
+    homepage = "https://github.com/intel/linux-sgx";
+    maintainers = with maintainers; [ sbellem arturcygan veehaitch ];
+    platforms = [ "x86_64-linux" ];
+    license = with licenses; [ bsd3 ];
+  };
+}
diff --git a/nixpkgs/pkgs/os-specific/linux/sgx/sdk/ipp-crypto.nix b/nixpkgs/pkgs/os-specific/linux/sgx/sdk/ipp-crypto.nix
new file mode 100644
index 000000000000..b9f682f5319b
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/sgx/sdk/ipp-crypto.nix
@@ -0,0 +1,36 @@
+{ lib
+, gcc11Stdenv
+, fetchFromGitHub
+, cmake
+, nasm
+, openssl_1_1
+, python3
+, extraCmakeFlags ? [ ]
+}:
+
+gcc11Stdenv.mkDerivation rec {
+  pname = "ipp-crypto";
+  version = "2021.3";
+
+  src = fetchFromGitHub {
+    owner = "intel";
+    repo = "ipp-crypto";
+    rev = "ippcp_${version}";
+    hash = "sha256-QEJXvQ//zhQqibFxXwPMdS1MHewgyb24LRmkycVSGrM=";
+  };
+
+  # Fix typo: https://github.com/intel/ipp-crypto/pull/33
+  postPatch = ''
+    substituteInPlace sources/cmake/ippcp-gen-config.cmake \
+      --replace 'ippcpo-config.cmake' 'ippcp-config.cmake'
+  '';
+
+  cmakeFlags = [ "-DARCH=intel64" ] ++ extraCmakeFlags;
+
+  nativeBuildInputs = [
+    cmake
+    nasm
+    openssl_1_1
+    python3
+  ];
+}
diff --git a/nixpkgs/pkgs/os-specific/linux/sgx/ssl/default.nix b/nixpkgs/pkgs/os-specific/linux/sgx/ssl/default.nix
new file mode 100644
index 000000000000..f3f6ce485063
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/sgx/ssl/default.nix
@@ -0,0 +1,95 @@
+{ stdenv
+, fetchFromGitHub
+, fetchpatch
+, fetchurl
+, lib
+, perl
+, sgx-sdk
+, which
+, debug ? false
+}:
+let
+  sgxVersion = sgx-sdk.versionTag;
+  opensslVersion = "1.1.1l";
+in
+stdenv.mkDerivation rec {
+  pname = "sgx-ssl" + lib.optionalString debug "-debug";
+  version = "${sgxVersion}_${opensslVersion}";
+
+  src = fetchFromGitHub {
+    owner = "intel";
+    repo = "intel-sgx-ssl";
+    rev = "lin_${sgxVersion}_${opensslVersion}";
+    hash = "sha256-ibPXs90ni2fkxJ09fNO6wWVpfCFdko6MjBFkEsyIih8=";
+  };
+
+  postUnpack =
+    let
+      opensslSourceArchive = fetchurl {
+        url = "https://www.openssl.org/source/openssl-${opensslVersion}.tar.gz";
+        hash = "sha256-C3o+XlnDSCf+DDp0t+yLrvMCuY+oAIjX+RU6oW+na9E=";
+      };
+    in
+    ''
+      ln -s ${opensslSourceArchive} $sourceRoot/openssl_source/openssl-${opensslVersion}.tar.gz
+    '';
+
+  patches = [
+    # https://github.com/intel/intel-sgx-ssl/pull/111
+    ./intel-sgx-ssl-pr-111.patch
+  ];
+
+  postPatch = ''
+    patchShebangs Linux/build_openssl.sh
+
+    # Run the test in the `installCheckPhase`, not the `buildPhase`
+    substituteInPlace Linux/sgx/Makefile \
+      --replace '$(MAKE) -C $(TEST_DIR) all' \
+                'bash -c "true"'
+  '';
+
+  enableParallelBuilding = true;
+
+  nativeBuildInputs = [
+    perl
+    sgx-sdk
+    stdenv.cc.libc
+    which
+  ];
+
+  makeFlags = [
+    "-C Linux"
+  ] ++ lib.optionals debug [
+    "DEBUG=1"
+  ];
+
+  installFlags = [
+    "DESTDIR=$(out)"
+  ];
+
+  # Build the test app
+  #
+  # Running the test app is currently only supported on Intel CPUs
+  # and will fail on non-Intel CPUs even in SGX simulation mode.
+  # Therefore, we only build the test app without running it until
+  # upstream resolves the issue: https://github.com/intel/intel-sgx-ssl/issues/113
+  doInstallCheck = true;
+  installCheckTarget = "all";
+  installCheckFlags = [
+    "SGX_MODE=SIM"
+    "-C sgx/test_app"
+    "-j 1" # Makefile doesn't support multiple jobs
+  ];
+  preInstallCheck = ''
+    # Expects the enclave file in the current working dir
+    ln -s sgx/test_app/TestEnclave.signed.so .
+  '';
+
+  meta = with lib; {
+    description = "Cryptographic library for Intel SGX enclave applications based on OpenSSL";
+    homepage = "https://github.com/intel/intel-sgx-ssl";
+    maintainers = with maintainers; [ trundle veehaitch ];
+    platforms = [ "x86_64-linux" ];
+    license = with licenses; [ bsd3 openssl ];
+  };
+}
diff --git a/nixpkgs/pkgs/os-specific/linux/sgx/ssl/intel-sgx-ssl-pr-111.patch b/nixpkgs/pkgs/os-specific/linux/sgx/ssl/intel-sgx-ssl-pr-111.patch
new file mode 100644
index 000000000000..6ef06d7e231b
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/sgx/ssl/intel-sgx-ssl-pr-111.patch
@@ -0,0 +1,99 @@
+From 1683c336e11b3cbe2b48c1be1c9460a661523c71 Mon Sep 17 00:00:00 2001
+From: Vincent Haupert <mail@vincent-haupert.de>
+Date: Sat, 8 Jan 2022 17:22:31 +0100
+Subject: [PATCH 1/3] Linux: fix Nix detection
+
+Detect the `OS_ID` of Nix by probing for the presence of the `NIX_STORE`
+environment variable instead of `NIX_PATH`. The latter is only set in a
+`nix-shell` session but isn't when building a derivation through
+`nix-build`. In contrast, the `NIX_STORE` environment variable is set in
+both cases.
+
+Signed-off-by: Vincent Haupert <mail@vincent-haupert.de>
+---
+ Linux/sgx/buildenv.mk | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/Linux/sgx/buildenv.mk b/Linux/sgx/buildenv.mk
+index cd8818e..dac23c7 100644
+--- a/Linux/sgx/buildenv.mk
++++ b/Linux/sgx/buildenv.mk
+@@ -65,7 +65,7 @@ $(shell mkdir -p $(PACKAGE_LIB))
+ UBUNTU_CONFNAME:=/usr/include/x86_64-linux-gnu/bits/confname.h
+ ifneq ("$(wildcard $(UBUNTU_CONFNAME))","")
+ 	OS_ID=1
+-else ifeq ($(origin NIX_PATH),environment)
++else ifeq ($(origin NIX_STORE),environment)
+ 	OS_ID=3
+ else
+ 	OS_ID=2
+
+From f493525face589d759223bfa45bb802c31ddce4f Mon Sep 17 00:00:00 2001
+From: Vincent Haupert <mail@vincent-haupert.de>
+Date: Sat, 8 Jan 2022 17:33:22 +0100
+Subject: [PATCH 2/3] Linux: call binaries relative to PATH
+
+Using an absolute path to call binaries is incompatible with
+distributions which do not follow the Filesystem Hierachy Standard;
+Nix is an example. Also, it is inconsistent with the rest of the code
+base, let alone superfluous.
+
+Signed-off-by: Vincent Haupert <mail@vincent-haupert.de>
+---
+ Linux/build_openssl.sh | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/Linux/build_openssl.sh b/Linux/build_openssl.sh
+index 7d77b79..e8b59a1 100755
+--- a/Linux/build_openssl.sh
++++ b/Linux/build_openssl.sh
+@@ -38,7 +38,7 @@ SGXSSL_ROOT="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
+ echo $SGXSSL_ROOT
+ 
+ OPENSSL_INSTALL_DIR="$SGXSSL_ROOT/../openssl_source/OpenSSL_install_dir_tmp"
+-OPENSSL_VERSION=`/bin/ls $SGXSSL_ROOT/../openssl_source/*1.1.1*.tar.gz | /usr/bin/head -1 | /bin/grep -o '[^/]*$' | /bin/sed -s -- 's/\.tar\.gz//'`
++OPENSSL_VERSION=`ls $SGXSSL_ROOT/../openssl_source/*1.1.1*.tar.gz | head -1 | grep -o '[^/]*$' | sed -s -- 's/\.tar\.gz//'`
+ if [ "$OPENSSL_VERSION" == "" ] 
+ then
+ 	echo "In order to run this script, OpenSSL tar.gz package must be located in openssl_source/ directory."
+
+From fdb883d30fff72b5cfb8c61a2288d3d948f64224 Mon Sep 17 00:00:00 2001
+From: Vincent Haupert <mail@vincent-haupert.de>
+Date: Tue, 11 Jan 2022 10:56:39 +0100
+Subject: [PATCH 3/3] Linux: properly extract GCC major version
+
+Calling `gcc -dumpversion` yields the full version string, e.g.,
+`10.3.0`. The `build_openssl.sh` bash script uses the `-ge` number
+comparison operator to check if the returned version is at least
+8. This results in an error if the returned GCC version includes a patch
+version; "10.3.0" isn't a valid number.
+
+This commit fixes the version detection by only extracting the relevant
+major version of GCC.
+
+Signed-off-by: Vincent Haupert <mail@vincent-haupert.de>
+---
+ Linux/build_openssl.sh | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/Linux/build_openssl.sh b/Linux/build_openssl.sh
+index e8b59a1..6e4046f 100755
+--- a/Linux/build_openssl.sh
++++ b/Linux/build_openssl.sh
+@@ -82,6 +82,7 @@ fi
+ MITIGATION_OPT=""
+ MITIGATION_FLAGS=""
+ CC_VERSION=`gcc -dumpversion`
++CC_VERSION_MAJOR=`echo "$CC_VERSION" | cut -f1 -d.`
+ for arg in "$@"
+ do
+     case $arg in
+@@ -99,7 +100,7 @@ do
+         ;;
+     -mfunction-return=thunk-extern)
+         MITIGATION_FLAGS+=" $arg"
+-        if [[ $CC_VERSION -ge 8 ]] ; then
++        if [[ "$CC_VERSION_MAJOR" -ge 8 ]] ; then
+             MITIGATION_FLAGS+=" -fcf-protection=none"
+         fi
+         shift
diff --git a/nixpkgs/pkgs/os-specific/linux/shadow/default.nix b/nixpkgs/pkgs/os-specific/linux/shadow/default.nix
new file mode 100644
index 000000000000..38fec65b3334
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/shadow/default.nix
@@ -0,0 +1,101 @@
+{ lib, stdenv, fetchFromGitHub
+, runtimeShell, nixosTests
+, autoreconfHook, bison, flex
+, docbook_xml_dtd_45, docbook_xsl
+, itstool, libbsd, libxml2, libxslt
+, libxcrypt, pkg-config
+, glibcCross ? null
+, pam ? null
+, withTcb ? lib.meta.availableOn stdenv.hostPlatform tcb, tcb
+}:
+let
+  glibc =
+    if stdenv.hostPlatform != stdenv.buildPlatform then glibcCross
+    else assert stdenv.hostPlatform.libc == "glibc"; stdenv.cc.libc;
+
+in
+
+stdenv.mkDerivation rec {
+  pname = "shadow";
+  version = "4.14.1";
+
+  src = fetchFromGitHub {
+    owner = "shadow-maint";
+    repo = pname;
+    rev = version;
+    hash = "sha256-DzPPnttnJSOMQwXWyFcz6fEtjwBC3p2PpZpBAQ/Ew18=";
+  };
+
+  outputs = [ "out" "su" "dev" "man" ];
+
+  RUNTIME_SHELL = runtimeShell;
+
+  nativeBuildInputs = [
+    autoreconfHook bison flex
+    docbook_xml_dtd_45 docbook_xsl
+    itstool libxml2 libxslt
+    pkg-config
+  ];
+
+  buildInputs = [ libbsd libxcrypt ]
+    ++ lib.optional (pam != null && stdenv.isLinux) pam
+    ++ lib.optional withTcb tcb;
+
+  patches = [
+    ./keep-path.patch
+    # Obtain XML resources from XML catalog (patch adapted from gtk-doc)
+    ./respect-xml-catalog-files-var.patch
+    ./runtime-shell.patch
+    ./fix-install-with-tcb.patch
+  ];
+
+  # The nix daemon often forbids even creating set[ug]id files.
+  postPatch = ''
+    sed 's/^\(s[ug]idperms\) = [0-9]755/\1 = 0755/' -i src/Makefile.am
+  '';
+
+  # Assume System V `setpgrp (void)', which is the default on GNU variants
+  # (`AC_FUNC_SETPGRP' is not cross-compilation capable.)
+  preConfigure = ''
+    export ac_cv_func_setpgrp_void=yes
+    export shadow_cv_logdir=/var/log
+  '';
+
+  configureFlags = [
+    "--enable-man"
+    "--with-group-name-max-length=32"
+    "--with-bcrypt"
+    "--with-yescrypt"
+  ] ++ lib.optional (stdenv.hostPlatform.libc != "glibc") "--disable-nscd"
+    ++ lib.optional withTcb "--with-tcb";
+
+  preBuild = lib.optionalString (stdenv.hostPlatform.libc == "glibc") ''
+    substituteInPlace lib/nscd.c --replace /usr/sbin/nscd ${glibc.bin}/bin/nscd
+  '';
+
+  postInstall = ''
+    # Don't install ‘groups’, since coreutils already provides it.
+    rm $out/bin/groups
+    rm $man/share/man/man1/groups.*
+
+    # Move the su binary into the su package
+    mkdir -p $su/bin
+    mv $out/bin/su $su/bin
+  '';
+
+  enableParallelBuilding = true;
+
+  disallowedReferences = lib.optional (stdenv.buildPlatform != stdenv.hostPlatform) stdenv.shellPackage;
+
+  meta = with lib; {
+    homepage = "https://github.com/shadow-maint";
+    description = "Suite containing authentication-related tools such as passwd and su";
+    license = licenses.bsd3;
+    platforms = platforms.linux;
+  };
+
+  passthru = {
+    shellPath = "/bin/nologin";
+    tests = { inherit (nixosTests) shadow; };
+  };
+}
diff --git a/nixpkgs/pkgs/os-specific/linux/shadow/fix-install-with-tcb.patch b/nixpkgs/pkgs/os-specific/linux/shadow/fix-install-with-tcb.patch
new file mode 100644
index 000000000000..ff6166b92f1d
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/shadow/fix-install-with-tcb.patch
@@ -0,0 +1,28 @@
+diff --git a/src/Makefile.am b/src/Makefile.am
+index a1a2e4e..fa17f9d 100644
+--- a/src/Makefile.am
++++ b/src/Makefile.am
+@@ -74,10 +74,6 @@ suidubins += newgidmap newuidmap
+ endif
+ endif
+ 
+-if WITH_TCB
+-shadowsgidubins = passwd
+-endif
+-
+ LDADD          = $(INTLLIBS) \
+ 		 $(top_builddir)/libmisc/libmisc.la \
+ 		 $(top_builddir)/lib/libshadow.la \
+@@ -146,12 +142,6 @@ install-am: all-am
+ 	set -e; for i in $(suidusbins); do \
+ 		chmod $(suidperms) $(DESTDIR)$(usbindir)/$$i; \
+ 	done
+-if WITH_TCB
+-	set -e; for i in $(shadowsgidubins); do \
+-		chown root:shadow $(DESTDIR)$(ubindir)/$$i; \
+-		chmod $(sgidperms) $(DESTDIR)$(ubindir)/$$i; \
+-	done
+-endif
+ if ENABLE_SUBIDS
+ if FCAPS
+ 	setcap cap_setuid+ep $(DESTDIR)$(ubindir)/newuidmap
diff --git a/nixpkgs/pkgs/os-specific/linux/shadow/keep-path.patch b/nixpkgs/pkgs/os-specific/linux/shadow/keep-path.patch
new file mode 100644
index 000000000000..99fd17c27bc9
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/shadow/keep-path.patch
@@ -0,0 +1,19 @@
+diff -ru shadow-4.1.5.1-orig/src/su.c shadow-4.1.5.1/src/su.c
+--- shadow-4.1.5.1-orig/src/su.c	2012-05-25 07:51:55.000000000 -0400
++++ shadow-4.1.5.1/src/su.c	2012-07-25 17:22:57.013547930 -0400
+@@ -879,6 +879,7 @@
+ 		}
+ 	}
+ 
++#if 0
+ 	cp = getdef_str ((pw->pw_uid == 0) ? "ENV_SUPATH" : "ENV_PATH");
+ 	if (NULL == cp) {
+ 		addenv ((pw->pw_uid == 0) ? "PATH=/sbin:/bin:/usr/sbin:/usr/bin" : "PATH=/bin:/usr/bin", NULL);
+@@ -887,6 +888,7 @@
+ 	} else {
+ 		addenv ("PATH", cp);
+ 	}
++#endif
+ 
+ 	if (getenv ("IFS") != NULL) {	/* don't export user IFS ... */
+ 		addenv ("IFS= \t\n", NULL);	/* ... instead, set a safe IFS */
diff --git a/nixpkgs/pkgs/os-specific/linux/shadow/respect-xml-catalog-files-var.patch b/nixpkgs/pkgs/os-specific/linux/shadow/respect-xml-catalog-files-var.patch
new file mode 100644
index 000000000000..7d922eae71fc
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/shadow/respect-xml-catalog-files-var.patch
@@ -0,0 +1,30 @@
+diff --git a/acinclude.m4 b/acinclude.m4
+index dd01f165..e23160ee 100644
+--- a/acinclude.m4
++++ b/acinclude.m4
+@@ -46,9 +46,21 @@ AC_DEFUN([JH_CHECK_XML_CATALOG],
+     ifelse([$3],,,[$3
+ ])dnl
+   else
+-    AC_MSG_RESULT([not found])
+-    ifelse([$4],,
+-       [AC_MSG_ERROR([could not find ifelse([$2],,[$1],[$2]) in XML catalog])],
+-       [$4])
++    jh_check_xml_catalog_saved_ifs="$IFS"
++    IFS=' '
++    for f in $XML_CATALOG_FILES; do
++      if [[ -f "$f" ]] && \
++        AC_RUN_LOG([$XMLCATALOG --noout "$f" "$1" >&2]); then
++        jh_found_xmlcatalog=true
++        AC_MSG_RESULT([found])
++        ifelse([$3],,,[$3])
++        break
++      fi
++    done
++    IFS="$jh_check_xml_catalog_saved_ifs"
++    if ! $jh_found_xmlcatalog; then
++      AC_MSG_RESULT([not found])
++      ifelse([$4],,[AC_MSG_ERROR([could not find ifelse([$2],,[$1],[$2]) in XML catalog])],[$4])
++    fi
+   fi
+ ])
diff --git a/nixpkgs/pkgs/os-specific/linux/shadow/runtime-shell.patch b/nixpkgs/pkgs/os-specific/linux/shadow/runtime-shell.patch
new file mode 100644
index 000000000000..0b2e68e330e4
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/shadow/runtime-shell.patch
@@ -0,0 +1,13 @@
+diff --git a/configure.ac b/configure.ac
+index e4c6aaec..03883ad7 100644
+--- a/configure.ac
++++ b/configure.ac
+@@ -682,7 +682,7 @@ if test "$enable_utmpx" = "yes"; then
+ 	          [Define if utmpx should be used])
+ fi
+ 
+-AC_DEFINE_UNQUOTED(SHELL, ["$SHELL"], [The default shell.])
++AC_DEFINE_UNQUOTED(SHELL, ["$RUNTIME_SHELL"], [The runtime shell.])
+ 
+ AM_GNU_GETTEXT_VERSION(0.16)
+ AM_GNU_GETTEXT([external], [need-ngettext])
diff --git a/nixpkgs/pkgs/os-specific/linux/sinit/default.nix b/nixpkgs/pkgs/os-specific/linux/sinit/default.nix
new file mode 100644
index 000000000000..a412461bfd51
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/sinit/default.nix
@@ -0,0 +1,30 @@
+{ lib, stdenv, fetchgit, rcinit ? null, rcshutdown ? null, rcreboot ? null }:
+
+stdenv.mkDerivation rec {
+  pname = "sinit";
+  version = "1.1";
+
+  src = fetchgit {
+    url = "https://git.suckless.org/sinit/";
+    sha256 = "sha256-VtXkgixgElKKOT26uKN9feXDVjjtSgTWvcgk5o5MLmw=";
+    rev = "refs/tags/v${version}";
+  };
+  buildInputs = [
+    (lib.getOutput "static" stdenv.cc.libc)
+  ];
+  makeFlags = [ "PREFIX=$(out)" ];
+  preConfigure = ""
+    + (lib.optionalString (rcinit != null) ''sed -re 's@(rcinitcmd[^"]*")[^"]*"@\1${rcinit}"@' -i config.def.h; '')
+    + (lib.optionalString (rcshutdown != null) ''sed -re 's@(rc(reboot|poweroff)cmd[^"]*")[^"]*"@\1${rcshutdown}"@' -i config.def.h; '')
+    + (lib.optionalString (rcreboot != null) ''sed -re 's@(rc(reboot)cmd[^"]*")[^"]*"@\1${rcreboot}"@' -i config.def.h; '')
+  ;
+
+  meta = with lib; {
+    description = "A very minimal Linux init implementation from suckless.org";
+    license = licenses.mit;
+    maintainers = with maintainers; [ raskin ];
+    platforms = platforms.linux;
+    homepage = "https://tools.suckless.org/sinit";
+    downloadPage = "https://git.suckless.org/sinit";
+  };
+}
diff --git a/nixpkgs/pkgs/os-specific/linux/smem/default.nix b/nixpkgs/pkgs/os-specific/linux/smem/default.nix
new file mode 100644
index 000000000000..6308b83b600a
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/smem/default.nix
@@ -0,0 +1,29 @@
+{ lib, stdenv, fetchurl, python3 }:
+
+stdenv.mkDerivation rec {
+  pname = "smem";
+  version = "1.5";
+
+  src = fetchurl {
+    url = "https://selenic.com/repo/smem/archive/${version}.tar.bz2";
+    sha256 = "19ibv1byxf2b68186ysrgrhy5shkc5mc69abark1h18yigp3j34m";
+  };
+
+  buildInputs = [ python3 ];
+
+  makeFlags = [ "smemcap" ];
+
+  installPhase =
+    ''
+      install -Dm555 -t $out/bin/ smem smemcap
+      install -Dm444 -t $out/share/man/man8/ smem.8
+    '';
+
+  meta = {
+    homepage = "https://www.selenic.com/smem/";
+    description = "A memory usage reporting tool that takes shared memory into account";
+    platforms = lib.platforms.linux;
+    maintainers = [ lib.maintainers.eelco ];
+    license = lib.licenses.gpl2Plus;
+  };
+}
diff --git a/nixpkgs/pkgs/os-specific/linux/smemstat/default.nix b/nixpkgs/pkgs/os-specific/linux/smemstat/default.nix
new file mode 100644
index 000000000000..d8f8c1bc025f
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/smemstat/default.nix
@@ -0,0 +1,28 @@
+{ stdenv, lib, fetchFromGitHub, ncurses }:
+
+stdenv.mkDerivation rec {
+  pname = "smemstat";
+  version = "0.02.12";
+
+  src = fetchFromGitHub {
+    owner = "ColinIanKing";
+    repo = pname;
+    rev = "V${version}";
+    hash = "sha256-5gO26F80nZvZ6RIqX8o7bDSNo38EL8XywR8wMPFqHA8=";
+  };
+
+  buildInputs = [ ncurses ];
+  installFlags = [
+    "BINDIR=${placeholder "out"}/bin"
+    "MANDIR=${placeholder "out"}/share/man/man8"
+    "BASHDIR=${placeholder "out"}/share/bash-completion/completions"
+  ];
+
+  meta = with lib; {
+    description = "Memory usage monitoring tool";
+    homepage = "https://github.com/ColinIanKing/smemstat";
+    license = licenses.gpl2;
+    platforms = platforms.linux;
+    maintainers = with maintainers; [ womfoo ];
+  };
+}
diff --git a/nixpkgs/pkgs/os-specific/linux/sssd/default.nix b/nixpkgs/pkgs/os-specific/linux/sssd/default.nix
new file mode 100644
index 000000000000..62db758c7aa7
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/sssd/default.nix
@@ -0,0 +1,118 @@
+{ lib, stdenv, fetchFromGitHub, autoreconfHook, makeWrapper, glibc, augeas, dnsutils, c-ares, curl,
+  cyrus_sasl, ding-libs, libnl, libunistring, nss, samba, nfs-utils, doxygen,
+  python3, pam, popt, talloc, tdb, tevent, pkg-config, ldb, openldap,
+  pcre2, libkrb5, cifs-utils, glib, keyutils, dbus, fakeroot, libxslt, libxml2,
+  libuuid, systemd, nspr, check, cmocka, uid_wrapper, p11-kit,
+  nss_wrapper, ncurses, Po4a, http-parser, jansson, jose,
+  docbook_xsl, docbook_xml_dtd_44,
+  testers, nix-update-script, nixosTests,
+  withSudo ? false }:
+
+let
+  docbookFiles = "${docbook_xsl}/share/xml/docbook-xsl/catalog.xml:${docbook_xml_dtd_44}/xml/dtd/docbook/catalog.xml";
+in
+stdenv.mkDerivation (finalAttrs: {
+  pname = "sssd";
+  version = "2.9.3";
+
+  src = fetchFromGitHub {
+    owner = "SSSD";
+    repo = "sssd";
+    rev = "refs/tags/${finalAttrs.version}";
+    hash = "sha256-WTVOt2TpTCyMmFYzWJMBQdwgmov7m1Sd8CwyL4ywPUY=";
+  };
+
+  postPatch = ''
+    patchShebangs ./sbus_generate.sh.in
+  '';
+
+  # Something is looking for <libxml/foo.h> instead of <libxml2/libxml/foo.h>
+  env.NIX_CFLAGS_COMPILE = "-I${libxml2.dev}/include/libxml2";
+
+  preConfigure = ''
+    export SGML_CATALOG_FILES="${docbookFiles}"
+    export PYTHONPATH=$(find ${python3.pkgs.python-ldap} -type d -name site-packages)
+    export PATH=$PATH:${openldap}/libexec
+
+    configureFlagsArray=(
+      --prefix=$out
+      --sysconfdir=/etc
+      --localstatedir=/var
+      --enable-pammoddir=$out/lib/security
+      --with-os=fedora
+      --with-pid-path=/run
+      --with-python3-bindings
+      --with-syslog=journald
+      --without-selinux
+      --without-semanage
+      --with-xml-catalog-path=''${SGML_CATALOG_FILES%%:*}
+      --with-ldb-lib-dir=$out/modules/ldb
+      --with-nscd=${glibc.bin}/sbin/nscd
+    )
+  '' + lib.optionalString withSudo ''
+    configureFlagsArray+=("--with-sudo")
+  '';
+
+  enableParallelBuilding = true;
+  # Disable parallel install due to missing depends:
+  #   libtool:   error: error: relink '_py3sss.la' with the above command before installing i
+  enableParallelInstalling = false;
+  nativeBuildInputs = [ autoreconfHook makeWrapper pkg-config doxygen ];
+  buildInputs = [ augeas dnsutils c-ares curl cyrus_sasl ding-libs libnl libunistring nss
+                  samba nfs-utils p11-kit python3 popt
+                  talloc tdb tevent ldb pam openldap pcre2 libkrb5
+                  cifs-utils glib keyutils dbus fakeroot libxslt libxml2
+                  libuuid python3.pkgs.python-ldap systemd nspr check cmocka uid_wrapper
+                  nss_wrapper ncurses Po4a http-parser jansson jose ];
+
+  makeFlags = [
+    "SGML_CATALOG_FILES=${docbookFiles}"
+  ];
+
+  installFlags = [
+     "sysconfdir=$(out)/etc"
+     "localstatedir=$(out)/var"
+     "pidpath=$(out)/run"
+     "sss_statedir=$(out)/var/lib/sss"
+     "logpath=$(out)/var/log/sssd"
+     "pubconfpath=$(out)/var/lib/sss/pubconf"
+     "dbpath=$(out)/var/lib/sss/db"
+     "mcpath=$(out)/var/lib/sss/mc"
+     "pipepath=$(out)/var/lib/sss/pipes"
+     "gpocachepath=$(out)/var/lib/sss/gpo_cache"
+     "secdbpath=$(out)/var/lib/sss/secrets"
+     "initdir=$(out)/rc.d/init"
+  ];
+
+  postInstall = ''
+    rm -rf "$out"/run
+    rm -rf "$out"/rc.d
+    rm -f "$out"/modules/ldb/memberof.la
+    find "$out" -depth -type d -exec rmdir --ignore-fail-on-non-empty {} \;
+  '';
+  postFixup = ''
+    for f in $out/bin/sss{ctl,_cache,_debuglevel,_override,_seed}; do
+      wrapProgram $f --prefix LDB_MODULES_PATH : $out/modules/ldb
+    done
+  '';
+
+  passthru = {
+    tests = {
+      inherit (nixosTests) sssd sssd-ldap;
+      version = testers.testVersion {
+        package = finalAttrs.finalPackage;
+        command = "sssd --version";
+      };
+    };
+    updateScript = nix-update-script { };
+  };
+
+  meta = with lib; {
+    description = "System Security Services Daemon";
+    homepage = "https://sssd.io/";
+    changelog = "https://sssd.io/release-notes/sssd-${finalAttrs.version}.html";
+    license = licenses.gpl3Plus;
+    platforms = platforms.linux;
+    maintainers = with maintainers; [ illustris ];
+  };
+})
diff --git a/nixpkgs/pkgs/os-specific/linux/statifier/default.nix b/nixpkgs/pkgs/os-specific/linux/statifier/default.nix
new file mode 100644
index 000000000000..eefd95d1153a
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/statifier/default.nix
@@ -0,0 +1,24 @@
+{ lib, multiStdenv, fetchurl }:
+
+multiStdenv.mkDerivation rec {
+  pname = "statifier";
+  version = "1.7.4";
+
+  src = fetchurl {
+    url = "mirror://sourceforge/statifier/statifier-${version}.tar.gz";
+    sha256 = "03lzkla6knjhh186b43cac410x2fmhi28pkmzb3d211n3zp5i9y8";
+  };
+
+  phaseNames = [ "patchPhase" "installPhase" ];
+
+  postPatch = ''
+    sed -e s@/usr/@"$out/"@g -i */Makefile src/statifier
+    sed -e s@/bin/bash@"${multiStdenv.shell}"@g -i src/*.sh
+  '';
+
+  meta = with lib; {
+    description = "Tool for creating static Linux binaries";
+    platforms = platforms.linux;
+    license = licenses.gpl2;
+  };
+}
diff --git a/nixpkgs/pkgs/os-specific/linux/swapview/default.nix b/nixpkgs/pkgs/os-specific/linux/swapview/default.nix
new file mode 100644
index 000000000000..8eb455501052
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/swapview/default.nix
@@ -0,0 +1,23 @@
+{ lib, rustPlatform, fetchFromGitHub }:
+
+rustPlatform.buildRustPackage rec {
+  pname = "swapview";
+  version = "0.1.0";
+
+  src = fetchFromGitHub {
+    owner = "lilydjwg";
+    repo = "swapview";
+    rev = "v${version}";
+    sha256 = "0339biydk997j5r72vzp7djwkscsz89xr3936nshv23fmxjh2rzj";
+  };
+
+  cargoSha256 = "03yi6bsjjnl8hznxr1nrnxx5lrqb574625j2lkxqbl9vrg9mswdz";
+
+  meta = with lib; {
+    description = "A simple program to view processes' swap usage on Linux";
+    homepage = "https://github.com/lilydjwg/swapview";
+    platforms = platforms.linux;
+    license = with licenses; [ bsd3 ];
+    maintainers = with maintainers; [ oxalica ];
+  };
+}
diff --git a/nixpkgs/pkgs/os-specific/linux/switcheroo-control/default.nix b/nixpkgs/pkgs/os-specific/linux/switcheroo-control/default.nix
new file mode 100644
index 000000000000..bb0f262a2b1c
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/switcheroo-control/default.nix
@@ -0,0 +1,58 @@
+{ lib
+, ninja
+, meson
+, fetchFromGitLab
+, systemd
+, libgudev
+, pkg-config
+, glib
+, python3
+, gobject-introspection
+}:
+
+python3.pkgs.buildPythonApplication rec {
+  pname = "switcheroo-control";
+  version = "2.6";
+
+  format = "other";
+
+  src = fetchFromGitLab {
+    domain = "gitlab.freedesktop.org";
+    owner = "hadess";
+    repo = pname;
+    rev = version;
+    hash = "sha256-F+5HhMxM8pcnAGmVBARKWNCL0rIEzHW/jsGHHqYZJug=";
+  };
+
+  nativeBuildInputs = [
+    ninja
+    meson
+    pkg-config
+
+    # needed for glib-compile-resources
+    glib
+  ];
+
+  buildInputs = [
+    systemd
+    libgudev
+  ];
+
+  propagatedBuildInputs = [
+    python3.pkgs.pygobject3
+  ];
+
+  mesonFlags = [
+    "-Dsystemdsystemunitdir=${placeholder "out"}/etc/systemd/system"
+    "-Dhwdbdir=${placeholder "out"}/etc/udev/hwdb.d"
+  ];
+
+  meta = with lib; {
+    description = "D-Bus service to check the availability of dual-GPU";
+    homepage = "https://gitlab.freedesktop.org/hadess/switcheroo-control/";
+    changelog = "https://gitlab.freedesktop.org/hadess/switcheroo-control/-/blob/${version}/NEWS";
+    license = licenses.gpl3Plus;
+    maintainers = [ ];
+    platforms = platforms.linux;
+  };
+}
diff --git a/nixpkgs/pkgs/os-specific/linux/sydbox/default.nix b/nixpkgs/pkgs/os-specific/linux/sydbox/default.nix
new file mode 100644
index 000000000000..bdaf77147f2e
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/sydbox/default.nix
@@ -0,0 +1,77 @@
+{ lib
+, stdenv
+, fetchurl
+, pkg-config
+, autoreconfHook
+, python3
+, perl
+, libxslt
+, docbook_xsl
+, docbook_xml_dtd_42
+, libseccomp
+, installTests ? true, gnumake, which
+, debugBuild ? false, libunwind
+}:
+
+stdenv.mkDerivation rec {
+  pname = "sydbox-1";
+  version = "2.2.0";
+
+  outputs = [ "out" "dev" "man" "doc" ]
+    ++ lib.optional installTests "installedTests";
+
+  src = fetchurl {
+    url = "https://git.exherbo.org/${pname}.git/snapshot/${pname}-${version}.tar.xz";
+    sha256 = "0664myrrzbvsw73q5b7cqwgv4hl9a7vkm642s1r96gaxm16jk0z7";
+  };
+
+  nativeBuildInputs = [
+    pkg-config
+    autoreconfHook
+    python3
+    perl
+    libxslt.bin
+    docbook_xsl
+    docbook_xml_dtd_42
+  ];
+
+  buildInputs = [
+    libseccomp
+  ] ++ lib.optional debugBuild libunwind
+    ++ lib.optionals installTests [
+      gnumake
+      python3
+      perl
+      which
+    ];
+
+  enableParallelBuilding = true;
+
+  configureFlags = [ ]
+    ++ lib.optionals installTests [ "--enable-installed-tests"
+      "--libexecdir=${placeholder "installedTests"}/libexec" ]
+    ++ lib.optional debugBuild "--enable-debug";
+
+  makeFlags = [ "SYD_INCLUDEDIR=${stdenv.cc.libc.dev}/include" ];
+
+  doCheck = true;
+  checkPhase = ''
+    # Many of the regular test cases in t/ do not work inside the build sandbox
+    make -C syd check
+  '';
+
+  postInstall = if installTests then ''
+    moveToOutput bin/syd-test $installedTests
+  '' else ''
+    # Tests are installed despite --disable-installed-tests
+    rm -r $out/bin/syd-test $out/libexec
+  '';
+
+  meta = with lib; {
+    homepage = "https://sydbox.exherbo.org/";
+    description = "seccomp-based application sandbox";
+    license = licenses.gpl2;
+    platforms = platforms.linux;
+    maintainers = with maintainers; [ mvs ];
+  };
+}
diff --git a/nixpkgs/pkgs/os-specific/linux/syscall_limiter/default.nix b/nixpkgs/pkgs/os-specific/linux/syscall_limiter/default.nix
new file mode 100644
index 000000000000..329ec522c422
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/syscall_limiter/default.nix
@@ -0,0 +1,37 @@
+{ lib, stdenv
+, fetchFromGitHub
+, libseccomp
+, perl
+, which
+}:
+
+stdenv.mkDerivation {
+  pname = "syscall_limiter";
+  version = "2017-01-23";
+
+  src = fetchFromGitHub {
+    owner  = "vi";
+    repo   = "syscall_limiter";
+    rev    = "481c8c883f2e1260ebc83b352b63bf61a930a341";
+    sha256 = "0z5arj1kq1xczgrbw1b8m9kicbv3vs9bd32wvgfr4r6ndingsp5m";
+  };
+
+  buildInputs = [ libseccomp ];
+
+  installPhase = ''
+    mkdir -p $out/bin
+    cp -v limit_syscalls $out/bin
+    cp -v monitor.sh $out/bin/limit_syscalls_monitor.sh
+    substituteInPlace $out/bin/limit_syscalls_monitor.sh \
+      --replace perl ${perl}/bin/perl \
+      --replace which ${which}/bin/which
+  '';
+
+  meta = with lib; {
+    description = "Start Linux programs with only selected syscalls enabled";
+    homepage    = "https://github.com/vi/syscall_limiter";
+    license     = licenses.mit;
+    maintainers = with maintainers; [ obadz ];
+    platforms   = platforms.linux;
+  };
+}
diff --git a/nixpkgs/pkgs/os-specific/linux/sysdig/default.nix b/nixpkgs/pkgs/os-specific/linux/sysdig/default.nix
new file mode 100644
index 000000000000..3e63a4a54d8a
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/sysdig/default.nix
@@ -0,0 +1,149 @@
+{ lib, stdenv, fetchFromGitHub, fetchpatch, cmake, kernel, installShellFiles, pkg-config
+, luajit, ncurses, perl, jsoncpp, libb64, openssl, curl, jq, gcc, elfutils, tbb, protobuf, grpc
+, yaml-cpp, nlohmann_json, re2, zstd
+}:
+
+let
+  # Compare with https://github.com/draios/sysdig/blob/dev/cmake/modules/falcosecurity-libs.cmake
+  libsRev = "59fb313475b82f842e9e9bbc1e0e629428c0a4cf";
+  libsSha256 = "sha256-IjzLbCOpB6EgPDgkGIyg1dNxHfYgU10OLgXrDOPmoTs=";
+
+  # Compare with https://github.com/falcosecurity/libs/blob/master/cmake/modules/valijson.cmake#L17
+  valijson = fetchFromGitHub {
+    owner = "tristanpenman";
+    repo = "valijson";
+    rev = "v0.6";
+    sha256 = "sha256-ZD19Q2MxMQd3yEKbY90GFCrerie5/jzgO8do4JQDoKM=";
+  };
+
+  # https://github.com/draios/sysdig/blob/0.31.5/cmake/modules/driver.cmake
+  driver = fetchFromGitHub {
+    owner = "falcosecurity";
+    repo = "libs";
+    rev = libsRev;
+    sha256 = libsSha256;
+  };
+
+in
+stdenv.mkDerivation rec {
+  pname = "sysdig";
+  version = "0.33.1";
+
+  src = fetchFromGitHub {
+    owner = "draios";
+    repo = "sysdig";
+    rev = version;
+    sha256 = "sha256-qcJ9EcePrsKic+wgsck+pTrRdQic0xhzguH4EYVP0gk=";
+  };
+
+  patches = [
+    # https://github.com/draios/sysdig/pull/2024
+    (fetchpatch {
+      url = "https://github.com/draios/sysdig/commit/d9515aad2be660b2ba7ec8c0b4fb2467a10434af.patch";
+      sha256 = "sha256-3m+Rn8BZS8U8QTBDJ6x7kQbH6BE3HKgt1iNnRjPEr8k=";
+    })
+  ];
+
+  nativeBuildInputs = [ cmake perl installShellFiles pkg-config ];
+  buildInputs = [
+    luajit
+    ncurses
+    libb64
+    openssl
+    curl
+    jq
+    gcc
+    elfutils
+    tbb
+    libb64
+    re2
+    protobuf
+    grpc
+    yaml-cpp
+    jsoncpp
+    nlohmann_json
+    zstd
+  ] ++ lib.optionals (kernel != null) kernel.moduleBuildDependencies;
+
+  hardeningDisable = [ "pic" ];
+
+  postUnpack = ''
+    cp -r ${fetchFromGitHub {
+      owner = "falcosecurity";
+      repo = "libs";
+      rev = libsRev;
+      sha256 = libsSha256;
+    }} libs
+    chmod -R +w libs
+    cp -r ${driver} driver-src
+    chmod -R +w driver-src
+    cmakeFlagsArray+=(
+      "-DFALCOSECURITY_LIBS_SOURCE_DIR=$(pwd)/libs"
+      "-DVALIJSON_INCLUDE=${valijson}/include"
+      "-DDRIVER_SOURCE_DIR=$(pwd)/driver-src/driver"
+    )
+  '';
+
+  cmakeFlags = [
+    "-DUSE_BUNDLED_DEPS=OFF"
+    "-DSYSDIG_VERSION=${version}"
+    "-DUSE_BUNDLED_B64=OFF"
+    "-DUSE_BUNDLED_TBB=OFF"
+    "-DUSE_BUNDLED_RE2=OFF"
+    "-DCREATE_TEST_TARGETS=OFF"
+  ] ++ lib.optional (kernel == null) "-DBUILD_DRIVER=OFF";
+
+  env.NIX_CFLAGS_COMPILE =
+   # needed since luajit-2.1.0-beta3
+   "-DluaL_reg=luaL_Reg -DluaL_getn(L,i)=((int)lua_objlen(L,i)) " +
+   # fix compiler warnings been treated as errors
+   "-Wno-error";
+
+  preConfigure = ''
+    if ! grep -q "${libsRev}" cmake/modules/falcosecurity-libs.cmake; then
+      echo "falcosecurity-libs checksum needs to be updated!"
+      exit 1
+    fi
+    cmakeFlagsArray+=(-DCMAKE_EXE_LINKER_FLAGS="-ltbb -lcurl -lzstd -labsl_synchronization")
+  '' + lib.optionalString (kernel != null) ''
+    export INSTALL_MOD_PATH="$out"
+    export KERNELDIR="${kernel.dev}/lib/modules/${kernel.modDirVersion}/build"
+  '';
+
+  postInstall =
+    ''
+      # Fix the bash completion location
+      installShellCompletion --bash $out/etc/bash_completion.d/sysdig
+      rm $out/etc/bash_completion.d/sysdig
+      rmdir $out/etc/bash_completion.d
+      rmdir $out/etc
+    ''
+    + lib.optionalString (kernel != null) ''
+      make install_driver
+      kernel_dev=${kernel.dev}
+      kernel_dev=''${kernel_dev#${builtins.storeDir}/}
+      kernel_dev=''${kernel_dev%%-linux*dev*}
+      if test -f "$out/lib/modules/${kernel.modDirVersion}/extra/scap.ko"; then
+          sed -i "s#$kernel_dev#................................#g" $out/lib/modules/${kernel.modDirVersion}/extra/scap.ko
+      else
+          for i in $out/lib/modules/${kernel.modDirVersion}/{extra,updates}/scap.ko.xz; do
+            if test -f "$i"; then
+              xz -d $i
+              sed -i "s#$kernel_dev#................................#g" ''${i%.xz}
+              xz -9 ''${i%.xz}
+            fi
+          done
+      fi
+    '';
+
+
+  meta = with lib; {
+    description = "A tracepoint-based system tracing tool for Linux (with clients for other OSes)";
+    license = with licenses; [ asl20 gpl2 mit ];
+    maintainers = [maintainers.raskin];
+    platforms = ["x86_64-linux"] ++ platforms.darwin;
+    broken = kernel != null && versionOlder kernel.version "4.14";
+    homepage = "https://sysdig.com/opensource/";
+    downloadPage = "https://github.com/draios/sysdig/releases";
+  };
+}
diff --git a/nixpkgs/pkgs/os-specific/linux/sysfsutils/default.nix b/nixpkgs/pkgs/os-specific/linux/sysfsutils/default.nix
new file mode 100644
index 000000000000..113ba7939a65
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/sysfsutils/default.nix
@@ -0,0 +1,23 @@
+{ lib, stdenv, fetchurl }:
+
+stdenv.mkDerivation rec {
+  pname = "sysfsutils";
+  version = "2.1.0";
+
+  src = fetchurl {
+    url = "mirror://sourceforge/linux-diag/sysfsutils-${version}.tar.gz";
+    sha256 = "e865de2c1f559fff0d3fc936e660c0efaf7afe662064f2fb97ccad1ec28d208a";
+  };
+
+  meta = {
+    homepage = "https://linux-diag.sourceforge.net/Sysfsutils.html";
+    longDescription =
+      ''
+        These are a set of utilites built upon sysfs, a new virtual
+        filesystem in Linux kernel versions 2.5+ that exposes a system's
+        device tree.
+      '';
+    license = with lib.licenses; [ gpl2 lgpl21 ];
+    platforms = lib.platforms.linux;
+  };
+}
diff --git a/nixpkgs/pkgs/os-specific/linux/sysklogd/default.nix b/nixpkgs/pkgs/os-specific/linux/sysklogd/default.nix
new file mode 100644
index 000000000000..048d82b5a530
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/sysklogd/default.nix
@@ -0,0 +1,41 @@
+{lib, stdenv, fetchurl}:
+
+stdenv.mkDerivation rec {
+  pname = "sysklogd";
+  version = "1.5.1";
+
+  src = fetchurl {
+    url = "http://www.infodrom.org/projects/sysklogd/download/sysklogd-${version}.tar.gz";
+    sha256 = "00f2wy6f0qng7qzga4iicyzl9j8b7mp6mrpfky5jxj93ms2w2rji";
+  };
+
+  patches = [ ./systemd.patch ./union-wait.patch ./fix-includes-for-musl.patch ];
+
+  env.NIX_CFLAGS_COMPILE = "-DSYSV";
+
+  installFlags = [ "BINDIR=$(out)/sbin" "MANDIR=$(out)/share/man" "INSTALL=install" ];
+
+  makeFlags = [
+    "CC=${stdenv.cc.targetPrefix}cc"
+  ];
+
+  postPatch = ''
+    # Disable stripping during installation, stripping will be done anyway.
+    # Fixes cross-compilation.
+    substituteInPlace Makefile \
+      --replace "-m 500 -s" "-m 500"
+  '';
+
+  preConfigure =
+    ''
+      sed -e 's@-o \''${MAN_USER} -g \''${MAN_GROUP} -m \''${MAN_PERMS} @@' -i Makefile
+    '';
+
+  preInstall = "mkdir -p $out/share/man/man5/ $out/share/man/man8/ $out/sbin";
+
+  meta = with lib; {
+    description = "A system logging daemon";
+    platforms = platforms.linux;
+    license = licenses.gpl2;
+  };
+}
diff --git a/nixpkgs/pkgs/os-specific/linux/sysklogd/fix-includes-for-musl.patch b/nixpkgs/pkgs/os-specific/linux/sysklogd/fix-includes-for-musl.patch
new file mode 100644
index 000000000000..87e56a10db8b
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/sysklogd/fix-includes-for-musl.patch
@@ -0,0 +1,120 @@
+# this patch both fixes some include paths as well as removes glibc
+# gates around defines that musl-libc also depends on.
+diff -u sysklogd-1.5.1.orig/klogd.c sysklogd-1.5.1/klogd.c
+--- sysklogd-1.5.1.orig/klogd.c	2014-10-04 15:47:18.000000000 -0400
++++ sysklogd-1.5.1/klogd.c	2021-01-18 23:09:23.000000000 -0500
+@@ -260,11 +260,8 @@
+ #include <unistd.h>
+ #include <signal.h>
+ #include <errno.h>
+-#include <sys/fcntl.h>
++#include <fcntl.h>
+ #include <sys/stat.h>
+-#if !defined(__GLIBC__)
+-#include <linux/time.h>
+-#endif /* __GLIBC__ */
+ #include <stdarg.h>
+ #include <paths.h>
+ #include <stdlib.h>
+@@ -277,13 +274,8 @@
+ 
+ #define __LIBRARY__
+ #include <linux/unistd.h>
+-#if !defined(__GLIBC__)
+-# define __NR_ksyslog __NR_syslog
+-_syscall3(int,ksyslog,int, type, char *, buf, int, len);
+-#else
+ #include <sys/klog.h>
+ #define ksyslog klogctl
+-#endif
+ 
+ #define LOG_BUFFER_SIZE 4096
+ #define LOG_LINE_LENGTH 1000
+diff -u sysklogd-1.5.1.orig/ksym_mod.c sysklogd-1.5.1/ksym_mod.c
+--- sysklogd-1.5.1.orig/ksym_mod.c	2014-10-04 15:47:18.000000000 -0400
++++ sysklogd-1.5.1/ksym_mod.c	2021-01-18 23:09:57.000000000 -0500
+@@ -113,12 +113,9 @@
+ #include <unistd.h>
+ #include <signal.h>
+ #include <errno.h>
+-#include <sys/fcntl.h>
++#include <fcntl.h>
+ #include <sys/stat.h>
+ #include "module.h"
+-#if !defined(__GLIBC__)
+-#include <linux/time.h>
+-#endif /* __GLIBC__ */
+ #include <stdarg.h>
+ #include <paths.h>
+ #include <linux/version.h>
+diff -u sysklogd-1.5.1.orig/pidfile.c sysklogd-1.5.1/pidfile.c
+--- sysklogd-1.5.1.orig/pidfile.c	2014-10-04 15:47:18.000000000 -0400
++++ sysklogd-1.5.1/pidfile.c	2021-01-18 23:23:55.000000000 -0500
+@@ -25,6 +25,7 @@
+  */
+ 
+ #include <stdio.h>
++#include <fcntl.h>
+ #include <unistd.h>
+ #include <sys/stat.h>
+ #include <sys/file.h>
+diff -u sysklogd-1.5.1.orig/syslog.c sysklogd-1.5.1/syslog.c
+--- sysklogd-1.5.1.orig/syslog.c	2014-10-04 15:47:18.000000000 -0400
++++ sysklogd-1.5.1/syslog.c	2021-01-18 23:11:45.000000000 -0500
+@@ -55,7 +55,6 @@
+ #include <sys/types.h>
+ #include <sys/socket.h>
+ #include <sys/file.h>
+-#include <sys/signal.h>
+ #include <sys/syslog.h>
+ #if 0
+ #include "syslog.h"
+@@ -64,6 +63,8 @@
+ 
+ #include <sys/uio.h>
+ #include <sys/wait.h>
++#include <signal.h>
++#include <fcntl.h>
+ #include <netdb.h>
+ #include <string.h>
+ #include <time.h>
+diff -u sysklogd-1.5.1.orig/syslogd.c sysklogd-1.5.1/syslogd.c
+--- sysklogd-1.5.1.orig/syslogd.c	2014-10-04 15:47:18.000000000 -0400
++++ sysklogd-1.5.1/syslogd.c	2021-01-18 23:13:25.000000000 -0500
+@@ -519,9 +519,9 @@
+ #include <time.h>
+ 
+ #define SYSLOG_NAMES
++#include <errno.h>
+ #include <sys/syslog.h>
+ #include <sys/param.h>
+-#include <sys/errno.h>
+ #include <sys/ioctl.h>
+ #include <sys/stat.h>
+ #include <sys/wait.h>
+@@ -818,9 +818,7 @@
+ void init();
+ void cfline(char *line, register struct filed *f);
+ int decode(char *name, struct code *codetab);
+-#if defined(__GLIBC__)
+ #define dprintf mydprintf
+-#endif /* __GLIBC__ */
+ static void dprintf(char *, ...);
+ static void allocate_log(void);
+ void sighup_handler();
+@@ -840,15 +838,9 @@
+ 	register char *p;
+ #ifndef TESTING
+ 	ssize_t msglen;
+-#endif
+-#if !defined(__GLIBC__)
+-	int len, num_fds;
+-#else /* __GLIBC__ */
+-#ifndef TESTING
+ 	socklen_t len;
+ #endif
+ 	int num_fds;
+-#endif /* __GLIBC__ */
+ 	/*
+ 	 * It took me quite some time to figure out how this is
+ 	 * supposed to work so I guess I should better write it down.
diff --git a/nixpkgs/pkgs/os-specific/linux/sysklogd/systemd.patch b/nixpkgs/pkgs/os-specific/linux/sysklogd/systemd.patch
new file mode 100644
index 000000000000..a170f67cadbb
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/sysklogd/systemd.patch
@@ -0,0 +1,845 @@
+Based on http://ftp.free.org/mirrors/rsync.frugalware.org/frugalware-testing/source/apps-extra/sysklogd/sysklogd-1.5-systemd.diff
+
+diff -ruN -x '*~' sysklogd-1.5-old/Makefile sysklogd-1.5/Makefile
+--- sysklogd-1.5-old/Makefile	2007-05-30 17:28:48.000000000 +0200
++++ sysklogd-1.5/Makefile	2013-05-09 16:01:14.428638113 +0200
+@@ -20,7 +20,7 @@
+ CC= gcc
+ #SKFLAGS= -g -DSYSV -Wall
+ #LDFLAGS= -g
+-SKFLAGS= $(RPM_OPT_FLAGS) -O3 -DSYSV -fomit-frame-pointer -Wall -fno-strength-reduce
++SKFLAGS= $(RPM_OPT_FLAGS) -O3 -DSYSV -fomit-frame-pointer -Wall -fno-strength-reduce -I.
+ # -D_FILE_OFFSET_BITS=64 -D_LARGEFILE_SOURCE
+ # -D_FILE_OFFSET_BITS=64 -D_LARGEFILE64_SOURCE
+ # $(shell getconf LFS_SKFLAGS)
+@@ -79,8 +79,8 @@
+ 
+ install: install_man install_exec
+ 
+-syslogd: syslogd.o pidfile.o
+-	${CC} ${LDFLAGS} -o syslogd syslogd.o pidfile.o ${LIBS}
++syslogd: syslogd.o pidfile.o sd-daemon.o
++	${CC} ${LDFLAGS} -o syslogd syslogd.o pidfile.o sd-daemon.o ${LIBS}
+ 
+ klogd:	klogd.o syslog.o pidfile.o ksym.o ksym_mod.o
+ 	${CC} ${LDFLAGS} -o klogd klogd.o syslog.o pidfile.o ksym.o \
+@@ -101,6 +101,9 @@
+ syslog.o: syslog.c
+ 	${CC} ${SKFLAGS} ${SYSLOG_FLAGS} -c syslog.c
+ 
++sd-daemon.o: sd-daemon.c sd-daemon.h
++	${CC} ${SKFLAGS} ${SYSLOG_FLAGS} -c sd-daemon.c
++
+ klogd.o: klogd.c klogd.h version.h
+ 	${CC} ${SKFLAGS} ${KLOGD_FLAGS} $(DEB) -c klogd.c
+ 
+diff -ruN -x '*~' sysklogd-1.5-old/sd-daemon.c sysklogd-1.5/sd-daemon.c
+--- sysklogd-1.5-old/sd-daemon.c	1970-01-01 01:00:00.000000000 +0100
++++ sysklogd-1.5/sd-daemon.c	2013-05-09 16:01:14.429638107 +0200
+@@ -0,0 +1,436 @@
++/*-*- Mode: C; c-basic-offset: 8; indent-tabs-mode: nil -*-*/
++
++/***
++  Copyright 2010 Lennart Poettering
++
++  Permission is hereby granted, free of charge, to any person
++  obtaining a copy of this software and associated documentation files
++  (the "Software"), to deal in the Software without restriction,
++  including without limitation the rights to use, copy, modify, merge,
++  publish, distribute, sublicense, and/or sell copies of the Software,
++  and to permit persons to whom the Software is furnished to do so,
++  subject to the following conditions:
++
++  The above copyright notice and this permission notice shall be
++  included in all copies or substantial portions of the Software.
++
++  THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
++  EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
++  MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
++  NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS
++  BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN
++  ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
++  CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
++  SOFTWARE.
++***/
++
++#ifndef _GNU_SOURCE
++#define _GNU_SOURCE
++#endif
++
++#include <sys/types.h>
++#include <sys/stat.h>
++#include <sys/socket.h>
++#include <sys/un.h>
++#include <netinet/in.h>
++#include <stdlib.h>
++#include <fcntl.h>
++#include <errno.h>
++#include <unistd.h>
++#include <string.h>
++#include <stdarg.h>
++#include <stdio.h>
++#include <stddef.h>
++
++#include "sd-daemon.h"
++
++int sd_listen_fds(int unset_environment) {
++
++#if defined(DISABLE_SYSTEMD) || !defined(__linux__)
++        return 0;
++#else
++        int r, fd;
++        const char *e;
++        char *p = NULL;
++        unsigned long l;
++
++        if (!(e = getenv("LISTEN_PID"))) {
++                r = 0;
++                goto finish;
++        }
++
++        errno = 0;
++        l = strtoul(e, &p, 10);
++
++        if (errno != 0) {
++                r = -errno;
++                goto finish;
++        }
++
++        if (!p || *p || l <= 0) {
++                r = -EINVAL;
++                goto finish;
++        }
++
++        /* Is this for us? */
++        if (getpid() != (pid_t) l) {
++                r = 0;
++                goto finish;
++        }
++
++        if (!(e = getenv("LISTEN_FDS"))) {
++                r = 0;
++                goto finish;
++        }
++
++        errno = 0;
++        l = strtoul(e, &p, 10);
++
++        if (errno != 0) {
++                r = -errno;
++                goto finish;
++        }
++
++        if (!p || *p) {
++                r = -EINVAL;
++                goto finish;
++        }
++
++        for (fd = SD_LISTEN_FDS_START; fd < SD_LISTEN_FDS_START + (int) l; fd ++) {
++                int flags;
++
++                if ((flags = fcntl(fd, F_GETFD)) < 0) {
++                        r = -errno;
++                        goto finish;
++                }
++
++                if (flags & FD_CLOEXEC)
++                        continue;
++
++                if (fcntl(fd, F_SETFD, flags | FD_CLOEXEC) < 0) {
++                        r = -errno;
++                        goto finish;
++                }
++        }
++
++        r = (int) l;
++
++finish:
++        if (unset_environment) {
++                unsetenv("LISTEN_PID");
++                unsetenv("LISTEN_FDS");
++        }
++
++        return r;
++#endif
++}
++
++int sd_is_fifo(int fd, const char *path) {
++        struct stat st_fd;
++
++        if (fd < 0)
++                return -EINVAL;
++
++        memset(&st_fd, 0, sizeof(st_fd));
++        if (fstat(fd, &st_fd) < 0)
++                return -errno;
++
++        if (!S_ISFIFO(st_fd.st_mode))
++                return 0;
++
++        if (path) {
++                struct stat st_path;
++
++                memset(&st_path, 0, sizeof(st_path));
++                if (stat(path, &st_path) < 0) {
++
++                        if (errno == ENOENT || errno == ENOTDIR)
++                                return 0;
++
++                        return -errno;
++                }
++
++                return
++                        st_path.st_dev == st_fd.st_dev &&
++                        st_path.st_ino == st_fd.st_ino;
++        }
++
++        return 1;
++}
++
++static int sd_is_socket_internal(int fd, int type, int listening) {
++        struct stat st_fd;
++
++        if (fd < 0 || type < 0)
++                return -EINVAL;
++
++        if (fstat(fd, &st_fd) < 0)
++                return -errno;
++
++        if (!S_ISSOCK(st_fd.st_mode))
++                return 0;
++
++        if (type != 0) {
++                int other_type = 0;
++                socklen_t l = sizeof(other_type);
++
++                if (getsockopt(fd, SOL_SOCKET, SO_TYPE, &other_type, &l) < 0)
++                        return -errno;
++
++                if (l != sizeof(other_type))
++                        return -EINVAL;
++
++                if (other_type != type)
++                        return 0;
++        }
++
++        if (listening >= 0) {
++                int accepting = 0;
++                socklen_t l = sizeof(accepting);
++
++                if (getsockopt(fd, SOL_SOCKET, SO_ACCEPTCONN, &accepting, &l) < 0)
++                        return -errno;
++
++                if (l != sizeof(accepting))
++                        return -EINVAL;
++
++                if (!accepting != !listening)
++                        return 0;
++        }
++
++        return 1;
++}
++
++union sockaddr_union {
++        struct sockaddr sa;
++        struct sockaddr_in in4;
++        struct sockaddr_in6 in6;
++        struct sockaddr_un un;
++        struct sockaddr_storage storage;
++};
++
++int sd_is_socket(int fd, int family, int type, int listening) {
++        int r;
++
++        if (family < 0)
++                return -EINVAL;
++
++        if ((r = sd_is_socket_internal(fd, type, listening)) <= 0)
++                return r;
++
++        if (family > 0) {
++                union sockaddr_union sockaddr;
++                socklen_t l;
++
++                memset(&sockaddr, 0, sizeof(sockaddr));
++                l = sizeof(sockaddr);
++
++                if (getsockname(fd, &sockaddr.sa, &l) < 0)
++                        return -errno;
++
++                if (l < sizeof(sa_family_t))
++                        return -EINVAL;
++
++                return sockaddr.sa.sa_family == family;
++        }
++
++        return 1;
++}
++
++int sd_is_socket_inet(int fd, int family, int type, int listening, uint16_t port) {
++        union sockaddr_union sockaddr;
++        socklen_t l;
++        int r;
++
++        if (family != 0 && family != AF_INET && family != AF_INET6)
++                return -EINVAL;
++
++        if ((r = sd_is_socket_internal(fd, type, listening)) <= 0)
++                return r;
++
++        memset(&sockaddr, 0, sizeof(sockaddr));
++        l = sizeof(sockaddr);
++
++        if (getsockname(fd, &sockaddr.sa, &l) < 0)
++                return -errno;
++
++        if (l < sizeof(sa_family_t))
++                return -EINVAL;
++
++        if (sockaddr.sa.sa_family != AF_INET &&
++            sockaddr.sa.sa_family != AF_INET6)
++                return 0;
++
++        if (family > 0)
++                if (sockaddr.sa.sa_family != family)
++                        return 0;
++
++        if (port > 0) {
++                if (sockaddr.sa.sa_family == AF_INET) {
++                        if (l < sizeof(struct sockaddr_in))
++                                return -EINVAL;
++
++                        return htons(port) == sockaddr.in4.sin_port;
++                } else {
++                        if (l < sizeof(struct sockaddr_in6))
++                                return -EINVAL;
++
++                        return htons(port) == sockaddr.in6.sin6_port;
++                }
++        }
++
++        return 1;
++}
++
++int sd_is_socket_unix(int fd, int type, int listening, const char *path, size_t length) {
++        union sockaddr_union sockaddr;
++        socklen_t l;
++        int r;
++
++        if ((r = sd_is_socket_internal(fd, type, listening)) <= 0)
++                return r;
++
++        memset(&sockaddr, 0, sizeof(sockaddr));
++        l = sizeof(sockaddr);
++
++        if (getsockname(fd, &sockaddr.sa, &l) < 0)
++                return -errno;
++
++        if (l < sizeof(sa_family_t))
++                return -EINVAL;
++
++        if (sockaddr.sa.sa_family != AF_UNIX)
++                return 0;
++
++        if (path) {
++                if (length <= 0)
++                        length = strlen(path);
++
++                if (length <= 0)
++                        /* Unnamed socket */
++                        return l == offsetof(struct sockaddr_un, sun_path);
++
++                if (path[0])
++                        /* Normal path socket */
++                        return
++                                (l >= offsetof(struct sockaddr_un, sun_path) + length + 1) &&
++                                memcmp(path, sockaddr.un.sun_path, length+1) == 0;
++                else
++                        /* Abstract namespace socket */
++                        return
++                                (l == offsetof(struct sockaddr_un, sun_path) + length) &&
++                                memcmp(path, sockaddr.un.sun_path, length) == 0;
++        }
++
++        return 1;
++}
++
++int sd_notify(int unset_environment, const char *state) {
++#if defined(DISABLE_SYSTEMD) || !defined(__linux__) || !defined(SOCK_CLOEXEC)
++        return 0;
++#else
++        int fd = -1, r;
++        struct msghdr msghdr;
++        struct iovec iovec;
++        union sockaddr_union sockaddr;
++        const char *e;
++
++        if (!state) {
++                r = -EINVAL;
++                goto finish;
++        }
++
++        if (!(e = getenv("NOTIFY_SOCKET")))
++                return 0;
++
++        /* Must be an abstract socket, or an absolute path */
++        if ((e[0] != '@' && e[0] != '/') || e[1] == 0) {
++                r = -EINVAL;
++                goto finish;
++        }
++
++        if ((fd = socket(AF_UNIX, SOCK_DGRAM|SOCK_CLOEXEC, 0)) < 0) {
++                r = -errno;
++                goto finish;
++        }
++
++        memset(&sockaddr, 0, sizeof(sockaddr));
++        sockaddr.sa.sa_family = AF_UNIX;
++        strncpy(sockaddr.un.sun_path, e, sizeof(sockaddr.un.sun_path));
++
++        if (sockaddr.un.sun_path[0] == '@')
++                sockaddr.un.sun_path[0] = 0;
++
++        memset(&iovec, 0, sizeof(iovec));
++        iovec.iov_base = (char*) state;
++        iovec.iov_len = strlen(state);
++
++        memset(&msghdr, 0, sizeof(msghdr));
++        msghdr.msg_name = &sockaddr;
++        msghdr.msg_namelen = offsetof(struct sockaddr_un, sun_path) + strlen(e);
++
++        if (msghdr.msg_namelen > sizeof(struct sockaddr_un))
++                msghdr.msg_namelen = sizeof(struct sockaddr_un);
++
++        msghdr.msg_iov = &iovec;
++        msghdr.msg_iovlen = 1;
++
++        if (sendmsg(fd, &msghdr, MSG_NOSIGNAL) < 0) {
++                r = -errno;
++                goto finish;
++        }
++
++        r = 1;
++
++finish:
++        if (unset_environment)
++                unsetenv("NOTIFY_SOCKET");
++
++        if (fd >= 0)
++                close(fd);
++
++        return r;
++#endif
++}
++
++int sd_notifyf(int unset_environment, const char *format, ...) {
++#if defined(DISABLE_SYSTEMD) || !defined(__linux__)
++        return 0;
++#else
++        va_list ap;
++        char *p = NULL;
++        int r;
++
++        va_start(ap, format);
++        r = vasprintf(&p, format, ap);
++        va_end(ap);
++
++        if (r < 0 || !p)
++                return -ENOMEM;
++
++        r = sd_notify(unset_environment, p);
++        free(p);
++
++        return r;
++#endif
++}
++
++int sd_booted(void) {
++#if defined(DISABLE_SYSTEMD) || !defined(__linux__)
++        return 0;
++#else
++
++        struct stat a, b;
++
++        /* We simply test whether the systemd cgroup hierarchy is
++         * mounted */
++
++        if (lstat("/sys/fs/cgroup", &a) < 0)
++                return 0;
++
++        if (lstat("/sys/fs/cgroup/systemd", &b) < 0)
++                return 0;
++
++        return a.st_dev != b.st_dev;
++#endif
++}
+diff -ruN -x '*~' sysklogd-1.5-old/sd-daemon.h sysklogd-1.5/sd-daemon.h
+--- sysklogd-1.5-old/sd-daemon.h	1970-01-01 01:00:00.000000000 +0100
++++ sysklogd-1.5/sd-daemon.h	2013-05-09 16:01:14.429638107 +0200
+@@ -0,0 +1,265 @@
++/*-*- Mode: C; c-basic-offset: 8; indent-tabs-mode: nil -*-*/
++
++#ifndef foosddaemonhfoo
++#define foosddaemonhfoo
++
++/***
++  Copyright 2010 Lennart Poettering
++
++  Permission is hereby granted, free of charge, to any person
++  obtaining a copy of this software and associated documentation files
++  (the "Software"), to deal in the Software without restriction,
++  including without limitation the rights to use, copy, modify, merge,
++  publish, distribute, sublicense, and/or sell copies of the Software,
++  and to permit persons to whom the Software is furnished to do so,
++  subject to the following conditions:
++
++  The above copyright notice and this permission notice shall be
++  included in all copies or substantial portions of the Software.
++
++  THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
++  EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
++  MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
++  NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS
++  BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN
++  ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
++  CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
++  SOFTWARE.
++***/
++
++#include <sys/types.h>
++#include <inttypes.h>
++
++#ifdef __cplusplus
++extern "C" {
++#endif
++
++/*
++  Reference implementation of a few systemd related interfaces for
++  writing daemons. These interfaces are trivial to implement. To
++  simplify porting we provide this reference implementation.
++  Applications are welcome to reimplement the algorithms described
++  here if they do not want to include these two source files.
++
++  The following functionality is provided:
++
++  - Support for logging with log levels on stderr
++  - File descriptor passing for socket-based activation
++  - Daemon startup and status notification
++  - Detection of systemd boots
++
++  You may compile this with -DDISABLE_SYSTEMD to disable systemd
++  support. This makes all those calls NOPs that are directly related to
++  systemd (i.e. only sd_is_xxx() will stay useful).
++
++  Since this is drop-in code we don't want any of our symbols to be
++  exported in any case. Hence we declare hidden visibility for all of
++  them.
++
++  You may find an up-to-date version of these source files online:
++
++  http://cgit.freedesktop.org/systemd/plain/src/sd-daemon.h
++  http://cgit.freedesktop.org/systemd/plain/src/sd-daemon.c
++
++  This should compile on non-Linux systems, too, but with the
++  exception of the sd_is_xxx() calls all functions will become NOPs.
++
++  See sd-daemon(7) for more information.
++*/
++
++#ifndef _sd_printf_attr_
++#if __GNUC__ >= 4
++#define _sd_printf_attr_(a,b) __attribute__ ((format (printf, a, b)))
++#else
++#define _sd_printf_attr_(a,b)
++#endif
++#endif
++
++#ifndef _sd_hidden_
++#if (__GNUC__ >= 4) && !defined(SD_EXPORT_SYMBOLS)
++#define _sd_hidden_ __attribute__ ((visibility("hidden")))
++#else
++#define _sd_hidden_
++#endif
++#endif
++
++/*
++  Log levels for usage on stderr:
++
++          fprintf(stderr, SD_NOTICE "Hello World!\n");
++
++  This is similar to printk() usage in the kernel.
++*/
++#define SD_EMERG   "<0>"  /* system is unusable */
++#define SD_ALERT   "<1>"  /* action must be taken immediately */
++#define SD_CRIT    "<2>"  /* critical conditions */
++#define SD_ERR     "<3>"  /* error conditions */
++#define SD_WARNING "<4>"  /* warning conditions */
++#define SD_NOTICE  "<5>"  /* normal but significant condition */
++#define SD_INFO    "<6>"  /* informational */
++#define SD_DEBUG   "<7>"  /* debug-level messages */
++
++/* The first passed file descriptor is fd 3 */
++#define SD_LISTEN_FDS_START 3
++
++/*
++  Returns how many file descriptors have been passed, or a negative
++  errno code on failure. Optionally, removes the $LISTEN_FDS and
++  $LISTEN_PID file descriptors from the environment (recommended, but
++  problematic in threaded environments). If r is the return value of
++  this function you'll find the file descriptors passed as fds
++  SD_LISTEN_FDS_START to SD_LISTEN_FDS_START+r-1. Returns a negative
++  errno style error code on failure. This function call ensures that
++  the FD_CLOEXEC flag is set for the passed file descriptors, to make
++  sure they are not passed on to child processes. If FD_CLOEXEC shall
++  not be set, the caller needs to unset it after this call for all file
++  descriptors that are used.
++
++  See sd_listen_fds(3) for more information.
++*/
++int sd_listen_fds(int unset_environment) _sd_hidden_;
++
++/*
++  Helper call for identifying a passed file descriptor. Returns 1 if
++  the file descriptor is a FIFO in the file system stored under the
++  specified path, 0 otherwise. If path is NULL a path name check will
++  not be done and the call only verifies if the file descriptor
++  refers to a FIFO. Returns a negative errno style error code on
++  failure.
++
++  See sd_is_fifo(3) for more information.
++*/
++int sd_is_fifo(int fd, const char *path) _sd_hidden_;
++
++/*
++  Helper call for identifying a passed file descriptor. Returns 1 if
++  the file descriptor is a socket of the specified family (AF_INET,
++  ...) and type (SOCK_DGRAM, SOCK_STREAM, ...), 0 otherwise. If
++  family is 0 a socket family check will not be done. If type is 0 a
++  socket type check will not be done and the call only verifies if
++  the file descriptor refers to a socket. If listening is > 0 it is
++  verified that the socket is in listening mode. (i.e. listen() has
++  been called) If listening is == 0 it is verified that the socket is
++  not in listening mode. If listening is < 0 no listening mode check
++  is done. Returns a negative errno style error code on failure.
++
++  See sd_is_socket(3) for more information.
++*/
++int sd_is_socket(int fd, int family, int type, int listening) _sd_hidden_;
++
++/*
++  Helper call for identifying a passed file descriptor. Returns 1 if
++  the file descriptor is an Internet socket, of the specified family
++  (either AF_INET or AF_INET6) and the specified type (SOCK_DGRAM,
++  SOCK_STREAM, ...), 0 otherwise. If version is 0 a protocol version
++  check is not done. If type is 0 a socket type check will not be
++  done. If port is 0 a socket port check will not be done. The
++  listening flag is used the same way as in sd_is_socket(). Returns a
++  negative errno style error code on failure.
++
++  See sd_is_socket_inet(3) for more information.
++*/
++int sd_is_socket_inet(int fd, int family, int type, int listening, uint16_t port) _sd_hidden_;
++
++/*
++  Helper call for identifying a passed file descriptor. Returns 1 if
++  the file descriptor is an AF_UNIX socket of the specified type
++  (SOCK_DGRAM, SOCK_STREAM, ...) and path, 0 otherwise. If type is 0
++  a socket type check will not be done. If path is NULL a socket path
++  check will not be done. For normal AF_UNIX sockets set length to
++  0. For abstract namespace sockets set length to the length of the
++  socket name (including the initial 0 byte), and pass the full
++  socket path in path (including the initial 0 byte). The listening
++  flag is used the same way as in sd_is_socket(). Returns a negative
++  errno style error code on failure.
++
++  See sd_is_socket_unix(3) for more information.
++*/
++int sd_is_socket_unix(int fd, int type, int listening, const char *path, size_t length) _sd_hidden_;
++
++/*
++  Informs systemd about changed daemon state. This takes a number of
++  newline separated environment-style variable assignments in a
++  string. The following variables are known:
++
++     READY=1      Tells systemd that daemon startup is finished (only
++                  relevant for services of Type=notify). The passed
++                  argument is a boolean "1" or "0". Since there is
++                  little value in signalling non-readiness the only
++                  value daemons should send is "READY=1".
++
++     STATUS=...   Passes a single-line status string back to systemd
++                  that describes the daemon state. This is free-from
++                  and can be used for various purposes: general state
++                  feedback, fsck-like programs could pass completion
++                  percentages and failing programs could pass a human
++                  readable error message. Example: "STATUS=Completed
++                  66% of file system check..."
++
++     ERRNO=...    If a daemon fails, the errno-style error code,
++                  formatted as string. Example: "ERRNO=2" for ENOENT.
++
++     BUSERROR=... If a daemon fails, the D-Bus error-style error
++                  code. Example: "BUSERROR=org.freedesktop.DBus.Error.TimedOut"
++
++     MAINPID=...  The main pid of a daemon, in case systemd did not
++                  fork off the process itself. Example: "MAINPID=4711"
++
++  Daemons can choose to send additional variables. However, it is
++  recommened to prefix variable names not listed above with X_.
++
++  Returns a negative errno-style error code on failure. Returns > 0
++  if systemd could be notified, 0 if it couldn't possibly because
++  systemd is not running.
++
++  Example: When a daemon finished starting up, it could issue this
++  call to notify systemd about it:
++
++     sd_notify(0, "READY=1");
++
++  See sd_notifyf() for more complete examples.
++
++  See sd_notify(3) for more information.
++*/
++int sd_notify(int unset_environment, const char *state) _sd_hidden_;
++
++/*
++  Similar to sd_notify() but takes a format string.
++
++  Example 1: A daemon could send the following after initialization:
++
++     sd_notifyf(0, "READY=1\n"
++                   "STATUS=Processing requests...\n"
++                   "MAINPID=%lu",
++                   (unsigned long) getpid());
++
++  Example 2: A daemon could send the following shortly before
++  exiting, on failure:
++
++     sd_notifyf(0, "STATUS=Failed to start up: %s\n"
++                   "ERRNO=%i",
++                   strerror(errno),
++                   errno);
++
++  See sd_notifyf(3) for more information.
++*/
++int sd_notifyf(int unset_environment, const char *format, ...) _sd_printf_attr_(2,3) _sd_hidden_;
++
++/*
++  Returns > 0 if the system was booted with systemd. Returns < 0 on
++  error. Returns 0 if the system was not booted with systemd. Note
++  that all of the functions above handle non-systemd boots just
++  fine. You should NOT protect them with a call to this function. Also
++  note that this function checks whether the system, not the user
++  session is controlled by systemd. However the functions above work
++  for both user and system services.
++
++  See sd_booted(3) for more information.
++*/
++int sd_booted(void) _sd_hidden_;
++
++#ifdef __cplusplus
++}
++#endif
++
++#endif
+diff -ruN -x '*~' sysklogd-1.5-old/syslogd.c sysklogd-1.5/syslogd.c
+--- sysklogd-1.5-old/syslogd.c	2007-07-04 21:04:01.000000000 +0200
++++ sysklogd-1.5/syslogd.c	2013-05-09 16:04:32.106602589 +0200
+@@ -551,6 +551,7 @@
+ 
+ #if defined(__linux__)
+ #include <paths.h>
++#include <sd-daemon.h>
+ #endif
+ 
+ #ifndef UTMP_FILE
+@@ -965,8 +966,11 @@
+ 			}
+ 			signal (SIGTERM, SIG_DFL);
+ 			num_fds = getdtablesize();
+-			for (i= 0; i < num_fds; i++)
+-				(void) close(i);
++#if defined(__linux__)
++			if (sd_listen_fds(0) <= 0)
++#endif
++				for (i = 0; i < num_fds; i++)
++					(void) close(i);
+ 			untty();
+ 		}
+ 		else
+@@ -1253,6 +1257,60 @@
+ 	if (path[0] == '\0')
+ 		return -1;
+ 
++#if defined(__linux__)
++	if (strcmp(path, _PATH_LOG) == 0) {
++		int r;
++ 
++		/* Check whether an FD was passed in from systemd. If
++		 * so, it's the /dev/log socket, so use it. */
++ 
++		r = sd_listen_fds(0);
++		if (r < 0) {
++			logerror("Failed to acquire systemd socket");
++#ifndef SYSV
++			dienow();
++#else
++			return -1;
++#endif
++		}
++
++ 
++		if (r > 1) {
++			logerror("Wrong number of systemd sockets passed");
++#ifndef SYSV
++			dienow();
++#else
++			return -1;
++#endif
++		}
++ 
++		if (r == 1) {
++			fd = SD_LISTEN_FDS_START;
++			r = sd_is_socket_unix(fd, SOCK_DGRAM, -1, "/run/systemd/journal/syslog", 0);
++			if (r < 0) {
++				logerror("Failed to verify systemd socket type");
++#ifndef SYSV
++				dienow();
++#else
++				return -1;
++#endif
++			}
++ 
++			if (!r) {
++				logerror("Passed systemd socket of wrong type");
++#ifndef SYSV
++				dienow();
++#else
++				return -1;
++#endif
++			}
++ 
++		        dprintf("Using systemd socket (%d).\n", fd);
++			return fd;
++		}
++	}
++#endif
++
+ 	(void) unlink(path);
+ 
+ 	memset(&sunx, 0, sizeof(sunx));
+@@ -2254,9 +2312,11 @@
+ 	if (InetInuse) close(inetm);
+ 
+ 	/* Clean-up files. */
+-        for (i = 0; i < nfunix; i++)
+-		if (funixn[i] && funix[i] != -1)
+-			(void)unlink(funixn[i]);
++	i = 0;
++#if defined(__linux__)
++	if (sd_listen_fds(0) > 0)
++		i = 1;
++#endif
+ #ifndef TESTING
+ 	(void) remove_pid(PidFile);
+ #endif
diff --git a/nixpkgs/pkgs/os-specific/linux/sysklogd/union-wait.patch b/nixpkgs/pkgs/os-specific/linux/sysklogd/union-wait.patch
new file mode 100644
index 000000000000..e4bffa5d6953
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/sysklogd/union-wait.patch
@@ -0,0 +1,11 @@
+--- sysklogd-1.5-old/syslogd.c	2016-08-30 22:50:59.812926945 +0100
++++ sysklogd-1.5/syslogd.c	2016-08-30 22:51:12.008842890 +0100
+@@ -2094,7 +2094,7 @@
+ 	(void) signal(SIGCHLD, reapchild);	/* reset signal handler -ASP */
+ 	wait ((int *)0);
+ #else
+-	union wait status;
++	int status;
+ 
+ 	while (wait3(&status, WNOHANG, (struct rusage *) NULL) > 0)
+ 		;
diff --git a/nixpkgs/pkgs/os-specific/linux/syslinux/default.nix b/nixpkgs/pkgs/os-specific/linux/syslinux/default.nix
new file mode 100644
index 000000000000..f5153eb5abc9
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/syslinux/default.nix
@@ -0,0 +1,135 @@
+{ lib
+, stdenv
+, fetchgit
+, fetchurl
+, libuuid
+, makeWrapper
+, mtools
+, nasm
+, perl
+, python3
+}:
+
+stdenv.mkDerivation {
+  pname = "syslinux";
+  version = "unstable-2019-02-07";
+
+  # This is syslinux-6.04-pre3^1; syslinux-6.04-pre3 fails to run.
+  # Same issue here https://www.syslinux.org/archives/2019-February/026330.html
+  src = fetchgit {
+    url = "https://repo.or.cz/syslinux";
+    rev = "b40487005223a78c3bb4c300ef6c436b3f6ec1f7";
+    sha256 = "sha256-GqvRTr9mA2yRD0G0CF11x1X0jCgqV4Mh+tvE0/0yjqk=";
+    fetchSubmodules = true;
+  };
+
+  patches = let
+    fetchDebianPatch = name: commit: hash:
+      fetchurl {
+        url = "https://salsa.debian.org/images-team/syslinux/raw/"
+              + commit + "/debian/patches/" + name;
+        inherit name hash;
+      };
+    fetchArchlinuxPatch = name: commit: hash:
+      fetchurl {
+        url = "https://raw.githubusercontent.com/archlinux/svntogit-packages/"
+              + commit + "/trunk/" + name;
+        inherit name hash;
+      };
+  in [
+    ./gcc10.patch
+    (fetchDebianPatch
+      "0002-gfxboot-menu-label.patch"
+      "fa1349f1"
+      "sha256-0f6QhM4lJmGflLige4n7AZTodL7vnyAvi5dIedd/Lho=")
+    (fetchArchlinuxPatch
+      "0005-gnu-efi-version-compatibility.patch"
+      "821c3da473d1399d930d5b4a086e46a4179eaa45"
+      "sha256-hhCVnfbAFWj/R4yh60qsMB87ofW9RznarsByhl6L4tc=")
+    (fetchArchlinuxPatch
+      "0025-reproducible-build.patch"
+      "821c3da473d1399d930d5b4a086e46a4179eaa45"
+      "sha256-mnb291pCSFvDNxY7o4BosJ94ib3BpOGRQIiY8Q3jZmI=")
+    (fetchDebianPatch
+      # mbr.bin: too big (452 > 440)
+      # https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=906414
+      "0016-strip-gnu-property.patch"
+      "7468ef0e38c43"
+      "sha256-lW+E6THuXlTGvhly0f/D9NwYHhkiKHot2l+bz9Eaxp4=")
+    (fetchDebianPatch
+      # mbr.bin: too big (452 > 440)
+      "0017-single-load-segment.patch"
+      "012e1dd312eb"
+      "sha256-C6VmdlTs1blMGUHH3OfOlFBZsfpwRn9vWodwqVn8+Cs=")
+    (fetchDebianPatch
+      "0018-prevent-pow-optimization.patch"
+      "26f0e7b2"
+      "sha256-dVzXBi/oSV9vYgU85mRFHBKuZdup+1x1BipJX74ED7E=")
+  ];
+
+  postPatch = ''
+    substituteInPlace Makefile --replace /bin/pwd $(type -P pwd)
+    substituteInPlace utils/ppmtolss16 --replace /usr/bin/perl $(type -P perl)
+
+    # fix tests
+    substituteInPlace tests/unittest/include/unittest/unittest.h \
+      --replace /usr/include/ ""
+
+    # Hack to get `gcc -m32' to work without having 32-bit Glibc headers.
+    mkdir gnu-efi/inc/ia32/gnu
+    touch gnu-efi/inc/ia32/gnu/stubs-32.h
+  '';
+
+  nativeBuildInputs = [
+    nasm
+    perl
+    python3
+    makeWrapper
+  ];
+
+  buildInputs = [
+    libuuid
+  ];
+
+  # Fails very rarely with 'No rule to make target: ...'
+  enableParallelBuilding = false;
+
+  hardeningDisable = [ "pic" "stackprotector" "fortify" ];
+
+  stripDebugList = [ "bin" "sbin" "share/syslinux/com32" ];
+
+  # Workaround build failure on -fno-common toolchains like upstream
+  # gcc-10. Otherwise build fails as:
+  #   ld: acpi/xsdt.o:/build/syslinux-b404870/com32/gpllib/../gplinclude/memory.h:40: multiple definition of
+  #     `e820_types'; memory.o:/build/syslinux-b404870/com32/gpllib/../gplinclude/memory.h:40: first defined here
+  env.NIX_CFLAGS_COMPILE = "-fcommon";
+
+  makeFlags = [
+    "BINDIR=$(out)/bin"
+    "SBINDIR=$(out)/sbin"
+    "DATADIR=$(out)/share"
+    "MANDIR=$(out)/share/man"
+    "PERL=perl"
+    "HEXDATE=0x00000000"
+  ]
+  ++ lib.optionals stdenv.hostPlatform.isi686 [ "bios" "efi32" ];
+
+  # Some tests require qemu, some others fail in a sandboxed environment
+  doCheck = false;
+
+  postInstall = ''
+    wrapProgram $out/bin/syslinux \
+      --prefix PATH : "${mtools}/bin"
+
+    # Delete com32 headers to save space, nobody seems to be using them
+    rm -rf $out/share/syslinux/com32
+  '';
+
+  meta = with lib; {
+    homepage = "http://www.syslinux.org/";
+    description = "A lightweight bootloader";
+    license = licenses.gpl2Plus;
+    maintainers = [ maintainers.samueldr ];
+    platforms = [ "i686-linux" "x86_64-linux" ];
+  };
+}
diff --git a/nixpkgs/pkgs/os-specific/linux/syslinux/gcc10.patch b/nixpkgs/pkgs/os-specific/linux/syslinux/gcc10.patch
new file mode 100644
index 000000000000..f4893a912313
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/syslinux/gcc10.patch
@@ -0,0 +1,33 @@
+diff --git a/dos/string.h b/dos/string.h
+index f648de2..a502132 100644
+--- a/dos/string.h
++++ b/dos/string.h
+@@ -5,12 +5,13 @@
+ #ifndef _STRING_H
+ #define _STRING_H
+ 
++#include <stddef.h>
++
+ /* Standard routines */
+ #define memcpy(a,b,c)	__builtin_memcpy(a,b,c)
+ #define memmove(a,b,c)	__builtin_memmove(a,b,c)
+ #define memset(a,b,c)	__builtin_memset(a,b,c)
+ #define strcpy(a,b)	__builtin_strcpy(a,b)
+-#define strlen(a)	__builtin_strlen(a)
+ 
+ /* This only returns true or false */
+ static inline int memcmp(const void *__m1, const void *__m2, unsigned int __n)
+@@ -21,6 +22,13 @@ static inline int memcmp(const void *__m1, const void *__m2, unsigned int __n)
+     return rv;
+ }
+ 
++static inline size_t strlen(const char *s)
++{
++    size_t len = 0;
++    while (*s++) len++;
++    return len;
++}
++
+ extern char *strchr(const char *s, int c);
+ 
+ #endif /* _STRING_H */
diff --git a/nixpkgs/pkgs/os-specific/linux/sysstat/default.nix b/nixpkgs/pkgs/os-specific/linux/sysstat/default.nix
new file mode 100644
index 000000000000..303935d8adb4
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/sysstat/default.nix
@@ -0,0 +1,41 @@
+{ lib
+, stdenv
+, fetchFromGitHub
+, gettext
+, bzip2
+}:
+
+stdenv.mkDerivation rec {
+  pname = "sysstat";
+  version = "12.7.4";
+
+  src = fetchFromGitHub {
+    owner = pname;
+    repo = pname;
+    rev = "refs/tags/v${version}";
+    hash = "sha256-ELmSzWnJ8vGwGPwY/5MFp/2gQhMXMjNG4bHtCplfQSc=";
+  };
+
+  buildInputs = [ gettext ];
+
+  preConfigure = ''
+    export PATH_CP=$(type -tp cp)
+    export PATH_CHKCONFIG=/no-such-program
+    export BZIP=${bzip2.bin}/bin/bzip2
+    export SYSTEMCTL=systemctl
+    export COMPRESS_MANPG=n
+  '';
+
+  makeFlags = [ "SYSCONFIG_DIR=$(out)/etc" "IGNORE_FILE_ATTRIBUTES=y" "CHOWN=true" ];
+  installTargets = [ "install_base" "install_nls" "install_man" ];
+
+  patches = [ ./install.patch ];
+
+  meta = {
+    homepage = "http://sebastien.godard.pagesperso-orange.fr/";
+    description = "A collection of performance monitoring tools for Linux (such as sar, iostat and pidstat)";
+    license = lib.licenses.gpl2Plus;
+    platforms = lib.platforms.linux;
+    maintainers = [ lib.maintainers.eelco ];
+  };
+}
diff --git a/nixpkgs/pkgs/os-specific/linux/sysstat/install.patch b/nixpkgs/pkgs/os-specific/linux/sysstat/install.patch
new file mode 100644
index 000000000000..473fa30b98b4
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/sysstat/install.patch
@@ -0,0 +1,13 @@
+diff -rc sysstat-11.0.1/Makefile.in sysstat-11.0.1-new/Makefile.in
+*** sysstat-11.0.1/Makefile.in	2014-08-30 15:38:39.000000000 +0200
+--- sysstat-11.0.1-new/Makefile.in	2014-12-18 14:40:45.466349009 +0100
+***************
+*** 331,337 ****
+  install_base: all sa1 sa2 sysstat.sysconfig install_man install_nls \
+  	contrib/isag/isag
+  	mkdir -p $(DESTDIR)$(SA_LIB_DIR)
+- 	mkdir -p $(DESTDIR)$(SA_DIR)
+  ifeq ($(CLEAN_SA_DIR),y)
+  	find $(DESTDIR)$(SA_DIR) \( -name 'sar??' -o -name 'sa??' -o -name 'sar??.gz' -o -name 'sa??.gz' \) \
+  		-exec rm -f {} \;
+--- 331,336 ----
diff --git a/nixpkgs/pkgs/os-specific/linux/system76-acpi/default.nix b/nixpkgs/pkgs/os-specific/linux/system76-acpi/default.nix
new file mode 100644
index 000000000000..b384cf639487
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/system76-acpi/default.nix
@@ -0,0 +1,43 @@
+{ lib, stdenv, fetchFromGitHub, kernel }:
+let
+  version = "1.0.2";
+  sha256 = "1i7zjn5cdv9h00fgjg46b8yrz4d3dqvfr25g3f13967ycy58m48h";
+in
+stdenv.mkDerivation {
+  name = "system76-acpi-module-${version}-${kernel.version}";
+
+  passthru.moduleName = "system76_acpi";
+
+  src = fetchFromGitHub {
+    owner = "pop-os";
+    repo = "system76-acpi-dkms";
+    rev = version;
+    inherit sha256;
+  };
+
+  hardeningDisable = [ "pic" ];
+
+  nativeBuildInputs = kernel.moduleBuildDependencies;
+
+  buildFlags = [
+    "KERNEL_DIR=${kernel.dev}/lib/modules/${kernel.modDirVersion}/build"
+  ];
+
+  installPhase = ''
+    install -D system76_acpi.ko $out/lib/modules/${kernel.modDirVersion}/misc/system76_acpi.ko
+    mkdir -p $out/lib/udev/hwdb.d
+    mv lib/udev/hwdb.d/* $out/lib/udev/hwdb.d
+  '';
+
+  meta = with lib; {
+    maintainers = [ maintainers.khumba ];
+    license = [ licenses.gpl2Only ];
+    platforms = [ "i686-linux" "x86_64-linux" ];
+    broken = kernel.kernelOlder "5.2";
+    description = "System76 ACPI Driver (DKMS)";
+    homepage = "https://github.com/pop-os/system76-acpi-dkms";
+    longDescription = ''
+      This provides the system76_acpi in-tree driver for systems missing it.
+    '';
+  };
+}
diff --git a/nixpkgs/pkgs/os-specific/linux/system76-io/default.nix b/nixpkgs/pkgs/os-specific/linux/system76-io/default.nix
new file mode 100644
index 000000000000..54af222bc7d8
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/system76-io/default.nix
@@ -0,0 +1,38 @@
+{ lib, stdenv, fetchFromGitHub, kernel }:
+let
+  version = "1.0.2";
+  sha256 = "sha256-DWUjQmoojkzFv1p4Xyt0kOwwqQ216ocO5yR/ujhhMPA=";
+in
+stdenv.mkDerivation {
+  name = "system76-io-module-${version}-${kernel.version}";
+
+  passthru.moduleName = "system76_io";
+
+  src = fetchFromGitHub {
+    owner = "pop-os";
+    repo = "system76-io-dkms";
+    rev = version;
+    inherit sha256;
+  };
+
+  hardeningDisable = [ "pic" ];
+
+  nativeBuildInputs = kernel.moduleBuildDependencies;
+
+  buildFlags = [
+    "KERNEL_DIR=${kernel.dev}/lib/modules/${kernel.modDirVersion}/build"
+  ];
+
+  installPhase = ''
+    install -D system76-io.ko $out/lib/modules/${kernel.modDirVersion}/misc/system76-io.ko
+  '';
+
+  meta = with lib; {
+    maintainers = [ maintainers.khumba ];
+    license = [ licenses.gpl2Plus ];
+    platforms = [ "i686-linux" "x86_64-linux" ];
+    broken = versionOlder kernel.version "4.14";
+    description = "DKMS module for controlling System76 I/O board";
+    homepage = "https://github.com/pop-os/system76-io-dkms";
+  };
+}
diff --git a/nixpkgs/pkgs/os-specific/linux/system76-power/default.nix b/nixpkgs/pkgs/os-specific/linux/system76-power/default.nix
new file mode 100644
index 000000000000..f1a4c9b7bb3b
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/system76-power/default.nix
@@ -0,0 +1,32 @@
+{ pkg-config, libusb1, dbus, lib, rustPlatform, fetchFromGitHub }:
+
+rustPlatform.buildRustPackage rec {
+  pname = "system76-power";
+  version = "1.1.23";
+
+  src = fetchFromGitHub {
+    owner = "pop-os";
+    repo = "system76-power";
+    rev = version;
+    sha256 = "sha256-RuYDG4eZE599oa04xUR+W5B3/IPOpQUss1x7hzoydUQ=";
+  };
+
+  nativeBuildInputs = [ pkg-config ];
+  buildInputs = [ dbus libusb1 ];
+
+  cargoSha256 = "sha256-Vps02ZRVmeOQ8jDFZJYAUb502MhqY+2YV2W1/9XGY+0=";
+
+  postInstall = ''
+    install -D -m 0644 data/com.system76.PowerDaemon.conf $out/etc/dbus-1/system.d/com.system76.PowerDaemon.conf
+    install -D -m 0644 data/com.system76.PowerDaemon.policy $out/share/polkit-1/actions/com.system76.PowerDaemon.policy
+    install -D -m 0644 data/com.system76.PowerDaemon.xml $out/share/dbus-1/interfaces/com.system76.PowerDaemon.xml
+  '';
+
+  meta = with lib; {
+    description = "System76 Power Management";
+    homepage = "https://github.com/pop-os/system76-power";
+    license = licenses.gpl3Plus;
+    platforms = [ "i686-linux" "x86_64-linux" ];
+    maintainers = [ maintainers.jwoudenberg ];
+  };
+}
diff --git a/nixpkgs/pkgs/os-specific/linux/system76-scheduler/01-fix-pipewire-paths.kdl b/nixpkgs/pkgs/os-specific/linux/system76-scheduler/01-fix-pipewire-paths.kdl
new file mode 100644
index 000000000000..1ce08e2d3436
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/system76-scheduler/01-fix-pipewire-paths.kdl
@@ -0,0 +1,8 @@
+assignments {
+  sound-server {
+    // original config matches on /usr/bin/..., but this is NixOS
+    pipewire
+    pipewire-pulse
+    jackd
+  }
+}
diff --git a/nixpkgs/pkgs/os-specific/linux/system76-scheduler/default.nix b/nixpkgs/pkgs/os-specific/linux/system76-scheduler/default.nix
new file mode 100644
index 000000000000..99c54900cf71
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/system76-scheduler/default.nix
@@ -0,0 +1,43 @@
+{ lib
+, fetchFromGitHub
+, rustPlatform
+, pipewire
+, pkg-config
+, bcc
+, dbus }:
+
+let
+  version = "2.0.1";
+in rustPlatform.buildRustPackage {
+  pname = "system76-scheduler";
+  inherit version;
+  src = fetchFromGitHub {
+    owner = "pop-os";
+    repo = "system76-scheduler";
+    rev = version;
+    hash = "sha256-o4noaLBXHDe7pMBHfQ85uzKJzwbBE5mkWq8h9l6iIZs=";
+  };
+  cargoSha256 = "sha256-hpFDAhOzm4v3lBWwAl/10pS5xvKCScdKsp5wpCeQ+FE=";
+
+  nativeBuildInputs = [ pkg-config rustPlatform.bindgenHook ];
+  buildInputs = [ dbus pipewire ];
+
+  EXECSNOOP_PATH = "${bcc}/bin/execsnoop";
+
+  # tests don't build
+  doCheck = false;
+
+  postInstall = ''
+    mkdir -p $out/data
+    install -D -m 0644 data/com.system76.Scheduler.conf $out/etc/dbus-1/system.d/com.system76.Scheduler.conf
+    install -D -m 0644 data/*.kdl $out/data/
+  '';
+
+  meta = with lib; {
+    description = "System76 Scheduler";
+    homepage = "https://github.com/pop-os/system76-scheduler";
+    license = licenses.mpl20;
+    platforms = [ "x86_64-linux" "x86-linux" "aarch64-linux" ];
+    maintainers = [ maintainers.cmm ];
+  };
+}
diff --git a/nixpkgs/pkgs/os-specific/linux/system76/default.nix b/nixpkgs/pkgs/os-specific/linux/system76/default.nix
new file mode 100644
index 000000000000..7d9cd9bde024
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/system76/default.nix
@@ -0,0 +1,44 @@
+{ lib, stdenv, fetchFromGitHub, kernel }:
+let
+  version = "1.0.13";
+  sha256 = "162hhmnww8z9k0795ffs8v3f61hlfm375law156sk5l08if19a4r";
+in
+stdenv.mkDerivation {
+  name = "system76-module-${version}-${kernel.version}";
+
+  passthru.moduleName = "system76";
+
+  src = fetchFromGitHub {
+    owner = "pop-os";
+    repo = "system76-dkms";
+    rev = version;
+    inherit sha256;
+  };
+
+  hardeningDisable = [ "pic" ];
+
+  nativeBuildInputs = kernel.moduleBuildDependencies;
+
+  buildFlags = [
+    "KERNEL_DIR=${kernel.dev}/lib/modules/${kernel.modDirVersion}/build"
+  ];
+
+  installPhase = ''
+    install -D system76.ko $out/lib/modules/${kernel.modDirVersion}/misc/system76.ko
+    mkdir -p $out/lib/udev/hwdb.d
+    mv lib/udev/hwdb.d/* $out/lib/udev/hwdb.d
+  '';
+
+  meta = with lib; {
+    maintainers = [ maintainers.khumba ];
+    license = [ licenses.gpl2Plus ];
+    platforms = [ "i686-linux" "x86_64-linux" ];
+    broken = versionOlder kernel.version "4.14";
+    description = "System76 DKMS driver";
+    homepage = "https://github.com/pop-os/system76-dkms";
+    longDescription = ''
+      The System76 DKMS driver. On newer System76 laptops, this driver controls
+      some of the hotkeys and allows for custom fan control.
+    '';
+  };
+}
diff --git a/nixpkgs/pkgs/os-specific/linux/systemd-wait/default.nix b/nixpkgs/pkgs/os-specific/linux/systemd-wait/default.nix
new file mode 100644
index 000000000000..348549a1bc64
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/systemd-wait/default.nix
@@ -0,0 +1,25 @@
+{ python3Packages, fetchFromGitHub, lib }:
+
+python3Packages.buildPythonApplication rec {
+  pname = "systemd-wait";
+  version = "0.1+2018-10-05";
+
+  src = fetchFromGitHub {
+    owner = "Stebalien";
+    repo = pname;
+    rev = "bbb58dd4584cc08ad20c3888edb7628f28aee3c7";
+    sha256 = "1l8rd0wzf3m7fk0g1c8wc0csdisdfac0filhixpgp0ck9ignayq5";
+  };
+
+  propagatedBuildInputs = with python3Packages; [
+    dbus-python pygobject3
+  ];
+
+  meta = {
+    homepage = "https://github.com/Stebalien/systemd-wait";
+    license = lib.licenses.gpl3;
+    description = "Wait for a systemd unit to enter a specific state";
+    maintainers = [ lib.maintainers.benley ];
+    platforms = lib.platforms.linux;
+  };
+}
diff --git a/nixpkgs/pkgs/os-specific/linux/systemd/0001-Start-device-units-for-uninitialised-encrypted-devic.patch b/nixpkgs/pkgs/os-specific/linux/systemd/0001-Start-device-units-for-uninitialised-encrypted-devic.patch
new file mode 100644
index 000000000000..104a9dad959a
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/systemd/0001-Start-device-units-for-uninitialised-encrypted-devic.patch
@@ -0,0 +1,29 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Eelco Dolstra <eelco.dolstra@logicblox.com>
+Date: Tue, 8 Jan 2013 15:46:30 +0100
+Subject: [PATCH] Start device units for uninitialised encrypted devices
+
+This is necessary because the NixOS service that initialises the
+filesystem depends on the appearance of the device unit.  Also, this
+makes more sense to me: the device is ready; it's the filesystem
+that's not, but taking care of that is the responsibility of the mount
+unit.  (However, this ignores the fsck unit, so it's not perfect...)
+---
+ rules.d/99-systemd.rules.in | 4 ----
+ 1 file changed, 4 deletions(-)
+
+diff --git a/rules.d/99-systemd.rules.in b/rules.d/99-systemd.rules.in
+index c0defc31de..8f80235731 100644
+--- a/rules.d/99-systemd.rules.in
++++ b/rules.d/99-systemd.rules.in
+@@ -20,10 +20,6 @@ SUBSYSTEM=="block", TAG+="systemd"
+ SUBSYSTEM=="block", ENV{DM_SUSPENDED}=="1", IMPORT{db}="SYSTEMD_READY", GOTO="systemd_end"
+ SUBSYSTEM=="block", ACTION=="add", ENV{DM_UDEV_DISABLE_OTHER_RULES_FLAG}=="1", ENV{SYSTEMD_READY}="0"
+ 
+-# Ignore encrypted devices with no identified superblock on it, since
+-# we are probably still calling mke2fs or mkswap on it.
+-SUBSYSTEM=="block", ENV{DM_UUID}=="CRYPT-*", ENV{ID_PART_TABLE_TYPE}=="", ENV{ID_FS_USAGE}=="", ENV{SYSTEMD_READY}="0"
+-
+ # Explicitly set SYSTEMD_READY=1 for DM devices that don't have it set yet, so that we always have something to import above
+ SUBSYSTEM=="block", ENV{DM_UUID}=="?*", ENV{SYSTEMD_READY}=="", ENV{SYSTEMD_READY}="1"
+ 
diff --git a/nixpkgs/pkgs/os-specific/linux/systemd/0002-Don-t-try-to-unmount-nix-or-nix-store.patch b/nixpkgs/pkgs/os-specific/linux/systemd/0002-Don-t-try-to-unmount-nix-or-nix-store.patch
new file mode 100644
index 000000000000..dda8524c498d
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/systemd/0002-Don-t-try-to-unmount-nix-or-nix-store.patch
@@ -0,0 +1,45 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Raito Bezarius <masterancpp@gmail.com>
+Date: Mon, 19 Jun 2023 02:11:35 +0200
+Subject: [PATCH] Don't try to unmount /nix or /nix/store
+
+They'll still be remounted read-only.
+
+https://github.com/NixOS/nixos/issues/126
+
+Original-Author: Eelco Dolstra <eelco.dolstra@logicblox.com>
+---
+ src/shared/fstab-util.c | 2 ++
+ src/shutdown/umount.c   | 6 ++++--
+ 2 files changed, 6 insertions(+), 2 deletions(-)
+
+diff --git a/src/shared/fstab-util.c b/src/shared/fstab-util.c
+index 4ffec25c75..b99031c54e 100644
+--- a/src/shared/fstab-util.c
++++ b/src/shared/fstab-util.c
+@@ -43,6 +43,8 @@ bool fstab_is_extrinsic(const char *mount, const char *opts) {
+         /* Don't bother with the OS data itself */
+         if (PATH_IN_SET(mount,
+                         "/",
++                        "/nix",
++                        "/nix/store",
+                         "/usr",
+                         "/etc"))
+                 return true;
+diff --git a/src/shutdown/umount.c b/src/shutdown/umount.c
+index 1586c2e214..fcae95f824 100644
+--- a/src/shutdown/umount.c
++++ b/src/shutdown/umount.c
+@@ -170,8 +170,10 @@ int mount_points_list_get(const char *mountinfo, MountPoint **head) {
+ static bool nonunmountable_path(const char *path) {
+         assert(path);
+ 
+-        return PATH_IN_SET(path, "/", "/usr") ||
+-                path_startswith(path, "/run/initramfs");
++        return PATH_IN_SET(path, "/", "/usr")
++                || path_equal(path, "/nix")
++                || path_equal(path, "/nix/store")
++                || path_startswith(path, "/run/initramfs");
+ }
+ 
+ static void log_umount_blockers(const char *mnt) {
diff --git a/nixpkgs/pkgs/os-specific/linux/systemd/0003-Fix-NixOS-containers.patch b/nixpkgs/pkgs/os-specific/linux/systemd/0003-Fix-NixOS-containers.patch
new file mode 100644
index 000000000000..2d86d1e6957a
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/systemd/0003-Fix-NixOS-containers.patch
@@ -0,0 +1,31 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Eelco Dolstra <eelco.dolstra@logicblox.com>
+Date: Wed, 16 Apr 2014 10:59:28 +0200
+Subject: [PATCH] Fix NixOS containers
+
+In NixOS containers, the init script is bind-mounted into the
+container, so checking early whether it exists will fail.
+---
+ src/nspawn/nspawn.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/src/nspawn/nspawn.c b/src/nspawn/nspawn.c
+index e170958fc5..898a674631 100644
+--- a/src/nspawn/nspawn.c
++++ b/src/nspawn/nspawn.c
+@@ -5648,6 +5648,7 @@ static int run(int argc, char *argv[]) {
+                                 goto finish;
+                         }
+                 } else {
++#if 0
+                         _cleanup_free_ char *p = NULL;
+ 
+                         if (arg_pivot_root_new)
+@@ -5662,6 +5663,7 @@ static int run(int argc, char *argv[]) {
+                                                     "Directory %s doesn't look like it has an OS tree (/usr/ directory is missing). Refusing.", arg_directory);
+                                 goto finish;
+                         }
++#endif
+                 }
+ 
+         } else {
diff --git a/nixpkgs/pkgs/os-specific/linux/systemd/0004-Add-some-NixOS-specific-unit-directories.patch b/nixpkgs/pkgs/os-specific/linux/systemd/0004-Add-some-NixOS-specific-unit-directories.patch
new file mode 100644
index 000000000000..c905a4d812af
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/systemd/0004-Add-some-NixOS-specific-unit-directories.patch
@@ -0,0 +1,127 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Raito Bezarius <masterancpp@gmail.com>
+Date: Mon, 19 Jun 2023 02:13:42 +0200
+Subject: [PATCH] Add some NixOS-specific unit directories
+
+Look in `/nix/var/nix/profiles/default/lib/systemd/{system,user}` for
+units provided by packages installed into the default profile via
+`nix-env -iA nixos.$package`.
+
+Also, remove /usr and /lib as these don't exist on NixOS.
+
+Original-Author: Eelco Dolstra <eelco.dolstra@logicblox.com>
+---
+ src/basic/path-lookup.c | 17 ++---------------
+ src/core/systemd.pc.in  |  8 ++++----
+ 2 files changed, 6 insertions(+), 19 deletions(-)
+
+diff --git a/src/basic/path-lookup.c b/src/basic/path-lookup.c
+index 7d158a8295..f9bd62b631 100644
+--- a/src/basic/path-lookup.c
++++ b/src/basic/path-lookup.c
+@@ -92,11 +92,7 @@ int xdg_user_data_dir(char **ret, const char *suffix) {
+ }
+ 
+ static const char* const user_data_unit_paths[] = {
+-        "/usr/local/lib/systemd/user",
+-        "/usr/local/share/systemd/user",
+         USER_DATA_UNIT_DIR,
+-        "/usr/lib/systemd/user",
+-        "/usr/share/systemd/user",
+         NULL
+ };
+ 
+@@ -617,15 +613,13 @@ int lookup_paths_init(
+                                         persistent_config,
+                                         SYSTEM_CONFIG_UNIT_DIR,
+                                         "/etc/systemd/system",
++                                        "/nix/var/nix/profiles/default/lib/systemd/system",
+                                         STRV_IFNOTNULL(persistent_attached),
+                                         runtime_config,
+                                         "/run/systemd/system",
+                                         STRV_IFNOTNULL(runtime_attached),
+                                         STRV_IFNOTNULL(generator),
+-                                        "/usr/local/lib/systemd/system",
+                                         SYSTEM_DATA_UNIT_DIR,
+-                                        "/usr/lib/systemd/system",
+-                                        STRV_IFNOTNULL(flags & LOOKUP_PATHS_SPLIT_USR ? "/lib/systemd/system" : NULL),
+                                         STRV_IFNOTNULL(generator_late));
+                         break;
+ 
+@@ -641,14 +635,11 @@ int lookup_paths_init(
+                                         persistent_config,
+                                         USER_CONFIG_UNIT_DIR,
+                                         "/etc/systemd/user",
++                                        "/nix/var/nix/profiles/default/lib/systemd/user",
+                                         runtime_config,
+                                         "/run/systemd/user",
+                                         STRV_IFNOTNULL(generator),
+-                                        "/usr/local/share/systemd/user",
+-                                        "/usr/share/systemd/user",
+-                                        "/usr/local/lib/systemd/user",
+                                         USER_DATA_UNIT_DIR,
+-                                        "/usr/lib/systemd/user",
+                                         STRV_IFNOTNULL(generator_late));
+                         break;
+ 
+@@ -808,7 +799,6 @@ char **generator_binary_paths(RuntimeScope scope) {
+                 case RUNTIME_SCOPE_SYSTEM:
+                         add = strv_new("/run/systemd/system-generators",
+                                        "/etc/systemd/system-generators",
+-                                       "/usr/local/lib/systemd/system-generators",
+                                        SYSTEM_GENERATOR_DIR);
+                         break;
+ 
+@@ -816,7 +806,6 @@ char **generator_binary_paths(RuntimeScope scope) {
+                 case RUNTIME_SCOPE_USER:
+                         add = strv_new("/run/systemd/user-generators",
+                                        "/etc/systemd/user-generators",
+-                                       "/usr/local/lib/systemd/user-generators",
+                                        USER_GENERATOR_DIR);
+                         break;
+ 
+@@ -855,14 +844,12 @@ char **env_generator_binary_paths(RuntimeScope runtime_scope) {
+                 case RUNTIME_SCOPE_SYSTEM:
+                         add = strv_new("/run/systemd/system-environment-generators",
+                                         "/etc/systemd/system-environment-generators",
+-                                        "/usr/local/lib/systemd/system-environment-generators",
+                                         SYSTEM_ENV_GENERATOR_DIR);
+                         break;
+ 
+                 case RUNTIME_SCOPE_USER:
+                         add = strv_new("/run/systemd/user-environment-generators",
+                                        "/etc/systemd/user-environment-generators",
+-                                       "/usr/local/lib/systemd/user-environment-generators",
+                                        USER_ENV_GENERATOR_DIR);
+                         break;
+ 
+diff --git a/src/core/systemd.pc.in b/src/core/systemd.pc.in
+index 693433b34b..5932a21b5b 100644
+--- a/src/core/systemd.pc.in
++++ b/src/core/systemd.pc.in
+@@ -38,10 +38,10 @@ systemdsystemconfdir=${systemd_system_conf_dir}
+ systemd_user_conf_dir=${sysconfdir}/systemd/user
+ systemduserconfdir=${systemd_user_conf_dir}
+ 
+-systemd_system_unit_path=${systemd_system_conf_dir}:/etc/systemd/system:/run/systemd/system:/usr/local/lib/systemd/system:${systemd_system_unit_dir}:/usr/lib/systemd/system:/lib/systemd/system
++systemd_system_unit_path=${systemd_system_conf_dir}:/etc/systemd/system:/nix/var/nix/profiles/default/lib/systemd/system:/run/systemd/system:${systemdsystemunitdir}
+ systemdsystemunitpath=${systemd_system_unit_path}
+ 
+-systemd_user_unit_path=${systemd_user_conf_dir}:/etc/systemd/user:/run/systemd/user:/usr/local/lib/systemd/user:/usr/local/share/systemd/user:${systemd_user_unit_dir}:/usr/lib/systemd/user:/usr/share/systemd/user
++systemd_user_unit_path=${systemd_user_conf_dir}:/etc/systemd/user:/nix/var/nix/profiles/default/lib/systemd/user:/run/systemd/user:${systemduserunitdir}
+ systemduserunitpath=${systemd_user_unit_path}
+ 
+ systemd_system_generator_dir=${root_prefix}/lib/systemd/system-generators
+@@ -50,10 +50,10 @@ systemdsystemgeneratordir=${systemd_system_generator_dir}
+ systemd_user_generator_dir=${prefix}/lib/systemd/user-generators
+ systemdusergeneratordir=${systemd_user_generator_dir}
+ 
+-systemd_system_generator_path=/run/systemd/system-generators:/etc/systemd/system-generators:/usr/local/lib/systemd/system-generators:${systemd_system_generator_dir}
++systemd_system_generator_path=/run/systemd/system-generators:/etc/systemd/system-generators:${systemd_system_generator_dir}
+ systemdsystemgeneratorpath=${systemd_system_generator_path}
+ 
+-systemd_user_generator_path=/run/systemd/user-generators:/etc/systemd/user-generators:/usr/local/lib/systemd/user-generators:${systemd_user_generator_dir}
++systemd_user_generator_path=/run/systemd/user-generators:/etc/systemd/user-generators:${systemd_user_generator_dir}
+ systemdusergeneratorpath=${systemd_user_generator_path}
+ 
+ systemd_sleep_dir=${root_prefix}/lib/systemd/system-sleep
diff --git a/nixpkgs/pkgs/os-specific/linux/systemd/0005-Get-rid-of-a-useless-message-in-user-sessions.patch b/nixpkgs/pkgs/os-specific/linux/systemd/0005-Get-rid-of-a-useless-message-in-user-sessions.patch
new file mode 100644
index 000000000000..0a80d5ac4e83
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/systemd/0005-Get-rid-of-a-useless-message-in-user-sessions.patch
@@ -0,0 +1,28 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Eelco Dolstra <eelco.dolstra@logicblox.com>
+Date: Mon, 11 May 2015 15:39:38 +0200
+Subject: [PATCH] Get rid of a useless message in user sessions
+
+Namely lots of variants of
+
+  Unit nix-var-nix-db.mount is bound to inactive unit dev-disk-by\x2dlabel-nixos.device. Stopping, too.
+
+in containers.
+---
+ src/core/manager.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/src/core/manager.c b/src/core/manager.c
+index 22ec6e79b1..771e8e7f16 100644
+--- a/src/core/manager.c
++++ b/src/core/manager.c
+@@ -1559,7 +1559,8 @@ static unsigned manager_dispatch_stop_when_bound_queue(Manager *m) {
+                 if (!unit_is_bound_by_inactive(u, &culprit))
+                         continue;
+ 
+-                log_unit_debug(u, "Unit is stopped because bound to inactive unit %s.", culprit->id);
++                if (u->type != UNIT_MOUNT || detect_container() <= 0)
++                        log_unit_debug(u, "Unit is stopped because bound to inactive unit %s.", culprit->id);
+ 
+                 /* If stopping a unit fails continuously we might enter a stop loop here, hence stop acting on the
+                  * service being unnecessary after a while. */
diff --git a/nixpkgs/pkgs/os-specific/linux/systemd/0006-hostnamed-localed-timedated-disable-methods-that-cha.patch b/nixpkgs/pkgs/os-specific/linux/systemd/0006-hostnamed-localed-timedated-disable-methods-that-cha.patch
new file mode 100644
index 000000000000..abc6c24dbf51
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/systemd/0006-hostnamed-localed-timedated-disable-methods-that-cha.patch
@@ -0,0 +1,105 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Gabriel Ebner <gebner@gebner.org>
+Date: Sun, 6 Dec 2015 14:26:36 +0100
+Subject: [PATCH] hostnamed, localed, timedated: disable methods that change
+ system settings.
+
+---
+ src/hostname/hostnamed.c |  6 ++++++
+ src/locale/localed.c     |  9 +++++++++
+ src/timedate/timedated.c | 10 ++++++++++
+ 3 files changed, 25 insertions(+)
+
+diff --git a/src/hostname/hostnamed.c b/src/hostname/hostnamed.c
+index 9ef45f8e75..99b1ec2e36 100644
+--- a/src/hostname/hostnamed.c
++++ b/src/hostname/hostnamed.c
+@@ -1053,6 +1053,9 @@ static int method_set_static_hostname(sd_bus_message *m, void *userdata, sd_bus_
+         if (r < 0)
+                 return r;
+ 
++        return sd_bus_error_setf(error, SD_BUS_ERROR_NOT_SUPPORTED,
++            "Changing system settings via systemd is not supported on NixOS.");
++
+         name = empty_to_null(name);
+ 
+         context_read_etc_hostname(c);
+@@ -1116,6 +1119,9 @@ static int set_machine_info(Context *c, sd_bus_message *m, int prop, sd_bus_mess
+         if (r < 0)
+                 return r;
+ 
++        return sd_bus_error_setf(error, SD_BUS_ERROR_NOT_SUPPORTED,
++            "Changing system settings via systemd is not supported on NixOS.");
++
+         name = empty_to_null(name);
+ 
+         context_read_machine_info(c);
+diff --git a/src/locale/localed.c b/src/locale/localed.c
+index f544a73580..ce00c262cc 100644
+--- a/src/locale/localed.c
++++ b/src/locale/localed.c
+@@ -229,6 +229,9 @@ static int method_set_locale(sd_bus_message *m, void *userdata, sd_bus_error *er
+ 
+         use_localegen = locale_gen_check_available();
+ 
++        return sd_bus_error_setf(error, SD_BUS_ERROR_NOT_SUPPORTED,
++            "Changing system settings via systemd is not supported on NixOS.");
++
+         /* If single locale without variable name is provided, then we assume it is LANG=. */
+         if (strv_length(l) == 1 && !strchr(l[0], '=')) {
+                 if (!locale_is_valid(l[0]))
+@@ -347,6 +350,9 @@ static int method_set_vc_keyboard(sd_bus_message *m, void *userdata, sd_bus_erro
+         if (r < 0)
+                 return bus_log_parse_error(r);
+ 
++        return sd_bus_error_setf(error, SD_BUS_ERROR_NOT_SUPPORTED,
++            "Changing system settings via systemd is not supported on NixOS.");
++
+         vc_context_empty_to_null(&in);
+ 
+         r = vc_context_verify_and_warn(&in, LOG_ERR, error);
+@@ -465,6 +471,9 @@ static int method_set_x11_keyboard(sd_bus_message *m, void *userdata, sd_bus_err
+         if (r < 0)
+                 return bus_log_parse_error(r);
+ 
++        return sd_bus_error_setf(error, SD_BUS_ERROR_NOT_SUPPORTED,
++            "Changing system settings via systemd is not supported on NixOS.");
++
+         x11_context_empty_to_null(&in);
+ 
+         r = x11_context_verify_and_warn(&in, LOG_ERR, error);
+diff --git a/src/timedate/timedated.c b/src/timedate/timedated.c
+index ad1d492d6b..331af34505 100644
+--- a/src/timedate/timedated.c
++++ b/src/timedate/timedated.c
+@@ -665,6 +665,10 @@ static int method_set_timezone(sd_bus_message *m, void *userdata, sd_bus_error *
+         if (r < 0)
+                 return r;
+ 
++        if (getenv("NIXOS_STATIC_TIMEZONE"))
++                return sd_bus_error_setf(error, SD_BUS_ERROR_NOT_SUPPORTED,
++                    "Changing timezone via systemd is not supported when it is set in NixOS configuration.");
++
+         if (!timezone_is_valid(z, LOG_DEBUG))
+                 return sd_bus_error_setf(error, SD_BUS_ERROR_INVALID_ARGS, "Invalid or not installed time zone '%s'", z);
+ 
+@@ -743,6 +747,9 @@ static int method_set_local_rtc(sd_bus_message *m, void *userdata, sd_bus_error
+         if (r < 0)
+                 return r;
+ 
++        return sd_bus_error_setf(error, SD_BUS_ERROR_NOT_SUPPORTED,
++            "Changing system settings via systemd is not supported on NixOS.");
++
+         if (lrtc == c->local_rtc && !fix_system)
+                 return sd_bus_reply_method_return(m, NULL);
+ 
+@@ -923,6 +930,9 @@ static int method_set_ntp(sd_bus_message *m, void *userdata, sd_bus_error *error
+         if (r < 0)
+                 return r;
+ 
++        return sd_bus_error_setf(error, SD_BUS_ERROR_NOT_SUPPORTED,
++            "Changing system settings via systemd is not supported on NixOS.");
++
+         r = context_update_ntp_status(c, bus, m);
+         if (r < 0)
+                 return r;
diff --git a/nixpkgs/pkgs/os-specific/linux/systemd/0007-Fix-hwdb-paths.patch b/nixpkgs/pkgs/os-specific/linux/systemd/0007-Fix-hwdb-paths.patch
new file mode 100644
index 000000000000..7777ba7e4259
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/systemd/0007-Fix-hwdb-paths.patch
@@ -0,0 +1,24 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Nikolay Amiantov <ab@fmap.me>
+Date: Thu, 7 Jul 2016 02:47:13 +0300
+Subject: [PATCH] Fix hwdb paths
+
+Patch by vcunat.
+---
+ src/libsystemd/sd-hwdb/hwdb-internal.h | 6 +-----
+ 1 file changed, 1 insertion(+), 5 deletions(-)
+
+diff --git a/src/libsystemd/sd-hwdb/hwdb-internal.h b/src/libsystemd/sd-hwdb/hwdb-internal.h
+index 5302679a62..39e59a527f 100644
+--- a/src/libsystemd/sd-hwdb/hwdb-internal.h
++++ b/src/libsystemd/sd-hwdb/hwdb-internal.h
+@@ -83,8 +83,4 @@ struct trie_value_entry2_f {
+ } _packed_;
+ 
+ #define hwdb_bin_paths                          \
+-        "/etc/systemd/hwdb/hwdb.bin\0"          \
+-        "/etc/udev/hwdb.bin\0"                  \
+-        "/usr/lib/systemd/hwdb/hwdb.bin\0"      \
+-        _CONF_PATHS_SPLIT_USR_NULSTR("systemd/hwdb/hwdb.bin") \
+-        UDEVLIBEXECDIR "/hwdb.bin\0"
++        "/etc/udev/hwdb.bin\0"
diff --git a/nixpkgs/pkgs/os-specific/linux/systemd/0008-Change-usr-share-zoneinfo-to-etc-zoneinfo.patch b/nixpkgs/pkgs/os-specific/linux/systemd/0008-Change-usr-share-zoneinfo-to-etc-zoneinfo.patch
new file mode 100644
index 000000000000..3150d97be2e1
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/systemd/0008-Change-usr-share-zoneinfo-to-etc-zoneinfo.patch
@@ -0,0 +1,138 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Nikolay Amiantov <ab@fmap.me>
+Date: Tue, 11 Oct 2016 13:12:08 +0300
+Subject: [PATCH] Change /usr/share/zoneinfo to /etc/zoneinfo
+
+NixOS uses this path.
+---
+ man/localtime.xml         | 4 ++--
+ src/basic/time-util.c     | 8 ++++----
+ src/firstboot/firstboot.c | 2 +-
+ src/nspawn/nspawn.c       | 4 ++--
+ src/timedate/timedated.c  | 8 ++++----
+ 5 files changed, 13 insertions(+), 13 deletions(-)
+
+diff --git a/man/localtime.xml b/man/localtime.xml
+index e486474c44..5f373d0723 100644
+--- a/man/localtime.xml
++++ b/man/localtime.xml
+@@ -20,7 +20,7 @@
+   </refnamediv>
+ 
+   <refsynopsisdiv>
+-    <para><filename>/etc/localtime</filename> -&gt; <filename>../usr/share/zoneinfo/…</filename></para>
++    <para><filename>/etc/localtime</filename> -&gt; <filename>zoneinfo/…</filename></para>
+   </refsynopsisdiv>
+ 
+   <refsect1>
+@@ -30,7 +30,7 @@
+     system-wide timezone of the local system that is used by
+     applications for presentation to the user. It should be an
+     absolute or relative symbolic link pointing to
+-    <filename>/usr/share/zoneinfo/</filename>, followed by a timezone
++    <filename>/etc/zoneinfo/</filename>, followed by a timezone
+     identifier such as <literal>Europe/Berlin</literal> or
+     <literal>Etc/UTC</literal>. The resulting link should lead to the
+     corresponding binary
+diff --git a/src/basic/time-util.c b/src/basic/time-util.c
+index 1db630003a..31744c3e68 100644
+--- a/src/basic/time-util.c
++++ b/src/basic/time-util.c
+@@ -1350,7 +1350,7 @@ static int get_timezones_from_zone1970_tab(char ***ret) {
+ 
+         assert(ret);
+ 
+-        f = fopen("/usr/share/zoneinfo/zone1970.tab", "re");
++        f = fopen("/etc/zoneinfo/zone1970.tab", "re");
+         if (!f)
+                 return -errno;
+ 
+@@ -1391,7 +1391,7 @@ static int get_timezones_from_tzdata_zi(char ***ret) {
+ 
+         assert(ret);
+ 
+-        f = fopen("/usr/share/zoneinfo/tzdata.zi", "re");
++        f = fopen("/etc/zoneinfo/tzdata.zi", "re");
+         if (!f)
+                 return -errno;
+ 
+@@ -1503,7 +1503,7 @@ int verify_timezone(const char *name, int log_level) {
+         if (p - name >= PATH_MAX)
+                 return -ENAMETOOLONG;
+ 
+-        t = strjoina("/usr/share/zoneinfo/", name);
++        t = strjoina("/etc/zoneinfo/", name);
+ 
+         fd = open(t, O_RDONLY|O_CLOEXEC);
+         if (fd < 0)
+@@ -1563,7 +1563,7 @@ int get_timezone(char **ret) {
+         if (r < 0)
+                 return r; /* returns EINVAL if not a symlink */
+ 
+-        e = PATH_STARTSWITH_SET(t, "/usr/share/zoneinfo/", "../usr/share/zoneinfo/");
++        e = PATH_STARTSWITH_SET(t, "/etc/zoneinfo/", "../etc/zoneinfo/");
+         if (!e)
+                 return -EINVAL;
+ 
+diff --git a/src/firstboot/firstboot.c b/src/firstboot/firstboot.c
+index 1956ab3b13..9ef356f8af 100644
+--- a/src/firstboot/firstboot.c
++++ b/src/firstboot/firstboot.c
+@@ -630,7 +630,7 @@ static int process_timezone(int rfd) {
+         if (isempty(arg_timezone))
+                 return 0;
+ 
+-        e = strjoina("../usr/share/zoneinfo/", arg_timezone);
++        e = strjoina("zoneinfo/", arg_timezone);
+ 
+         r = symlinkat_atomic_full(e, pfd, f, /* make_relative= */ false);
+         if (r < 0)
+diff --git a/src/nspawn/nspawn.c b/src/nspawn/nspawn.c
+index 898a674631..c41a416e04 100644
+--- a/src/nspawn/nspawn.c
++++ b/src/nspawn/nspawn.c
+@@ -1924,8 +1924,8 @@ int userns_mkdir(const char *root, const char *path, mode_t mode, uid_t uid, gid
+ static const char *timezone_from_path(const char *path) {
+         return PATH_STARTSWITH_SET(
+                         path,
+-                        "../usr/share/zoneinfo/",
+-                        "/usr/share/zoneinfo/");
++                        "../etc/zoneinfo/",
++                        "/etc/zoneinfo/");
+ }
+ 
+ static bool etc_writable(void) {
+diff --git a/src/timedate/timedated.c b/src/timedate/timedated.c
+index 331af34505..722c4b5b4f 100644
+--- a/src/timedate/timedated.c
++++ b/src/timedate/timedated.c
+@@ -282,7 +282,7 @@ static int context_read_data(Context *c) {
+ 
+         r = get_timezone(&t);
+         if (r == -EINVAL)
+-                log_warning_errno(r, "/etc/localtime should be a symbolic link to a time zone data file in /usr/share/zoneinfo/.");
++                log_warning_errno(r, "/etc/localtime should be a symbolic link to a time zone data file in /etc/zoneinfo/.");
+         else if (r < 0)
+                 log_warning_errno(r, "Failed to get target of /etc/localtime: %m");
+ 
+@@ -306,7 +306,7 @@ static int context_write_data_timezone(Context *c) {
+ 
+         if (isempty(c->zone) || streq(c->zone, "UTC")) {
+ 
+-                if (access("/usr/share/zoneinfo/UTC", F_OK) < 0) {
++                if (access("/etc/zoneinfo/UTC", F_OK) < 0) {
+ 
+                         if (unlink("/etc/localtime") < 0 && errno != ENOENT)
+                                 return -errno;
+@@ -314,9 +314,9 @@ static int context_write_data_timezone(Context *c) {
+                         return 0;
+                 }
+ 
+-                source = "../usr/share/zoneinfo/UTC";
++                source = "../etc/zoneinfo/UTC";
+         } else {
+-                p = path_join("../usr/share/zoneinfo", c->zone);
++                p = path_join("../etc/zoneinfo", c->zone);
+                 if (!p)
+                         return -ENOMEM;
+ 
diff --git a/nixpkgs/pkgs/os-specific/linux/systemd/0009-localectl-use-etc-X11-xkb-for-list-x11.patch b/nixpkgs/pkgs/os-specific/linux/systemd/0009-localectl-use-etc-X11-xkb-for-list-x11.patch
new file mode 100644
index 000000000000..c0f6afd7fc7b
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/systemd/0009-localectl-use-etc-X11-xkb-for-list-x11.patch
@@ -0,0 +1,24 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Imuli <i@imu.li>
+Date: Wed, 19 Oct 2016 08:46:47 -0400
+Subject: [PATCH] localectl: use /etc/X11/xkb for list-x11-*
+
+NixOS has an option to link the xkb data files to /etc/X11, but not to
+/usr/share/X11.
+---
+ src/locale/localectl.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/locale/localectl.c b/src/locale/localectl.c
+index d8db9d9d22..4601bb5431 100644
+--- a/src/locale/localectl.c
++++ b/src/locale/localectl.c
+@@ -297,7 +297,7 @@ static int list_x11_keymaps(int argc, char **argv, void *userdata) {
+         } state = NONE, look_for;
+         int r;
+ 
+-        f = fopen("/usr/share/X11/xkb/rules/base.lst", "re");
++        f = fopen("/etc/X11/xkb/rules/base.lst", "re");
+         if (!f)
+                 return log_error_errno(errno, "Failed to open keyboard mapping list. %m");
+ 
diff --git a/nixpkgs/pkgs/os-specific/linux/systemd/0010-build-don-t-create-statedir-and-don-t-touch-prefixdi.patch b/nixpkgs/pkgs/os-specific/linux/systemd/0010-build-don-t-create-statedir-and-don-t-touch-prefixdi.patch
new file mode 100644
index 000000000000..b8f97308acfb
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/systemd/0010-build-don-t-create-statedir-and-don-t-touch-prefixdi.patch
@@ -0,0 +1,23 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Franz Pletz <fpletz@fnordicwalking.de>
+Date: Sun, 11 Feb 2018 04:37:44 +0100
+Subject: [PATCH] build: don't create statedir and don't touch prefixdir
+
+---
+ meson.build | 3 ---
+ 1 file changed, 3 deletions(-)
+
+diff --git a/meson.build b/meson.build
+index 395eca1943..082cd748bb 100644
+--- a/meson.build
++++ b/meson.build
+@@ -4707,9 +4707,6 @@ install_data('LICENSE.GPL2',
+ install_subdir('LICENSES',
+                install_dir : docdir)
+ 
+-meson.add_install_script('sh', '-c', mkdir_p.format(systemdstatedir))
+-meson.add_install_script('sh', '-c', 'touch $DESTDIR@0@'.format(prefixdir))
+-
+ ############################################################
+ 
+ # Ensure that changes to the docs/ directory do not break the
diff --git a/nixpkgs/pkgs/os-specific/linux/systemd/0011-add-rootprefix-to-lookup-dir-paths.patch b/nixpkgs/pkgs/os-specific/linux/systemd/0011-add-rootprefix-to-lookup-dir-paths.patch
new file mode 100644
index 000000000000..fa201126ae27
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/systemd/0011-add-rootprefix-to-lookup-dir-paths.patch
@@ -0,0 +1,35 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Andreas Rammhold <andreas@rammhold.de>
+Date: Thu, 9 May 2019 11:15:22 +0200
+Subject: [PATCH] add rootprefix to lookup dir paths
+
+systemd does not longer use the UDEVLIBEXEC directory as root for
+discovery default udev rules. By adding `$out/lib` to the lookup paths
+we should again be able to discover the udev rules amongst other default
+files that I might have missed.
+---
+ src/basic/constants.h | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/src/basic/constants.h b/src/basic/constants.h
+index 3f96786da9..6e8fb40c08 100644
+--- a/src/basic/constants.h
++++ b/src/basic/constants.h
+@@ -74,13 +74,15 @@
+         "/run/" n "\0"                          \
+         "/usr/local/lib/" n "\0"                \
+         "/usr/lib/" n "\0"                      \
+-        _CONF_PATHS_SPLIT_USR_NULSTR(n)
++        _CONF_PATHS_SPLIT_USR_NULSTR(n)         \
++        ROOTPREFIX "/lib/" n "\0"
+ 
+ #define CONF_PATHS_USR(n)                       \
+         "/etc/" n,                              \
+         "/run/" n,                              \
+         "/usr/local/lib/" n,                    \
+-        "/usr/lib/" n
++        "/usr/lib/" n,                          \
++        ROOTPREFIX "/lib/" n
+ 
+ #define CONF_PATHS(n)                           \
+         CONF_PATHS_USR(n)                       \
diff --git a/nixpkgs/pkgs/os-specific/linux/systemd/0012-systemd-shutdown-execute-scripts-in-etc-systemd-syst.patch b/nixpkgs/pkgs/os-specific/linux/systemd/0012-systemd-shutdown-execute-scripts-in-etc-systemd-syst.patch
new file mode 100644
index 000000000000..fde1e2b276c5
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/systemd/0012-systemd-shutdown-execute-scripts-in-etc-systemd-syst.patch
@@ -0,0 +1,23 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Nikolay Amiantov <ab@fmap.me>
+Date: Thu, 25 Jul 2019 20:45:55 +0300
+Subject: [PATCH] systemd-shutdown: execute scripts in
+ /etc/systemd/system-shutdown
+
+This is needed for NixOS to use such scripts as systemd directory is immutable.
+---
+ src/shutdown/shutdown.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/src/shutdown/shutdown.c b/src/shutdown/shutdown.c
+index 8395bb429d..14fbc85bb4 100644
+--- a/src/shutdown/shutdown.c
++++ b/src/shutdown/shutdown.c
+@@ -334,6 +334,7 @@ static void init_watchdog(void) {
+ int main(int argc, char *argv[]) {
+         static const char* const dirs[] = {
+                 SYSTEM_SHUTDOWN_PATH,
++                "/etc/systemd/system-shutdown",
+                 NULL
+         };
+         _cleanup_free_ char *cgroup = NULL;
diff --git a/nixpkgs/pkgs/os-specific/linux/systemd/0013-systemd-sleep-execute-scripts-in-etc-systemd-system-.patch b/nixpkgs/pkgs/os-specific/linux/systemd/0013-systemd-sleep-execute-scripts-in-etc-systemd-system-.patch
new file mode 100644
index 000000000000..d91150cfc490
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/systemd/0013-systemd-sleep-execute-scripts-in-etc-systemd-system-.patch
@@ -0,0 +1,22 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Nikolay Amiantov <ab@fmap.me>
+Date: Thu, 25 Jul 2019 20:46:58 +0300
+Subject: [PATCH] systemd-sleep: execute scripts in /etc/systemd/system-sleep
+
+This is needed for NixOS to use such scripts as systemd directory is immutable.
+---
+ src/sleep/sleep.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/src/sleep/sleep.c b/src/sleep/sleep.c
+index de1f6c7ec1..d0cdebd80a 100644
+--- a/src/sleep/sleep.c
++++ b/src/sleep/sleep.c
+@@ -224,6 +224,7 @@ static int execute(
+         };
+         static const char* const dirs[] = {
+                 SYSTEM_SLEEP_PATH,
++                "/etc/systemd/system-sleep",
+                 NULL
+         };
+ 
diff --git a/nixpkgs/pkgs/os-specific/linux/systemd/0014-path-util.h-add-placeholder-for-DEFAULT_PATH_NORMAL.patch b/nixpkgs/pkgs/os-specific/linux/systemd/0014-path-util.h-add-placeholder-for-DEFAULT_PATH_NORMAL.patch
new file mode 100644
index 000000000000..13dec1070ffc
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/systemd/0014-path-util.h-add-placeholder-for-DEFAULT_PATH_NORMAL.patch
@@ -0,0 +1,30 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Florian Klink <flokli@flokli.de>
+Date: Sun, 8 Mar 2020 01:05:54 +0100
+Subject: [PATCH] path-util.h: add placeholder for DEFAULT_PATH_NORMAL
+
+This will be the $PATH used to lookup ExecStart= etc. options, which
+systemd itself uses extensively.
+---
+ src/basic/path-util.h | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/src/basic/path-util.h b/src/basic/path-util.h
+index 97175bee11..3839704901 100644
+--- a/src/basic/path-util.h
++++ b/src/basic/path-util.h
+@@ -25,11 +25,11 @@
+ #  define PATH_SBIN_BIN_NULSTR(x) PATH_NORMAL_SBIN_BIN_NULSTR(x)
+ #endif
+ 
+-#define DEFAULT_PATH_NORMAL PATH_SBIN_BIN("/usr/local/") ":" PATH_SBIN_BIN("/usr/")
+-#define DEFAULT_PATH_NORMAL_NULSTR PATH_SBIN_BIN_NULSTR("/usr/local/") PATH_SBIN_BIN_NULSTR("/usr/")
++#define DEFAULT_PATH_NORMAL "@defaultPathNormal@"
++#define DEFAULT_PATH_NORMAL_NULSTR "@defaultPathNormal@\0"
+ #define DEFAULT_PATH_SPLIT_USR DEFAULT_PATH_NORMAL ":" PATH_SBIN_BIN("/")
+ #define DEFAULT_PATH_SPLIT_USR_NULSTR DEFAULT_PATH_NORMAL_NULSTR PATH_SBIN_BIN_NULSTR("/")
+-#define DEFAULT_PATH_COMPAT PATH_SPLIT_SBIN_BIN("/usr/local/") ":" PATH_SPLIT_SBIN_BIN("/usr/") ":" PATH_SPLIT_SBIN_BIN("/")
++#define DEFAULT_PATH_COMPAT DEFAULT_PATH_NORMAL
+ 
+ #if HAVE_SPLIT_USR
+ #  define DEFAULT_PATH DEFAULT_PATH_SPLIT_USR
diff --git a/nixpkgs/pkgs/os-specific/linux/systemd/0015-pkg-config-derive-prefix-from-prefix.patch b/nixpkgs/pkgs/os-specific/linux/systemd/0015-pkg-config-derive-prefix-from-prefix.patch
new file mode 100644
index 000000000000..3fbfd7f10ab4
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/systemd/0015-pkg-config-derive-prefix-from-prefix.patch
@@ -0,0 +1,30 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?J=C3=B6rg=20Thalheim?= <joerg@thalheim.io>
+Date: Sun, 6 Dec 2020 08:34:19 +0100
+Subject: [PATCH] pkg-config: derive prefix from --prefix
+
+Point prefix to the one configured, instead of `/usr` `systemd` has limited
+support for making the pkgconfig prefix overridable, and interpolates those
+values later down.
+
+So we only need to patch this one value to get the correct paths.
+See systemd/systemd@bc4e6e27922a2873985ab9367d79fb099f70b505 for details.
+
+Co-Authored-By: Florian Klink <flokli@flokli.de>
+---
+ src/core/systemd.pc.in | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/core/systemd.pc.in b/src/core/systemd.pc.in
+index 5932a21b5b..20bf8e316d 100644
+--- a/src/core/systemd.pc.in
++++ b/src/core/systemd.pc.in
+@@ -11,7 +11,7 @@
+ # considered deprecated (though there is no plan to remove them). New names
+ # shall have underscores.
+ 
+-prefix=/usr
++prefix={{PREFIX}}
+ root_prefix={{ROOTPREFIX_NOSLASH}}
+ rootprefix=${root_prefix}
+ sysconf_dir={{SYSCONF_DIR}}
diff --git a/nixpkgs/pkgs/os-specific/linux/systemd/0016-inherit-systemd-environment-when-calling-generators.patch b/nixpkgs/pkgs/os-specific/linux/systemd/0016-inherit-systemd-environment-when-calling-generators.patch
new file mode 100644
index 000000000000..d6640c87454a
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/systemd/0016-inherit-systemd-environment-when-calling-generators.patch
@@ -0,0 +1,39 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Yuriy Taraday <yorik.sar@gmail.com>
+Date: Fri, 17 Jun 2022 12:45:10 +0000
+Subject: [PATCH] inherit systemd environment when calling generators.
+
+Systemd generators need access to the environment configured in
+stage-2-init.sh since it schedules fsck and mkfs executions based on
+being able to find an appropriate binary for the target filesystem.
+
+With this commit I am altering the systemd behaviour since upstream
+tries to gather environments with that they call
+"environment-generators" and then seems to pass that on to all the other
+executables that are being called from managers.
+---
+ src/core/manager.c | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+diff --git a/src/core/manager.c b/src/core/manager.c
+index 771e8e7f16..acf3ead8d7 100644
+--- a/src/core/manager.c
++++ b/src/core/manager.c
+@@ -3899,9 +3899,17 @@ static int build_generator_environment(Manager *m, char ***ret) {
+          * adjust generated units to that. Let's pass down some bits of information that are easy for us to
+          * determine (but a bit harder for generator scripts to determine), as environment variables. */
+ 
++        // On NixOS we must propagate PATH to generators so they are
++        // able to find binaries such as `fsck.${fstype}` and
++        // `mkfs.${fstype}`. That is why we ignore transient_environment that
++        // overrides the PATH variable. This propagates systemd's
++        // environment (e.g. PATH) that was setup
++        // before calling systemd from stage-2-init.sh.
++#if 0
+         nl = strv_copy(m->transient_environment);
+         if (!nl)
+                 return -ENOMEM;
++#endif
+ 
+         r = strv_env_assign(&nl, "SYSTEMD_SCOPE", runtime_scope_to_string(m->runtime_scope));
+         if (r < 0)
diff --git a/nixpkgs/pkgs/os-specific/linux/systemd/0017-core-don-t-taint-on-unmerged-usr.patch b/nixpkgs/pkgs/os-specific/linux/systemd/0017-core-don-t-taint-on-unmerged-usr.patch
new file mode 100644
index 000000000000..73b237a29602
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/systemd/0017-core-don-t-taint-on-unmerged-usr.patch
@@ -0,0 +1,33 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: oxalica <oxalicc@pm.me>
+Date: Tue, 4 Oct 2022 09:18:07 +0800
+Subject: [PATCH] core: don't taint on unmerged /usr
+
+NixOS has very different approach towards /bin and /sbin - they don't
+really exist (except for /bin/sh and /usr/bin/env, because these are used
+heavily in shebangs around the world). The concept of merged or unmerged
+usr doesn't really apply here at all, it's neither of the two.
+Users don't execute things from /bin or /sbin, there's nothing else in
+there. In all cases, systemd doesn't look things up from /usr/bin or /bin,
+so showing the taint isn't really helpful.
+
+See also: https://github.com/systemd/systemd/issues/24191
+---
+ src/core/manager.c | 4 ----
+ 1 file changed, 4 deletions(-)
+
+diff --git a/src/core/manager.c b/src/core/manager.c
+index acf3ead8d7..bdbab16829 100644
+--- a/src/core/manager.c
++++ b/src/core/manager.c
+@@ -4754,10 +4754,6 @@ char* manager_taint_string(const Manager *m) {
+         if (m->taint_usr)
+                 stage[n++] = "split-usr";
+ 
+-        _cleanup_free_ char *usrbin = NULL;
+-        if (readlink_malloc("/bin", &usrbin) < 0 || !PATH_IN_SET(usrbin, "usr/bin", "/usr/bin"))
+-                stage[n++] = "unmerged-usr";
+-
+         if (access("/proc/cgroups", F_OK) < 0)
+                 stage[n++] = "cgroups-missing";
+ 
diff --git a/nixpkgs/pkgs/os-specific/linux/systemd/0018-tpm2_context_init-fix-driver-name-checking.patch b/nixpkgs/pkgs/os-specific/linux/systemd/0018-tpm2_context_init-fix-driver-name-checking.patch
new file mode 100644
index 000000000000..6de01a0ae802
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/systemd/0018-tpm2_context_init-fix-driver-name-checking.patch
@@ -0,0 +1,41 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Nick Cao <nickcao@nichi.co>
+Date: Sun, 15 Jan 2023 20:15:55 +0800
+Subject: [PATCH] tpm2_context_init: fix driver name checking
+
+https://github.com/systemd/systemd/commit/542dbc623e introduced
+additional checks for tpm2 driver names, namely ensuring the driver
+name, when concated with "libtss2-tcti-" and ".so.0", generates a valid
+filename (with no '/' inside).
+
+For example, if the driver is name "device", the line
+  fn = strjoina("libtss2-tcti-", driver, ".so.0")
+would yield "libtss2-tcti-device.so.0", passing the check. And the
+filename is then passed to dlopen for loading the driver.
+
+Our current approach for systemd to correctly locate these dynamically
+loaded libraries is to patch the filenames to include their absolute
+path. Thus the line mentioned above is patched into
+  fn = strjoina("/nix/store/xxxxxxx-tpm2-tss-3.2.0/lib/libtss2-tcti-", driver, ".so.0")
+yielding "/nix/store/xxxxxxx-tpm2-tss-3.2.0/lib/libtss2-tcti-device.so.0",
+tripping the check.
+
+This patch relaxes the check to also accept absolute paths, by replacing
+filename_is_valid with path_is_valid.
+---
+ src/shared/tpm2-util.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/shared/tpm2-util.c b/src/shared/tpm2-util.c
+index ae8a8bc073..c284b244f8 100644
+--- a/src/shared/tpm2-util.c
++++ b/src/shared/tpm2-util.c
+@@ -582,7 +582,7 @@ int tpm2_context_new(const char *device, Tpm2Context **ret_context) {
+                 fn = strjoina("libtss2-tcti-", driver, ".so.0");
+ 
+                 /* Better safe than sorry, let's refuse strings that cannot possibly be valid driver early, before going to disk. */
+-                if (!filename_is_valid(fn))
++                if (!path_is_valid(fn))
+                         return log_error_errno(SYNTHETIC_ERRNO(EINVAL), "TPM2 driver name '%s' not valid, refusing.", driver);
+ 
+                 context->tcti_dl = dlopen(fn, RTLD_NOW);
diff --git a/nixpkgs/pkgs/os-specific/linux/systemd/0019-systemctl-edit-suggest-systemdctl-edit-runtime-on-sy.patch b/nixpkgs/pkgs/os-specific/linux/systemd/0019-systemctl-edit-suggest-systemdctl-edit-runtime-on-sy.patch
new file mode 100644
index 000000000000..dd9af6738c4e
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/systemd/0019-systemctl-edit-suggest-systemdctl-edit-runtime-on-sy.patch
@@ -0,0 +1,45 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Maximilian Bosch <maximilian@mbosch.me>
+Date: Fri, 1 Sep 2023 09:57:02 +0200
+Subject: [PATCH] systemctl-edit: suggest `systemdctl edit --runtime` on system
+ scope
+
+This is a NixOS-specific change. When trying to modify a unit with
+`systemctl edit` on NixOS, it'll fail with "Read-only file system":
+
+    $ systemctl edit libvirtd
+    Failed to open "/etc/systemd/system/libvirtd.service.d/.#override.conffa9825a0c9a249eb": Read-only file system
+
+This is because `/etc/systemd/system` is a symlink into the store. In
+fact, I'd consider this a feature rather than a bug since this ensures I
+don't introduce state imperatively.
+
+However, people wrongly assume that it's not possible to edit units
+ad-hoc and re-deploy their system for quick&dirty debugging where this
+would be absolutely fine (and doable with `--runtime` which adds a
+transient and non-persistent unit override in `/run`).
+
+To make sure that people learn about it quicker, this patch
+throws an error which suggests using `--runtime` when running
+`systemctl edit` on the system scope.
+
+For the user scope this isn't needed because user-level unit overrides
+are written into `$XDG_CONFIG_HOME/systemd/user`.
+---
+ src/systemctl/systemctl-edit.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/src/systemctl/systemctl-edit.c b/src/systemctl/systemctl-edit.c
+index e3f25d52d5..81c9c6f6b7 100644
+--- a/src/systemctl/systemctl-edit.c
++++ b/src/systemctl/systemctl-edit.c
+@@ -323,6 +323,9 @@ int verb_edit(int argc, char *argv[], void *userdata) {
+         sd_bus *bus;
+         int r;
+ 
++        if (!arg_runtime && arg_runtime_scope == RUNTIME_SCOPE_SYSTEM)
++                return log_error_errno(SYNTHETIC_ERRNO(EINVAL), "The unit-directory '/etc/systemd/system' is read-only on NixOS, so it's not possible to edit system-units directly. Use 'systemctl edit --runtime' instead.");
++
+         if (!on_tty())
+                 return log_error_errno(SYNTHETIC_ERRNO(EINVAL), "Cannot edit units if not on a tty.");
+ 
diff --git a/nixpkgs/pkgs/os-specific/linux/systemd/default.nix b/nixpkgs/pkgs/os-specific/linux/systemd/default.nix
new file mode 100644
index 000000000000..0311d46d1fc4
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/systemd/default.nix
@@ -0,0 +1,792 @@
+# NOTE: Make sure to (re-)format this file on changes with `nixpkgs-fmt`!
+
+{ stdenv
+, lib
+, nixosTests
+, pkgsCross
+, fetchFromGitHub
+, fetchpatch
+, fetchzip
+, buildPackages
+, makeBinaryWrapper
+, ninja
+, meson
+, m4
+, pkg-config
+, coreutils
+, gperf
+, getent
+, glibcLocales
+
+  # glib is only used during tests (test-bus-gvariant, test-bus-marshal)
+, glib
+, substituteAll
+, gettext
+, python3Packages
+
+  # Mandatory dependencies
+, libcap
+, util-linux
+, kbd
+, kmod
+, libxcrypt
+
+  # Optional dependencies
+, pam
+, cryptsetup
+, audit
+, acl
+, lz4
+, libgcrypt
+, libgpg-error
+, libidn2
+, curl
+, gnutar
+, gnupg
+, zlib
+, xz
+, zstd
+, tpm2-tss
+, libuuid
+, libapparmor
+, intltool
+, bzip2
+, pcre2
+, e2fsprogs
+, elfutils
+, linuxHeaders ? stdenv.cc.libc.linuxHeaders
+, iptables
+, withSelinux ? false
+, libselinux
+, withLibseccomp ? lib.meta.availableOn stdenv.hostPlatform libseccomp
+, libseccomp
+, withKexectools ? lib.meta.availableOn stdenv.hostPlatform kexec-tools
+, kexec-tools
+, bashInteractive
+, bash
+, libmicrohttpd
+, libfido2
+, p11-kit
+
+  # the (optional) BPF feature requires bpftool, libbpf, clang and llvm-strip to be available during build time.
+  # Only libbpf should be a runtime dependency.
+  # Note: llvmPackages is explicitly taken from buildPackages instead of relying
+  # on splicing. Splicing will evaluate the adjacent (pkgsHostTarget) llvmPackages
+  # which is sometimes problematic: llvmPackages.clang looks at targetPackages.stdenv.cc
+  # which, in the unfortunate case of pkgsCross.ghcjs, `throw`s. If we explicitly
+  # take buildPackages.llvmPackages, this is no problem because
+  # `buildPackages.targetPackages.stdenv.cc == stdenv.cc` relative to us. Working
+  # around this is important, because systemd is in the dependency closure of
+  # GHC via emscripten and jdk.
+, bpftools
+, libbpf
+
+  # Needed to produce a ukify that works for cross compiling UKIs.
+, targetPackages
+
+, withAcl ? true
+, withAnalyze ? true
+, withApparmor ? true
+, withAudit ? true
+, withBootloader ? withEfi && !stdenv.hostPlatform.isMusl # compiles systemd-boot, assumes EFI is available.
+, withCompression ? true  # adds bzip2, lz4, xz and zstd
+, withCoredump ? true
+, withCryptsetup ? true
+, withRepart ? true
+, withDocumentation ? true
+, withEfi ? stdenv.hostPlatform.isEfi
+, withFido2 ? true
+, withFirstboot ? false # conflicts with the NixOS /etc management
+, withHomed ? !stdenv.hostPlatform.isMusl
+, withHostnamed ? true
+, withHwdb ? true
+, withImportd ? !stdenv.hostPlatform.isMusl
+, withKmod ? true
+, withLibBPF ? lib.versionAtLeast buildPackages.llvmPackages.clang.version "10.0"
+    && (stdenv.hostPlatform.isAarch -> lib.versionAtLeast stdenv.hostPlatform.parsed.cpu.version "6") # assumes hard floats
+    && !stdenv.hostPlatform.isMips64   # see https://github.com/NixOS/nixpkgs/pull/194149#issuecomment-1266642211
+    # buildPackages.targetPackages.llvmPackages is the same as llvmPackages,
+    # but we do it this way to avoid taking llvmPackages as an input, and
+    # risking making it too easy to ignore the above comment about llvmPackages.
+    && lib.meta.availableOn stdenv.hostPlatform buildPackages.targetPackages.llvmPackages.compiler-rt
+, withLibidn2 ? true
+, withLocaled ? true
+, withLogind ? true
+, withMachined ? true
+, withNetworkd ? true
+, withNss ? !stdenv.hostPlatform.isMusl
+, withOomd ? true
+, withPam ? true
+, withPasswordQuality ? false
+, withPCRE2 ? true
+, withPolkit ? true
+, withPortabled ? !stdenv.hostPlatform.isMusl
+, withRemote ? !stdenv.hostPlatform.isMusl
+, withResolved ? true
+, withShellCompletions ? true
+, withSysusers ? true
+, withSysupdate ? true
+, withTimedated ? true
+, withTimesyncd ? true
+, withTpm2Tss ? true
+, withUkify ? false  # adds python to closure which is too much by default
+, withUserDb ? true
+, withUtmp ? !stdenv.hostPlatform.isMusl
+  # tests assume too much system access for them to be feasible for us right now
+, withTests ? false
+  # build only libudev and libsystemd
+, buildLibsOnly ? false
+
+  # name argument
+, pname ? "systemd"
+
+, libxslt
+, docbook_xsl
+, docbook_xml_dtd_42
+, docbook_xml_dtd_45
+}:
+
+assert withImportd -> withCompression;
+assert withCoredump -> withCompression;
+assert withHomed -> withCryptsetup;
+assert withHomed -> withPam;
+assert withUkify -> withEfi;
+assert withRepart -> withCryptsetup;
+assert withBootloader -> withEfi;
+# passwdqc is not packaged in nixpkgs yet, if you want to fix this, please submit a PR.
+assert !withPasswordQuality;
+
+let
+  wantCurl = withRemote || withImportd;
+  wantGcrypt = withResolved || withImportd;
+  version = "254.3";
+
+  # Bump this variable on every (major) version change. See below (in the meson options list) for why.
+  # command:
+  #  $ curl -s https://api.github.com/repos/systemd/systemd/releases/latest | \
+  #     jq '.created_at|strptime("%Y-%m-%dT%H:%M:%SZ")|mktime'
+  releaseTimestamp = "1690536449";
+in
+stdenv.mkDerivation (finalAttrs: {
+  inherit pname version;
+
+  # We use systemd/systemd-stable for src, and ship NixOS-specific patches inside nixpkgs directly
+  # This has proven to be less error-prone than the previous systemd fork.
+  src = fetchFromGitHub {
+    owner = "systemd";
+    repo = "systemd-stable";
+    rev = "v${version}";
+    hash = "sha256-ObnsAiKwhwEb4ti611eS/wGpg3Sss/pUy/gANPAbXbs=";
+  };
+
+  # On major changes, or when otherwise required, you *must* reformat the patches,
+  # `git am path/to/00*.patch` them into a systemd worktree, rebase to the more recent
+  # systemd version, and export the patches again via
+  # `git -c format.signoff=false format-patch v${version} --no-numbered --zero-commit --no-signature`.
+  # Use `find . -name "*.patch" | sort` to get an up-to-date listing of all patches
+  patches = [
+    ./0001-Start-device-units-for-uninitialised-encrypted-devic.patch
+    ./0002-Don-t-try-to-unmount-nix-or-nix-store.patch
+    ./0003-Fix-NixOS-containers.patch
+    ./0004-Add-some-NixOS-specific-unit-directories.patch
+    ./0005-Get-rid-of-a-useless-message-in-user-sessions.patch
+    ./0006-hostnamed-localed-timedated-disable-methods-that-cha.patch
+    ./0007-Fix-hwdb-paths.patch
+    ./0008-Change-usr-share-zoneinfo-to-etc-zoneinfo.patch
+    ./0009-localectl-use-etc-X11-xkb-for-list-x11.patch
+    ./0010-build-don-t-create-statedir-and-don-t-touch-prefixdi.patch
+    ./0011-add-rootprefix-to-lookup-dir-paths.patch
+    ./0012-systemd-shutdown-execute-scripts-in-etc-systemd-syst.patch
+    ./0013-systemd-sleep-execute-scripts-in-etc-systemd-system-.patch
+    ./0014-path-util.h-add-placeholder-for-DEFAULT_PATH_NORMAL.patch
+    ./0015-pkg-config-derive-prefix-from-prefix.patch
+    ./0016-inherit-systemd-environment-when-calling-generators.patch
+    ./0017-core-don-t-taint-on-unmerged-usr.patch
+    ./0018-tpm2_context_init-fix-driver-name-checking.patch
+    ./0019-systemctl-edit-suggest-systemdctl-edit-runtime-on-sy.patch
+
+    # Fix for `RuntimeError: ELF .dynamic section is missing.`
+    # https://github.com/systemd/systemd/issues/29381
+    # https://github.com/systemd/systemd/pull/29392
+    (fetchpatch {
+      url = "https://github.com/systemd/systemd/commit/cecbb162a3134b43d2ca160e13198c73ff34c3ef.patch";
+      hash = "sha256-hWpUosTDA18mYm5nIb9KnjwOlnzbEHgzha/WpyHoC54=";
+    })
+  ] ++ lib.optional stdenv.hostPlatform.isMusl (
+    let
+      oe-core = fetchzip {
+        url = "https://git.openembedded.org/openembedded-core/snapshot/openembedded-core-eb8a86fee9eeae787cc0a58ef2ed087fd48d93eb.tar.gz";
+        sha256 = "tE2KpXLvOknIpEZFdOnNxvBmDvZrra3kvQp9tKxa51c=";
+      };
+      musl-patches = oe-core + "/meta/recipes-core/systemd/systemd";
+    in
+    [
+      (musl-patches + "/0001-Adjust-for-musl-headers.patch")
+      (musl-patches + "/0005-pass-correct-parameters-to-getdents64.patch")
+      (musl-patches + "/0006-test-bus-error-strerror-is-assumed-to-be-GNU-specifi.patch")
+      (musl-patches + "/0009-missing_type.h-add-comparison_fn_t.patch")
+      (musl-patches + "/0010-add-fallback-parse_printf_format-implementation.patch")
+      (musl-patches + "/0011-src-basic-missing.h-check-for-missing-strndupa.patch")
+      (musl-patches + "/0012-don-t-fail-if-GLOB_BRACE-and-GLOB_ALTDIRFUNC-is-not-.patch")
+      (musl-patches + "/0013-add-missing-FTW_-macros-for-musl.patch")
+      (musl-patches + "/0014-Use-uintmax_t-for-handling-rlim_t.patch")
+      (musl-patches + "/0016-don-t-pass-AT_SYMLINK_NOFOLLOW-flag-to-faccessat.patch")
+      (musl-patches + "/0017-Define-glibc-compatible-basename-for-non-glibc-syste.patch")
+      (musl-patches + "/0018-Do-not-disable-buffering-when-writing-to-oom_score_a.patch")
+      (musl-patches + "/0019-distinguish-XSI-compliant-strerror_r-from-GNU-specif.patch")
+      (musl-patches + "/0020-avoid-redefinition-of-prctl_mm_map-structure.patch")
+      (musl-patches + "/0021-do-not-disable-buffer-in-writing-files.patch")
+      (musl-patches + "/0022-Handle-__cpu_mask-usage.patch")
+      (musl-patches + "/0023-Handle-missing-gshadow.patch")
+      (musl-patches + "/0024-missing_syscall.h-Define-MIPS-ABI-defines-for-musl.patch")
+      (musl-patches + "/0028-sd-event-Make-malloc_trim-conditional-on-glibc.patch")
+      (musl-patches + "/0029-shared-Do-not-use-malloc_info-on-musl.patch")
+    ]
+  );
+
+  postPatch = ''
+    substituteInPlace src/basic/path-util.h --replace "@defaultPathNormal@" "${placeholder "out"}/bin/"
+  '' + lib.optionalString withLibBPF ''
+    substituteInPlace meson.build \
+      --replace "find_program('clang'" "find_program('${stdenv.cc.targetPrefix}clang'"
+  '' + lib.optionalString withUkify ''
+    substituteInPlace src/ukify/ukify.py \
+      --replace \
+      "'readelf'" \
+      "'${targetPackages.stdenv.cc.bintools.targetPrefix}readelf'"
+  '' + (
+    let
+      # The following patches references to dynamic libraries to ensure that
+      # all the features that are implemented via dlopen(3) are available (or
+      # explicitly deactivated) by pointing dlopen to the absolute store path
+      # instead of relying on the linkers runtime lookup code.
+      #
+      # All of the shared library references have to be handled. When new ones
+      # are introduced by upstream (or one of our patches) they must be
+      # explicitly declared, otherwise the build will fail.
+      #
+      # As of systemd version 247 we've seen a few errors like `libpcre2.… not
+      # found` when using e.g. --grep with journalctl. Those errors should
+      # become less unexpected now.
+      #
+      # There are generally two classes of dlopen(3) calls. Those that we want to
+      # support and those that should be deactivated / unsupported. This change
+      # enforces that we handle all dlopen calls explicitly. Meaning: There is
+      # not a single dlopen call in the source code tree that we did not
+      # explicitly handle.
+      #
+      # In order to do this we introduced a list of attributes that maps from
+      # shared object name to the package that contains them. The package can be
+      # null meaning the reference should be nuked and the shared object will
+      # never be loadable during runtime (because it points at an invalid store
+      # path location).
+      #
+      # To get a list of dynamically loaded libraries issue something like
+      # `grep -ri '"lib[a-zA-Z0-9-]*\.so[\.0-9a-zA-z]*"'' $src` and update the below list.
+      dlopenLibs =
+        let
+          opt = condition: pkg: if condition then pkg else null;
+        in
+        [
+          # bpf compilation support. We use libbpf 1 now.
+          { name = "libbpf.so.1"; pkg = opt withLibBPF libbpf; }
+          { name = "libbpf.so.0"; pkg = null; }
+
+          # We did never provide support for libxkbcommon & qrencode
+          { name = "libxkbcommon.so.0"; pkg = null; }
+          { name = "libqrencode.so.4"; pkg = null; }
+          { name = "libqrencode.so.3"; pkg = null; }
+
+          # We did not provide libpwquality before so it is safe to disable it for
+          # now.
+          { name = "libpwquality.so.1"; pkg = null; }
+
+          # Only include cryptsetup if it is enabled. We might not be able to
+          # provide it during "bootstrap" in e.g. the minimal systemd build as
+          # cryptsetup has udev (aka systemd) in it's dependencies.
+          { name = "libcryptsetup.so.12"; pkg = opt withCryptsetup cryptsetup; }
+
+          # We are using libidn2 so we only provide that and ignore the others.
+          # Systemd does this decision during configure time and uses ifdef's to
+          # enable specific branches. We can safely ignore (nuke) the libidn "v1"
+          # libraries.
+          { name = "libidn2.so.0"; pkg = opt withLibidn2 libidn2; }
+          { name = "libidn.so.12"; pkg = null; }
+          { name = "libidn.so.11"; pkg = null; }
+
+          # journalctl --grep requires libpcre so let's provide it
+          { name = "libpcre2-8.so.0"; pkg = pcre2; }
+
+          # Support for TPM2 in systemd-cryptsetup, systemd-repart and systemd-cryptenroll
+          { name = "libtss2-esys.so.0"; pkg = opt withTpm2Tss tpm2-tss; }
+          { name = "libtss2-rc.so.0"; pkg = opt withTpm2Tss tpm2-tss; }
+          { name = "libtss2-mu.so.0"; pkg = opt withTpm2Tss tpm2-tss; }
+          { name = "libtss2-tcti-"; pkg = opt withTpm2Tss tpm2-tss; }
+          { name = "libfido2.so.1"; pkg = opt withFido2 libfido2; }
+
+          # inspect-elf support
+          { name = "libelf.so.1"; pkg = opt withCoredump elfutils; }
+          { name = "libdw.so.1"; pkg = opt withCoredump elfutils; }
+
+          # Support for PKCS#11 in systemd-cryptsetup, systemd-cryptenroll and systemd-homed
+          { name = "libp11-kit.so.0"; pkg = opt (withHomed || withCryptsetup) p11-kit; }
+
+          # Password quality support
+          { name = "libpasswdqc.so.1"; pkg = opt withPasswordQuality null; }
+        ];
+
+      patchDlOpen = dl:
+        let
+          library = "${lib.makeLibraryPath [ dl.pkg ]}/${dl.name}";
+        in
+        if dl.pkg == null then ''
+          # remove the dependency on the library by replacing it with an invalid path
+          for file in $(grep -lr '"${dl.name}"' src); do
+            echo "patching dlopen(\"${dl.name}\", …) in $file to an invalid store path ("${builtins.storeDir}/eeeeeeeeeeeeeeeeeeeeeeeeeeeeeeee-not-implemented/${dl.name}")…"
+            substituteInPlace "$file" --replace '"${dl.name}"' '"${builtins.storeDir}/eeeeeeeeeeeeeeeeeeeeeeeeeeeeeeee-not-implemented/${dl.name}"'
+          done
+        '' else ''
+          # ensure that the library we provide actually exists
+          if ! [ -e ${library} ]; then
+            # exceptional case, details:
+            # https://github.com/systemd/systemd-stable/blob/v249-stable/src/shared/tpm2-util.c#L157
+            if ! [[ "${library}" =~ .*libtss2-tcti-$ ]]; then
+              echo 'The shared library `${library}` does not exist but was given as substitute for `${dl.name}`'
+              exit 1
+            fi
+          fi
+          # make the path to the dependency explicit
+          for file in $(grep -lr '"${dl.name}"' src); do
+            echo "patching dlopen(\"${dl.name}\", …) in $file to ${library}…"
+            substituteInPlace "$file" --replace '"${dl.name}"' '"${library}"'
+          done
+
+        '';
+    in
+    # patch all the dlopen calls to contain absolute paths to the libraries
+    lib.concatMapStringsSep "\n" patchDlOpen dlopenLibs
+  )
+  # finally ensure that there are no left-over dlopen calls (or rather strings pointing to shared libraries) that we didn't handle
+  + ''
+    if grep -qr '"lib[a-zA-Z0-9-]*\.so[\.0-9a-zA-z]*"' src; then
+      echo "Found unhandled dynamic library calls: "
+      grep -r '"lib[a-zA-Z0-9-]*\.so[\.0-9a-zA-z]*"' src
+      exit 1
+    fi
+  ''
+  # Finally, patch shebangs in scripts used at build time. This must not patch
+  # scripts that will end up in the output, to avoid build platform references
+  # when cross-compiling.
+  + ''
+    shopt -s extglob
+    patchShebangs tools test src/!(rpm|kernel-install|ukify) src/kernel-install/test-kernel-install.sh
+  '';
+
+  outputs = [ "out" "dev" ] ++ (lib.optional (!buildLibsOnly) "man");
+
+  nativeBuildInputs =
+    [
+      pkg-config
+      makeBinaryWrapper
+      gperf
+      ninja
+      meson
+      glibcLocales
+      getent
+      m4
+
+      intltool
+      gettext
+
+      libxslt
+      docbook_xsl
+      docbook_xml_dtd_42
+      docbook_xml_dtd_45
+      bash
+      (buildPackages.python3Packages.python.withPackages (ps: with ps; [ lxml jinja2 ] ++ lib.optional withEfi ps.pyelftools))
+    ]
+    ++ lib.optionals withLibBPF [
+      bpftools
+      buildPackages.llvmPackages.clang
+      buildPackages.llvmPackages.libllvm
+    ]
+  ;
+
+  buildInputs =
+    [
+      libxcrypt
+      libcap
+      libuuid
+      linuxHeaders
+      bashInteractive # for patch shebangs
+    ]
+
+    ++ lib.optionals wantGcrypt [ libgcrypt libgpg-error ]
+    ++ lib.optional withTests glib
+    ++ lib.optional withAcl acl
+    ++ lib.optional withApparmor libapparmor
+    ++ lib.optional withAudit audit
+    ++ lib.optional wantCurl (lib.getDev curl)
+    ++ lib.optionals withCompression [ bzip2 lz4 xz zstd ]
+    ++ lib.optional withCoredump elfutils
+    ++ lib.optional withCryptsetup (lib.getDev cryptsetup.dev)
+    ++ lib.optional withKexectools kexec-tools
+    ++ lib.optional withKmod kmod
+    ++ lib.optional withLibidn2 libidn2
+    ++ lib.optional withLibseccomp libseccomp
+    ++ lib.optional withNetworkd iptables
+    ++ lib.optional withPam pam
+    ++ lib.optional withPCRE2 pcre2
+    ++ lib.optional withSelinux libselinux
+    ++ lib.optional withRemote libmicrohttpd
+    ++ lib.optionals (withHomed || withCryptsetup) [ p11-kit ]
+    ++ lib.optionals (withHomed || withCryptsetup) [ libfido2 ]
+    ++ lib.optionals withLibBPF [ libbpf ]
+    ++ lib.optional withTpm2Tss tpm2-tss
+    ++ lib.optional withUkify (python3Packages.python.withPackages (ps: with ps; [ pefile ]))
+  ;
+
+  mesonBuildType = "release";
+
+  mesonFlags = [
+    "-Dversion-tag=${version}"
+    # We bump this variable on every (major) version change to ensure
+    # that we have known-good value for a timestamp that is in the (not so distant) past.
+    # This serves as a lower bound for valid system timestamps during startup. Systemd will
+    # reset the system timestamp if this date is +- 15 years from the system time.
+    # See the systemd v250 release notes for further details:
+    # https://github.com/systemd/systemd/blob/60e930fc3e6eb8a36fbc184773119eb8d2f30364/NEWS#L258-L266
+    "-Dtime-epoch=${releaseTimestamp}"
+
+    "-Dmode=release"
+    "-Ddbuspolicydir=${placeholder "out"}/share/dbus-1/system.d"
+    "-Ddbussessionservicedir=${placeholder "out"}/share/dbus-1/services"
+    "-Ddbussystemservicedir=${placeholder "out"}/share/dbus-1/system-services"
+    "-Dpam=${lib.boolToString withPam}"
+    "-Dpamconfdir=${placeholder "out"}/etc/pam.d"
+    "-Drootprefix=${placeholder "out"}"
+    "-Dpkgconfiglibdir=${placeholder "dev"}/lib/pkgconfig"
+    "-Dpkgconfigdatadir=${placeholder "dev"}/share/pkgconfig"
+    "-Dloadkeys-path=${kbd}/bin/loadkeys"
+    "-Dsetfont-path=${kbd}/bin/setfont"
+    "-Dtty-gid=3" # tty in NixOS has gid 3
+    "-Ddebug-shell=${bashInteractive}/bin/bash"
+    "-Dglib=${lib.boolToString withTests}"
+    # while we do not run tests we should also not build them. Removes about 600 targets
+    "-Dtests=false"
+    "-Dacl=${lib.boolToString withAcl}"
+    "-Danalyze=${lib.boolToString withAnalyze}"
+    "-Daudit=${lib.boolToString withAudit}"
+    "-Dgcrypt=${lib.boolToString wantGcrypt}"
+    "-Dimportd=${lib.boolToString withImportd}"
+    "-Dlz4=${lib.boolToString withCompression}"
+    "-Dhomed=${lib.boolToString withHomed}"
+    "-Dlogind=${lib.boolToString withLogind}"
+    "-Dlocaled=${lib.boolToString withLocaled}"
+    "-Dhostnamed=${lib.boolToString withHostnamed}"
+    "-Dmachined=${lib.boolToString withMachined}"
+    "-Dnetworkd=${lib.boolToString withNetworkd}"
+    "-Doomd=${lib.boolToString withOomd}"
+    "-Dpolkit=${lib.boolToString withPolkit}"
+    "-Dlibcryptsetup=${lib.boolToString withCryptsetup}"
+    "-Dportabled=${lib.boolToString withPortabled}"
+    "-Dhwdb=${lib.boolToString withHwdb}"
+    "-Dremote=${lib.boolToString withRemote}"
+    "-Dtimedated=${lib.boolToString withTimedated}"
+    "-Dtimesyncd=${lib.boolToString withTimesyncd}"
+    "-Duserdb=${lib.boolToString withUserDb}"
+    "-Dcoredump=${lib.boolToString withCoredump}"
+    "-Dfirstboot=false"
+    "-Dresolve=${lib.boolToString withResolved}"
+    "-Dsplit-usr=false"
+    "-Dlibcurl=${lib.boolToString wantCurl}"
+    "-Dlibidn=false"
+    "-Dlibidn2=${lib.boolToString withLibidn2}"
+    "-Dfirstboot=${lib.boolToString withFirstboot}"
+    "-Dsysusers=${lib.boolToString withSysusers}"
+    "-Drepart=${lib.boolToString withRepart}"
+    "-Dsysupdate=${lib.boolToString withSysupdate}"
+    "-Dquotacheck=false"
+    "-Dldconfig=false"
+    "-Dsmack=true"
+    "-Db_pie=true"
+    "-Dinstall-sysconfdir=false"
+    "-Dsbat-distro=nixos"
+    "-Dsbat-distro-summary=NixOS"
+    "-Dsbat-distro-url=https://nixos.org/"
+    "-Dsbat-distro-pkgname=${pname}"
+    "-Dsbat-distro-version=${version}"
+    /*
+      As of now, systemd doesn't allow runtime configuration of these values. So
+      the settings in /etc/login.defs have no effect on it. Many people think this
+      should be supported however, see
+      - https://github.com/systemd/systemd/issues/3855
+      - https://github.com/systemd/systemd/issues/4850
+      - https://github.com/systemd/systemd/issues/9769
+      - https://github.com/systemd/systemd/issues/9843
+      - https://github.com/systemd/systemd/issues/10184
+    */
+    "-Dsystem-uid-max=999"
+    "-Dsystem-gid-max=999"
+
+    "-Dsysvinit-path="
+    "-Dsysvrcnd-path="
+
+    "-Dsulogin-path=${util-linux.login}/bin/sulogin"
+    "-Dnologin-path=${util-linux.login}/bin/nologin"
+    "-Dmount-path=${lib.getOutput "mount" util-linux}/bin/mount"
+    "-Dumount-path=${lib.getOutput "mount" util-linux}/bin/umount"
+    "-Dcreate-log-dirs=false"
+
+    # Use cgroupsv2. This is already the upstream default, but better be explicit.
+    "-Ddefault-hierarchy=unified"
+    # Upstream defaulted to disable manpages since they optimize for the much
+    # more frequent development builds
+    "-Dman=true"
+
+    "-Defi=${lib.boolToString withEfi}"
+    "-Dbootloader=${lib.boolToString withBootloader}"
+
+    "-Dukify=${lib.boolToString withUkify}"
+  ] ++ lib.optionals (withShellCompletions == false) [
+    "-Dbashcompletiondir=no"
+    "-Dzshcompletiondir=no"
+  ] ++ lib.optionals (!withNss) [
+    "-Dnss-myhostname=false"
+    "-Dnss-mymachines=false"
+    "-Dnss-resolve=false"
+    "-Dnss-systemd=false"
+  ] ++ lib.optionals withLibBPF [
+    "-Dbpf-framework=true"
+  ] ++ lib.optionals withTpm2Tss [
+    "-Dtpm2=true"
+  ] ++ lib.optionals (!withUtmp) [
+    "-Dutmp=false"
+  ] ++ lib.optionals stdenv.hostPlatform.isMusl [
+    "-Dgshadow=false"
+    "-Didn=false"
+  ] ++ lib.optionals withKmod [
+    "-Dkmod=true"
+    "-Dkmod-path=${kmod}/bin/kmod"
+  ];
+  preConfigure =
+    let
+      # A list of all the runtime binaries that the systemd executables, tests and libraries are referencing in their source code, scripts and unit files.
+      # As soon as a dependency isn't required anymore we should remove it from the list. The `where` attribute for each of the replacement patterns must be exhaustive. If another (unhandled) case is found in the source code the build fails with an error message.
+      binaryReplacements = [
+        { search = "/usr/bin/getent"; replacement = "${getent}/bin/getent"; where = [ "src/nspawn/nspawn-setuid.c" ]; }
+
+        {
+          search = "/sbin/mkswap";
+          replacement = "${lib.getBin util-linux}/sbin/mkswap";
+          where = [
+            "man/systemd-makefs@.service.xml"
+          ];
+        }
+        { search = "/sbin/swapon"; replacement = "${lib.getOutput "swap" util-linux}/sbin/swapon"; where = [ "src/core/swap.c" "src/basic/unit-def.h" ]; }
+        { search = "/sbin/swapoff"; replacement = "${lib.getOutput "swap" util-linux}/sbin/swapoff"; where = [ "src/core/swap.c" ]; }
+        {
+          search = "/bin/echo";
+          replacement = "${coreutils}/bin/echo";
+          where = [
+            "man/systemd-analyze.xml"
+            "man/systemd.service.xml"
+            "man/systemd-run.xml"
+            "src/analyze/test-verify.c"
+            "src/test/test-env-file.c"
+            "src/test/test-fileio.c"
+            "src/test/test-load-fragment.c"
+          ];
+        }
+        {
+          search = "/bin/cat";
+          replacement = "${coreutils}/bin/cat";
+          where = [ "test/test-execute/exec-noexecpaths-simple.service" "src/journal/cat.c" ];
+        }
+        {
+          search = "/usr/lib/systemd/systemd-fsck";
+          replacement = "$out/lib/systemd/systemd-fsck";
+          where = [
+            "man/systemd-fsck@.service.xml"
+          ];
+        }
+      ] ++ lib.optionals withImportd [
+        {
+          search = "\"gpg\"";
+          replacement = "\\\"${gnupg}/bin/gpg\\\"";
+          where = [ "src/import/pull-common.c" ];
+        }
+        {
+          search = "\"tar\"";
+          replacement = "\\\"${gnutar}/bin/tar\\\"";
+          where = [
+            "src/import/export-tar.c"
+            "src/import/import-common.c"
+            "src/import/import-tar.c"
+          ];
+          ignore = [
+            # occurrences here refer to the tar sub command
+            "src/sysupdate/sysupdate-resource.c"
+            "src/sysupdate/sysupdate-transfer.c"
+            "src/import/pull.c"
+            "src/import/export.c"
+            "src/import/import.c"
+            "src/import/importd.c"
+            # runs `tar` but also also creates a temporary directory with the string
+            "src/import/pull-tar.c"
+          ];
+        }
+      ] ++ lib.optionals withKmod [
+        { search = "/sbin/modprobe"; replacement = "${lib.getBin kmod}/sbin/modprobe"; where = [ "units/modprobe@.service" ]; }
+      ];
+
+      # { replacement, search, where } -> List[str]
+      mkSubstitute = { replacement, search, where, ignore ? [ ] }:
+        map (path: "substituteInPlace ${path} --replace '${search}' \"${replacement}\"") where;
+      mkEnsureSubstituted = { replacement, search, where, ignore ? [ ] }:
+        let
+          ignore' = lib.concatStringsSep "|" (ignore ++ [ "^test" "NEWS" ]);
+        in
+        ''
+          set +e
+          search=$(grep '${search}' -r | grep -v "${replacement}" | grep -Ev "${ignore'}")
+          set -e
+          if [[ -n "$search" ]]; then
+            echo "Not all references to '${search}' have been replaced. Found the following matches:"
+            echo "$search"
+            exit 1
+          fi
+        '';
+    in
+    ''
+      mesonFlagsArray+=(-Dntp-servers="0.nixos.pool.ntp.org 1.nixos.pool.ntp.org 2.nixos.pool.ntp.org 3.nixos.pool.ntp.org")
+      export LC_ALL="en_US.UTF-8";
+
+      ${lib.concatStringsSep "\n" (lib.flatten (map mkSubstitute binaryReplacements))}
+      ${lib.concatMapStringsSep "\n" mkEnsureSubstituted binaryReplacements}
+
+      substituteInPlace src/libsystemd/sd-journal/catalog.c \
+        --replace /usr/lib/systemd/catalog/ $out/lib/systemd/catalog/
+
+      substituteInPlace src/import/pull-tar.c \
+        --replace 'wait_for_terminate_and_check("tar"' 'wait_for_terminate_and_check("${gnutar}/bin/tar"'
+    '';
+
+  # These defines are overridden by CFLAGS and would trigger annoying
+  # warning messages
+  postConfigure = ''
+    substituteInPlace config.h \
+      --replace "POLKIT_AGENT_BINARY_PATH" "_POLKIT_AGENT_BINARY_PATH" \
+      --replace "SYSTEMD_BINARY_PATH" "_SYSTEMD_BINARY_PATH" \
+      --replace "SYSTEMD_CGROUP_AGENTS_PATH" "_SYSTEMD_CGROUP_AGENT_PATH"
+  '';
+
+  env.NIX_CFLAGS_COMPILE = toString ([
+    # Can't say ${polkit.bin}/bin/pkttyagent here because that would
+    # lead to a cyclic dependency.
+    "-UPOLKIT_AGENT_BINARY_PATH"
+    "-DPOLKIT_AGENT_BINARY_PATH=\"/run/current-system/sw/bin/pkttyagent\""
+
+    # Set the release_agent on /sys/fs/cgroup/systemd to the
+    # currently running systemd (/run/current-system/systemd) so
+    # that we don't use an obsolete/garbage-collected release agent.
+    "-USYSTEMD_CGROUP_AGENTS_PATH"
+    "-DSYSTEMD_CGROUP_AGENTS_PATH=\"/run/current-system/systemd/lib/systemd/systemd-cgroups-agent\""
+
+    "-USYSTEMD_BINARY_PATH"
+    "-DSYSTEMD_BINARY_PATH=\"/run/current-system/systemd/lib/systemd/systemd\""
+
+  ] ++ lib.optionals stdenv.hostPlatform.isMusl [
+    "-D__UAPI_DEF_ETHHDR=0"
+  ]);
+
+  doCheck = false; # fails a bunch of tests
+
+  # trigger the test -n "$DESTDIR" || mutate in upstreams build system
+  preInstall = ''
+    export DESTDIR=/
+  '';
+
+  mesonInstallTags = lib.optionals buildLibsOnly [ "devel" "libudev" "libsystemd" ];
+
+  postInstall = lib.optionalString (!buildLibsOnly) ''
+    mkdir -p $out/example/systemd
+    mv $out/lib/{binfmt.d,sysctl.d,tmpfiles.d} $out/example
+    mv $out/lib/systemd/{system,user} $out/example/systemd
+
+    rm -rf $out/etc/systemd/system
+
+    # Fix reference to /bin/false in the D-Bus services.
+    for i in $out/share/dbus-1/system-services/*.service; do
+      substituteInPlace $i --replace /bin/false ${coreutils}/bin/false
+    done
+
+    rm -rf $out/etc/rpm
+
+    # "kernel-install" shouldn't be used on NixOS.
+    find $out -name "*kernel-install*" -exec rm {} \;
+  '' + lib.optionalString (!withDocumentation) ''
+    rm -rf $out/share/doc
+  '' + lib.optionalString (withKmod && !buildLibsOnly) ''
+    mv $out/lib/modules-load.d $out/example
+  '' + lib.optionalString withSysusers ''
+    mv $out/lib/sysusers.d $out/example
+  '';
+
+  # Avoid *.EFI binary stripping. At least on aarch64-linux strip
+  # removes too much from PE32+ files:
+  #   https://github.com/NixOS/nixpkgs/issues/169693
+  # The hack is to move EFI file out of lib/ before doStrip
+  # run and return it after doStrip run.
+  preFixup = lib.optionalString withBootloader ''
+    mv $out/lib/systemd/boot/efi $out/dont-strip-me
+  '';
+
+  # Wrap in the correct path for LUKS2 tokens.
+  postFixup = lib.optionalString withCryptsetup ''
+    for f in lib/systemd/systemd-cryptsetup bin/systemd-cryptenroll; do
+      # This needs to be in LD_LIBRARY_PATH because rpath on a binary is not propagated to libraries using dlopen, in this case `libcryptsetup.so`
+      wrapProgram $out/$f --prefix LD_LIBRARY_PATH : ${placeholder "out"}/lib/cryptsetup
+    done
+  '' + lib.optionalString withBootloader ''
+    mv $out/dont-strip-me $out/lib/systemd/boot/efi
+  '' + lib.optionalString withUkify ''
+    # To cross compile a derivation that builds a UKI with ukify, we need to wrap
+    # ukify with the correct binutils. When wrapping, no splicing happens so we
+    # have to explicitly pull binutils from targetPackages.
+    wrapProgram $out/lib/systemd/ukify --prefix PATH : ${lib.makeBinPath [ targetPackages.stdenv.cc.bintools ] }:${placeholder "out"}/lib/systemd
+  '';
+
+  disallowedReferences = lib.optionals (stdenv.buildPlatform != stdenv.hostPlatform)
+    # 'or p' is for manually specified buildPackages as they dont have __spliced
+    (builtins.map (p: p.__spliced.buildHost or p) finalAttrs.nativeBuildInputs);
+
+  passthru = {
+    # The interface version prevents NixOS from switching to an
+    # incompatible systemd at runtime.  (Switching across reboots is
+    # fine, of course.)  It should be increased whenever systemd changes
+    # in a backwards-incompatible way.  If the interface version of two
+    # systemd builds is the same, then we can switch between them at
+    # runtime; otherwise we can't and we need to reboot.
+    interfaceVersion = 2;
+
+    inherit withCryptsetup withHostnamed withImportd withKmod withLocaled withMachined withPortabled withTimedated withUtmp util-linux kmod kbd;
+
+    tests = {
+      inherit (nixosTests) switchTest;
+      cross = pkgsCross.${if stdenv.buildPlatform.isAarch64 then "gnu64" else "aarch64-multiplatform"}.systemd;
+    };
+  };
+
+  meta = with lib; {
+    homepage = "https://www.freedesktop.org/wiki/Software/systemd/";
+    description = "A system and service manager for Linux";
+    license = licenses.lgpl21Plus;
+    platforms = platforms.linux;
+    badPlatforms = [ lib.systems.inspect.platformPatterns.isStatic ];
+    # https://github.com/systemd/systemd/issues/20600#issuecomment-912338965
+    broken = stdenv.hostPlatform.isStatic;
+    priority = 10;
+    maintainers = with maintainers; [ flokli kloenk ];
+  };
+})
diff --git a/nixpkgs/pkgs/os-specific/linux/sysvinit/default.nix b/nixpkgs/pkgs/os-specific/linux/sysvinit/default.nix
new file mode 100644
index 000000000000..c8ba3164ab09
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/sysvinit/default.nix
@@ -0,0 +1,46 @@
+{ lib, stdenv, fetchurl, libxcrypt, withoutInitTools ? false }:
+
+stdenv.mkDerivation rec {
+  pname = if withoutInitTools then "sysvtools" else "sysvinit";
+  version = "3.04";
+
+  src = fetchurl {
+    url = "mirror://savannah/sysvinit/sysvinit-${version}.tar.xz";
+    sha256 = "sha256-KmIf5uRSi8kTCLdIZ92q6733dT8COVwMW66Be9K346U=";
+  };
+
+  prePatch = ''
+    # Patch some minimal hard references, so halt/shutdown work
+    sed -i -e "s,/sbin/,$out/sbin/," src/halt.c src/init.c src/paths.h
+  '';
+
+  buildInputs = [ libxcrypt ];
+
+  makeFlags = [ "SULOGINLIBS=-lcrypt" "ROOT=$(out)" "MANDIR=/share/man" ];
+
+  preInstall =
+    ''
+      substituteInPlace src/Makefile --replace /usr /
+    '';
+
+  postInstall = ''
+    mv $out/sbin/killall5 $out/bin
+    ln -sf killall5 $out/bin/pidof
+  ''
+    + lib.optionalString withoutInitTools
+    ''
+      shopt -s extglob
+      rm -rf $out/sbin/!(sulogin)
+      rm -rf $out/include
+      rm -rf $out/share/man/man5
+      rm $(for i in $out/share/man/man8/*; do echo $i; done | grep -v 'pidof\|killall5')
+      rm $out/bin/wall $out/share/man/man1/wall.1
+    '';
+
+  meta = {
+    homepage = "https://www.nongnu.org/sysvinit/";
+    description = "Utilities related to booting and shutdown";
+    platforms = lib.platforms.linux;
+    license = lib.licenses.gpl2Plus;
+  };
+}
diff --git a/nixpkgs/pkgs/os-specific/linux/tailor-gui/default.nix b/nixpkgs/pkgs/os-specific/linux/tailor-gui/default.nix
new file mode 100644
index 000000000000..ecbec75fd82d
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/tailor-gui/default.nix
@@ -0,0 +1,60 @@
+{ stdenv
+, lib
+, rustPlatform
+, cargo
+, rustc
+, pkg-config
+, desktop-file-utils
+, appstream-glib
+, wrapGAppsHook4
+, meson
+, ninja
+, libadwaita
+, gtk4
+, tuxedo-rs
+}:
+let
+  src = tuxedo-rs.src;
+  sourceRoot = "source/tailor_gui";
+  pname = "tailor_gui";
+  version = tuxedo-rs.version;
+in
+stdenv.mkDerivation {
+
+  inherit src sourceRoot pname version;
+
+  cargoDeps = rustPlatform.fetchCargoTarball {
+    inherit src sourceRoot;
+    name = "${pname}-${version}";
+    hash = "sha256-mt4YQ0iB/Mlnm+o9sGgYVEdbxjF7qArxA5FIK4MAZ8M=";
+  };
+
+  nativeBuildInputs = [
+    rustPlatform.cargoSetupHook
+    pkg-config
+    desktop-file-utils
+    appstream-glib
+    wrapGAppsHook4
+  ];
+
+  buildInputs = [
+    cargo
+    rustc
+    meson
+    ninja
+    libadwaita
+    gtk4
+  ];
+
+  meta = with lib; {
+    description = "Rust GUI for interacting with hardware from TUXEDO Computers";
+    longDescription = ''
+      An alternative to the TUXEDO Control Center (https://www.tuxedocomputers.com/en/TUXEDO-Control-Center.tuxedo),
+      written in Rust.
+    '';
+    homepage = "https://github.com/AaronErhardt/tuxedo-rs";
+    license = licenses.gpl2Plus;
+    maintainers = with maintainers; [ mrcjkb ];
+    platforms = platforms.linux;
+  };
+}
diff --git a/nixpkgs/pkgs/os-specific/linux/target-isns/default.nix b/nixpkgs/pkgs/os-specific/linux/target-isns/default.nix
new file mode 100644
index 000000000000..fdc0c52a0bf7
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/target-isns/default.nix
@@ -0,0 +1,36 @@
+{ lib, stdenv, cmake, fetchFromGitHub, fetchpatch } :
+
+stdenv.mkDerivation rec {
+  pname = "target-isns";
+  version = "0.6.8";
+
+  src = fetchFromGitHub {
+    owner = "open-iscsi";
+    repo = pname;
+    rev = "v${version}";
+    sha256 = "1b6jjalvvkkjyjbg1pcgk8vmvc6xzzksyjnh2pfi45bbpya4zxim";
+  };
+
+  patches = [
+    # fix absoulute paths
+    ./install_prefix_path.patch
+
+    # fix gcc 10 compiler warning, remove with next update
+    (fetchpatch {
+      url = "https://github.com/open-iscsi/target-isns/commit/3d0c47dd89bcf83d828bcc22ecaaa5f58d78b58e.patch";
+      sha256 = "1x2bkc1ff15621svhpq1r11m0q4ajv0j4fng6hm7wkkbr2s6d1vx";
+    })
+  ];
+
+  cmakeFlags = [ "-DSUPPORT_SYSTEMD=ON" ];
+
+  nativeBuildInputs = [ cmake ];
+
+  meta = with lib; {
+    description = "iSNS client for the Linux LIO iSCSI target";
+    homepage = "https://github.com/open-iscsi/target-isns";
+    maintainers = [ maintainers.markuskowa ];
+    license = licenses.gpl2Only;
+    platforms = platforms.linux;
+  };
+}
diff --git a/nixpkgs/pkgs/os-specific/linux/target-isns/install_prefix_path.patch b/nixpkgs/pkgs/os-specific/linux/target-isns/install_prefix_path.patch
new file mode 100644
index 000000000000..f98fc21b7a24
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/target-isns/install_prefix_path.patch
@@ -0,0 +1,17 @@
+diff --git a/CMakeLists.txt b/CMakeLists.txt
+index f46144d..aeac3e4 100644
+--- a/CMakeLists.txt
++++ b/CMakeLists.txt
+@@ -14,10 +14,10 @@ set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} -Wall -Werror")
+ option(SUPPORT_SYSTEMD "Support service control via systemd" OFF)
+
+ add_subdirectory(src)
+-install(FILES target-isns.conf DESTINATION /etc/)
++install(FILES target-isns.conf DESTINATION ${CMAKE_INSTALL_PREFIX}/etc/)
+ install(FILES target-isns.8 DESTINATION ${CMAKE_INSTALL_PREFIX}/share/man/man8/)
+ if (SUPPORT_SYSTEMD)
+-  install(FILES target-isns.service DESTINATION /usr/lib/systemd/system/)
++  install(FILES target-isns.service DESTINATION ${CMAKE_INSTALL_PREFIX}/lib/systemd/system/)
+ endif (SUPPORT_SYSTEMD)
+
+ add_subdirectory(tests)
diff --git a/nixpkgs/pkgs/os-specific/linux/targetcli/default.nix b/nixpkgs/pkgs/os-specific/linux/targetcli/default.nix
new file mode 100644
index 000000000000..f6bb705258f1
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/targetcli/default.nix
@@ -0,0 +1,31 @@
+{ lib, python3, fetchFromGitHub, nixosTests }:
+
+python3.pkgs.buildPythonApplication rec {
+  pname = "targetcli";
+  version = "2.1.57";
+
+  src = fetchFromGitHub {
+    owner = "open-iscsi";
+    repo = "${pname}-fb";
+    rev = "v${version}";
+    hash = "sha256-7JRNHKku9zTeSafL327hkM/E5EWTKqwPudCfmngvWuo=";
+  };
+
+  propagatedBuildInputs = with python3.pkgs; [ configshell rtslib ];
+
+  postInstall = ''
+    install -D targetcli.8 -t $out/share/man/man8/
+    install -D targetclid.8 -t $out/share/man/man8/
+  '';
+
+  passthru.tests = {
+    inherit (nixosTests) iscsi-root;
+  };
+
+  meta = with lib; {
+    description = "A command shell for managing the Linux LIO kernel target";
+    homepage = "https://github.com/open-iscsi/targetcli-fb";
+    license = licenses.asl20;
+    platforms = platforms.linux;
+  };
+}
diff --git a/nixpkgs/pkgs/os-specific/linux/tbs/default.nix b/nixpkgs/pkgs/os-specific/linux/tbs/default.nix
new file mode 100644
index 000000000000..54268693454c
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/tbs/default.nix
@@ -0,0 +1,64 @@
+{ stdenv, lib, fetchFromGitHub, kernel, kmod, perl, patchutils, perlPackages }:
+let
+
+  media = fetchFromGitHub rec {
+    name = repo;
+    owner = "tbsdtv";
+    repo = "linux_media";
+    rev = "efe31531b77efd3a4c94516504a5823d31cdc776";
+    sha256 = "1533qi3sb91v00289hl5zaj4l35r2sf9fqc6z5ky1vbb7byxgnlr";
+  };
+
+  build = fetchFromGitHub rec {
+    name = repo;
+    owner = "tbsdtv";
+    repo = "media_build";
+    rev = "a0d62eba4d429e0e9d2c2f910fb203e817cac84b";
+    sha256 = "1329s7w9xlqjqwkpaqsd6b5dmzhm97jw0c7c7zzmmbdkl289i4i4";
+  };
+
+in stdenv.mkDerivation {
+  pname = "tbs";
+  version = "2018.04.18-${kernel.version}";
+
+  srcs = [ media build ];
+  sourceRoot = build.name;
+
+  preConfigure = ''
+    make dir DIR=../${media.name}
+  '';
+
+  postPatch = ''
+    patchShebangs .
+
+    sed -i v4l/Makefile \
+      -i v4l/scripts/make_makefile.pl \
+      -e 's,/sbin/depmod,${kmod}/bin/depmod,g' \
+      -e 's,/sbin/lsmod,${kmod}/bin/lsmod,g'
+
+    sed -i v4l/Makefile \
+      -e 's,^OUTDIR ?= /lib/modules,OUTDIR ?= ${kernel.dev}/lib/modules,' \
+      -e 's,^SRCDIR ?= /lib/modules,SRCDIR ?= ${kernel.dev}/lib/modules,'
+  '';
+
+  buildFlags = [ "VER=${kernel.modDirVersion}" ];
+  installFlags = [ "DESTDIR=$(out)" ];
+
+  hardeningDisable = [ "all" ];
+
+  nativeBuildInputs = [ patchutils kmod perl perlPackages.ProcProcessTable ]
+  ++ kernel.moduleBuildDependencies;
+
+   postInstall = ''
+    find $out/lib/modules/${kernel.modDirVersion} -name "*.ko" -exec xz {} \;
+  '';
+
+  meta = with lib; {
+    homepage = "https://www.tbsdtv.com/";
+    description = "Linux driver for TBSDTV cards";
+    license = licenses.gpl2;
+    maintainers = with maintainers; [ ck3d ];
+    priority = -1;
+    broken = true;
+  };
+}
diff --git a/nixpkgs/pkgs/os-specific/linux/tcp-wrappers/cdecls.patch b/nixpkgs/pkgs/os-specific/linux/tcp-wrappers/cdecls.patch
new file mode 100644
index 000000000000..eee640e8a824
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/tcp-wrappers/cdecls.patch
@@ -0,0 +1,31 @@
+__BEGIN_DECLS/__END_DECLS are BSD specific and not defined in musl
+glibc and uclibc had sys/cdefs.h doing it.
+
+Upstream-Status: Pending
+Signed-off-by: Khem Raj <raj.khem@gmail.com>
+
+Index: tcp_wrappers_7.6/tcpd.h
+===================================================================
+--- tcp_wrappers_7.6.orig/tcpd.h
++++ tcp_wrappers_7.6/tcpd.h
+@@ -11,7 +11,9 @@
+ #include <netinet/in.h>
+ #include <stdio.h>
+ 
+-__BEGIN_DECLS
++#ifdef __cplusplus
++extern "C" {
++#endif
+ 
+ /* Structure to describe one communications endpoint. */
+ 
+@@ -252,6 +254,8 @@ extern char *fix_strtok();
+ extern char *my_strtok();
+ #endif
+ 
+-__END_DECLS
++#ifdef __cplusplus
++}
++#endif
+ 
+ #endif
diff --git a/nixpkgs/pkgs/os-specific/linux/tcp-wrappers/default.nix b/nixpkgs/pkgs/os-specific/linux/tcp-wrappers/default.nix
new file mode 100644
index 000000000000..92a6b328b2cc
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/tcp-wrappers/default.nix
@@ -0,0 +1,75 @@
+{ fetchurl, lib, stdenv, libnsl }:
+
+let
+  vanillaVersion = "7.6.q";
+  patchLevel = "26";
+in stdenv.mkDerivation rec {
+  pname = "tcp-wrappers";
+  version = "${vanillaVersion}-${patchLevel}";
+
+  src = fetchurl {
+    url = "mirror://debian/pool/main/t/tcp-wrappers/tcp-wrappers_${vanillaVersion}.orig.tar.gz";
+    sha256 = "0p9ilj4v96q32klavx0phw9va21fjp8vpk11nbh6v2ppxnnxfhwm";
+  };
+
+  debian = fetchurl {
+    url = "mirror://debian/pool/main/t/tcp-wrappers/tcp-wrappers_${version}.debian.tar.xz";
+    sha256 = "1dcdhi9lwzv7g19ggwxms2msq9fy14rl09rjqb10hwv0jix7z8j8";
+  };
+
+  prePatch = ''
+    tar -xaf $debian
+    patches="$(cat debian/patches/series | sed 's,^,debian/patches/,') $patches"
+
+    substituteInPlace Makefile --replace STRINGS STRINGDEFS
+    substituteInPlace debian/patches/13_shlib_weaksym --replace STRINGS STRINGDEFS
+  '';
+
+  # Fix __BEGIN_DECLS usage (even if it wasn't non-standard, this doesn't include sys/cdefs.h)
+  patches = [ ./cdecls.patch ];
+
+  postPatch = lib.optionalString stdenv.hostPlatform.isMusl ''
+    substituteInPlace Makefile \
+      --replace '-DNETGROUP' '-DUSE_GETDOMAIN'
+  '';
+
+  buildInputs = [ libnsl ];
+
+  makeFlags = [ "REAL_DAEMON_DIR=$(out)/bin" "linux" "AR:=$(AR)" ];
+
+  installPhase = ''
+    mkdir -p "$out/bin"
+    cp -v safe_finger tcpd tcpdchk tcpdmatch try-from "$out/bin"
+
+    mkdir -p "$out/lib"
+    cp -v shared/lib*.so* "$out/lib"
+
+    mkdir -p "$out/include"
+    cp -v *.h "$out/include"
+
+    for i in 3 5 8;
+    do
+      mkdir -p "$out/man/man$i"
+      cp *.$i "$out/man/man$i" ;
+    done
+  '';
+
+  meta = {
+    description = "TCP Wrappers, a network logger, also known as TCPD or LOG_TCP";
+
+    longDescription = ''
+      Wietse Venema's network logger, also known as TCPD or LOG_TCP.
+      These programs log the client host name of incoming telnet, ftp,
+      rsh, rlogin, finger etc. requests.  Security options are: access
+      control per host, domain and/or service; detection of host name
+      spoofing or host address spoofing; booby traps to implement an
+      early-warning system.  The current version supports the System
+      V.4 TLI network programming interface (Solaris, DG/UX) in
+      addition to the traditional BSD sockets.
+    '';
+
+    homepage = "ftp://ftp.porcupine.org/pub/security/index.html";
+    license = "BSD-style";
+    platforms = lib.platforms.linux;
+  };
+}
diff --git a/nixpkgs/pkgs/os-specific/linux/tcp-wrappers/tcp-wrappers-7.6-headers.patch b/nixpkgs/pkgs/os-specific/linux/tcp-wrappers/tcp-wrappers-7.6-headers.patch
new file mode 100644
index 000000000000..328a4a102618
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/tcp-wrappers/tcp-wrappers-7.6-headers.patch
@@ -0,0 +1,295 @@
+--- a/options.c
++++ b/options.c
+@@ -34,6 +34,8 @@
+ 
+ /* System libraries. */
+ 
++#include <unistd.h>
++#include <stdlib.h>
+ #include <sys/types.h>
+ #include <sys/param.h>
+ #include <sys/socket.h>
+--- a/safe_finger.c
++++ b/safe_finger.c
+@@ -20,6 +20,11 @@
+ 
+ /* System libraries */
+ 
++#include <unistd.h>
++#include <fcntl.h>
++#include <stdlib.h>
++#include <sys/wait.h>
++#include <grp.h>
+ #include <sys/types.h>
+ #include <sys/stat.h>
+ #include <signal.h>
+@@ -27,7 +31,7 @@
+ #include <ctype.h>
+ #include <pwd.h>
+ 
+-extern void exit();
++int pipe_stdin(char **argv);
+ 
+ /* Local stuff */
+ 
+--- a/scaffold.c
++++ b/scaffold.c
+@@ -10,6 +10,7 @@
+ 
+ /* System libraries. */
+ 
++#include <stdlib.h>
+ #include <sys/types.h>
+ #include <sys/stat.h>
+ #include <sys/socket.h>
+@@ -27,7 +27,4 @@
+ #endif
+ 
+-#ifndef INET6
+-extern char *malloc();
+-#endif
+ 
+ /* Application-specific. */
+--- a/shell_cmd.c
++++ b/shell_cmd.c
+@@ -14,6 +14,10 @@
+ 
+ /* System libraries. */
+ 
++#include <unistd.h>
++#include <stdlib.h>
++#include <fcntl.h>
++#include <sys/wait.h>
+ #include <sys/types.h>
+ #include <sys/param.h>
+ #include <signal.h>
+@@ -25,8 +25,6 @@
+ #include <syslog.h>
+ #include <string.h>
+ 
+-extern void exit();
+-
+ /* Local stuff. */
+ 
+ #include "tcpd.h"
+--- a/tcpdchk.c
++++ b/tcpdchk.c
+@@ -20,6 +20,8 @@
+ 
+ /* System libraries. */
+ 
++#include <unistd.h>
++#include <stdlib.h>
+ #include <sys/types.h>
+ #include <sys/stat.h>
+ #ifdef INET6
+@@ -35,10 +36,7 @@
+ #include <netdb.h>
+ #include <string.h>
+ 
+-extern int errno;
+-extern void exit();
+-extern int optind;
+-extern char *optarg;
++int cidr_mask_addr(char *str);
+ 
+ #ifndef INADDR_NONE
+ #define INADDR_NONE     (-1)		/* XXX should be 0xffffffff */
+--- a/clean_exit.c
++++ b/clean_exit.c
+@@ -13,8 +13,8 @@
+ #endif
+ 
+ #include <stdio.h>
+-
+-extern void exit();
++#include <unistd.h>
++#include <stdlib.h>
+ 
+ #include "tcpd.h"
+ 
+--- a/hosts_access.c
++++ b/hosts_access.c
+@@ -23,6 +23,7 @@
+ 
+ /* System libraries. */
+ 
++#include <stdlib.h>
+ #include <sys/types.h>
+ #ifdef INT32_T
+     typedef uint32_t u_int32_t;
+@@ -43,8 +44,8 @@
+ #include <netdb.h>
+ #endif
+ 
+-extern char *fgets();
+-extern int errno;
++static int match_pattern_ylo(const char *s, const char *pattern);
++int cidr_mask_addr(char *str);
+ 
+ #ifndef	INADDR_NONE
+ #define	INADDR_NONE	(-1)		/* XXX should be 0xffffffff */
+--- a/inetcf.c
++++ b/inetcf.c
+@@ -9,15 +9,14 @@
+ static char sccsid[] = "@(#) inetcf.c 1.7 97/02/12 02:13:23";
+ #endif
+ 
++#include <stdlib.h>
+ #include <sys/types.h>
+ #include <sys/stat.h>
+ #include <stdio.h>
+ #include <errno.h>
+ #include <string.h>
+ 
+-extern int errno;
+-extern void exit();
+-
++#include "scaffold.h"
+ #include "tcpd.h"
+ #include "inetcf.h"
+ 
+--- a/percent_x.c
++++ b/percent_x.c
+@@ -16,12 +16,12 @@
+ 
+ /* System libraries. */
+ 
++#include <unistd.h>
++#include <stdlib.h>
+ #include <stdio.h>
+ #include <syslog.h>
+ #include <string.h>
+ 
+-extern void exit();
+-
+ /* Local stuff. */
+ 
+ #include "tcpd.h"
+--- a/rfc931.c
++++ b/rfc931.c
+@@ -15,6 +15,7 @@
+ 
+ /* System libraries. */
+ 
++#include <unistd.h>
+ #include <stdio.h>
+ #include <syslog.h>
+ #include <sys/types.h>
+--- a/tcpd.c
++++ b/tcpd.c
+@@ -16,6 +16,7 @@
+ 
+ /* System libraries. */
+ 
++#include <unistd.h>
+ #include <sys/types.h>
+ #include <sys/param.h>
+ #include <sys/stat.h>
+@@ -39,6 +39,8 @@
+ #include "patchlevel.h"
+ #include "tcpd.h"
+ 
++void fix_options(struct request_info *request);
++
+ int     allow_severity = SEVERITY;	/* run-time adjustable */
+ int     deny_severity = LOG_WARNING;	/* ditto */
+ 
+--- a/tcpdmatch.c
++++ b/tcpdmatch.c
+@@ -19,6 +19,8 @@
+ 
+ /* System libraries. */
+ 
++#include <unistd.h>
++#include <stdlib.h>
+ #include <sys/types.h>
+ #include <sys/stat.h>
+ #include <sys/socket.h>
+@@ -30,9 +32,6 @@
+ #include <setjmp.h>
+ #include <string.h>
+ 
+-extern void exit();
+-extern int optind;
+-extern char *optarg;
+ 
+ #ifndef	INADDR_NONE
+ #define	INADDR_NONE	(-1)		/* XXX should be 0xffffffff */
+--- a/update.c
++++ b/update.c
+@@ -19,6 +19,7 @@
+ 
+ /* System libraries */
+ 
++#include <unistd.h>
+ #include <stdio.h>
+ #include <syslog.h>
+ #include <string.h>
+--- a/misc.c
++++ b/misc.c
+@@ -14,11 +14,10 @@
+ #include <arpa/inet.h>
+ #include <stdio.h>
+ #include <string.h>
++#include <stdlib.h>
+ 
+ #include "tcpd.h"
+ 
+-extern char *fgets();
+-
+ #ifndef	INADDR_NONE
+ #define	INADDR_NONE	(-1)		/* XXX should be 0xffffffff */
+ #endif
+--- a/fix_options.c
++++ b/fix_options.c
+@@ -32,6 +32,7 @@
+ 
+ /* fix_options - get rid of IP-level socket options */
+ 
++void
+ fix_options(request)
+ struct request_info *request;
+ {
+@@ -38,11 +38,8 @@
+ #ifdef IP_OPTIONS
+     unsigned char optbuf[BUFFER_SIZE / 3], *cp;
+     char    lbuf[BUFFER_SIZE], *lp;
+-#ifdef __GLIBC__
+-    size_t  optsize = sizeof(optbuf), ipproto;
+-#else
+-    int     optsize = sizeof(optbuf), ipproto;
+-#endif
++    socklen_t optsize = sizeof(optbuf);
++    int ipproto;
+     struct protoent *ip;
+     int     fd = request->fd;
+     unsigned int opt;
+--- a/socket.c
++++ b/socket.c
+@@ -95,11 +95,7 @@
+     static struct sockaddr_in client;
+     static struct sockaddr_in server;
+ #endif
+-#ifdef __GLIBC__
+-    size_t  len;
+-#else
+-    int     len;
+-#endif
++    socklen_t len;
+     char    buf[BUFSIZ];
+     int     fd = request->fd;
+ 
+@@ -430,11 +426,7 @@
+ #else
+     struct sockaddr_in sin;
+ #endif
+-#ifdef __GLIBC__
+-    size_t  size = sizeof(sin);
+-#else
+-    int     size = sizeof(sin);
+-#endif
++    socklen_t size;
+ 
+     /*
+      * Eat up the not-yet received datagram. Some systems insist on a
diff --git a/nixpkgs/pkgs/os-specific/linux/teck-udev-rules/default.nix b/nixpkgs/pkgs/os-specific/linux/teck-udev-rules/default.nix
new file mode 100644
index 000000000000..eec5eac344ef
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/teck-udev-rules/default.nix
@@ -0,0 +1,22 @@
+{ lib, stdenv, teck-programmer }:
+
+stdenv.mkDerivation {
+  pname = "teck-udev-rules";
+  version = lib.getVersion teck-programmer;
+
+  inherit (teck-programmer) src;
+
+  dontBuild = true;
+
+  installPhase = ''
+    runHook preInstall
+    install 40-teck.rules -D -t $out/etc/udev/rules.d/
+    runHook postInstall
+  '';
+
+  meta = {
+    description = "udev rules for TECK keyboards";
+    inherit (teck-programmer.meta) license;
+    maintainers = [ lib.maintainers.lourkeur ];
+  };
+}
diff --git a/nixpkgs/pkgs/os-specific/linux/teensy-udev-rules/default.nix b/nixpkgs/pkgs/os-specific/linux/teensy-udev-rules/default.nix
new file mode 100644
index 000000000000..e3d50eee5f67
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/teensy-udev-rules/default.nix
@@ -0,0 +1,34 @@
+{ lib, stdenv, coreutils }:
+
+stdenv.mkDerivation {
+  pname = "teensy-udev-rules";
+  version = "2022-05-15";
+
+  # Source: https://www.pjrc.com/teensy/00-teensy.rules
+  src = ./teensy.rules;
+
+  dontUnpack = true;
+
+  runtimeDeps = [ coreutils ];
+
+  installPhase = ''
+    install -D $src $out/etc/udev/rules.d/70-teensy.rules
+    substituteInPlace $out/etc/udev/rules.d/70-teensy.rules \
+      --replace "/bin/stty" "${coreutils}/bin/stty"
+  '';
+
+  meta = with lib; {
+    homepage = "https://www.pjrc.com/teensy/00-teensy.rules";
+    description = ''
+      udev rules that give non-root users permission to communicate with the
+      Teensy family of microcontrolers.
+
+      ModemManager (part of NetworkManager) can interfere with USB Serial
+      devices, which includes the Teensy.  See comments in the .rules file (or
+      this package's homepage) for possible workarounds.
+    '';
+    platforms = platforms.linux;
+    license = "unknown";
+    maintainers = with maintainers; [ aidalgol ];
+  };
+}
diff --git a/nixpkgs/pkgs/os-specific/linux/teensy-udev-rules/teensy.rules b/nixpkgs/pkgs/os-specific/linux/teensy-udev-rules/teensy.rules
new file mode 100644
index 000000000000..0a921a507af6
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/teensy-udev-rules/teensy.rules
@@ -0,0 +1,39 @@
+# UDEV Rules for Teensy boards, http://www.pjrc.com/teensy/
+#
+# The latest version of this file may be found at:
+#   http://www.pjrc.com/teensy/00-teensy.rules
+#
+# This file must be placed at:
+#
+# /etc/udev/rules.d/00-teensy.rules    (preferred location)
+#   or
+# /lib/udev/rules.d/00-teensy.rules    (req'd on some broken systems)
+#
+# To install, type this command in a terminal:
+#   sudo cp 00-teensy.rules /etc/udev/rules.d/00-teensy.rules
+#
+# After this file is installed, physically unplug and reconnect Teensy.
+#
+ATTRS{idVendor}=="16c0", ATTRS{idProduct}=="04*", ENV{ID_MM_DEVICE_IGNORE}="1", ENV{ID_MM_PORT_IGNORE}="1"
+ATTRS{idVendor}=="16c0", ATTRS{idProduct}=="04[789a]*", ENV{MTP_NO_PROBE}="1"
+KERNEL=="ttyACM*", ATTRS{idVendor}=="16c0", ATTRS{idProduct}=="04*", MODE:="0666", RUN:="/bin/stty -F /dev/%k raw -echo"
+KERNEL=="hidraw*", ATTRS{idVendor}=="16c0", ATTRS{idProduct}=="04*", MODE:="0666"
+SUBSYSTEMS=="usb", ATTRS{idVendor}=="16c0", ATTRS{idProduct}=="04*", MODE:="0666"
+KERNEL=="hidraw*", ATTRS{idVendor}=="1fc9", ATTRS{idProduct}=="013*", MODE:="0666"
+SUBSYSTEMS=="usb", ATTRS{idVendor}=="1fc9", ATTRS{idProduct}=="013*", MODE:="0666"
+
+#
+# If you share your linux system with other users, or just don't like the
+# idea of write permission for everybody, you can replace MODE:="0666" with
+# OWNER:="yourusername" to create the device owned by you, or with
+# GROUP:="somegroupname" and mange access using standard unix groups.
+#
+# ModemManager tends to interfere with USB Serial devices like Teensy.
+# Problems manifest as the Arduino Serial Monitor missing some incoming
+# data, and "Unable to open /dev/ttyACM0 for reboot request" when
+# uploading.  If you experience these problems, disable or remove
+# ModemManager from your system.  If you must use a modem, perhaps
+# try disabling the "MM_FILTER_RULE_TTY_ACM_INTERFACE" ModemManager
+# rule.  Changing ModemManager's filter policy from "strict" to "default"
+# may also help.  But if you don't use a modem, completely removing
+# the troublesome ModemManager is the most effective solution.
diff --git a/nixpkgs/pkgs/os-specific/linux/thunderbolt/default.nix b/nixpkgs/pkgs/os-specific/linux/thunderbolt/default.nix
new file mode 100644
index 000000000000..e532f9965aa8
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/thunderbolt/default.nix
@@ -0,0 +1,34 @@
+{ lib, stdenv
+, boost
+, cmake
+, fetchFromGitHub
+, pkg-config
+, txt2tags
+}:
+
+stdenv.mkDerivation rec {
+  pname = "thunderbolt";
+  version = "0.9.3";
+  src = fetchFromGitHub {
+    owner = "01org";
+    repo = "thunderbolt-software-user-space";
+    rev = "v${version}";
+    sha256 = "02w1bfm7xvq0dzkhwqiq0camkzz9kvciyhnsis61c8vzp39cwx0x";
+  };
+
+  nativeBuildInputs = [ cmake pkg-config txt2tags ];
+  buildInputs = [ boost ];
+
+  cmakeFlags = [
+    "-DUDEV_BIN_DIR=${placeholder "out"}/bin"
+    "-DUDEV_RULES_DIR=${placeholder "out"}/etc/udev/rules.d"
+  ];
+
+  meta = {
+    description = "Thunderbolt(TM) user-space components";
+    license = lib.licenses.bsd3;
+    maintainers = [ lib.maintainers.ryantrinkle ];
+    homepage = "https://01.org/thunderbolt-sw";
+    platforms = lib.platforms.linux;
+  };
+}
diff --git a/nixpkgs/pkgs/os-specific/linux/tiptop/default.nix b/nixpkgs/pkgs/os-specific/linux/tiptop/default.nix
new file mode 100644
index 000000000000..a26602b6b44c
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/tiptop/default.nix
@@ -0,0 +1,44 @@
+{ lib, stdenv, fetchurl, fetchpatch, libxml2, ncurses, bison, flex }:
+
+stdenv.mkDerivation rec {
+  pname = "tiptop";
+  version = "2.3.1";
+
+  src = fetchurl {
+    url = "${meta.homepage}/releases/${pname}-${version}.tar.gz";
+    sha256 = "10j1138y3cj3hsmfz4w0bmk90523b0prqwi9nhb4z8xvjnf49i2i";
+  };
+
+  patches = [
+    (fetchpatch {
+      name = "reproducibility.patch";
+      url = "https://salsa.debian.org/debian/tiptop/raw/debian/2.3.1-1/debian/patches/0001-fix-reproducibility-of-build-process.patch";
+      sha256 = "116l7n3nl9lj691i7j8x0d0za1i6zpqgghw5d70qfpb17c04cblp";
+    })
+
+    # Pull upstream patch for ncurses-6.3
+    (fetchpatch {
+      name = "ncurses-6.3.patch";
+      url = "https://gitlab.inria.fr/rohou/tiptop/-/commit/a78234c27fdd62fed09430d998950e49e11a1832.patch";
+      sha256 = "1k55agdri7iw3gwm4snj3ps62qzmxlqr6s0868l8qamjw38z9g00";
+    })
+  ];
+
+  postPatch = ''
+    substituteInPlace ./configure --replace -lcurses -lncurses
+  '';
+
+  nativeBuildInputs = [ flex bison ];
+  buildInputs = [ libxml2 ncurses ];
+
+  env.NIX_CFLAGS_COMPILE = "-I${libxml2.dev}/include/libxml2";
+
+  meta = with lib; {
+    description = "Performance monitoring tool for Linux";
+    homepage = "http://tiptop.gforge.inria.fr";
+    license = licenses.gpl2;
+    platforms = platforms.linux;
+    maintainers = [ ];
+  };
+}
+
diff --git a/nixpkgs/pkgs/os-specific/linux/tiscamera/0001-cmake-find-aravis-fix-pkg-cfg-include-dirs.patch b/nixpkgs/pkgs/os-specific/linux/tiscamera/0001-cmake-find-aravis-fix-pkg-cfg-include-dirs.patch
new file mode 100644
index 000000000000..0e9821467850
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/tiscamera/0001-cmake-find-aravis-fix-pkg-cfg-include-dirs.patch
@@ -0,0 +1,25 @@
+From 90b540bd135de2587352719b14c385b20aa572be Mon Sep 17 00:00:00 2001
+From: Raymond Gauthier <jraygauthier@gmail.com>
+Date: Wed, 15 Jun 2022 16:09:58 -0400
+Subject: [PATCH] cmake-find-aravis: fix pkg cfg include dirs
+
+---
+ cmake/modules/FindAravis.cmake | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/cmake/modules/FindAravis.cmake b/cmake/modules/FindAravis.cmake
+index 5dab5431..811302b9 100644
+--- a/cmake/modules/FindAravis.cmake
++++ b/cmake/modules/FindAravis.cmake
+@@ -20,7 +20,7 @@ find_path(aravis_INCLUDE_DIR
+ 	arv.h
+ 	PATHS
+ 	${aravis_PKGCONF_INCLUDE_DIRS}
+-	${aravis0_6_PKGCONF_INCLUDE_DIRS}
++	${aravis0_8_PKGCONF_INCLUDE_DIRS}
+ 	/usr/local/include
+ 	# /usr/local/include/aravis-0.4
+ 	/usr/local/include/aravis-0.8
+-- 
+2.31.1
+
diff --git a/nixpkgs/pkgs/os-specific/linux/tiscamera/0001-tcamconvert-tcamsrc-add-missing-include-lib-dirs.patch b/nixpkgs/pkgs/os-specific/linux/tiscamera/0001-tcamconvert-tcamsrc-add-missing-include-lib-dirs.patch
new file mode 100644
index 000000000000..3d1e5503bcd3
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/tiscamera/0001-tcamconvert-tcamsrc-add-missing-include-lib-dirs.patch
@@ -0,0 +1,70 @@
+From 5e7146e176cb1b01b47d16a66763469dccd87f25 Mon Sep 17 00:00:00 2001
+From: Raymond Gauthier <jraygauthier@gmail.com>
+Date: Thu, 9 Jun 2022 19:45:30 -0400
+Subject: [PATCH] tcamconvert&tcamsrc: add missing include/lib dirs
+
+These were building libraries with dependencies on gstreamer-video
+and gstreamer-base but weren't adding the proper include and
+lib directories which resulted in build failure on systems
+where video and base aren't installed in the same location
+as gstreamer itself (e.g: nix, nixos).
+---
+ src/gstreamer-1.0/tcamconvert/CMakeLists.txt |  2 ++
+ src/gstreamer-1.0/tcamsrc/CMakeLists.txt     | 11 +++++++++++
+ 2 files changed, 13 insertions(+)
+
+diff --git a/src/gstreamer-1.0/tcamconvert/CMakeLists.txt b/src/gstreamer-1.0/tcamconvert/CMakeLists.txt
+index 30563c38..066cb5d7 100644
+--- a/src/gstreamer-1.0/tcamconvert/CMakeLists.txt
++++ b/src/gstreamer-1.0/tcamconvert/CMakeLists.txt
+@@ -28,6 +28,8 @@ add_library(tcamconvert SHARED
+ target_include_directories(tcamconvert
+   PRIVATE
+   ${GSTREAMER_INCLUDE_DIRS}
++  ${GSTREAMER_BASE_INCLUDE_DIRS}
++  ${GSTREAMER_VIDEO_INCLUDE_DIRS}
+   )
+ 
+ set_project_warnings(tcamconvert)
+diff --git a/src/gstreamer-1.0/tcamsrc/CMakeLists.txt b/src/gstreamer-1.0/tcamsrc/CMakeLists.txt
+index 3bc7ed97..ed5be37f 100644
+--- a/src/gstreamer-1.0/tcamsrc/CMakeLists.txt
++++ b/src/gstreamer-1.0/tcamsrc/CMakeLists.txt
+@@ -21,12 +21,15 @@ add_library(gsttcamstatistics SHARED
+ target_include_directories(gsttcamstatistics
+   PRIVATE
+   ${GSTREAMER_INCLUDE_DIRS}
++  ${GSTREAMER_BASE_INCLUDE_DIRS}
++  ${GSTREAMER_VIDEO_INCLUDE_DIRS}
+   )
+ 
+ target_link_libraries( gsttcamstatistics
+   PRIVATE
+   ${GSTREAMER_LIBRARIES}
+   ${GSTREAMER_BASE_LIBRARIES}
++  ${GSTREAMER_VIDEO_LIBRARIES}
+   )
+ 
+ 
+@@ -53,10 +56,18 @@ add_library(gsttcamsrc SHARED
+ 	tcambind.cpp
+     )
+ 
++  target_include_directories(gsttcamsrc
++    PRIVATE
++    ${GSTREAMER_INCLUDE_DIRS}
++    ${GSTREAMER_BASE_INCLUDE_DIRS}
++    ${GSTREAMER_VIDEO_INCLUDE_DIRS}
++    )
++
+   target_link_libraries( gsttcamsrc
+     PRIVATE
+ 	${GSTREAMER_LIBRARIES}
+ 	${GSTREAMER_BASE_LIBRARIES}
++    ${GSTREAMER_VIDEO_LIBRARIES}
+ 
+ 	tcamgstbase
+ 	tcam::gst-helper
+-- 
+2.31.1
+
diff --git a/nixpkgs/pkgs/os-specific/linux/tiscamera/0001-udev-rules-fix-install-location.patch b/nixpkgs/pkgs/os-specific/linux/tiscamera/0001-udev-rules-fix-install-location.patch
new file mode 100644
index 000000000000..9b373516aa9b
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/tiscamera/0001-udev-rules-fix-install-location.patch
@@ -0,0 +1,25 @@
+From fdbc0b74812b9afd663226715375b5688e5408b5 Mon Sep 17 00:00:00 2001
+From: Raymond Gauthier <jraygauthier@gmail.com>
+Date: Thu, 9 Jun 2022 20:23:02 -0400
+Subject: [PATCH] udev/rules: fix install location
+
+---
+ CMakeInstall.cmake | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/CMakeInstall.cmake b/CMakeInstall.cmake
+index 4773091f..962c9b09 100644
+--- a/CMakeInstall.cmake
++++ b/CMakeInstall.cmake
+@@ -92,7 +92,7 @@ else()
+ 
+   else()
+ 
+-    set(TCAM_INSTALL_UDEV "${CMAKE_INSTALL_PREFIX}/udev/rules.d" CACHE PATH "udev rules installation path" FORCE)
++    set(TCAM_INSTALL_UDEV "${CMAKE_INSTALL_PREFIX}/lib/udev/rules.d" CACHE PATH "udev rules installation path" FORCE)
+     set(TCAM_INSTALL_SYSTEMD "${CMAKE_INSTALL_PREFIX}/lib/systemd/system/" CACHE PATH "systemd unit installation path" FORCE)
+ 
+     set(TCAM_INSTALL_PKGCONFIG "${CMAKE_INSTALL_PREFIX}/lib/pkgconfig" CACHE PATH "pkgconfig installation path" FORCE)
+-- 
+2.31.1
+
diff --git a/nixpkgs/pkgs/os-specific/linux/tiscamera/default.nix b/nixpkgs/pkgs/os-specific/linux/tiscamera/default.nix
new file mode 100644
index 000000000000..ce59cea368b1
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/tiscamera/default.nix
@@ -0,0 +1,138 @@
+{ lib
+, stdenv
+, fetchFromGitHub
+, cmake
+, pkg-config
+, runtimeShell
+, catch2
+, elfutils
+, libselinux
+, libsepol
+, libunwind
+, libusb1
+, libuuid
+, libzip
+, orc
+, pcre
+, zstd
+, glib
+, gobject-introspection
+, gst_all_1
+, wrapGAppsHook
+, withDoc ? true
+, sphinx
+, graphviz
+, withAravis ? true
+, aravis
+, meson
+, withAravisUsbVision ? withAravis
+, withGui ? true
+, qt5
+}:
+
+stdenv.mkDerivation rec {
+  pname = "tiscamera";
+  version = "1.0.0";
+
+  src = fetchFromGitHub {
+    owner = "TheImagingSource";
+    repo = pname;
+    rev = "v-${pname}-${version}";
+    sha256 = "0msz33wvqrji11kszdswcvljqnjflmjpk0aqzmsv6i855y8xn6cd";
+  };
+
+  patches = [
+    ./0001-tcamconvert-tcamsrc-add-missing-include-lib-dirs.patch
+    ./0001-udev-rules-fix-install-location.patch
+    ./0001-cmake-find-aravis-fix-pkg-cfg-include-dirs.patch
+  ];
+
+  postPatch = ''
+    cp ${catch2}/include/catch2/catch.hpp external/catch/catch.hpp
+
+    substituteInPlace ./data/udev/80-theimagingsource-cameras.rules.in \
+      --replace "/bin/sh" "${runtimeShell}/bin/sh" \
+      --replace "typically /usr/bin/" "" \
+      --replace "typically /usr/share/theimagingsource/tiscamera/uvc-extension/" ""
+  '';
+
+  nativeBuildInputs = [
+    cmake
+    pkg-config
+    wrapGAppsHook
+    gobject-introspection
+  ] ++ lib.optionals withDoc [
+    sphinx
+    graphviz
+  ] ++ lib.optionals withAravis [
+    meson
+  ] ++ lib.optionals withGui [
+    qt5.wrapQtAppsHook
+  ];
+
+  buildInputs = [
+    elfutils
+    libselinux
+    libsepol
+    libunwind
+    libusb1
+    libuuid
+    libzip
+    orc
+    pcre
+    zstd
+    glib
+    gst_all_1.gstreamer
+    gst_all_1.gst-plugins-base
+    gst_all_1.gst-plugins-good
+    gst_all_1.gst-plugins-bad
+    gst_all_1.gst-plugins-ugly
+  ] ++ lib.optionals withAravis [
+    aravis
+  ] ++ lib.optionals withGui [
+    qt5.qtbase
+  ];
+
+  hardeningDisable = [ "format" ];
+
+  cmakeFlags = [
+    "-DTCAM_BUILD_GST_1_0=ON"
+    "-DTCAM_BUILD_TOOLS=ON"
+    "-DTCAM_BUILD_V4L2=ON"
+    "-DTCAM_BUILD_LIBUSB=ON"
+    "-DTCAM_BUILD_TESTS=ON"
+    "-DTCAM_BUILD_ARAVIS=${if withAravis then "ON" else "OFF"}"
+    "-DTCAM_BUILD_DOCUMENTATION=${if withDoc then "ON" else "OFF"}"
+    "-DTCAM_BUILD_WITH_GUI=${if withGui then "ON" else "OFF"}"
+    "-DTCAM_DOWNLOAD_MESON=OFF"
+    "-DTCAM_INTERNAL_ARAVIS=OFF"
+    "-DTCAM_ARAVIS_USB_VISION=${if withAravis && withAravisUsbVision then "ON" else "OFF"}"
+    "-DTCAM_INSTALL_FORCE_PREFIX=ON"
+  ];
+
+  doCheck = true;
+
+  # gstreamer tests requires, besides gst-plugins-bad, plugins installed by this expression.
+  checkPhase = "ctest --force-new-ctest-process -E gstreamer";
+
+  # wrapGAppsHook: make sure we add ourselves to the introspection
+  # and gstreamer paths.
+  GI_TYPELIB_PATH = "${placeholder "out"}/lib/girepository-1.0";
+  GST_PLUGIN_SYSTEM_PATH_1_0 = "${placeholder "out"}/lib/gstreamer-1.0";
+
+  QT_PLUGIN_PATH = lib.optionalString withGui "${qt5.qtbase.bin}/${qt5.qtbase.qtPluginPrefix}";
+
+  dontWrapQtApps = true;
+
+  preFixup = ''
+    gappsWrapperArgs+=("''${qtWrapperArgs[@]}")
+  '';
+
+  meta = with lib; {
+    description = "The Linux sources and UVC firmwares for The Imaging Source cameras";
+    homepage = "https://github.com/TheImagingSource/tiscamera";
+    license = with licenses; [ asl20 ];
+    platforms = platforms.linux;
+    maintainers = with maintainers; [ jraygauthier ];
+  };
+}
diff --git a/nixpkgs/pkgs/os-specific/linux/tmon/default.nix b/nixpkgs/pkgs/os-specific/linux/tmon/default.nix
new file mode 100644
index 000000000000..3a2697e0a712
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/tmon/default.nix
@@ -0,0 +1,26 @@
+{ lib, stdenv, kernel, ncurses }:
+
+stdenv.mkDerivation {
+  pname = "tmon";
+  version = kernel.version;
+
+  inherit (kernel) src;
+
+  buildInputs = [ ncurses ];
+
+  configurePhase = ''
+    cd tools/thermal/tmon
+  '';
+
+  makeFlags = kernel.makeFlags ++ [ "INSTALL_ROOT=\"$(out)\"" "BINDIR=bin" ];
+  NIX_CFLAGS_LINK = "-lgcc_s";
+
+  enableParallelBuilding = true;
+
+  meta = with lib; {
+    description = "Monitoring and Testing Tool for Linux kernel thermal subsystem";
+    homepage = "https://www.kernel.org/";
+    license = licenses.gpl2;
+    platforms = platforms.linux;
+  };
+}
diff --git a/nixpkgs/pkgs/os-specific/linux/tomb/default.nix b/nixpkgs/pkgs/os-specific/linux/tomb/default.nix
new file mode 100644
index 000000000000..9c97377cfe04
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/tomb/default.nix
@@ -0,0 +1,79 @@
+{ stdenv
+, lib
+, fetchFromGitHub
+, substituteAll
+, makeWrapper
+, zsh
+, coreutils
+, cryptsetup
+, e2fsprogs
+, file
+, gawk
+, getent
+, gettext
+, gnugrep
+, gnupg
+, libargon2
+, lsof
+, pinentry
+, util-linux
+, nix-update-script
+}:
+
+stdenv.mkDerivation rec {
+  pname = "tomb";
+  version = "2.10";
+
+  src = fetchFromGitHub {
+    owner = "dyne";
+    repo = "Tomb";
+    rev = "refs/tags/v${version}";
+    hash = "sha256-lLxQJX0P6b6lbXEcrq45EsX9iKiayZ9XkhqgMfpN3/w=";
+  };
+
+  buildInputs = [ zsh pinentry ];
+
+  nativeBuildInputs = [ makeWrapper ];
+
+  postPatch = ''
+    # if not, it shows .tomb-wrapped when running
+    substituteInPlace tomb \
+      --replace 'TOMBEXEC=$0' 'TOMBEXEC=tomb'
+  '';
+
+  installPhase = ''
+    install -Dm755 tomb $out/bin/tomb
+    install -Dm644 doc/tomb.1 $out/share/man/man1/tomb.1
+
+    wrapProgram $out/bin/tomb \
+      --prefix PATH : $out/bin:${lib.makeBinPath [
+          coreutils
+          cryptsetup
+          e2fsprogs
+          file
+          gawk
+          getent
+          gettext
+          gnugrep
+          gnupg
+          libargon2
+          lsof
+          pinentry
+          util-linux
+        ]}
+  '';
+
+  passthru = {
+    updateScript = nix-update-script { };
+  };
+
+  meta = with lib; {
+    description = "File encryption on GNU/Linux";
+    homepage = "https://www.dyne.org/software/tomb/";
+    changelog = "https://github.com/dyne/Tomb/blob/v${version}/ChangeLog.md";
+    license = licenses.gpl3Only;
+    mainProgram = "tomb";
+    maintainers = with maintainers; [ peterhoeg anthonyroussel ];
+    platforms = platforms.linux;
+  };
+}
diff --git a/nixpkgs/pkgs/os-specific/linux/tp_smapi/default.nix b/nixpkgs/pkgs/os-specific/linux/tp_smapi/default.nix
new file mode 100644
index 000000000000..d9c5921d4655
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/tp_smapi/default.nix
@@ -0,0 +1,67 @@
+{ stdenv
+, lib
+, fetchFromGitHub
+, fetchpatch
+, kernel
+, writeScript
+, coreutils
+, gnugrep
+, jq
+, curl
+, common-updater-scripts
+, runtimeShell
+}:
+
+stdenv.mkDerivation rec {
+  name = "tp_smapi-${version}-${kernel.version}";
+  version = "0.43";
+
+  src = fetchFromGitHub {
+    owner = "linux-thinkpad";
+    repo = "tp_smapi";
+    rev = "tp-smapi/${version}";
+    sha256 = "1rjb0njckczc2mj05cagvj0lkyvmyk6bw7wkiinv81lw8m90g77g";
+  };
+
+  patches = [
+    # update DEFINE_SEMAPHORE usage for linux 6.4+
+    # https://github.com/linux-thinkpad/tp_smapi/pull/45
+    (fetchpatch {
+      url = "https://github.com/linux-thinkpad/tp_smapi/commit/0c3398b1acf2a2cabd9cee91dc3fe3d35805fa8b.patch";
+      hash = "sha256-J/WvijrpHGwFOZMMxnHdNin5eh8vViTcNb4nwsCqsLs=";
+    })
+  ];
+
+  nativeBuildInputs = kernel.moduleBuildDependencies;
+
+  hardeningDisable = [ "pic" ];
+
+  makeFlags = [
+    "KBASE=${kernel.dev}/lib/modules/${kernel.modDirVersion}"
+    "SHELL=${stdenv.shell}"
+    "HDAPS=1"
+  ];
+
+  installPhase = ''
+    install -v -D -m 644 thinkpad_ec.ko "$out/lib/modules/${kernel.modDirVersion}/kernel/drivers/firmware/thinkpad_ec.ko"
+    install -v -D -m 644 tp_smapi.ko "$out/lib/modules/${kernel.modDirVersion}/kernel/drivers/firmware/tp_smapi.ko"
+    install -v -D -m 644 hdaps.ko "$out/lib/modules/${kernel.modDirVersion}/kernel/drivers/firmware/hdapsd.ko"
+  '';
+
+  dontStrip = true;
+
+  enableParallelBuilding = true;
+
+  passthru.updateScript = import ./update.nix {
+    inherit lib writeScript coreutils gnugrep jq curl common-updater-scripts runtimeShell;
+  };
+
+  meta = {
+    description = "IBM ThinkPad hardware functions driver";
+    homepage = "https://github.com/linux-thinkpad/tp_smapi";
+    license = lib.licenses.gpl2;
+    maintainers = [ ];
+    # driver is only ment for linux thinkpads i think  bellow platforms should cover it.
+    platforms = [ "x86_64-linux" "i686-linux" ];
+  };
+}
diff --git a/nixpkgs/pkgs/os-specific/linux/tp_smapi/update.nix b/nixpkgs/pkgs/os-specific/linux/tp_smapi/update.nix
new file mode 100644
index 000000000000..65b557e45457
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/tp_smapi/update.nix
@@ -0,0 +1,11 @@
+{ lib, writeScript, coreutils, curl, gnugrep, jq, common-updater-scripts, runtimeShell }:
+
+writeScript "update-tp_smapi" ''
+#!${runtimeShell}
+PATH=${lib.makeBinPath [ common-updater-scripts coreutils curl gnugrep jq ]}
+
+tags=`curl -s https://api.github.com/repos/evgeni/tp_smapi/tags`
+latest_tag=`echo $tags | jq -r '.[] | .name' | grep -oP "^tp-smapi/\K.*" | sort --version-sort | tail -1`
+
+update-source-version linuxPackages.tp_smapi "$latest_tag"
+''
diff --git a/nixpkgs/pkgs/os-specific/linux/tpacpi-bat/default.nix b/nixpkgs/pkgs/os-specific/linux/tpacpi-bat/default.nix
new file mode 100644
index 000000000000..455a36eb7aeb
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/tpacpi-bat/default.nix
@@ -0,0 +1,34 @@
+{ lib, stdenv, fetchFromGitHub, perl, kmod, coreutils }:
+
+# Requires the acpi_call kernel module in order to run.
+stdenv.mkDerivation rec {
+  pname = "tpacpi-bat";
+  version = "3.2";
+
+  src = fetchFromGitHub {
+    owner = "teleshoes";
+    repo = "tpacpi-bat";
+    rev = "v${version}";
+    sha256 = "sha256-9XnvVNdgB5VeI3juZfc8N5weEyULXuqu1IDChZfQqFk=";
+  };
+
+  buildInputs = [ perl ];
+
+  installPhase = ''
+    mkdir -p $out/bin
+    cp tpacpi-bat $out/bin
+  '';
+
+  postPatch = ''
+    substituteInPlace tpacpi-bat \
+      --replace modprobe ${kmod}/bin/modprobe \
+      --replace cat ${coreutils}/bin/cat
+  '';
+
+  meta = {
+    maintainers = [lib.maintainers.orbekk];
+    platforms = lib.platforms.linux;
+    description = "Tool to set battery charging thresholds on Lenovo Thinkpad";
+    license = lib.licenses.gpl3Plus;
+  };
+}
diff --git a/nixpkgs/pkgs/os-specific/linux/trace-cmd/default.nix b/nixpkgs/pkgs/os-specific/linux/trace-cmd/default.nix
new file mode 100644
index 000000000000..371f66856de5
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/trace-cmd/default.nix
@@ -0,0 +1,64 @@
+{ lib, stdenv, fetchgit, pkg-config, asciidoc, xmlto, docbook_xsl, docbook_xml_dtd_45, libxslt, libtraceevent, libtracefs, zstd, sourceHighlight }:
+stdenv.mkDerivation rec {
+  pname = "trace-cmd";
+  version = "3.2";
+
+  src = fetchgit {
+    url    = "https://git.kernel.org/pub/scm/utils/trace-cmd/trace-cmd.git/";
+    rev    = "trace-cmd-v${version}";
+    sha256 = "sha256-KlykIYF4uy1phgWRG5j76FJqgO7XhNnyrTDVTs8YOXY=";
+  };
+
+  # Don't build and install html documentation
+  postPatch = ''
+    sed -i -e '/^all:/ s/html//' -e '/^install:/ s/install-html//' \
+       Documentation{,/trace-cmd,/libtracecmd}/Makefile
+    patchShebangs check-manpages.sh
+  '';
+
+  nativeBuildInputs = [ asciidoc libxslt pkg-config xmlto docbook_xsl docbook_xml_dtd_45 sourceHighlight ];
+
+  buildInputs = [ libtraceevent libtracefs zstd ];
+
+  outputs = [ "out" "lib" "dev" "man" "devman" ];
+
+  MANPAGE_DOCBOOK_XSL="${docbook_xsl}/xml/xsl/docbook/manpages/docbook.xsl";
+
+  dontConfigure = true;
+
+  enableParallelBuilding = true;
+  makeFlags = [
+    # The following values appear in the generated .pc file
+    "prefix=${placeholder "lib"}"
+  ];
+
+  # We do not mention targets (like "doc") explicitly in makeFlags
+  # because the Makefile would not print warnings about too old
+  # libraries (see "warning:" in the Makefile)
+  postBuild = ''
+    make libs doc -j$NIX_BUILD_CORES
+  '';
+
+  installTargets = [
+    "install_cmd"
+    "install_libs"
+    "install_doc"
+  ];
+  installFlags = [
+    "LDCONFIG=false"
+    "bindir=${placeholder "out"}/bin"
+    "mandir=${placeholder "man"}/share/man"
+    "libdir=${placeholder "lib"}/lib"
+    "pkgconfig_dir=${placeholder "dev"}/lib/pkgconfig"
+    "includedir=${placeholder "dev"}/include"
+    "BASH_COMPLETE_DIR=${placeholder "out"}/share/bash-completion/completions"
+  ];
+
+  meta = with lib; {
+    description = "User-space tools for the Linux kernel ftrace subsystem";
+    homepage    = "https://www.trace-cmd.org/";
+    license     = with licenses; [ lgpl21Only gpl2Only ];
+    platforms   = platforms.linux;
+    maintainers = with maintainers; [ thoughtpolice basvandijk wentasah ];
+  };
+}
diff --git a/nixpkgs/pkgs/os-specific/linux/trace-cmd/kernelshark.nix b/nixpkgs/pkgs/os-specific/linux/trace-cmd/kernelshark.nix
new file mode 100644
index 000000000000..23ebbae8d1cb
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/trace-cmd/kernelshark.nix
@@ -0,0 +1,36 @@
+{ lib, mkDerivation, fetchgit, qtbase, cmake, asciidoc
+, docbook_xsl, json_c, mesa_glu, freeglut, trace-cmd, pkg-config
+, libtraceevent, libtracefs, freefont_ttf
+}:
+
+mkDerivation rec {
+  pname = "kernelshark";
+  version = "2.2.1";
+
+  src = fetchgit {
+    url = "https://git.kernel.org/pub/scm/utils/trace-cmd/kernel-shark.git/";
+    rev = "kernelshark-v${version}";
+    hash = "sha256-V25IzPDOt6V03wgIa/AJ0T8mRaGmXYuMCcvbSOKleY0=";
+  };
+
+  outputs = [ "out" ];
+
+  nativeBuildInputs = [ pkg-config cmake ];
+
+  buildInputs = [ qtbase json_c mesa_glu freeglut libtraceevent libtracefs trace-cmd ];
+
+  cmakeFlags = [
+    "-D_INSTALL_PREFIX=${placeholder "out"}"
+    "-D_POLKIT_INSTALL_PREFIX=${placeholder "out"}"
+    "-DPKG_CONGIG_DIR=${placeholder "out"}/lib/pkgconfig"
+    "-DTT_FONT_FILE=${freefont_ttf}/share/fonts/truetype/FreeSans.ttf"
+  ];
+
+  meta = with lib; {
+    description = "GUI for trace-cmd which is an interface for the Linux kernel ftrace subsystem";
+    homepage    = "https://kernelshark.org/";
+    license     = licenses.gpl2;
+    platforms   = platforms.linux;
+    maintainers = with maintainers; [ basvandijk ];
+  };
+}
diff --git a/nixpkgs/pkgs/os-specific/linux/trelay/Makefile b/nixpkgs/pkgs/os-specific/linux/trelay/Makefile
new file mode 100644
index 000000000000..3206728dfbf7
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/trelay/Makefile
@@ -0,0 +1,14 @@
+KERNELRELEASE ?= $(shell uname -r)
+KERNEL_DIR  ?= /lib/modules/$(KERNELRELEASE)/build
+PWD := $(shell pwd)
+
+obj-m := trelay.o
+
+all:
+	$(MAKE) -C $(KERNEL_DIR) M=$(PWD) modules
+
+install:
+	$(MAKE) -C $(KERNEL_DIR) M=$(PWD) modules_install
+
+clean:
+	$(MAKE) -C $(KERNEL_DIR) M=$(PWD) clean
diff --git a/nixpkgs/pkgs/os-specific/linux/trelay/default.nix b/nixpkgs/pkgs/os-specific/linux/trelay/default.nix
new file mode 100644
index 000000000000..aea5b57dfca1
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/trelay/default.nix
@@ -0,0 +1,46 @@
+{ stdenv, lib, fetchgit, kernel, kmod }:
+let
+  version = "22.03.5";
+in
+stdenv.mkDerivation (finalAttrs: {
+  pname = "trelay";
+  version = "${version}-${kernel.version}";
+
+  src = fetchgit {
+    url = "https://git.openwrt.org/openwrt/openwrt.git";
+    rev = "v${version}";
+    hash = "sha256-5f9LvaZUxtfTpTR268QMkEmHUpn/nct+MVa44SBGT5c=";
+    sparseCheckout = [ "package/kernel/trelay/src" ];
+  };
+
+  sourceRoot = "${finalAttrs.src.name}/package/kernel/trelay/src";
+  hardeningDisable = [ "pic" "format" ];
+  nativeBuildInputs = [ kmod ] ++ kernel.moduleBuildDependencies;
+
+  postPatch = ''
+    cp '${./Makefile}' Makefile
+  '';
+
+  makeFlags = kernel.makeFlags ++ [
+    "KERNELRELEASE=${kernel.modDirVersion}"
+    "KERNEL_DIR=${kernel.dev}/lib/modules/${kernel.modDirVersion}/build"
+    "INSTALL_MOD_PATH=$(out)"
+  ];
+
+  meta = with lib; {
+    description = "For relaying IP packets between two devices to build a IP bridge between them";
+    longDescription = ''
+      A kernel module that relays ethernet packets between two devices (similar to a bridge),
+      but without any MAC address checks.
+
+      This makes it possible to bridge client mode or ad-hoc mode wifi devices to ethernet VLANs,
+      assuming the remote end uses the same source MAC address as the device that packets are
+      supposed to exit from.
+    '';
+    homepage = "https://github.com/openwrt/openwrt/tree/main/package/kernel/trelay";
+    license = licenses.gpl2Plus;
+    maintainers = [ maintainers.aprl ];
+    platforms = platforms.linux;
+    broken = lib.versionOlder kernel.version "5.10";
+  };
+})
diff --git a/nixpkgs/pkgs/os-specific/linux/trezor-udev-rules/default.nix b/nixpkgs/pkgs/os-specific/linux/trezor-udev-rules/default.nix
new file mode 100644
index 000000000000..e5d20171c5cb
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/trezor-udev-rules/default.nix
@@ -0,0 +1,33 @@
+{ lib, stdenv, fetchurl }:
+
+stdenv.mkDerivation rec {
+  pname = "trezor-udev-rules";
+  version = "unstable-2019-07-17";
+
+  udevRules = fetchurl {
+    # let's pin the latest commit in the repo which touched the udev rules file
+    url = "https://raw.githubusercontent.com/trezor/trezor-firmware/68a3094b0a8e36b588b1bcb58c34a2c9eafc0dca/common/udev/51-trezor.rules";
+    sha256 = "0vlxif89nsqpbnbz1vwfgpl1zayzmq87gw1snskn0qns6x2rpczk";
+  };
+
+  dontUnpack = true;
+
+  installPhase = ''
+    cp ${udevRules} 51-trezor.rules
+    mkdir -p $out/lib/udev/rules.d
+    # we use trezord group, not plugdev
+    # we don't need the udev-acl tag
+    substituteInPlace 51-trezor.rules \
+      --replace 'GROUP="plugdev"' 'GROUP="trezord"' \
+      --replace ', TAG+="udev-acl"' ""
+    cp 51-trezor.rules $out/lib/udev/rules.d/51-trezor.rules
+  '';
+
+  meta = with lib; {
+    description = "Udev rules for Trezor";
+    license = licenses.gpl3;
+    maintainers = with maintainers; [ prusnak ];
+    platforms = platforms.linux;
+    homepage = "https://github.com/trezor/trezor-firmware/tree/master/common/udev";
+  };
+}
diff --git a/nixpkgs/pkgs/os-specific/linux/trinity/default.nix b/nixpkgs/pkgs/os-specific/linux/trinity/default.nix
new file mode 100644
index 000000000000..e0ab2b2802f1
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/trinity/default.nix
@@ -0,0 +1,30 @@
+{ lib, stdenv, fetchFromGitHub }:
+
+stdenv.mkDerivation rec {
+  pname = "trinity";
+  version = "1.9-unstable-2023-07-10";
+
+  src = fetchFromGitHub {
+    owner = "kernelslacker";
+    repo = "trinity";
+    rev = "e71872454d26baf37ae1d12e9b04a73d64179555";
+    hash = "sha256-Zy+4L1CuB2Ul5iF+AokDkAW1wheDzoCTNkvRZFGRNps=";
+  };
+
+  postPatch = ''
+    patchShebangs configure
+    patchShebangs scripts
+  '';
+
+  enableParallelBuilding = true;
+
+  installFlags = [ "DESTDIR=$(out)" ];
+
+  meta = with lib; {
+    description = "A Linux System call fuzz tester";
+    homepage = "https://github.com/kernelslacker/trinity";
+    license = licenses.gpl2Only;
+    maintainers = [ maintainers.dezgeg ];
+    platforms = platforms.linux;
+  };
+}
diff --git a/nixpkgs/pkgs/os-specific/linux/tuna/default.nix b/nixpkgs/pkgs/os-specific/linux/tuna/default.nix
new file mode 100644
index 000000000000..0e621a24f081
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/tuna/default.nix
@@ -0,0 +1,62 @@
+{ lib
+, buildPythonApplication
+, fetchgit
+, pygobject3
+, pytestCheckHook
+, gdk-pixbuf
+, glib
+, gobject-introspection
+, gtk3
+, python-linux-procfs
+, python-ethtool
+, wrapGAppsHook
+}:
+
+buildPythonApplication rec {
+  pname = "tuna";
+  version = "0.15";
+
+  src = fetchgit {
+    url = "https://git.kernel.org/pub/scm/utils/${pname}/${pname}.git";
+    rev = "v${version}";
+    sha256 = "sha256-lRHlbdCQ0NcjcWgLvCze67kN8NsK0f5RmKfPbkHhk78=";
+  };
+
+  patchPhase = ''
+    mv tuna-cmd.py tuna/cmd.py
+
+    substituteInPlace setup.py \
+      --replace 'packages = ["tuna", "tuna/gui"],' \
+                'packages = ["tuna", "tuna/gui"], entry_points={"console_scripts":["tuna=tuna.cmd:main"]},'
+
+    substituteInPlace tuna/tuna_gui.py \
+      --replace "self.binpath + 'pkexec'" "'/run/wrappers/bin/pkexec'" \
+      --replace 'tuna_glade_dirs = [".", "tuna", "/usr/share/tuna"]' "tuna_glade_dirs = [ \"$out/share/tuna\" ]"
+  '';
+
+  nativeBuildInputs = [
+    glib.dev
+    gobject-introspection
+    gtk3
+    wrapGAppsHook
+  ];
+
+  propagatedBuildInputs = [ pygobject3 python-linux-procfs python-ethtool ];
+
+  postInstall = ''
+    mkdir -p $out/share/tuna
+    cp tuna/tuna_gui.glade $out/share/tuna/
+  '';
+
+  # contains no tests
+  doCheck = false;
+  pythonImportsCheck = [ "tuna" ];
+
+  meta = with lib; {
+    description = "Thread and IRQ affinity setting GUI and cmd line tool";
+    homepage = "https://git.kernel.org/pub/scm/utils/tuna/tuna.git";
+    license = licenses.gpl2Plus;
+    platforms = platforms.linux;
+    maintainers = with maintainers; [ elohmeier ];
+  };
+}
diff --git a/nixpkgs/pkgs/os-specific/linux/tunctl/default.nix b/nixpkgs/pkgs/os-specific/linux/tunctl/default.nix
new file mode 100644
index 000000000000..e71e349a2516
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/tunctl/default.nix
@@ -0,0 +1,24 @@
+{lib, stdenv, fetchurl}:
+
+stdenv.mkDerivation rec {
+  pname = "tunctl";
+  version = "1.5";
+
+  src = fetchurl {
+    url = "mirror://sourceforge/tunctl/tunctl-${version}.tar.gz";
+    sha256 = "aa2a6c4cc6bfacb11e0d9f62334a6638a0d435475c61230116f00b6af8b14fff";
+  };
+
+  makeFlags = [ "tunctl" ];
+  installPhase = ''
+    mkdir -p $out/bin
+    cp tunctl $out/bin
+  '';
+
+  meta = {
+    homepage = "https://tunctl.sourceforge.net/";
+    description = "Utility to set up and maintain TUN/TAP network interfaces";
+    license = lib.licenses.gpl2;
+    platforms = lib.platforms.linux;
+  };
+}
diff --git a/nixpkgs/pkgs/os-specific/linux/turbostat/default.nix b/nixpkgs/pkgs/os-specific/linux/turbostat/default.nix
new file mode 100644
index 000000000000..fb1bcf582fba
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/turbostat/default.nix
@@ -0,0 +1,21 @@
+{ lib, stdenv, kernel, libcap }:
+
+stdenv.mkDerivation {
+  pname = "turbostat";
+  inherit (kernel) src version;
+
+  buildInputs = [ libcap ];
+  makeFlags = [ "PREFIX=${placeholder "out"}" ];
+
+  postPatch = ''
+    cd tools/power/x86/turbostat
+  '';
+
+  meta = with lib; {
+    description = "Report processor frequency and idle statistics";
+    homepage = "https://www.kernel.org/";
+    license = licenses.gpl2;
+    platforms = [ "i686-linux" "x86_64-linux" ]; # x86-specific
+  };
+}
+
diff --git a/nixpkgs/pkgs/os-specific/linux/tuxedo-keyboard/default.nix b/nixpkgs/pkgs/os-specific/linux/tuxedo-keyboard/default.nix
new file mode 100644
index 000000000000..353857de320d
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/tuxedo-keyboard/default.nix
@@ -0,0 +1,47 @@
+{ lib, stdenv, fetchFromGitHub, kernel, linuxHeaders, pahole }:
+
+stdenv.mkDerivation (finalAttrs: {
+  pname = "tuxedo-keyboard-${kernel.version}";
+  version = "3.2.7";
+
+  src = fetchFromGitHub {
+    owner = "tuxedocomputers";
+    repo = "tuxedo-keyboard";
+    rev = "v${finalAttrs.version}";
+    hash = "sha256-Q0wnejeLGLSDS0GPxQuYUKCAdzbYA66KT0DuWsEKIRs=";
+  };
+
+  buildInputs = [
+    pahole
+    linuxHeaders
+  ];
+
+  makeFlags = [ "KDIR=${kernel.dev}/lib/modules/${kernel.modDirVersion}/build" ];
+
+  installPhase = ''
+    runHook preInstall
+
+    mkdir -p "$out/lib/modules/${kernel.modDirVersion}"
+
+    for module in clevo_acpi.ko clevo_wmi.ko tuxedo_keyboard.ko tuxedo_io/tuxedo_io.ko uniwill_wmi.ko; do
+        mv src/$module $out/lib/modules/${kernel.modDirVersion}
+    done
+
+    runHook postInstall
+  '';
+
+  meta = {
+    broken = stdenv.isAarch64 || (lib.versionOlder kernel.version "5.5");
+    description = "Keyboard and hardware I/O driver for TUXEDO Computers laptops";
+    homepage = "https://github.com/tuxedocomputers/tuxedo-keyboard/";
+    license = lib.licenses.gpl3Plus;
+    longDescription = ''
+      This driver provides support for Fn keys, brightness/color/mode for most TUXEDO
+      keyboards (except white backlight-only models).
+
+      Can be used with the "hardware.tuxedo-keyboard" NixOS module.
+    '';
+    maintainers = [ lib.maintainers.blanky0230 ];
+    platforms = lib.platforms.linux;
+  };
+})
diff --git a/nixpkgs/pkgs/os-specific/linux/tuxedo-rs/default.nix b/nixpkgs/pkgs/os-specific/linux/tuxedo-rs/default.nix
new file mode 100644
index 000000000000..04c1518aab83
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/tuxedo-rs/default.nix
@@ -0,0 +1,47 @@
+{ lib
+, fetchFromGitHub
+, rustPlatform
+}:
+let
+
+  # NOTE: This src is shared with tailor-gui.
+  # When updating, the tailor-gui.cargoDeps hash needs to be updated.
+  src = fetchFromGitHub {
+    owner = "AaronErhardt";
+    repo = "tuxedo-rs";
+    rev = "74b863e6dcb1ec2e6c8fb02c16bb6f23b59e67f6";
+    hash = "sha256-Yujki2vGzaT8Ze5Usk8FPg8bn86MvyyPTiWuWwEw7Xs=";
+  };
+
+in
+rustPlatform.buildRustPackage {
+  pname = "tuxedo-rs";
+  version = "0.2.3";
+
+  inherit src;
+
+  # Some of the tests are impure and rely on files in /etc/tailord
+  doCheck = false;
+
+  cargoHash = "sha256-uYt442u/BIzw/lBu18LrsJf5D46oUOFzBJ5pUjCpK6w=";
+
+  postInstall = ''
+    install -Dm444 tailord/com.tux.Tailor.conf -t $out/share/dbus-1/system.d
+  '';
+
+  meta = with lib; {
+    description = "Rust utilities for interacting with hardware from TUXEDO Computers";
+    longDescription = ''
+      An alternative to the TUXEDO Control Center daemon.
+
+      Contains the following binaries:
+      - tailord: Daemon handling fan, keyboard and general HW support for Tuxedo laptops
+      - tailor: CLI
+    '';
+    homepage = "https://github.com/AaronErhardt/tuxedo-rs";
+    license = licenses.gpl2Plus;
+    maintainers = with maintainers; [ mrcjkb ];
+    platforms = platforms.linux;
+  };
+}
+
diff --git a/nixpkgs/pkgs/os-specific/linux/udisks/2-default.nix b/nixpkgs/pkgs/os-specific/linux/udisks/2-default.nix
new file mode 100644
index 000000000000..11b2ed28fb3f
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/udisks/2-default.nix
@@ -0,0 +1,98 @@
+{ lib, stdenv, fetchFromGitHub, substituteAll, pkg-config, gnused, autoreconfHook
+, gtk-doc, acl, systemd, glib, libatasmart, polkit, coreutils, bash, which
+, expat, libxslt, docbook_xsl, util-linux, mdadm, libgudev, libblockdev, parted
+, gobject-introspection, docbook_xml_dtd_412, docbook_xml_dtd_43
+, xfsprogs, f2fs-tools, dosfstools, e2fsprogs, btrfs-progs, exfat, nilfs-utils, ntfs3g
+, nixosTests
+}:
+
+stdenv.mkDerivation rec {
+  pname = "udisks";
+  version = "2.10.1";
+
+  src = fetchFromGitHub {
+    owner = "storaged-project";
+    repo = "udisks";
+    rev = "${pname}-${version}";
+    sha256 = "sha256-L8jr1+SJWsCizkPXC8VKDy2eVa7/FpqdB8SkBYq6vwc=";
+  };
+
+  outputs = [ "out" "man" "dev" ] ++ lib.optional (stdenv.hostPlatform == stdenv.buildPlatform) "devdoc";
+
+  patches = [
+    (substituteAll {
+      src = ./fix-paths.patch;
+      bash = "${bash}/bin/bash";
+      false = "${coreutils}/bin/false";
+      mdadm = "${mdadm}/bin/mdadm";
+      mkswap = "${util-linux}/bin/mkswap";
+      sed = "${gnused}/bin/sed";
+      sh = "${bash}/bin/sh";
+      sleep = "${coreutils}/bin/sleep";
+      swapon = "${util-linux}/bin/swapon";
+      true = "${coreutils}/bin/true";
+    })
+    (substituteAll {
+      src = ./force-path.patch;
+      path = lib.makeBinPath [
+        btrfs-progs coreutils dosfstools e2fsprogs exfat f2fs-tools nilfs-utils
+        xfsprogs ntfs3g parted util-linux
+      ];
+    })
+  ];
+
+  strictDeps = true;
+  # pkg-config had to be in both to find gtk-doc and gobject-introspection
+  depsBuildBuild = [ pkg-config ];
+  nativeBuildInputs = [
+    autoreconfHook which gobject-introspection pkg-config
+    gtk-doc libxslt docbook_xml_dtd_412 docbook_xml_dtd_43 docbook_xsl
+  ];
+
+  postPatch = lib.optionalString stdenv.hostPlatform.isMusl ''
+      substituteInPlace udisks/udisksclient.c \
+        --replace 'defined( __GNUC_PREREQ)' 1 \
+        --replace '__GNUC_PREREQ(4,6)' 1
+  '';
+
+  buildInputs = [
+    expat libgudev libblockdev acl systemd glib libatasmart polkit util-linux
+  ];
+
+  preConfigure = "NOCONFIGURE=1 ./autogen.sh";
+
+  configureFlags = [
+    (lib.enableFeature (stdenv.buildPlatform == stdenv.hostPlatform) "gtk-doc")
+    "--sysconfdir=/etc"
+    "--localstatedir=/var"
+    "--with-systemdsystemunitdir=$(out)/etc/systemd/system"
+    "--with-udevdir=$(out)/lib/udev"
+    "--with-tmpfilesdir=no"
+  ];
+
+  makeFlags = [
+    "INTROSPECTION_GIRDIR=$(dev)/share/gir-1.0"
+    "INTROSPECTION_TYPELIBDIR=$(out)/lib/girepository-1.0"
+  ];
+
+  installFlags = [
+    "sysconfdir=${placeholder "out"}/etc"
+  ];
+
+  enableParallelBuilding = true;
+
+  doCheck = true;
+
+  passthru = {
+    inherit libblockdev;
+    tests.vm = nixosTests.udisks2;
+  };
+
+  meta = with lib; {
+    description = "A daemon, tools and libraries to access and manipulate disks, storage devices and technologies";
+    homepage = "https://www.freedesktop.org/wiki/Software/udisks/";
+    license = with licenses; [ lgpl2Plus gpl2Plus ]; # lgpl2Plus for the library, gpl2Plus for the tools & daemon
+    maintainers = teams.freedesktop.members ++ (with maintainers; [ johnazoidberg ]);
+    platforms = platforms.linux;
+  };
+}
diff --git a/nixpkgs/pkgs/os-specific/linux/udisks/fix-paths.patch b/nixpkgs/pkgs/os-specific/linux/udisks/fix-paths.patch
new file mode 100644
index 000000000000..76d44b96d551
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/udisks/fix-paths.patch
@@ -0,0 +1,69 @@
+diff --git a/data/80-udisks2.rules b/data/80-udisks2.rules
+index ca802cce..bfd1c29e 100644
+--- a/data/80-udisks2.rules
++++ b/data/80-udisks2.rules
+@@ -17,9 +17,9 @@ ENV{DM_UDEV_DISABLE_OTHER_RULES_FLAG}=="?*", GOTO="udisks_probe_end"
+ #
+ # TODO: file bug against mdadm(8) to have --export-prefix option that can be used with e.g. UDISKS_MD_MEMBER
+ #
+-SUBSYSTEM=="block", ENV{ID_FS_USAGE}=="raid", ENV{ID_FS_TYPE}=="linux_raid_member", ENV{UDISKS_MD_MEMBER_LEVEL}=="", IMPORT{program}="/bin/sh -c '/sbin/mdadm --examine --export $tempnode | /bin/sed s/^MD_/UDISKS_MD_MEMBER_/g'"
++SUBSYSTEM=="block", ENV{ID_FS_USAGE}=="raid", ENV{ID_FS_TYPE}=="linux_raid_member", ENV{UDISKS_MD_MEMBER_LEVEL}=="", IMPORT{program}="@sh@ -c '@mdadm@ --examine --export $tempnode | @sed@ s/^MD_/UDISKS_MD_MEMBER_/g'"
+
+-SUBSYSTEM=="block", KERNEL=="md*", ENV{DEVTYPE}!="partition", IMPORT{program}="/bin/sh -c '/sbin/mdadm --detail --export $tempnode | /bin/sed s/^MD_/UDISKS_MD_/g'"
++SUBSYSTEM=="block", KERNEL=="md*", ENV{DEVTYPE}!="partition", IMPORT{program}="@sh@ -c '@mdadm@ --detail --export $tempnode | @sed@ s/^MD_/UDISKS_MD_/g'"
+
+ LABEL="udisks_probe_end"
+
+diff --git a/src/tests/test.c b/src/tests/test.c
+index 3ddbdf2c..a87f960a 100644
+--- a/src/tests/test.c
++++ b/src/tests/test.c
+@@ -71,7 +71,7 @@ test_spawned_job_successful (void)
+ {
+   UDisksSpawnedJob *job;
+
+-  job = udisks_spawned_job_new ("/bin/true", NULL, getuid (), geteuid (), NULL, NULL);
++  job = udisks_spawned_job_new ("@true@", NULL, getuid (), geteuid (), NULL, NULL);
+   udisks_spawned_job_start (job);
+   _g_assert_signal_received (job, "completed", G_CALLBACK (on_completed_expect_success), NULL);
+   g_object_unref (job);
+@@ -84,10 +84,10 @@ test_spawned_job_failure (void)
+ {
+   UDisksSpawnedJob *job;
+
+-  job = udisks_spawned_job_new ("/bin/false", NULL, getuid (), geteuid (), NULL, NULL);
++  job = udisks_spawned_job_new ("@false@", NULL, getuid (), geteuid (), NULL, NULL);
+   udisks_spawned_job_start (job);
+   _g_assert_signal_received (job, "completed", G_CALLBACK (on_completed_expect_failure),
+-                             (gpointer) "Command-line `/bin/false' exited with non-zero exit status 1: ");
++                             (gpointer) "Command-line `@false@' exited with non-zero exit status 1: ");
+   g_object_unref (job);
+ }
+
+@@ -119,7 +119,7 @@ test_spawned_job_cancelled_at_start (void)
+
+   cancellable = g_cancellable_new ();
+   g_cancellable_cancel (cancellable);
+-  job = udisks_spawned_job_new ("/bin/true", NULL, getuid (), geteuid (), NULL, cancellable);
++  job = udisks_spawned_job_new ("@true@", NULL, getuid (), geteuid (), NULL, cancellable);
+   udisks_spawned_job_start (job);
+   _g_assert_signal_received (job, "completed", G_CALLBACK (on_completed_expect_failure),
+                              (gpointer) "Operation was cancelled (g-io-error-quark, 19)");
+@@ -144,7 +144,7 @@ test_spawned_job_cancelled_midway (void)
+   GCancellable *cancellable;
+
+   cancellable = g_cancellable_new ();
+-  job = udisks_spawned_job_new ("/bin/sleep 0.5", NULL, getuid (), geteuid (), NULL, cancellable);
++  job = udisks_spawned_job_new ("@sleep@ 0.5", NULL, getuid (), geteuid (), NULL, cancellable);
+   udisks_spawned_job_start (job);
+   g_timeout_add (10, on_timeout, cancellable); /* 10 msec */
+   _g_assert_signal_received (job, "completed", G_CALLBACK (on_completed_expect_failure),
+@@ -197,7 +197,7 @@ test_spawned_job_premature_termination (void)
+ {
+   UDisksSpawnedJob *job;
+
+-  job = udisks_spawned_job_new ("/bin/sleep 1000", NULL, getuid (), geteuid (), NULL, NULL /* GCancellable */);
++  job = udisks_spawned_job_new ("@sleep@ 1000", NULL, getuid (), geteuid (), NULL, NULL /* GCancellable */);
+   udisks_spawned_job_start (job);
+   g_object_unref (job);
+ }
diff --git a/nixpkgs/pkgs/os-specific/linux/udisks/force-path.patch b/nixpkgs/pkgs/os-specific/linux/udisks/force-path.patch
new file mode 100644
index 000000000000..741f53544bee
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/udisks/force-path.patch
@@ -0,0 +1,17 @@
+diff --git a/src/main.c b/src/main.c
+index b4dbf9e0..3171fa34 100644
+--- a/src/main.c
++++ b/src/main.c
+@@ -144,8 +144,7 @@ main (int    argc,
+       g_setenv("G_MESSAGES_DEBUG", "udisks", FALSE);
+     }
+ 
+-  if (g_getenv ("PATH") == NULL)
+-    g_setenv ("PATH", "/usr/bin:/bin:/usr/sbin:/sbin", TRUE);
++  g_setenv ("PATH", "@path@", TRUE);
+ 
+   udisks_notice ("udisks daemon version %s starting", PACKAGE_VERSION);
+ 
+-- 
+2.33.1
+
diff --git a/nixpkgs/pkgs/os-specific/linux/uhk-agent/default.nix b/nixpkgs/pkgs/os-specific/linux/uhk-agent/default.nix
new file mode 100644
index 000000000000..fe01cecc8cc7
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/uhk-agent/default.nix
@@ -0,0 +1,73 @@
+{ lib
+, stdenvNoCC
+, fetchurl
+, appimageTools
+, electron
+, makeWrapper
+, asar
+, autoPatchelfHook
+, libusb1
+}:
+
+let
+  pname = "uhk-agent";
+  version = "3.2.0";
+
+  src = fetchurl {
+    url = "https://github.com/UltimateHackingKeyboard/agent/releases/download/v${version}/UHK.Agent-${version}-linux-x86_64.AppImage";
+    name = "${pname}-${version}.AppImage";
+    sha256 = "sha256-YMm84jKtWz5DeGJhBlmo2hlIy4iarEvWylgAWY/itII=";
+  };
+
+  appimageContents = appimageTools.extract {
+    name = "${pname}-${version}";
+    inherit src;
+  };
+in
+stdenvNoCC.mkDerivation {
+  inherit pname version src;
+
+  dontUnpack = true;
+
+  nativeBuildInputs = [
+    asar
+    makeWrapper
+    autoPatchelfHook
+  ];
+
+  buildInputs = [
+    libusb1
+  ];
+
+  installPhase = ''
+    runHook preInstall
+
+    mkdir -p "$out"/{opt,share/applications}
+
+    cp -r --no-preserve=mode "${appimageContents}/resources"        "$out/opt/${pname}"
+    cp -r --no-preserve=mode "${appimageContents}/usr/share/icons"  "$out/share/icons"
+    cp -r --no-preserve=mode "${appimageContents}/${pname}.desktop" "$out/share/applications/${pname}.desktop"
+
+    substituteInPlace "$out/share/applications/${pname}.desktop" \
+      --replace "Exec=AppRun" "Exec=${pname}"
+
+    asar extract "$out/opt/${pname}/app.asar" "$out/opt/${pname}/app.asar.unpacked"
+    rm           "$out/opt/${pname}/app.asar"
+
+    makeWrapper "${electron}/bin/electron" "$out/bin/${pname}" \
+      --add-flags "$out/opt/${pname}/app.asar.unpacked" \
+      --add-flags "\''${NIXOS_OZONE_WL:+\''${WAYLAND_DISPLAY:+--ozone-platform-hint=auto --enable-features=WaylandWindowDecorations}}" \
+      --set-default ELECTRON_IS_DEV 0 \
+      --inherit-argv0
+
+    runHook postInstall
+  '';
+
+  meta = with lib; {
+    description = "Agent is the configuration application of the Ultimate Hacking Keyboard";
+    homepage = "https://github.com/UltimateHackingKeyboard/agent";
+    license = licenses.unfreeRedistributable;
+    maintainers = with maintainers; [ ngiger nickcao ];
+    platforms = [ "x86_64-linux" ];
+  };
+}
diff --git a/nixpkgs/pkgs/os-specific/linux/uhk-udev-rules/default.nix b/nixpkgs/pkgs/os-specific/linux/uhk-udev-rules/default.nix
new file mode 100644
index 000000000000..1b68c46b6571
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/uhk-udev-rules/default.nix
@@ -0,0 +1,20 @@
+{ lib, stdenv, uhk-agent }:
+
+stdenv.mkDerivation {
+  pname = "uhk-udev-rules";
+  inherit (uhk-agent) version;
+
+  dontUnpack = true;
+  dontBuild = true;
+  installPhase = ''
+    runHook preInstall
+    install -D -m 644 ${uhk-agent.out}/opt/uhk-agent/rules/50-uhk60.rules $out/lib/udev/rules.d/50-uhk60.rules
+    runHook postInstall
+  '';
+
+  meta = {
+    description = "udev rules for UHK keyboards from https://ultimatehackingkeyboard.com";
+    inherit (uhk-agent.meta) license;
+    maintainers = [ lib.maintainers.ngiger ];
+  };
+}
diff --git a/nixpkgs/pkgs/os-specific/linux/ulogd/default.nix b/nixpkgs/pkgs/os-specific/linux/ulogd/default.nix
new file mode 100644
index 000000000000..a79a38389e4a
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/ulogd/default.nix
@@ -0,0 +1,78 @@
+{ stdenv, lib, fetchurl, gnumake, libnetfilter_acct, libnetfilter_conntrack
+, libnetfilter_log, libmnl, libnfnetlink, automake, autoconf, autogen, libtool
+, postgresql, libmysqlclient, sqlite
+, pkg-config, libpcap, linuxdoc-tools, autoreconfHook, nixosTests }:
+
+stdenv.mkDerivation rec {
+  version = "2.0.8";
+  pname = "ulogd";
+
+  src = fetchurl {
+    url = "https://netfilter.org/projects/${pname}/files/${pname}-${version}.tar.bz2";
+    hash = "sha256-Tq1sOXDD9X+h6J/i18xIO6b+K9GwhwFSHgs6/WZ98pE=";
+  };
+
+  outputs = [ "out" "doc" "man" ];
+
+  postPatch = ''
+    substituteInPlace ulogd.8 --replace "/usr/share/doc" "$doc/share/doc"
+  '';
+
+  postBuild = ''
+    pushd doc/
+    linuxdoc --backend=txt --filter ulogd.sgml
+    linuxdoc --backend=html --split=0 ulogd.sgml
+    popd
+  '';
+
+  postInstall = ''
+    install -Dm444 -t $out/share/doc/${pname} ulogd.conf doc/ulogd.txt doc/ulogd.html README doc/*table
+    install -Dm444 -t $out/share/doc/${pname}-mysql doc/mysql*.sql
+    install -Dm444 -t $out/share/doc/${pname}-pgsql doc/pgsql*.sql
+  '';
+
+  buildInputs = [
+    libnetfilter_acct
+    libnetfilter_conntrack
+    libnetfilter_log
+    libmnl
+    libnfnetlink
+    libpcap
+    postgresql
+    libmysqlclient
+    sqlite
+  ];
+
+  nativeBuildInputs = [
+    autoreconfHook
+    pkg-config
+    automake
+    autoconf
+    autogen
+    libtool
+    linuxdoc-tools
+  ];
+
+  passthru.tests = { inherit (nixosTests) ulogd; };
+
+  meta = with lib; {
+    description = "Userspace logging daemon for netfilter/iptables";
+
+    longDescription = ''
+      Logging daemon that reads event messages coming from the Netfilter
+      connection tracking, the Netfilter packet logging subsystem and from the
+      Netfilter accounting subsystem. You have to enable support for connection
+      tracking event delivery; ctnetlink and the NFLOG target in your Linux
+      kernel 2.6.x or load their respective modules. The deprecated ULOG target
+      (which has been superseded by NFLOG) is also supported.
+
+      The received messages can be logged into files or into a MySQL, SQLite3
+      or PostgreSQL database. IPFIX and Graphite output are also supported.
+    '';
+
+    homepage = "https://www.netfilter.org/projects/ulogd/index.html";
+    license = licenses.gpl2;
+    platforms = platforms.linux;
+    maintainers = with maintainers; [ p-h ];
+  };
+}
diff --git a/nixpkgs/pkgs/os-specific/linux/ultrablue-server/default.nix b/nixpkgs/pkgs/os-specific/linux/ultrablue-server/default.nix
new file mode 100644
index 000000000000..bb162f1693ba
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/ultrablue-server/default.nix
@@ -0,0 +1,31 @@
+{ lib
+, fetchFromGitHub
+, buildGoModule
+}:
+
+buildGoModule rec {
+  pname = "ultrablue-server";
+  version = "unstable-fosdem2023";
+
+  src = fetchFromGitHub {
+    owner = "ANSSI-FR";
+    repo = "ultrablue";
+    # Do not use a more recent
+    rev = "tags/fosdem-2023";
+    hash = "sha256-rnUbgZI+SycYCDUoSziOy+WxRFvyM3XJWJnk3+t0eb4=";
+    # rev = "6de04af6e353e38c030539c5678e5918f64be37e";
+  };
+
+  sourceRoot = "${src.name}/server";
+
+  vendorHash = "sha256-249LWguTHIF0HNIo8CsE/HWpAtBw4P46VPvlTARLTpw=";
+  doCheck = false;
+
+  meta = with lib; {
+    description = "User-friendly Lightweight TPM Remote Attestation over Bluetooth";
+    homepage = "https://github.com/ANSSI-FR/ultrablue";
+    license = licenses.asl20;
+    platforms = platforms.linux;
+    maintainers = with maintainers; [ raitobezarius ];
+  };
+}
diff --git a/nixpkgs/pkgs/os-specific/linux/undervolt/default.nix b/nixpkgs/pkgs/os-specific/linux/undervolt/default.nix
new file mode 100644
index 000000000000..cc9fb7374658
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/undervolt/default.nix
@@ -0,0 +1,27 @@
+{ lib, fetchFromGitHub, python3Packages }:
+
+python3Packages.buildPythonApplication rec {
+  version = "0.3.0";
+  pname = "undervolt";
+
+  src = fetchFromGitHub {
+    owner = "georgewhewell";
+    repo = "undervolt";
+    rev = version;
+    sha256 = "1aybk8vbb4745raz7rvpkk6b98xrdiwjhkpbv3kwsgsr9sj42lp0";
+  };
+
+  meta = with lib; {
+    homepage = "https://github.com/georgewhewell/undervolt/";
+    description = "A program for undervolting Intel CPUs on Linux";
+
+    longDescription = ''
+      Undervolt is a program for undervolting Intel CPUs under Linux. It works in a similar
+      manner to the Windows program ThrottleStop (i.e, MSR 0x150). You can apply a fixed
+      voltage offset to one of 5 voltage planes, and override your systems temperature
+      target (CPU will throttle when this temperature is reached).
+    '';
+    license = licenses.gpl2;
+    platforms = [ "x86_64-linux" ];
+  };
+}
diff --git a/nixpkgs/pkgs/os-specific/linux/unscd/0001-adjust-socket-paths-for-nixos.patch b/nixpkgs/pkgs/os-specific/linux/unscd/0001-adjust-socket-paths-for-nixos.patch
new file mode 100644
index 000000000000..941b5c90a624
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/unscd/0001-adjust-socket-paths-for-nixos.patch
@@ -0,0 +1,41 @@
+From 9d76d183a97cb667a1ab6d95af69d6db745215df Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Milan=20P=C3=A4ssler?= <milan@petabyte.dev>
+Date: Tue, 1 Jun 2021 16:55:45 +0200
+Subject: [PATCH] adjust socket paths for nixos
+
+The original unscd would crash, because it is not allowed to create its
+legacy socket at /var/run/.nscd_socket.
+
+This socket is only required for very old glibc versions, but removing it
+is currently non-trivial, so we just move it somewhere, where it is
+allowed to be created. A patch has been submitted upstream to make this
+hack unnecessary.
+
+Also change /var/run to /run, since we shouldn't be using /var/run
+anymore.
+---
+ nscd.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/nscd.c b/nscd.c
+index a71e474..0cd7106 100644
+--- a/nscd.c
++++ b/nscd.c
+@@ -2100,10 +2100,10 @@ static void main_loop(void)
+ ** Initialization
+ */
+ 
+-#define NSCD_PIDFILE    "/var/run/nscd/nscd.pid"
+-#define NSCD_DIR        "/var/run/nscd"
+-#define NSCD_SOCKET     "/var/run/nscd/socket"
+-#define NSCD_SOCKET_OLD "/var/run/.nscd_socket"
++#define NSCD_PIDFILE    "/run/nscd/nscd.pid"
++#define NSCD_DIR        "/run/nscd"
++#define NSCD_SOCKET     "/run/nscd/socket"
++#define NSCD_SOCKET_OLD "/run/nscd/socket_legacy"
+ 
+ static smallint wrote_pidfile;
+ 
+-- 
+2.31.1
+
diff --git a/nixpkgs/pkgs/os-specific/linux/unscd/default.nix b/nixpkgs/pkgs/os-specific/linux/unscd/default.nix
new file mode 100644
index 000000000000..82b8c7076271
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/unscd/default.nix
@@ -0,0 +1,76 @@
+{ fetchurl, fetchpatch, stdenv, systemd, lib }:
+
+stdenv.mkDerivation rec {
+  pname = "unscd";
+  version = "0.54";
+
+  src = fetchurl {
+    url = "https://busybox.net/~vda/unscd/nscd-${version}.c";
+    sha256 = "0iv4iwgs3sjnqnwd7dpcw6s7i4ar9q89vgsms32clx14fdqjrqch";
+  };
+
+  unpackPhase = ''
+    runHook preUnpack
+    cp $src nscd.c
+    chmod u+w nscd.c
+    runHook postUnpack
+  '';
+
+  patches = [
+    # Patches from Debian that have not (yet) been included upstream, but are useful to us
+    (fetchpatch {
+      url = "https://sources.debian.org/data/main/u/${pname}/${version}-1/debian/patches/change_invalidate_request_info_output";
+      sha256 = "17whakazpisiq9nnw3zybaf7v3lqkww7n6jkx0igxv4z2r3mby6l";
+    })
+    (fetchpatch {
+      url = "https://sources.debian.org/data/main/u/${pname}/${version}-1/debian/patches/support_large_numbers_in_config";
+      sha256 = "0jrqb4cwclwirpqfb6cvnmiff3sm2jhxnjwxa7h0wx78sg0y3bpp";
+    })
+    (fetchpatch {
+      url = "https://sources.debian.org/data/main/u/${pname}/${version}-1/debian/patches/no_debug_on_invalidate";
+      sha256 = "0znwzb522zgikb0mm7awzpvvmy0wf5z7l3jgjlkdpgj0scxgz86w";
+    })
+    (fetchpatch {
+      url = "https://sources.debian.org/data/main/u/${pname}/${version}-1/debian/patches/notify_systemd_about_successful_startup";
+      sha256 = "1ipwmbfwm65yisy74nig9960vxpjx683l3skgxfgssfx1jb9z2mc";
+    })
+
+    # The original unscd would crash, because it is not allowed to create its
+    # legacy socket at /var/run/.nscd_socket.
+    # This socket is only required for very old glibc versions, but removing it
+    # is currently non-trivial, so we just move it somewhere, where it is
+    # allowed to be created. A patch has been submitted upstream to make this
+    # hack unnecessary.
+    # Also change /var/run to /run, since we shouldn't be using /var/run
+    # anymore.
+    # See also: http://lists.busybox.net/pipermail/busybox/2021-June/088866.html
+    ./0001-adjust-socket-paths-for-nixos.patch
+  ];
+
+  buildInputs = [ systemd ];
+
+  buildPhase = ''
+    runHook preBuild
+    gcc -Wall \
+      -Wl,--sort-section -Wl,alignment \
+      -Wl,--sort-common \
+      -fomit-frame-pointer \
+      -lsystemd \
+      -o nscd nscd.c
+    runHook postBuild
+  '';
+
+  installPhase = ''
+    runHook preInstall
+    install -Dm755 -t $out/bin nscd
+    runHook postInstall
+  '';
+
+  meta = with lib; {
+    homepage = "https://busybox.net/~vda/unscd/";
+    description = "Less buggy replacement for the glibc name service cache daemon";
+    license = licenses.gpl2Only;
+    platforms = platforms.linux;
+    maintainers = with maintainers; [ ];
+  };
+}
diff --git a/nixpkgs/pkgs/os-specific/linux/unstick/default.nix b/nixpkgs/pkgs/os-specific/linux/unstick/default.nix
new file mode 100644
index 000000000000..ee82679de4ea
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/unstick/default.nix
@@ -0,0 +1,26 @@
+{ stdenv, lib, fetchFromGitHub, meson, ninja, pkg-config, libseccomp }:
+
+stdenv.mkDerivation rec {
+  pname = "unstick";
+  version = "0.1.0";
+
+  src = fetchFromGitHub {
+    owner = "kwohlfahrt";
+    repo = "unstick";
+    rev = "effee9aa242ca12dc94cc6e96bc073f4cc9e8657";
+    sha256 = "08la3jmmzlf4pm48bf9zx4cqj9gbqalpqy0s57bh5vfsdk74nnhv";
+  };
+
+  sourceRoot = "${src.name}/src";
+
+  nativeBuildInputs = [ meson ninja pkg-config ];
+  buildInputs = [ libseccomp ];
+
+  meta = {
+    homepage = "https://github.com/kwohlfahrt/unstick";
+    description = "Silently eats chmod commands forbidden by Nix";
+    license = lib.licenses.gpl3;
+    platforms = lib.platforms.linux;
+    maintainers = with lib.maintainers; [ kwohlfahrt ];
+  };
+}
diff --git a/nixpkgs/pkgs/os-specific/linux/untie/default.nix b/nixpkgs/pkgs/os-specific/linux/untie/default.nix
new file mode 100644
index 000000000000..947ae2ca8d8b
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/untie/default.nix
@@ -0,0 +1,25 @@
+{ lib, stdenv, fetchurl }:
+
+stdenv.mkDerivation rec {
+  pname = "untie";
+  version = "0.3";
+  src = fetchurl {
+    url = "http://guichaz.free.fr/untie/files/${pname}-${version}.tar.bz2";
+    sha256 = "1334ngvbi4arcch462mzi5vxvxck4sy1nf0m58116d9xmx83ak0m";
+  };
+
+  makeFlags = [ "PREFIX=$(out)" ];
+
+  meta = with lib; {
+    description = "A tool to run processes untied from some of the namespaces";
+    maintainers = with maintainers; [ raskin ];
+    platforms = platforms.linux;
+    license = licenses.gpl2Plus;
+  };
+
+  passthru = {
+    updateInfo = {
+      downloadPage = "http://guichaz.free.fr/untie";
+    };
+  };
+}
diff --git a/nixpkgs/pkgs/os-specific/linux/upower/default.nix b/nixpkgs/pkgs/os-specific/linux/upower/default.nix
new file mode 100644
index 000000000000..36d8a3b9c45f
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/upower/default.nix
@@ -0,0 +1,214 @@
+{ lib
+, stdenv
+, fetchFromGitLab
+, makeWrapper
+, pkg-config
+, rsync
+, libxslt
+, meson
+, ninja
+, python3
+, dbus
+, umockdev
+, libeatmydata
+, gtk-doc
+, docbook-xsl-nons
+, udev
+, libgudev
+, libusb1
+, glib
+, gettext
+, systemd
+, nixosTests
+, useIMobileDevice ? true
+, libimobiledevice
+, withDocs ? withIntrospection
+, mesonEmulatorHook
+, withIntrospection ? lib.meta.availableOn stdenv.hostPlatform gobject-introspection && stdenv.hostPlatform.emulatorAvailable buildPackages
+, buildPackages
+, gobject-introspection
+}:
+
+assert withDocs -> withIntrospection;
+
+stdenv.mkDerivation (finalAttrs: {
+  pname = "upower";
+  version = "1.90.2";
+
+  outputs = [ "out" "dev" "installedTests" ]
+    ++ lib.optionals withDocs [ "devdoc" ];
+
+  src = fetchFromGitLab {
+    domain = "gitlab.freedesktop.org";
+    owner = "upower";
+    repo = "upower";
+    rev = "v${finalAttrs.version}";
+    hash = "sha256-7WzMAJuf1czU8ZalsEU/NwCXYqTGvcqEqxFt5ocgt48=";
+  };
+
+  patches = lib.optionals (stdenv.hostPlatform.system == "i686-linux") [
+    # Remove when this is fixed upstream:
+    # https://gitlab.freedesktop.org/upower/upower/-/issues/214
+    ./i686-test-remove-battery-check.patch
+  ] ++ [
+    ./installed-tests-path.patch
+  ];
+
+  strictDeps = true;
+
+  depsBuildBuild = [
+    pkg-config
+  ];
+
+  nativeBuildInputs = [
+    meson
+    ninja
+    python3
+    docbook-xsl-nons
+    gettext
+    libxslt
+    makeWrapper
+    pkg-config
+    rsync
+    glib
+  ] ++ lib.optionals withIntrospection [
+    gobject-introspection
+  ] ++ lib.optionals withDocs [
+    gtk-doc
+  ] ++ lib.optionals (withDocs && !stdenv.buildPlatform.canExecute stdenv.hostPlatform) [
+    mesonEmulatorHook
+  ];
+
+  buildInputs = [
+    libgudev
+    libusb1
+    udev
+    systemd
+    # Duplicate from nativeCheckInputs until https://github.com/NixOS/nixpkgs/issues/161570 is solved
+    umockdev
+
+    # For installed tests.
+    (python3.withPackages (pp: [
+      pp.dbus-python
+      pp.python-dbusmock
+      pp.pygobject3
+      pp.packaging
+    ]))
+  ] ++ lib.optionals useIMobileDevice [
+    libimobiledevice
+  ];
+
+  nativeCheckInputs = [
+    python3.pkgs.dbus-python
+    python3.pkgs.python-dbusmock
+    python3.pkgs.pygobject3
+    dbus
+    umockdev
+    libeatmydata
+    python3.pkgs.packaging
+  ];
+
+  propagatedBuildInputs = [
+    glib
+  ];
+
+  mesonFlags = [
+    "--localstatedir=/var"
+    "--sysconfdir=/etc"
+    "-Dos_backend=linux"
+    "-Dsystemdsystemunitdir=${placeholder "out"}/etc/systemd/system"
+    "-Dudevrulesdir=${placeholder "out"}/lib/udev/rules.d"
+    "-Dudevhwdbdir=${placeholder "out"}/lib/udev/hwdb.d"
+    (lib.mesonEnable "introspection" withIntrospection)
+    (lib.mesonBool "gtk-doc" withDocs)
+    "-Dinstalled_test_prefix=${placeholder "installedTests"}"
+  ];
+
+  doCheck = true;
+
+  postPatch = ''
+    patchShebangs src/linux/integration-test.py
+    patchShebangs src/linux/unittest_inspector.py
+
+    substituteInPlace src/linux/integration-test.py \
+      --replace "/usr/share/dbus-1" "$out/share/dbus-1"
+  '';
+
+  preCheck = ''
+    # Our gobject-introspection patches make the shared library paths absolute
+    # in the GIR files. When running tests, the library is not yet installed,
+    # though, so we need to replace the absolute path with a local one during build.
+    # We are using a symlink that will be overwitten during installation.
+    mkdir -p "$out/lib"
+    ln -s "$PWD/libupower-glib/libupower-glib.so" "$out/lib/libupower-glib.so.3"
+  '';
+
+  checkPhase = ''
+    runHook preCheck
+
+    # Slow fsync calls can make self-test fail:
+    # https://gitlab.freedesktop.org/upower/upower/-/issues/195
+    eatmydata meson test --print-errorlogs
+
+    runHook postCheck
+  '';
+
+  postCheck = ''
+    # Undo patchShebangs from postPatch so that it can be replaced with runtime shebang
+    # unittest_inspector.py intentionally not reverted because it would trigger
+    # meson rebuild during install and it is not used at runtime anyway.
+    sed -Ei 's~#!.+/bin/python3~#!/usr/bin/python3~' \
+      ../src/linux/integration-test.py
+  '';
+
+  postInstall = ''
+    # Move stuff from DESTDIR to proper location.
+    # We use rsync to merge the directories.
+    for dir in etc var; do
+        rsync --archive "$DESTDIR/$dir" "$out"
+        rm --recursive "$DESTDIR/$dir"
+    done
+    for o in out dev installedTests; do
+        rsync --archive "$DESTDIR/''${!o}" "$(dirname "''${!o}")"
+        rm --recursive "$DESTDIR/''${!o}"
+    done
+    # Ensure the DESTDIR is removed.
+    rmdir "$DESTDIR/nix/store" "$DESTDIR/nix" "$DESTDIR"
+  '';
+
+  postFixup = ''
+    wrapProgram "$installedTests/libexec/upower/integration-test.py" \
+      --prefix GI_TYPELIB_PATH : "${lib.makeSearchPath "lib/girepository-1.0" [
+        "$out"
+        umockdev.out
+      ]}" \
+      --prefix PATH : "${lib.makeBinPath [
+        umockdev
+      ]}"
+  '';
+
+  env = {
+    # HACK: We want to install configuration files to $out/etc
+    # but upower should read them from /etc on a NixOS system.
+    # With autotools, it was possible to override Make variables
+    # at install time but Meson does not support this
+    # so we need to convince it to install all files to a temporary
+    # location using DESTDIR and then move it to proper one in postInstall.
+    DESTDIR = "${placeholder "out"}/dest";
+  };
+
+  passthru = {
+    tests = {
+      installedTests = nixosTests.installed-tests.upower;
+    };
+  };
+
+  meta = with lib; {
+    homepage = "https://upower.freedesktop.org/";
+    changelog = "https://gitlab.freedesktop.org/upower/upower/-/blob/v${finalAttrs.version}/NEWS";
+    description = "A D-Bus service for power management";
+    maintainers = teams.freedesktop.members;
+    platforms = platforms.linux;
+    license = licenses.gpl2Plus;
+  };
+})
diff --git a/nixpkgs/pkgs/os-specific/linux/upower/i686-test-remove-battery-check.patch b/nixpkgs/pkgs/os-specific/linux/upower/i686-test-remove-battery-check.patch
new file mode 100644
index 000000000000..c9121dfb038a
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/upower/i686-test-remove-battery-check.patch
@@ -0,0 +1,12 @@
+diff -u "a/src/linux/integration-test.py" "b/src/linux/integration-test.py"

+--- a/src/linux/integration-test.py

++++ b/src/linux/integration-test.py

+@@ -870,5 +870,4 @@

+         self.assertEqual(self.get_dbus_dev_property(bat0_up, 'EnergyFull'), 126.0)

+         self.assertEqual(self.get_dbus_dev_property(bat0_up, 'EnergyFullDesign'), 132.0)

+         self.assertEqual(self.get_dbus_dev_property(bat0_up, 'Voltage'), 12.0)

+-        self.assertEqual(self.get_dbus_dev_property(bat0_up, 'Percentage'), 40.0)

+         self.stop_daemon()

+

+

+Diff finished.  Tue Nov  8 16:48:57 2022

diff --git a/nixpkgs/pkgs/os-specific/linux/upower/installed-tests-path.patch b/nixpkgs/pkgs/os-specific/linux/upower/installed-tests-path.patch
new file mode 100644
index 000000000000..367f3eab096b
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/upower/installed-tests-path.patch
@@ -0,0 +1,56 @@
+diff --git a/meson_options.txt b/meson_options.txt
+index eec3659..f064a1b 100644
+--- a/meson_options.txt
++++ b/meson_options.txt
+@@ -6,6 +6,10 @@ option('gtk-doc',
+        type : 'boolean',
+        value : 'true',
+        description : 'Build developer documentation')
++option('installed_test_prefix',
++       type: 'string',
++       value: '',
++       description: 'Prefix for installed tests')
+ option('introspection',
+        type : 'feature',
+        value : 'auto',
+diff --git a/src/meson.build b/src/meson.build
+index a2352ac..c1f25ac 100644
+--- a/src/meson.build
++++ b/src/meson.build
+@@ -85,6 +85,7 @@ install_subdir('does-not-exist', install_dir: historydir, strip_directory : true
+ 
+ cdata = configuration_data()
+ cdata.set('libexecdir', get_option('prefix') / get_option('libexecdir'))
++cdata.set('installed_test_bindir', get_option('installed_test_prefix') / 'libexec' / 'upower')
+ cdata.set('historydir', historydir)
+ 
+ configure_file(
+@@ -147,16 +148,16 @@ if os_backend == 'linux' and gobject_introspection.found()
+         'linux/integration-test.py',
+         'linux/output_checker.py',
+       ],
+-      install_dir: get_option('prefix') / get_option('libexecdir') / 'upower'
++      install_dir: get_option('installed_test_prefix') / 'libexec' / 'upower'
+     )
+     install_subdir('linux/tests/',
+-      install_dir: get_option('prefix') / get_option('libexecdir') / 'upower'
++      install_dir: get_option('installed_test_prefix') / 'libexec' / 'upower'
+     )
+ 
+     configure_file(
+       input: 'upower-integration.test.in',
+       output: 'upower-integration.test',
+-      install_dir: get_option('datadir') / 'installed-tests' / 'upower',
++      install_dir: get_option('installed_test_prefix') / 'share' / 'installed-tests' / 'upower',
+       configuration: cdata
+     )
+ endif
+diff --git a/src/upower-integration.test.in b/src/upower-integration.test.in
+index 151ded0..b0a9bec 100644
+--- a/src/upower-integration.test.in
++++ b/src/upower-integration.test.in
+@@ -1,3 +1,3 @@
+ [Test]
+ Type=session
+-Exec=@libexecdir@/upower/integration-test.py
++Exec=@installed_test_bindir@/integration-test.py
diff --git a/nixpkgs/pkgs/os-specific/linux/usb-blaster-udev-rules/default.nix b/nixpkgs/pkgs/os-specific/linux/usb-blaster-udev-rules/default.nix
new file mode 100644
index 000000000000..d04c8ddb9398
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/usb-blaster-udev-rules/default.nix
@@ -0,0 +1,26 @@
+{ lib, stdenvNoCC }:
+
+stdenvNoCC.mkDerivation rec {
+  name = "usb-blaster-udev-rules";
+
+  udevRules = ./usb-blaster.rules;
+  dontUnpack = true;
+
+  installPhase = ''
+    install -Dm 644 "${udevRules}" "$out/lib/udev/rules.d/51-usbblaster.rules"
+  '';
+
+  meta = with lib; {
+    description = "udev rules that give NixOS permission to communicate with usb blasters";
+    longDescription = ''
+      udev rules that give NixOS permission to communicate with usb blasters.
+      To use it under NixOS, add
+
+        services.udev.packages = [ pkgs.usb-blaster-udev-rules ];
+
+      to the system configuration.
+    '';
+    license = licenses.free;
+    platforms = platforms.linux;
+  };
+}
diff --git a/nixpkgs/pkgs/os-specific/linux/usb-blaster-udev-rules/usb-blaster.rules b/nixpkgs/pkgs/os-specific/linux/usb-blaster-udev-rules/usb-blaster.rules
new file mode 100644
index 000000000000..0add604ee819
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/usb-blaster-udev-rules/usb-blaster.rules
@@ -0,0 +1,8 @@
+# USB-Blaster
+ATTRS{idVendor}=="09fb", ATTRS{idProduct}=="6001", TAG+="uaccess"
+ATTRS{idVendor}=="09fb", ATTRS{idProduct}=="6002", TAG+="uaccess"
+ATTRS{idVendor}=="09fb", ATTRS{idProduct}=="6003", TAG+="uaccess"
+
+# USB-Blaster II
+ATTRS{idVendor}=="09fb", ATTRS{idProduct}=="6010", TAG+="uaccess"
+ATTRS{idVendor}=="09fb", ATTRS{idProduct}=="6810", TAG+="uaccess"
diff --git a/nixpkgs/pkgs/os-specific/linux/usbguard-notifier/default.nix b/nixpkgs/pkgs/os-specific/linux/usbguard-notifier/default.nix
new file mode 100644
index 000000000000..c5b296809da1
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/usbguard-notifier/default.nix
@@ -0,0 +1,44 @@
+{
+  lib,
+  stdenv,
+  fetchFromGitHub,
+  autoreconfHook,
+  pkg-config,
+  libqb,
+  usbguard,
+  librsvg,
+  libnotify,
+  catch2,
+  asciidoc,
+}:
+
+stdenv.mkDerivation rec {
+  pname = "usbguard-notifier";
+  version = "0.1.0";
+
+  src = fetchFromGitHub {
+    owner = "Cropi";
+    repo = pname;
+    rev = "${pname}-${version}";
+    hash = "sha256-gWvCGSbOuey2ELAPD2WCG4q77IClL0S7rE2RaUJDc1I=";
+  };
+
+  nativeBuildInputs = [ autoreconfHook pkg-config asciidoc ];
+  buildInputs = [ libqb usbguard librsvg libnotify ];
+
+  configureFlags = [ "CPPFLAGS=-I${catch2}/include/catch2" ];
+
+  prePatch = ''
+    substituteInPlace configure.ac \
+      --replace 'AC_MSG_FAILURE([Cannot detect the systemd system unit dir])' \
+        'systemd_unit_dir="$out/lib/systemd/user"'
+  '';
+
+  meta = {
+    description = "Notifications for detecting usbguard policy and device presence changes";
+    homepage = "https://github.com/Cropi/usbguard-notifier";
+    maintainers = with lib.maintainers; [ fpletz ];
+    platforms = lib.platforms.linux;
+    license = lib.licenses.gpl2Plus;
+  };
+}
diff --git a/nixpkgs/pkgs/os-specific/linux/usbguard/default.nix b/nixpkgs/pkgs/os-specific/linux/usbguard/default.nix
new file mode 100644
index 000000000000..46e9ee3d0a55
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/usbguard/default.nix
@@ -0,0 +1,88 @@
+{ stdenv
+, lib
+, fetchFromGitHub
+, autoreconfHook
+, installShellFiles
+, nixosTests
+, asciidoc
+, pkg-config
+, libxslt
+, libxml2
+, docbook_xml_dtd_45
+, docbook_xsl
+, dbus-glib
+, libcap_ng
+, libqb
+, libseccomp
+, polkit
+, protobuf
+, audit
+, libsodium
+}:
+
+stdenv.mkDerivation rec {
+  version = "1.1.2";
+  pname = "usbguard";
+
+  src = fetchFromGitHub {
+    owner = "USBGuard";
+    repo = pname;
+    rev = "usbguard-${version}";
+    sha256 = "sha256-uwNoKczmVOMpkU4KcKTOtbcTHiYVGXjk/rVbqMl5pGk=";
+    fetchSubmodules = true;
+  };
+
+  nativeBuildInputs = [
+    autoreconfHook
+    installShellFiles
+    asciidoc
+    pkg-config
+    libxslt # xsltproc
+    libxml2 # xmllint
+    docbook_xml_dtd_45
+    docbook_xsl
+    dbus-glib # gdbus-codegen
+    protobuf # protoc
+  ];
+
+  buildInputs = [
+    dbus-glib
+    libcap_ng
+    libqb
+    libseccomp
+    libsodium
+    polkit
+    protobuf
+    audit
+  ];
+
+  configureFlags = [
+    "--with-bundled-catch"
+    "--with-bundled-pegtl"
+    "--with-dbus"
+    "--with-crypto-library=sodium"
+    "--with-polkit"
+  ];
+
+  enableParallelBuilding = true;
+
+  postInstall = ''
+    installShellCompletion --bash --name usbguard.bash scripts/bash_completion/usbguard
+    installShellCompletion --zsh --name _usbguard scripts/usbguard-zsh-completion
+  '';
+
+  passthru.tests = nixosTests.usbguard;
+
+  meta = with lib; {
+    description = "The USBGuard software framework helps to protect your computer against BadUSB";
+    longDescription = ''
+      USBGuard is a software framework for implementing USB device authorization
+      policies (what kind of USB devices are authorized) as well as method of
+      use policies (how a USB device may interact with the system). Simply put,
+      it is a USB device whitelisting tool.
+    '';
+    homepage = "https://usbguard.github.io/";
+    license = licenses.gpl2Plus;
+    maintainers = [ maintainers.tnias ];
+  };
+}
diff --git a/nixpkgs/pkgs/os-specific/linux/usbip/default.nix b/nixpkgs/pkgs/os-specific/linux/usbip/default.nix
new file mode 100644
index 000000000000..b91f55dcd2fb
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/usbip/default.nix
@@ -0,0 +1,34 @@
+{ lib, stdenv, fetchpatch, kernel, udev, autoconf, automake, libtool, hwdata, kernelOlder }:
+
+stdenv.mkDerivation {
+  name = "usbip-${kernel.name}";
+
+  src = kernel.src;
+
+  patches = lib.optionals (kernelOlder "5.4") [
+    # fixes build with gcc8
+    ./fix-snprintf-truncation.patch
+    # fixes build with gcc9
+    ./fix-strncpy-truncation.patch
+  ] ++ kernel.patches;
+
+  nativeBuildInputs = [ autoconf automake libtool ];
+  buildInputs = [ udev ];
+
+  env.NIX_CFLAGS_COMPILE = toString [ "-Wno-error=address-of-packed-member" ];
+
+  preConfigure = ''
+    cd tools/usb/usbip
+    ./autogen.sh
+  '';
+
+  configureFlags = [ "--with-usbids-dir=${hwdata}/share/hwdata/" ];
+
+  meta = with lib; {
+    homepage = "https://github.com/torvalds/linux/tree/master/tools/usb/usbip";
+    description = "allows to pass USB device from server to client over the network";
+    license = with licenses; [ gpl2Only gpl2Plus ];
+    platforms = platforms.linux;
+    broken = kernelOlder "4.10";
+  };
+}
diff --git a/nixpkgs/pkgs/os-specific/linux/usbip/fix-snprintf-truncation.patch b/nixpkgs/pkgs/os-specific/linux/usbip/fix-snprintf-truncation.patch
new file mode 100644
index 000000000000..63fca9ddbfe5
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/usbip/fix-snprintf-truncation.patch
@@ -0,0 +1,13 @@
+diff --git a/tools/usb/usbip/libsrc/vhci_driver.c b/tools/usb/usbip/libsrc/vhci_driver.c
+index 8159fd98680b..7d6eb3e3fe1e 100644
+--- a/tools/usb/usbip/libsrc/vhci_driver.c
++++ b/tools/usb/usbip/libsrc/vhci_driver.c
+@@ -111,7 +111,7 @@ static int parse_status(const char *value)
+ static int refresh_imported_device_list(void)
+ {
+ 	const char *attr_status;
+-	char status[MAX_STATUS_NAME+1] = "status";
++	char status[MAX_STATUS_NAME+2] = "status";
+ 	int i, ret;
+ 
+ 	for (i = 0; i < vhci_driver->ncontrollers; i++) {
diff --git a/nixpkgs/pkgs/os-specific/linux/usbip/fix-strncpy-truncation.patch b/nixpkgs/pkgs/os-specific/linux/usbip/fix-strncpy-truncation.patch
new file mode 100644
index 000000000000..a5c4c97bbc08
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/usbip/fix-strncpy-truncation.patch
@@ -0,0 +1,37 @@
+diff --git a/tools/usb/usbip/libsrc/usbip_common.c b/tools/usb/usbip/libsrc/usbip_common.c
+index bb424638d75b..2fc5837e609a 100644
+--- a/tools/usb/usbip/libsrc/usbip_common.c
++++ b/tools/usb/usbip/libsrc/usbip_common.c
+@@ -226,8 +226,8 @@ int read_usb_device(struct udev_device *sdev, struct usbip_usb_device *udev)
+ 	path = udev_device_get_syspath(sdev);
+ 	name = udev_device_get_sysname(sdev);
+ 
+-	strncpy(udev->path,  path,  SYSFS_PATH_MAX);
+-	strncpy(udev->busid, name, SYSFS_BUS_ID_SIZE);
++	strncpy(udev->path,  path,  SYSFS_PATH_MAX-1);
++	strncpy(udev->busid, name, SYSFS_BUS_ID_SIZE-1);
+ 
+ 	sscanf(name, "%u-%u", &busnum, &devnum);
+ 	udev->busnum = busnum;
+diff --git a/tools/usb/usbip/libsrc/usbip_device_driver.c b/tools/usb/usbip/libsrc/usbip_device_driver.c
+index 5a3726eb44ab..95b416af8b99 100644
+--- a/tools/usb/usbip/libsrc/usbip_device_driver.c
++++ b/tools/usb/usbip/libsrc/usbip_device_driver.c
+@@ -91,7 +91,7 @@ int read_usb_vudc_device(struct udev_device *sdev, struct usbip_usb_device *dev)
+ 	copy_descr_attr16(dev, &descr, idProduct);
+ 	copy_descr_attr16(dev, &descr, bcdDevice);
+ 
+-	strncpy(dev->path, path, SYSFS_PATH_MAX);
++	strncpy(dev->path, path, SYSFS_PATH_MAX-1);
+ 
+ 	dev->speed = USB_SPEED_UNKNOWN;
+ 	speed = udev_device_get_sysattr_value(sdev, "current_speed");
+@@ -110,7 +110,7 @@ int read_usb_vudc_device(struct udev_device *sdev, struct usbip_usb_device *dev)
+ 	dev->busnum = 0;
+ 
+ 	name = udev_device_get_sysname(plat);
+-	strncpy(dev->busid, name, SYSFS_BUS_ID_SIZE);
++	strncpy(dev->busid, name, SYSFS_BUS_ID_SIZE-1);
+ 	return 0;
+ err:
+ 	fclose(fd);
diff --git a/nixpkgs/pkgs/os-specific/linux/usbrelay/daemon.nix b/nixpkgs/pkgs/os-specific/linux/usbrelay/daemon.nix
new file mode 100644
index 000000000000..6e4e4661fd53
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/usbrelay/daemon.nix
@@ -0,0 +1,39 @@
+{ stdenv, usbrelay, python3, installShellFiles }:
+let
+  python = python3.withPackages (ps: with ps; [ usbrelay-py paho-mqtt ]);
+in
+# This is a separate derivation, not just an additional output of
+# usbrelay, because otherwise, we have a cyclic dependency between
+# usbrelay (default.nix) and the python module (python.nix).
+stdenv.mkDerivation {
+  pname = "usbrelayd";
+
+  inherit (usbrelay) src version;
+
+  postPatch = ''
+    substituteInPlace 'usbrelayd.service' \
+      --replace '/usr/bin/python3' "${python}/bin/python3" \
+      --replace '/usr/sbin/usbrelayd' "$out/bin/usbrelayd"
+  '';
+
+  nativeBuildInputs = [ installShellFiles ];
+
+  buildInputs = [ python ];
+
+  dontBuild = true;
+
+  installPhase = ''
+    runHook preInstall;
+    install -m 644 -D usbrelayd $out/bin/usbrelayd
+    install -m 644 -D usbrelayd.service $out/lib/systemd/system/usbrelayd.service
+    install -m 644 -D 50-usbrelay.rules $out/lib/udev/rules.d/50-usbrelay.rules
+    install -m 644 -D usbrelayd.conf $out/etc/usbrelayd.conf # include this as an example
+    installManPage usbrelayd.8
+    runHook postInstall
+  '';
+
+  meta = {
+    description = "USB Relay MQTT service";
+    inherit (usbrelay.meta) homepage license maintainers platforms;
+  };
+}
diff --git a/nixpkgs/pkgs/os-specific/linux/usbrelay/default.nix b/nixpkgs/pkgs/os-specific/linux/usbrelay/default.nix
new file mode 100644
index 000000000000..670de2028c4f
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/usbrelay/default.nix
@@ -0,0 +1,38 @@
+{ stdenv, lib, fetchFromGitHub, hidapi, installShellFiles }:
+stdenv.mkDerivation (finalAttrs: {
+  pname = "usbrelay";
+  version = "1.2.1";
+
+  src = fetchFromGitHub {
+    owner = "darrylb123";
+    repo = "usbrelay";
+    rev = finalAttrs.version;
+    sha256 = "sha256-9jEiMmBEpqY4+nKh3H8N/JrLohp/7oPK3rPmRjp2gvc=";
+  };
+
+  nativeBuildInputs = [
+    installShellFiles
+  ];
+
+  buildInputs = [
+    hidapi
+  ];
+
+  makeFlags = [
+    "DIR_VERSION=${finalAttrs.version}"
+    "PREFIX=${placeholder "out"}"
+    "LDCONFIG=${stdenv.cc.libc.bin}/bin/ldconfig"
+  ];
+
+  postInstall = ''
+    installManPage usbrelay.1
+  '';
+
+  meta = with lib; {
+    description = "Tool to control USB HID relays";
+    homepage = "https://github.com/darrylb123/usbrelay";
+    license = licenses.gpl2Plus;
+    maintainers = with maintainers; [ wentasah ];
+    platforms = platforms.linux;
+  };
+})
diff --git a/nixpkgs/pkgs/os-specific/linux/usbrelay/python.nix b/nixpkgs/pkgs/os-specific/linux/usbrelay/python.nix
new file mode 100644
index 000000000000..90838295ecb5
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/usbrelay/python.nix
@@ -0,0 +1,16 @@
+{ buildPythonPackage, usbrelay }:
+
+buildPythonPackage {
+  pname = "usbrelay_py";
+  inherit (usbrelay) version src;
+
+  preConfigure = ''
+    cd usbrelay_py
+  '';
+
+  buildInputs = [ usbrelay ];
+
+  pythonImportsCheck = [ "usbrelay_py" ];
+
+  inherit (usbrelay) meta;
+}
diff --git a/nixpkgs/pkgs/os-specific/linux/usbrelay/test.nix b/nixpkgs/pkgs/os-specific/linux/usbrelay/test.nix
new file mode 100644
index 000000000000..58e4375dab8d
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/usbrelay/test.nix
@@ -0,0 +1,64 @@
+# NixOS test for usbrelayd
+#
+# It is not stored in nixos/tests directory, because it requires the
+# USB relay connected to the host computer and as such, it cannot be
+# run automatically.
+#
+# Run this test as:
+#
+#     nix-build test.nix -A driverInteractive && ./result/bin/nixos-test-driver --no-interactive
+#
+# The interactive driver is required because the default
+# (non-interactive) driver uses qemu without support for passing USB
+# devices to the guest (see
+# https://discourse.nixos.org/t/hardware-dependent-nixos-tests/18564
+# for discussion of other alternatives).
+
+import ../../../../nixos/tests/make-test-python.nix ({ pkgs, ... }: {
+  name = "usbrelayd";
+
+  nodes.machine = {
+    virtualisation.qemu.options = [
+      "-device qemu-xhci"
+      "-device usb-host,vendorid=0x16c0,productid=0x05df"
+    ];
+    services.usbrelayd.enable = true;
+    systemd.services.usbrelayd = {
+      after = [ "mosquitto.service" ];
+    };
+    services.mosquitto = {
+      enable = true;
+      listeners = [{
+        acl = [ "pattern readwrite #" ];
+        omitPasswordAuth = true;
+        settings.allow_anonymous = true;
+      }];
+    };
+    environment.systemPackages = [
+      pkgs.usbrelay
+      pkgs.mosquitto
+    ];
+    documentation.nixos.enable = false; # building nixos manual takes long time
+  };
+
+  testScript = ''
+    import os
+    if os.waitstatus_to_exitcode(os.system("lsusb -d 16c0:05df")) != 0:
+        print("No USB relay detected, skipping test")
+        import sys
+        sys.exit(2)
+    machine.start()
+    # usbrelayd is started by udev when an relay is detected
+    machine.wait_for_unit("usbrelayd.service")
+
+    stdout = machine.succeed("usbrelay")
+    relay_id = stdout.split(sep="_")[0]
+    assert relay_id != ""
+    import time
+    time.sleep(1)
+    machine.succeed(f"mosquitto_pub -h localhost -t cmnd/{relay_id}/1 -m ON")
+    time.sleep(1)
+    machine.succeed(f"mosquitto_pub -h localhost -t cmnd/{relay_id}/1 -m OFF")
+    print("Did you see the relay switching on and off?")
+  '';
+})
diff --git a/nixpkgs/pkgs/os-specific/linux/usbtop/default.nix b/nixpkgs/pkgs/os-specific/linux/usbtop/default.nix
new file mode 100644
index 000000000000..fb3d32df09a0
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/usbtop/default.nix
@@ -0,0 +1,26 @@
+{ lib, stdenv, fetchFromGitHub
+, cmake
+, libpcap, boost }:
+
+stdenv.mkDerivation rec {
+  pname = "usbtop";
+  version = "1.0";
+
+  src = fetchFromGitHub {
+    owner = "aguinet";
+    repo = pname;
+    rev = "release-${version}";
+    sha256 = "0qbad0aq6j4jrh90l6a0akk71wdzhyzmy6q8wl138axyj2bp9kss";
+  };
+
+  nativeBuildInputs = [ cmake ];
+  buildInputs = [ libpcap boost ];
+
+  meta = with lib; {
+    homepage = "https://github.com/aguinet/usbtop";
+    description = "A top utility that shows an estimated instantaneous bandwidth on USB buses and devices";
+    maintainers = with maintainers; [ ];
+    license = licenses.bsd3;
+    platforms = platforms.linux;
+  };
+}
diff --git a/nixpkgs/pkgs/os-specific/linux/usbutils/default.nix b/nixpkgs/pkgs/os-specific/linux/usbutils/default.nix
new file mode 100644
index 000000000000..cfd94bf33c46
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/usbutils/default.nix
@@ -0,0 +1,34 @@
+{ lib, stdenv, fetchurl, substituteAll, autoreconfHook, pkg-config, libusb1, hwdata, python3 }:
+
+stdenv.mkDerivation rec {
+  pname = "usbutils";
+  version = "017";
+
+  src = fetchurl {
+    url = "mirror://kernel/linux/utils/usb/usbutils/usbutils-${version}.tar.xz";
+    hash = "sha256-pqJf/c+RA+ONekRzKsoXBz9OYCuS5K5VYlIxqCcC4Fs=";
+  };
+
+  patches = [
+    (substituteAll {
+      src = ./fix-paths.patch;
+      inherit hwdata;
+    })
+  ];
+
+  nativeBuildInputs = [ autoreconfHook pkg-config ];
+  buildInputs = [ libusb1 python3 ];
+
+  outputs = [ "out" "man" "python" ];
+  postInstall = ''
+    moveToOutput "bin/lsusb.py" "$python"
+  '';
+
+  meta = with lib; {
+    homepage = "http://www.linux-usb.org/";
+    description = "Tools for working with USB devices, such as lsusb";
+    maintainers = with maintainers; [ ];
+    license = licenses.gpl2Plus;
+    platforms = platforms.linux;
+  };
+}
diff --git a/nixpkgs/pkgs/os-specific/linux/usbutils/fix-paths.patch b/nixpkgs/pkgs/os-specific/linux/usbutils/fix-paths.patch
new file mode 100644
index 000000000000..ef63a41e726c
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/usbutils/fix-paths.patch
@@ -0,0 +1,11 @@
+--- a/Makefile.am
++++ b/Makefile.am
+@@ -61,7 +61,7 @@ EXTRA_DIST = \
+ 	LICENSES/GPL-3.0-only.txt
+ 
+ lsusb.py: $(srcdir)/lsusb.py.in
+-	sed 's|VERSION|$(VERSION)|g;s|@usbids@|$(datadir)/usb.ids|g' $< >$@
++	sed 's|VERSION|$(VERSION)|g;s|@usbids@|@hwdata@/share/hwdata/usb.ids|g' $< >$@
+ 	chmod 755 $@
+ 
+ lsusb.8: $(srcdir)/lsusb.8.in
diff --git a/nixpkgs/pkgs/os-specific/linux/usermount/default.nix b/nixpkgs/pkgs/os-specific/linux/usermount/default.nix
new file mode 100644
index 000000000000..475ccd848eb1
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/usermount/default.nix
@@ -0,0 +1,30 @@
+{ lib, stdenv, fetchFromGitHub, pkg-config, dbus, libnotify, udisks2, gdk-pixbuf }:
+
+stdenv.mkDerivation {
+  pname = "usermount";
+  version = "0.1";
+
+  src = fetchFromGitHub {
+    owner = "tom5760";
+    repo = "usermount";
+    rev = "0d6aba3c1f8fec80de502f5b92fd8b28041cc8e4";
+    sha256 = "sha256-giMHUVYdAygiemYru20VxpQixr5aGgHhevNkHvkG9z4=";
+  };
+
+  nativeBuildInputs = [ pkg-config ];
+  buildInputs = [ dbus libnotify udisks2 gdk-pixbuf ];
+
+  env.NIX_CFLAGS_COMPILE = "-DENABLE_NOTIFICATIONS";
+
+  installPhase = ''
+    mkdir -p $out/bin
+    mv usermount $out/bin/
+  '';
+
+  meta = {
+    homepage = "https://github.com/tom5760/usermount";
+    description = "A simple tool to automatically mount removable drives using UDisks2 and D-Bus";
+    license = lib.licenses.mit;
+    platforms = lib.platforms.linux;
+  };
+}
diff --git a/nixpkgs/pkgs/os-specific/linux/util-linux/bcachefs-patch-set.patch b/nixpkgs/pkgs/os-specific/linux/util-linux/bcachefs-patch-set.patch
new file mode 100644
index 000000000000..068744d4f32d
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/util-linux/bcachefs-patch-set.patch
@@ -0,0 +1,277 @@
+commit 68564ebb50f8afab5a9527c534417e247cca0b27
+Author: Filipe Manana <fdmanana@kernel.org>
+Date:   Thu Aug 17 10:20:13 2023 +0100
+
+    libmount: Fix regression when mounting with atime
+    
+    A regression was introduced in v2.39 that causes mounting with the atime
+    option to fail:
+    
+      $ mkfs.ext4 -F /dev/sdi
+      $ mount -o atime /dev/sdi /mnt/sdi
+      mount: /mnt/sdi: not mount point or bad option.
+             dmesg(1) may have more information after failed mount system call.
+    
+    The failure comes from the mount_setattr(2) call returning -EINVAL. This
+    is because we pass an invalid value for the attr_clr argument. From a
+    strace capture we have:
+    
+      mount_setattr(4, "", AT_EMPTY_PATH, {attr_set=0, attr_clr=MOUNT_ATTR_NOATIME, propagation=0 /* MS_??? */, userns_fd=0}, 32) = -1 EINVAL (Invalid argument)
+    
+    We can't pass MOUNT_ATTR_NOATIME to mount_setattr(2) through the attr_clr
+    argument because all atime options are exclusive, so in order to set atime
+    one has to pass MOUNT_ATTR__ATIME to attr_clr and leave attr_set as
+    MOUNT_ATTR_RELATIME (which is defined as a value of 0).
+    
+    This can be read from the man page for mount_setattr(2) and also from the
+    kernel source:
+    
+      $ cat fs/namespace.c
+      static int build_mount_kattr(const struct mount_attr *attr, size_t usize,
+                                   struct mount_kattr *kattr, unsigned int flags)
+      {
+          (...)
+          /*
+           * Since the MOUNT_ATTR_<atime> values are an enum, not a bitmap,
+           * users wanting to transition to a different atime setting cannot
+           * simply specify the atime setting in @attr_set, but must also
+           * specify MOUNT_ATTR__ATIME in the @attr_clr field.
+           * So ensure that MOUNT_ATTR__ATIME can't be partially set in
+           * @attr_clr and that @attr_set can't have any atime bits set if
+           * MOUNT_ATTR__ATIME isn't set in @attr_clr.
+           */
+          if (attr->attr_clr & MOUNT_ATTR__ATIME) {
+              if ((attr->attr_clr & MOUNT_ATTR__ATIME) != MOUNT_ATTR__ATIME)
+                  return -EINVAL;
+    
+                  /*
+                   * Clear all previous time settings as they are mutually
+                   * exclusive.
+                   */
+                  kattr->attr_clr |= MNT_RELATIME | MNT_NOATIME;
+                  switch (attr->attr_set & MOUNT_ATTR__ATIME) {
+                  case MOUNT_ATTR_RELATIME:
+                      kattr->attr_set |= MNT_RELATIME;
+                      break;
+                  case MOUNT_ATTR_NOATIME:
+                      kattr->attr_set |= MNT_NOATIME;
+                      break;
+                  case MOUNT_ATTR_STRICTATIME:
+                      break;
+                  default:
+                      return -EINVAL;
+                  }
+        (...)
+    
+    So fix this by setting attr_clr MOUNT_ATTR__ATIME if we want to clear any
+    atime related option.
+    
+    Signed-off-by: Filipe Manana <fdmanana@kernel.org>
+
+diff --git a/libmount/src/optlist.c b/libmount/src/optlist.c
+index 1e962ec6d..0702adae7 100644
+--- a/libmount/src/optlist.c
++++ b/libmount/src/optlist.c
+@@ -875,7 +875,18 @@ int mnt_optlist_get_attrs(struct libmnt_optlist *ls, uint64_t *set, uint64_t *cl
+ 
+ 		if (opt->ent->mask & MNT_INVERT) {
+ 			DBG(OPTLIST, ul_debugobj(ls, " clr: %s", opt->ent->name));
+-			*clr |= x;
++			/*
++			 * All atime settings are mutually exclusive so *clr must
++			 * have MOUNT_ATTR__ATIME set.
++			 *
++			 * See the function fs/namespace.c:build_mount_kattr()
++			 * in the linux kernel source.
++			 */
++			if (x == MOUNT_ATTR_RELATIME || x == MOUNT_ATTR_NOATIME ||
++			    x == MOUNT_ATTR_STRICTATIME)
++				*clr |= MOUNT_ATTR__ATIME;
++			else
++				*clr |= x;
+ 		} else {
+ 			DBG(OPTLIST, ul_debugobj(ls, " set: %s", opt->ent->name));
+ 			*set |= x;
+diff --git a/tests/expected/libmount/context-mount-flags b/tests/expected/libmount/context-mount-flags
+index 960641863..eb71323dd 100644
+--- a/tests/expected/libmount/context-mount-flags
++++ b/tests/expected/libmount/context-mount-flags
+@@ -3,3 +3,6 @@ ro,nosuid,noexec
+ successfully mounted
+ rw,nosuid,noexec
+ successfully umounted
++successfully mounted
++rw,relatime
++successfully umounted
+diff --git a/tests/ts/libmount/context b/tests/ts/libmount/context
+index f5b47185e..a5d2e81a3 100755
+--- a/tests/ts/libmount/context
++++ b/tests/ts/libmount/context
+@@ -116,8 +116,15 @@ $TS_CMD_FINDMNT --kernel --mountpoint $MOUNTPOINT -o VFS-OPTIONS -n >> $TS_OUTPU
+ 
+ ts_run $TESTPROG --umount $MOUNTPOINT >> $TS_OUTPUT 2>> $TS_ERRLOG
+ is_mounted $DEVICE && echo "$DEVICE still mounted" >> $TS_OUTPUT 2>> $TS_ERRLOG
+-ts_finalize_subtest
+ 
++# Test that the atime option works after the migration to use the new kernel mount APIs.
++ts_run $TESTPROG --mount -o atime $DEVICE $MOUNTPOINT >> $TS_OUTPUT 2>> $TS_ERRLOG
++$TS_CMD_FINDMNT --kernel --mountpoint $MOUNTPOINT -o VFS-OPTIONS -n >> $TS_OUTPUT 2>> $TS_ERRLOG
++is_mounted $DEVICE || echo "$DEVICE not mounted" >> $TS_OUTPUT 2>> $TS_ERRLOG
++ts_run $TESTPROG --umount $MOUNTPOINT >> $TS_OUTPUT 2>> $TS_ERRLOG
++is_mounted $DEVICE && echo "$DEVICE still mounted" >> $TS_OUTPUT 2>> $TS_ERRLOG
++
++ts_finalize_subtest
+ 
+ ts_init_subtest "mount-loopdev"
+ mkdir -p $MOUNTPOINT &> /dev/null
+
+commit 1ec71634aa4ef5ddca23d65c8a296f3614231e8a
+Author: Colin Gillespie <colin@cgillespie.xyz>
+Date:   Wed Aug 9 18:28:07 2023 +1000
+
+    libblkid: (bcachefs) fix not detecting large superblocks
+    
+    Probing does not detect bcachefs filesystems with a superblock larger
+    than 4KiB. Bcachefs superblocks grow in size and can become much larger
+    than this.
+    
+    Increase the superblock maximum size limit to 1MiB.
+    
+    Validate the superblock isn't larger than the maximum size defined in
+    the superblocks layout section.
+    
+    (cherry picked from commit 48d573797797650d96456979797c0155d58f61cb)
+
+diff --git a/libblkid/src/superblocks/bcache.c b/libblkid/src/superblocks/bcache.c
+index 40e702d75..236877042 100644
+--- a/libblkid/src/superblocks/bcache.c
++++ b/libblkid/src/superblocks/bcache.c
+@@ -102,6 +102,15 @@ union bcachefs_sb_csum {
+ 	uint8_t raw[16];
+ } __attribute__((packed));
+ 
++struct bcachefs_sb_layout {
++	uint8_t		magic[16];
++	uint8_t		layout_type;
++	uint8_t		sb_max_size_bits;
++	uint8_t		nr_superblocks;
++	uint8_t		pad[5];
++	uint64_t	sb_offset[61];
++} __attribute__((packed));
++
+ struct bcachefs_super_block {
+ 	union bcachefs_sb_csum	csum;
+ 	uint16_t	version;
+@@ -123,7 +132,7 @@ struct bcachefs_super_block {
+ 	uint64_t	flags[8];
+ 	uint64_t	features[2];
+ 	uint64_t	compat[2];
+-	uint8_t		layout[512];
++	struct bcachefs_sb_layout layout;
+ 	struct bcachefs_sb_field _start[];
+ }  __attribute__((packed));
+ 
+@@ -143,7 +152,7 @@ struct bcachefs_super_block {
+ /* granularity of offset and length fields within superblock */
+ #define BCACHEFS_SECTOR_SIZE   512
+ /* maximum superblock size */
+-#define BCACHEFS_SB_MAX_SIZE   4096
++#define BCACHEFS_SB_MAX_SIZE   0x100000
+ /* fields offset within super block */
+ #define BCACHEFS_SB_FIELDS_OFF offsetof(struct bcachefs_super_block, _start)
+ /* tag value for members field */
+@@ -302,6 +311,9 @@ static int probe_bcachefs(blkid_probe pr, const struct blkid_idmag *mag)
+ 		return BLKID_PROBE_NONE;
+ 
+ 	sb_size = BCACHEFS_SB_FIELDS_OFF + BYTES(bcs);
++	if (sb_size > BCACHEFS_SECTOR_SIZE << bcs->layout.sb_max_size_bits)
++		return BLKID_PROBE_NONE;
++
+ 	if (sb_size > BCACHEFS_SB_MAX_SIZE)
+ 		return BLKID_PROBE_NONE;
+ 
+
+commit acbf17ae8f8ee0f941fe98ed12f115f2b349bba8
+Author: Karel Zak <kzak@redhat.com>
+Date:   Wed Aug 23 11:53:45 2023 +0200
+
+    libblkid: (bcachefs) fix compiler warning [-Werror=sign-compare]
+    
+    Addresses: https://github.com/util-linux/util-linux/pull/2427
+    Signed-off-by: Karel Zak <kzak@redhat.com>
+    (cherry picked from commit 17873d38fc97913c0a31d4bd08cfbfe45c4de5be)
+
+diff --git a/libblkid/src/superblocks/bcache.c b/libblkid/src/superblocks/bcache.c
+index 236877042..6ab3fe9d4 100644
+--- a/libblkid/src/superblocks/bcache.c
++++ b/libblkid/src/superblocks/bcache.c
+@@ -311,7 +311,7 @@ static int probe_bcachefs(blkid_probe pr, const struct blkid_idmag *mag)
+ 		return BLKID_PROBE_NONE;
+ 
+ 	sb_size = BCACHEFS_SB_FIELDS_OFF + BYTES(bcs);
+-	if (sb_size > BCACHEFS_SECTOR_SIZE << bcs->layout.sb_max_size_bits)
++	if (sb_size > ((uint64_t) BCACHEFS_SECTOR_SIZE << bcs->layout.sb_max_size_bits))
+ 		return BLKID_PROBE_NONE;
+ 
+ 	if (sb_size > BCACHEFS_SB_MAX_SIZE)
+
+commit 6b9fda87c4e5d0c6f945d7565197f157b9fa3d5f
+Author: Thomas Weißschuh <thomas@t-8ch.de>
+Date:   Wed Aug 23 11:58:33 2023 +0200
+
+    libblkid: (bcachefs) fix size validation
+    
+    Avoid signed shift out-of-bounds.
+    
+    Also mark the constants explitly as unsigned instead of casting.
+    
+    Signed-off-by: Thomas Weißschuh <thomas@t-8ch.de>
+    (cherry picked from commit befe455f59de8c7bc66b85ed52aae8cbc95325fa)
+
+diff --git a/libblkid/src/superblocks/bcache.c b/libblkid/src/superblocks/bcache.c
+index 6ab3fe9d4..28ac4b52b 100644
+--- a/libblkid/src/superblocks/bcache.c
++++ b/libblkid/src/superblocks/bcache.c
+@@ -142,17 +142,19 @@ struct bcachefs_super_block {
+ /* magic string len */
+ #define BCACHE_SB_MAGIC_LEN (sizeof(BCACHE_SB_MAGIC) - 1)
+ /* super block offset */
+-#define BCACHE_SB_OFF       0x1000
++#define BCACHE_SB_OFF       0x1000U
+ /* supper block offset in kB */
+ #define BCACHE_SB_KBOFF     (BCACHE_SB_OFF >> 10)
+ /* magic string offset within super block */
+ #define BCACHE_SB_MAGIC_OFF offsetof(struct bcache_super_block, magic)
+ /* start of checksummed data within superblock */
+-#define BCACHE_SB_CSUMMED_START 8
++#define BCACHE_SB_CSUMMED_START 8U
+ /* granularity of offset and length fields within superblock */
+-#define BCACHEFS_SECTOR_SIZE   512
++#define BCACHEFS_SECTOR_SIZE   512U
++/* maximum superblock size shift */
++#define BCACHEFS_SB_MAX_SIZE_SHIFT   0x10U
+ /* maximum superblock size */
+-#define BCACHEFS_SB_MAX_SIZE   0x100000
++#define BCACHEFS_SB_MAX_SIZE   (1U << BCACHEFS_SB_MAX_SIZE_SHIFT)
+ /* fields offset within super block */
+ #define BCACHEFS_SB_FIELDS_OFF offsetof(struct bcachefs_super_block, _start)
+ /* tag value for members field */
+@@ -311,12 +313,16 @@ static int probe_bcachefs(blkid_probe pr, const struct blkid_idmag *mag)
+ 		return BLKID_PROBE_NONE;
+ 
+ 	sb_size = BCACHEFS_SB_FIELDS_OFF + BYTES(bcs);
+-	if (sb_size > ((uint64_t) BCACHEFS_SECTOR_SIZE << bcs->layout.sb_max_size_bits))
+-		return BLKID_PROBE_NONE;
+ 
+ 	if (sb_size > BCACHEFS_SB_MAX_SIZE)
+ 		return BLKID_PROBE_NONE;
+ 
++	if (bcs->layout.sb_max_size_bits > BCACHEFS_SB_MAX_SIZE_SHIFT)
++		return BLKID_PROBE_NONE;
++
++	if (sb_size > (BCACHEFS_SECTOR_SIZE << bcs->layout.sb_max_size_bits))
++		return BLKID_PROBE_NONE;
++
+ 	sb = blkid_probe_get_sb_buffer(pr, mag, sb_size);
+ 	if (!sb)
+ 		return BLKID_PROBE_NONE;
diff --git a/nixpkgs/pkgs/os-specific/linux/util-linux/default.nix b/nixpkgs/pkgs/os-specific/linux/util-linux/default.nix
new file mode 100644
index 000000000000..d710fabb7ace
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/util-linux/default.nix
@@ -0,0 +1,141 @@
+{ lib, stdenv, fetchurl, pkg-config, zlib, shadow
+, capabilitiesSupport ? stdenv.isLinux
+, libcap_ng
+, libxcrypt
+, ncursesSupport ? true
+, ncurses
+, pamSupport ? true
+, pam
+, systemdSupport ? lib.meta.availableOn stdenv.hostPlatform systemd
+, systemd
+, nlsSupport ? true
+, translateManpages ? true
+, po4a
+, installShellFiles
+, writeSupport ? stdenv.isLinux
+, shadowSupport ? stdenv.isLinux
+, memstreamHook
+, gitUpdater
+}:
+
+stdenv.mkDerivation rec {
+  pname = "util-linux" + lib.optionalString (!nlsSupport && !ncursesSupport && !systemdSupport) "-minimal";
+  version = "2.39.2";
+
+  src = fetchurl {
+    url = "mirror://kernel/linux/utils/util-linux/v${lib.versions.majorMinor version}/util-linux-${version}.tar.xz";
+    hash = "sha256-h6vfqo5JD4vm3el298gLm1/58wHhtn44meHwWlmhUx8=";
+  };
+
+  patches = [
+    ./rtcwake-search-PATH-for-shutdown.patch
+    ./bcachefs-patch-set.patch
+  ];
+
+  # We separate some of the utilities into their own outputs. This
+  # allows putting together smaller systems depending on only part of
+  # the greater util-linux toolset.
+  # Compatibility is maintained by symlinking the binaries from the
+  # smaller outputs in the bin output.
+  outputs = [ "bin" "dev" "out" "lib" "man" ] ++ lib.optionals stdenv.isLinux [ "mount" ] ++ [ "login" ] ++ lib.optionals stdenv.isLinux [ "swap" ];
+  separateDebugInfo = true;
+
+  postPatch = ''
+    patchShebangs tests/run.sh
+
+    substituteInPlace sys-utils/eject.c \
+      --replace "/bin/umount" "$bin/bin/umount"
+  '' + lib.optionalString shadowSupport ''
+    substituteInPlace include/pathnames.h \
+      --replace "/bin/login" "${shadow}/bin/login"
+  '';
+
+  # !!! It would be better to obtain the path to the mount helpers
+  # (/sbin/mount.*) through an environment variable, but that's
+  # somewhat risky because we have to consider that mount can setuid
+  # root...
+  configureFlags = [
+    "--localstatedir=/var"
+    "--disable-use-tty-group"
+    "--enable-fs-paths-default=/run/wrappers/bin:/run/current-system/sw/bin:/sbin"
+    "--disable-makeinstall-setuid" "--disable-makeinstall-chown"
+    "--disable-su" # provided by shadow
+    (lib.enableFeature writeSupport "write")
+    (lib.enableFeature nlsSupport "nls")
+    (lib.withFeature ncursesSupport "ncursesw")
+    (lib.withFeature systemdSupport "systemd")
+    (lib.withFeatureAs systemdSupport
+       "systemdsystemunitdir" "${placeholder "bin"}/lib/systemd/system/")
+    (lib.enableFeature translateManpages "poman")
+    "SYSCONFSTATICDIR=${placeholder "lib"}/lib"
+  ] ++ lib.optional (stdenv.hostPlatform != stdenv.buildPlatform)
+       "scanf_cv_type_modifier=ms"
+  ;
+
+  makeFlags = [
+    "usrbin_execdir=${placeholder "bin"}/bin"
+    "usrlib_execdir=${placeholder "lib"}/lib"
+    "usrsbin_execdir=${placeholder "bin"}/sbin"
+  ];
+
+  nativeBuildInputs = [ pkg-config installShellFiles ]
+    ++ lib.optionals translateManpages [ po4a ];
+
+  buildInputs = [ zlib libxcrypt ]
+    ++ lib.optionals pamSupport [ pam ]
+    ++ lib.optionals capabilitiesSupport [ libcap_ng ]
+    ++ lib.optionals ncursesSupport [ ncurses ]
+    ++ lib.optionals systemdSupport [ systemd ]
+    ++ lib.optionals (stdenv.system == "x86_64-darwin") [ memstreamHook ];
+
+  doCheck = false; # "For development purpose only. Don't execute on production system!"
+
+  enableParallelBuilding = true;
+
+  postInstall = lib.optionalString stdenv.isLinux ''
+    moveToOutput bin/mount "$mount"
+    moveToOutput bin/umount "$mount"
+    ln -svf "$mount/bin/"* $bin/bin/
+    '' + ''
+
+    moveToOutput sbin/nologin "$login"
+    moveToOutput sbin/sulogin "$login"
+    prefix=$login _moveSbin
+    ln -svf "$login/bin/"* $bin/bin/
+    '' + lib.optionalString stdenv.isLinux ''
+
+    moveToOutput sbin/swapon "$swap"
+    moveToOutput sbin/swapoff "$swap"
+    prefix=$swap _moveSbin
+    ln -svf "$swap/bin/"* $bin/bin/
+    '' + ''
+
+    installShellCompletion --bash bash-completion/*
+  '';
+
+  passthru = {
+    updateScript = gitUpdater {
+      # No nicer place to find latest release.
+      url = "https://git.kernel.org/pub/scm/utils/util-linux/util-linux.git";
+      rev-prefix = "v";
+      ignoredVersions = "(-rc).*";
+    };
+  };
+
+  meta = with lib; {
+    homepage = "https://www.kernel.org/pub/linux/utils/util-linux/";
+    description = "A set of system utilities for Linux";
+    changelog = "https://mirrors.edge.kernel.org/pub/linux/utils/util-linux/v${lib.versions.majorMinor version}/v${version}-ReleaseNotes";
+    # https://git.kernel.org/pub/scm/utils/util-linux/util-linux.git/tree/README.licensing
+    license = with licenses; [ gpl2Only gpl2Plus gpl3Plus lgpl21Plus bsd3 bsdOriginalUC publicDomain ];
+    platforms = platforms.unix;
+    pkgConfigModules = [
+      "blkid"
+      "fdisk"
+      "mount"
+      "smartcols"
+      "uuid"
+    ];
+    priority = 6; # lower priority than coreutils ("kill") and shadow ("login" etc.) packages
+  };
+}
diff --git a/nixpkgs/pkgs/os-specific/linux/util-linux/rtcwake-search-PATH-for-shutdown.patch b/nixpkgs/pkgs/os-specific/linux/util-linux/rtcwake-search-PATH-for-shutdown.patch
new file mode 100644
index 000000000000..52c970a18f3d
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/util-linux/rtcwake-search-PATH-for-shutdown.patch
@@ -0,0 +1,69 @@
+Search $PATH for the shutdown binary instead of hard-coding /sbin/shutdown,
+which isn't valid on NixOS (and a compatibility link on most other modern
+distros anyway).
+
+--- a/include/pathnames.h
++++ b/include/pathnames.h
+@@ -50,8 +50,8 @@
+ #ifndef _PATH_LOGIN
+ # define _PATH_LOGIN		"/bin/login"
+ #endif
+-#define _PATH_SHUTDOWN		"/sbin/shutdown"
+-#define _PATH_POWEROFF		"/sbin/poweroff"
++#define _PATH_SHUTDOWN		"shutdown"
++#define _PATH_POWEROFF		"poweroff"
+ 
+ #define _PATH_TERMCOLORS_DIRNAME "terminal-colors.d"
+ #define _PATH_TERMCOLORS_DIR	"/etc/" _PATH_TERMCOLORS_DIRNAME
+--- a/sys-utils/rtcwake.c
++++ b/sys-utils/rtcwake.c
+@@ -587,29 +587,29 @@ int main(int argc, char **argv)
+ 		char *arg[5];
+ 		int i = 0;
+ 
+-		if (!access(_PATH_SHUTDOWN, X_OK)) {
+-			arg[i++] = _PATH_SHUTDOWN;
+-			arg[i++] = "-h";
+-			arg[i++] = "-P";
+-			arg[i++] = "now";
+-			arg[i]   = NULL;
+-		} else if (!access(_PATH_POWEROFF, X_OK)) {
+-			arg[i++] = _PATH_POWEROFF;
+-			arg[i]   = NULL;
+-		} else {
+-			arg[i] 	 = NULL;
+-		}
++		arg[i++] = _PATH_SHUTDOWN;
++		arg[i++] = "-h";
++		arg[i++] = "-P";
++		arg[i++] = "now";
++		arg[i]   = NULL;
+ 
+-		if (arg[0]) {
+-			if (ctl.verbose)
+-				printf(_("suspend mode: off; executing %s\n"),
+-						arg[0]);
+-			if (!ctl.dryrun) {
+-				execv(arg[0], arg);
++		if (ctl.verbose)
++			printf(_("suspend mode: off; executing %s\n"),
++					arg[0]);
++
++		if (!ctl.dryrun) {
++			execvp(arg[0], arg);
++			if (ctl.verbose) {
+ 				warn(_("failed to execute %s"), arg[0]);
+-				rc = EX_EXEC_ENOENT;
++				// Reuse translations.
++				printf(_("suspend mode: off; executing %s\n"),
++						_PATH_POWEROFF);
+ 			}
+-		} else {
++
++			i = 0;
++			arg[i++] = _PATH_POWEROFF;
++			arg[i]   = NULL;
++			execvp(arg[0], arg);
+ 			/* Failed to find shutdown command */
+ 			warn(_("failed to find shutdown command"));
+ 			rc = EX_EXEC_ENOENT;
diff --git a/nixpkgs/pkgs/os-specific/linux/uvcdynctrl/default.nix b/nixpkgs/pkgs/os-specific/linux/uvcdynctrl/default.nix
new file mode 100644
index 000000000000..8fa91e158e1c
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/uvcdynctrl/default.nix
@@ -0,0 +1,37 @@
+{ lib, stdenv, fetchFromGitHub, cmake, pkg-config, libxml2 }:
+
+stdenv.mkDerivation {
+  version = "0.3.0";
+  pname = "uvcdynctrl";
+
+  src = fetchFromGitHub {
+    owner = "cshorler";
+    repo = "webcam-tools";
+    rev = "bee2ef3c9e350fd859f08cd0e6745871e5f55cb9";
+    sha256 = "0s15xxgdx8lnka7vi8llbf6b0j4rhbjl6yp0qxaihysf890xj73s";
+  };
+
+  nativeBuildInputs = [ cmake pkg-config ];
+  buildInputs = [ libxml2 ];
+
+  prePatch = ''
+    local fixup_list=(
+      uvcdynctrl/CMakeLists.txt
+      uvcdynctrl/udev/rules/80-uvcdynctrl.rules
+      uvcdynctrl/udev/scripts/uvcdynctrl
+    )
+    for f in "''${fixup_list[@]}"; do
+      substituteInPlace "$f" \
+        --replace "/etc/udev" "$out/etc/udev" \
+        --replace "/lib/udev" "$out/lib/udev"
+    done
+  '';
+
+  meta = with lib; {
+    description = "A simple interface for devices supported by the linux UVC driver";
+    homepage = "https://guvcview.sourceforge.net";
+    license = licenses.gpl3Plus;
+    maintainers = [ maintainers.puffnfresh ];
+    platforms = platforms.linux;
+  };
+}
diff --git a/nixpkgs/pkgs/os-specific/linux/v4l-utils/default.nix b/nixpkgs/pkgs/os-specific/linux/v4l-utils/default.nix
new file mode 100644
index 000000000000..87fd282f6960
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/v4l-utils/default.nix
@@ -0,0 +1,58 @@
+{ stdenv, lib, fetchurl, pkg-config, perl
+, argp-standalone, libjpeg, udev
+, withUtils ? true
+, withGUI ? true, alsa-lib, libX11, qtbase, libGLU, wrapQtAppsHook
+}:
+
+# See libv4l in all-packages.nix for the libs only (overrides alsa, libX11 & QT)
+
+let
+  withQt = withUtils && withGUI;
+
+# we need to use stdenv.mkDerivation in order not to pollute the libv4l’s closure with Qt
+in stdenv.mkDerivation rec {
+  pname = "v4l-utils";
+  version = "1.24.1";
+
+  src = fetchurl {
+    url = "https://linuxtv.org/downloads/${pname}/${pname}-${version}.tar.bz2";
+    hash = "sha256-y7f+imMH9c5TOgXN7XC7k8O6BjlaubbQB+tTt12AX1s=";
+  };
+
+  outputs = [ "out" ] ++ lib.optional withUtils "lib" ++ [ "dev" ];
+
+  configureFlags = (if withUtils then [
+    "--with-localedir=${placeholder "lib"}/share/locale"
+    "--with-udevdir=${placeholder "out"}/lib/udev"
+  ] else [
+    "--disable-v4l-utils"
+  ]);
+
+  postFixup = ''
+    # Create symlink for V4l1 compatibility
+    ln -s "$dev/include/libv4l1-videodev.h" "$dev/include/videodev.h"
+  '';
+
+  nativeBuildInputs = [ pkg-config perl ] ++ lib.optional withQt wrapQtAppsHook;
+
+  buildInputs = [ udev ]
+    ++ lib.optional (!stdenv.hostPlatform.isGnu) argp-standalone
+    ++ lib.optionals withQt [ alsa-lib libX11 qtbase libGLU ];
+
+  propagatedBuildInputs = [ libjpeg ];
+
+  postPatch = ''
+    patchShebangs utils/
+  '';
+
+  enableParallelBuilding = true;
+
+  meta = with lib; {
+    description = "V4L utils and libv4l, provide common image formats regardless of the v4l device";
+    homepage = "https://linuxtv.org/projects.php";
+    changelog = "https://git.linuxtv.org/v4l-utils.git/plain/ChangeLog?h=v4l-utils-${version}";
+    license = with licenses; [ lgpl21Plus gpl2Plus ];
+    maintainers = with maintainers; [ codyopel ];
+    platforms = platforms.linux;
+  };
+}
diff --git a/nixpkgs/pkgs/os-specific/linux/v4l2-relayd/default.nix b/nixpkgs/pkgs/os-specific/linux/v4l2-relayd/default.nix
new file mode 100644
index 000000000000..a089ce8c77f8
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/v4l2-relayd/default.nix
@@ -0,0 +1,47 @@
+{ lib
+, stdenv
+, fetchgit
+, autoreconfHook
+, glib
+, gst_all_1
+, libtool
+, pkg-config
+, which
+}:
+stdenv.mkDerivation rec {
+  pname = "v4l2-relayd";
+  version = "0.1.3";
+
+  src = fetchgit {
+    url = "https://git.launchpad.net/v4l2-relayd";
+    rev = "refs/tags/upstream/${version}";
+    hash = "sha256-oU6naDFZ0PQVHZ3brANfMULDqYMYxeJN+MCUCvN/DpU=";
+  };
+
+  patches = [
+    ./upstream-v4l2loopback-compatibility.patch
+  ];
+
+  nativeBuildInputs = [
+    autoreconfHook
+    libtool
+    pkg-config
+    which
+  ];
+
+  buildInputs = [
+    glib
+    gst_all_1.gstreamer
+    gst_all_1.gst-plugins-base
+  ];
+
+  preConfigure = "./autogen.sh --prefix=$out";
+
+  meta = with lib; {
+    description = "Streaming relay for v4l2loopback using GStreamer";
+    homepage = "https://git.launchpad.net/v4l2-relayd";
+    license = licenses.gpl2;
+    maintainers = with maintainers; [ betaboon ];
+    platforms = [ "x86_64-linux" ];
+  };
+}
diff --git a/nixpkgs/pkgs/os-specific/linux/v4l2-relayd/upstream-v4l2loopback-compatibility.patch b/nixpkgs/pkgs/os-specific/linux/v4l2-relayd/upstream-v4l2loopback-compatibility.patch
new file mode 100644
index 000000000000..643535228256
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/v4l2-relayd/upstream-v4l2loopback-compatibility.patch
@@ -0,0 +1,16 @@
+diff --git a/src/v4l2-relayd.c b/src/v4l2-relayd.c
+index 21bb0d5..cfc9e27 100644
+--- a/src/v4l2-relayd.c
++++ b/src/v4l2-relayd.c
+@@ -27,7 +27,10 @@
+ #include <gst/app/gstappsrc.h>
+ #include <gst/video/video-info.h>
+ 
+-#define V4L2_EVENT_PRI_CLIENT_USAGE  V4L2_EVENT_PRIVATE_START
++#define V4L2LOOPBACK_EVENT_BASE (V4L2_EVENT_PRIVATE_START)
++#define V4L2LOOPBACK_EVENT_OFFSET 0x08E00000
++#define V4L2_EVENT_PRI_CLIENT_USAGE \
++	(V4L2LOOPBACK_EVENT_BASE + V4L2LOOPBACK_EVENT_OFFSET + 1)
+ 
+ struct v4l2_event_client_usage {
+   __u32 count;
diff --git a/nixpkgs/pkgs/os-specific/linux/v4l2loopback/default.nix b/nixpkgs/pkgs/os-specific/linux/v4l2loopback/default.nix
new file mode 100644
index 000000000000..2c1b4fbb4f4f
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/v4l2loopback/default.nix
@@ -0,0 +1,47 @@
+{ lib, stdenv, fetchFromGitHub, kernel, kmod }:
+
+stdenv.mkDerivation rec {
+  pname = "v4l2loopback";
+  version = "unstable-2023-02-19-${kernel.version}";
+
+  src = fetchFromGitHub {
+    owner = "umlaeute";
+    repo = "v4l2loopback";
+    rev = "fb410fc7af40e972058809a191fae9517b9313af";
+    hash = "sha256-gLFtR7s+3LUQ0BZxHbmaArHbufuphbtAX99nxJU3c84=";
+  };
+
+  patches = [
+    # fix bug https://github.com/umlaeute/v4l2loopback/issues/535
+    ./revert-pr518.patch
+  ];
+
+  hardeningDisable = [ "format" "pic" ];
+
+  preBuild = ''
+    substituteInPlace Makefile --replace "modules_install" "INSTALL_MOD_PATH=$out modules_install"
+    sed -i '/depmod/d' Makefile
+  '';
+
+  nativeBuildInputs = [ kmod ] ++ kernel.moduleBuildDependencies;
+
+  postInstall = ''
+    make install-utils PREFIX=$bin
+  '';
+
+  outputs = [ "out" "bin" ];
+
+  makeFlags = kernel.makeFlags ++ [
+    "KERNELRELEASE=${kernel.modDirVersion}"
+    "KERNEL_DIR=${kernel.dev}/lib/modules/${kernel.modDirVersion}/build"
+  ];
+
+  meta = with lib; {
+    description = "A kernel module to create V4L2 loopback devices";
+    homepage = "https://github.com/umlaeute/v4l2loopback";
+    license = licenses.gpl2Only;
+    maintainers = with maintainers; [ fortuneteller2k ];
+    platforms = platforms.linux;
+    outputsToInstall = [ "out" ];
+  };
+}
diff --git a/nixpkgs/pkgs/os-specific/linux/v4l2loopback/revert-pr518.patch b/nixpkgs/pkgs/os-specific/linux/v4l2loopback/revert-pr518.patch
new file mode 100644
index 000000000000..d5d2564c32c4
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/v4l2loopback/revert-pr518.patch
@@ -0,0 +1,55 @@
+diff --git a/v4l2loopback.c b/v4l2loopback.c
+index 2ab1f76..2514f09 100644
+--- a/v4l2loopback.c
++++ b/v4l2loopback.c
+@@ -92,17 +92,6 @@ MODULE_LICENSE("GPL");
+ 		}                                                      \
+ 	} while (0)
+ 
+-/* TODO: Make sure that function is never interrupted. */
+-static inline int mod_inc(int *number, int mod)
+-{
+-	int result;
+-	result = (*number + 1) % mod;
+-	if (unlikely(result < 0))
+-		result += mod;
+-	*number = result;
+-	return result;
+-}
+-
+ static inline void v4l2l_get_timestamp(struct v4l2_buffer *b)
+ {
+ 	/* ktime_get_ts is considered deprecated, so use ktime_get_ts64 if possible */
+@@ -1424,8 +1413,9 @@ static int vidioc_reqbufs(struct file *file, void *fh,
+ 			i = dev->write_position;
+ 			list_for_each_entry(pos, &dev->outbufs_list,
+ 					    list_head) {
+-				dev->bufpos2index[mod_inc(&i, b->count)] =
++				dev->bufpos2index[i % b->count] =
+ 					pos->buffer.index;
++				++i;
+ 			}
+ 		}
+ 
+@@ -1489,9 +1479,10 @@ static void buffer_written(struct v4l2_loopback_device *dev,
+ 	del_timer_sync(&dev->timeout_timer);
+ 	spin_lock_bh(&dev->lock);
+ 
+-	dev->bufpos2index[mod_inc(&dev->write_position, dev->used_buffers)] =
++	dev->bufpos2index[dev->write_position % dev->used_buffers] =
+ 		buf->buffer.index;
+ 	list_move_tail(&buf->list_head, &dev->outbufs_list);
++	++dev->write_position;
+ 	dev->reread_count = 0;
+ 
+ 	check_timers(dev);
+@@ -1586,7 +1577,8 @@ static int get_capture_buffer(struct file *file)
+ 		if (dev->write_position >
+ 		    opener->read_position + dev->used_buffers)
+ 			opener->read_position = dev->write_position - 1;
+-		pos = mod_inc(&opener->read_position, dev->used_buffers);
++		pos = opener->read_position % dev->used_buffers;
++		++opener->read_position;
+ 	}
+ 	timeout_happened = dev->timeout_happened;
+ 	dev->timeout_happened = 0;
diff --git a/nixpkgs/pkgs/os-specific/linux/v86d/default.nix b/nixpkgs/pkgs/os-specific/linux/v86d/default.nix
new file mode 100644
index 000000000000..dbc98344c5ec
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/v86d/default.nix
@@ -0,0 +1,47 @@
+{ lib
+, stdenv
+, fetchFromGitHub
+, kernel
+, klibc
+}:
+
+let
+  pversion = "0.1.10";
+in stdenv.mkDerivation rec {
+  pname = "v86d";
+  version = "${pversion}-${kernel.version}";
+
+  src = fetchFromGitHub {
+    owner = "mjanusz";
+    repo = "v86d";
+    rev = "v86d-${pversion}";
+    hash = "sha256-95LRzVbO/DyddmPwQNNQ290tasCGoQk7FDHlst6LkbA=";
+  };
+
+  patchPhase = ''
+    patchShebangs configure
+  '';
+
+  configureFlags = [ "--with-klibc" "--with-x86emu" ];
+
+  hardeningDisable = [ "stackprotector" ];
+
+  makeFlags = [
+    "KDIR=${kernel.dev}/lib/modules/${kernel.modDirVersion}/source"
+    "DESTDIR=$(out)"
+  ];
+
+  configurePhase = ''
+    ./configure $configureFlags
+  '';
+
+  buildInputs = [ klibc ];
+
+  meta = with lib; {
+    description = "A daemon to run x86 code in an emulated environment";
+    homepage = "https://github.com/mjanusz/v86d";
+    license = licenses.gpl2;
+    maintainers = with maintainers; [ codyopel ];
+    platforms = [ "i686-linux" "x86_64-linux" ];
+  };
+}
diff --git a/nixpkgs/pkgs/os-specific/linux/vdo/default.nix b/nixpkgs/pkgs/os-specific/linux/vdo/default.nix
new file mode 100644
index 000000000000..11597c9ed653
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/vdo/default.nix
@@ -0,0 +1,65 @@
+{ lib, stdenv
+, fetchFromGitHub
+, installShellFiles
+, libuuid
+, lvm2_dmeventd  # <libdevmapper-event.h>
+, zlib
+, python3
+}:
+
+stdenv.mkDerivation rec {
+  pname = "vdo";
+  version = "8.2.2.2";  # bump this version with kvdo
+
+  src = fetchFromGitHub {
+    owner = "dm-vdo";
+    repo = pname;
+    rev = version;
+    hash = "sha256-+2w9jzJemI2xr+i/Jd5TIBZ/o8Zv+Ett0fbJbkOD7KI=";
+  };
+
+  nativeBuildInputs = [
+    installShellFiles
+  ];
+
+  buildInputs = [
+    libuuid
+    lvm2_dmeventd
+    zlib
+    python3.pkgs.wrapPython
+  ];
+
+  propagatedBuildInputs = with python3.pkgs; [
+    pyyaml
+  ];
+
+  pythonPath = propagatedBuildInputs;
+
+  makeFlags = [
+    "DESTDIR=${placeholder "out"}"
+    "INSTALLOWNER="
+    # all of these paths are relative to DESTDIR and have defaults that don't work for us
+    "bindir=/bin"
+    "defaultdocdir=/share/doc"
+    "mandir=/share/man"
+    "python3_sitelib=${python3.sitePackages}"
+  ];
+
+  enableParallelBuilding = true;
+
+  postInstall = ''
+    installShellCompletion --bash $out/bash_completion.d/*
+    rm -r $out/bash_completion.d
+
+    wrapPythonPrograms
+  '';
+
+  meta = with lib; {
+    homepage = "https://github.com/dm-vdo/vdo";
+    description = "A set of userspace tools for managing pools of deduplicated and/or compressed block storage";
+    # platforms are defined in https://github.com/dm-vdo/vdo/blob/master/utils/uds/atomicDefs.h
+    platforms = [ "x86_64-linux" "aarch64-linux" "s390-linux" "powerpc64-linux" "powerpc64le-linux" ];
+    license = with licenses; [ gpl2Plus ];
+    maintainers = with maintainers; [ ajs124 ];
+  };
+}
diff --git a/nixpkgs/pkgs/os-specific/linux/veikk-linux-driver/default.nix b/nixpkgs/pkgs/os-specific/linux/veikk-linux-driver/default.nix
new file mode 100644
index 000000000000..8cf4896ae027
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/veikk-linux-driver/default.nix
@@ -0,0 +1,35 @@
+{ lib, stdenv, fetchFromGitHub, kernel }:
+
+stdenv.mkDerivation rec {
+  pname = "veikk-linux-driver";
+  version = "2.0";
+
+  src = fetchFromGitHub {
+    owner = "jlam55555";
+    repo = pname;
+    rev = "v${version}";
+    sha256 = "11mg74ds58jwvdmi3i7c4chxs6v9g09r9ll22pc2kbxjdnrp8zrn";
+  };
+
+  nativeBuildInputs = kernel.moduleBuildDependencies;
+
+  buildInputs = [ kernel ];
+
+  makeFlags = kernel.makeFlags ++ [
+    "BUILD_DIR=${kernel.dev}/lib/modules/${kernel.modDirVersion}/build"
+  ];
+
+  installPhase = ''
+    mkdir -p $out/lib/modules/${kernel.modDirVersion}/kernel/drivers/veikk
+    install -Dm755 veikk.ko $out/lib/modules/${kernel.modDirVersion}/kernel/drivers/veikk
+  '';
+
+  meta = with lib; {
+    description = "Linux driver for VEIKK-brand digitizers";
+    homepage = "https://github.com/jlam55555/veikk-linux-driver/";
+    license = licenses.gpl2Only;
+    platforms = platforms.linux;
+    maintainers = with maintainers; [ nicbk ];
+    broken = kernel.kernelOlder "4.19";
+  };
+}
diff --git a/nixpkgs/pkgs/os-specific/linux/vendor-reset/default.nix b/nixpkgs/pkgs/os-specific/linux/vendor-reset/default.nix
new file mode 100644
index 000000000000..f4430f3224ae
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/vendor-reset/default.nix
@@ -0,0 +1,46 @@
+{ stdenv, fetchFromGitHub, fetchpatch, kernel, lib }:
+
+stdenv.mkDerivation rec {
+  pname = "vendor-reset";
+  version = "unstable-2021-02-16-${kernel.version}";
+
+  src = fetchFromGitHub {
+    owner = "gnif";
+    repo = "vendor-reset";
+    rev = "225a49a40941e350899e456366265cf82b87ad25";
+    sha256 = "sha256-xa7P7+mRk4FVgi+YYCcsFLfyNqPmXvy3xhGoTDVqPxw=";
+  };
+
+  patches = [
+    # Fix build with Linux 5.18.
+    # https://github.com/gnif/vendor-reset/pull/58
+    (fetchpatch {
+      url = "https://github.com/gnif/vendor-reset/commit/5bbffcd6fee5348e8808bdbfcb5b21d455b02f55.patch";
+      sha256 = "sha256-L1QxVpcZAVYiaMFCBfL2EJgeMyOR8sDa1UqF1QB3bns=";
+    })
+  ];
+
+  nativeBuildInputs = kernel.moduleBuildDependencies;
+
+  hardeningDisable = [ "pic" ];
+
+  makeFlags = [
+    "KVER=${kernel.modDirVersion}"
+    "KDIR=${kernel.dev}/lib/modules/${kernel.modDirVersion}/build"
+  ];
+
+  installPhase = ''
+    install -D vendor-reset.ko -t "$out/lib/modules/${kernel.modDirVersion}/kernel/drivers/misc/"
+  '';
+
+  enableParallelBuilding = true;
+
+  meta = with lib; {
+    description = "Linux kernel vendor specific hardware reset module";
+    homepage = "https://github.com/gnif/vendor-reset";
+    license = licenses.gpl2Only;
+    maintainers = with maintainers; [ ];
+    platforms = [ "x86_64-linux" ];
+    broken = kernel.kernelOlder "4.19";
+  };
+}
diff --git a/nixpkgs/pkgs/os-specific/linux/virtio_vmmci/default.nix b/nixpkgs/pkgs/os-specific/linux/virtio_vmmci/default.nix
new file mode 100644
index 000000000000..7c6d57273be9
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/virtio_vmmci/default.nix
@@ -0,0 +1,37 @@
+{ stdenv, lib, fetchFromGitHub, kernel }:
+
+stdenv.mkDerivation rec {
+  name = "virtio_vmmci";
+  version = "0.5.0";
+
+  src = fetchFromGitHub {
+    owner = "voutilad";
+    repo = "virtio_vmmci";
+    rev = version;
+    hash = "sha256-ZHslYYZFjM3wp0W5J3/WwCtQ2wDzT1jNc26Z/giTC8g=";
+  };
+
+  hardeningDisable = [ "pic" "format" ];
+  nativeBuildInputs = kernel.moduleBuildDependencies;
+
+  extraConfig = ''
+    CONFIG_RTC_HCTOSYS yes
+  '';
+
+  makeFlags = kernel.makeFlags ++ [
+    "DEPMOD=echo"
+    "INSTALL_MOD_PATH=$(out)"
+    "KERNELRELEASE=${kernel.modDirVersion}"
+    "KERNELDIR=${kernel.dev}/lib/modules/${kernel.modDirVersion}/build"
+  ];
+
+  meta = with lib; {
+    description = "An OpenBSD VMM Control Interface (vmmci) for Linux";
+    homepage = "https://github.com/voutilad/virtio_vmmci";
+    license = licenses.gpl2;
+    maintainers = with maintainers; [ qbit ];
+    platforms = platforms.linux;
+  };
+
+  enableParallelBuilding = true;
+}
diff --git a/nixpkgs/pkgs/os-specific/linux/virtualbox/default.nix b/nixpkgs/pkgs/os-specific/linux/virtualbox/default.nix
new file mode 100644
index 000000000000..3aae58933c8f
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/virtualbox/default.nix
@@ -0,0 +1,23 @@
+{ stdenv, virtualbox, kernel }:
+
+stdenv.mkDerivation {
+  pname = "virtualbox-modules";
+  version = "${virtualbox.version}-${kernel.version}";
+  src = virtualbox.modsrc;
+  hardeningDisable = [
+    "fortify" "pic" "stackprotector"
+  ];
+
+  nativeBuildInputs = kernel.moduleBuildDependencies;
+
+  KERN_DIR = "${kernel.dev}/lib/modules/${kernel.modDirVersion}/build";
+
+  makeFlags = [ "INSTALL_MOD_PATH=$(out)" ];
+  installTargets = [ "install" ];
+
+  enableParallelBuilding = true;
+
+  meta = virtualbox.meta // {
+    description = virtualbox.meta.description + " (kernel modules)";
+  };
+}
diff --git a/nixpkgs/pkgs/os-specific/linux/vm-tools/default.nix b/nixpkgs/pkgs/os-specific/linux/vm-tools/default.nix
new file mode 100644
index 000000000000..c5981bfc2713
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/vm-tools/default.nix
@@ -0,0 +1,16 @@
+{ lib, stdenv, linux }:
+
+stdenv.mkDerivation {
+  pname = "vm-tools";
+  inherit (linux) version src;
+
+  makeFlags = [ "sbindir=${placeholder "out"}/bin" ];
+
+  preConfigure = "cd tools/vm";
+
+  meta = with lib; {
+    inherit (linux.meta) license platforms;
+    description = "Set of virtual memory tools";
+    maintainers = [ maintainers.evils ];
+  };
+}
diff --git a/nixpkgs/pkgs/os-specific/linux/vmm_clock/default.nix b/nixpkgs/pkgs/os-specific/linux/vmm_clock/default.nix
new file mode 100644
index 000000000000..7ce99f40df1f
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/vmm_clock/default.nix
@@ -0,0 +1,38 @@
+{ stdenv, lib, fetchFromGitHub, kernel }:
+
+stdenv.mkDerivation rec {
+  pname = "vmm_clock";
+  version = "0.2.0";
+
+  src = fetchFromGitHub {
+    owner = "voutilad";
+    repo = "vmm_clock";
+    rev = version;
+    hash = "sha256-8z/N/dbkeFd40sH7jatNmSS62B88tC0jVgNljhxslOo=";
+  };
+
+  hardeningDisable = [ "pic" "format" ];
+  nativeBuildInputs = kernel.moduleBuildDependencies;
+
+  extraConfig = ''
+    CONFIG_RTC_HCTOSYS yes
+  '';
+
+  makeFlags = kernel.makeFlags ++ [
+    "DEPMOD=echo"
+    "INSTALL_MOD_PATH=$(out)"
+    "KERNELRELEASE=${kernel.modDirVersion}"
+    "KERNELDIR=${kernel.dev}/lib/modules/${kernel.modDirVersion}/build"
+  ];
+
+  meta = with lib; {
+    description =
+      "Experimental implementation of a kvmclock-derived clocksource for Linux guests under OpenBSD's hypervisor";
+    homepage = "https://github.com/voutilad/vmm_clock";
+    license = licenses.gpl2;
+    maintainers = with maintainers; [ qbit ];
+    platforms = [ "i686-linux" "x86_64-linux" ];
+  };
+
+  enableParallelBuilding = true;
+}
diff --git a/nixpkgs/pkgs/os-specific/linux/vmware/default.nix b/nixpkgs/pkgs/os-specific/linux/vmware/default.nix
new file mode 100644
index 000000000000..7c1994687ae7
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/vmware/default.nix
@@ -0,0 +1,47 @@
+{ lib, stdenv, fetchFromGitHub, kernel, kmod, gnugrep }:
+
+stdenv.mkDerivation rec {
+  pname = "vmware-modules";
+  version = "workstation-17.0.2-2023-09-29-${kernel.version}";
+
+  src = fetchFromGitHub {
+    owner = "mkubecek";
+    repo = "vmware-host-modules";
+    # Developer no longer provides tags for kernel compatibility fixes
+    # Commit hash for branch workstation-17.0.2 as of 2023-09-29
+    rev = "29de7e2bd45d32e6983106d6f15810c70ba3e654";
+    hash = "sha256-l0QJbjySINM/7EyNhZl6UnUonwPoGnCnsQeC8YtI15c=";
+  };
+
+  hardeningDisable = [ "pic" ];
+
+  nativeBuildInputs = kernel.moduleBuildDependencies;
+
+  enableParallelBuilding = true;
+
+  postPatch = ''
+    substituteInPlace Makefile \
+      --replace '/lib/modules/$(VM_UNAME)/misc' "$out/lib/modules/${kernel.modDirVersion}/misc" \
+      --replace /sbin/modinfo "${kmod}/bin/modinfo" \
+      --replace 'test -z "$(DESTDIR)"' "0"
+
+    for module in "vmmon-only" "vmnet-only"; do
+      substituteInPlace "./$module/Makefile" \
+        --replace '/lib/modules/' "${kernel.dev}/lib/modules/" \
+        --replace /bin/grep "${gnugrep}/bin/grep"
+    done
+  '';
+
+  preInstall = ''
+    mkdir -p "$out/lib/modules/${kernel.modDirVersion}/misc"
+  '';
+
+  meta = with lib; {
+    description = "Kernel modules needed for VMware hypervisor";
+    homepage = "https://github.com/mkubecek/vmware-host-modules";
+    license = licenses.gpl2Only;
+    platforms = [ "x86_64-linux" ];
+    broken = (kernel.kernelOlder "5.5" && kernel.isHardened);
+    maintainers = with maintainers; [ deinferno ];
+  };
+}
diff --git a/nixpkgs/pkgs/os-specific/linux/waydroid/default.nix b/nixpkgs/pkgs/os-specific/linux/waydroid/default.nix
new file mode 100644
index 000000000000..2cf6e0c47e48
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/waydroid/default.nix
@@ -0,0 +1,88 @@
+{ lib
+, fetchFromGitHub
+, python3Packages
+, dnsmasq
+, gawk
+, getent
+, gobject-introspection
+, gtk3
+, kmod
+, lxc
+, iproute2
+, iptables
+, util-linux
+, wrapGAppsHook
+, xclip
+, runtimeShell
+}:
+
+python3Packages.buildPythonApplication rec {
+  pname = "waydroid";
+  version = "1.4.1";
+  format = "other";
+
+  src = fetchFromGitHub {
+    owner = pname;
+    repo = pname;
+    rev = version;
+    sha256 = "sha256-0AkNzMIumvgnVcLKX72E2+Eg54Y9j7tdIYPsroOTLWA=";
+  };
+
+  buildInputs = [
+    gtk3
+  ];
+
+  nativeBuildInputs = [
+    gobject-introspection
+    wrapGAppsHook
+  ];
+
+  propagatedBuildInputs = with python3Packages; [
+    dbus-python
+    gbinder-python
+    pyclip
+    pygobject3
+  ];
+
+  dontUseSetuptoolsBuild = true;
+  dontUsePipInstall = true;
+  dontUseSetuptoolsCheck = true;
+  dontWrapPythonPrograms = true;
+  dontWrapGApps = true;
+
+  installPhase = ''
+    make install PREFIX=$out USE_SYSTEMD=0
+  '';
+
+  preFixup = ''
+    makeWrapperArgs+=("''${gappsWrapperArgs[@]}")
+
+    patchShebangs --host $out/lib/waydroid/data/scripts
+    wrapProgram $out/lib/waydroid/data/scripts/waydroid-net.sh \
+      --prefix PATH ":" ${lib.makeBinPath [ dnsmasq getent iproute2 iptables ]}
+
+    wrapPythonProgramsIn $out/lib/waydroid/ "${lib.concatStringsSep " " [
+      "$out"
+      python3Packages.dbus-python
+      python3Packages.gbinder-python
+      python3Packages.pygobject3
+      python3Packages.pyclip
+      gawk
+      kmod
+      lxc
+      util-linux
+      xclip
+    ]}"
+
+    substituteInPlace $out/lib/waydroid/tools/helpers/*.py \
+      --replace '"sh"' '"${runtimeShell}"'
+  '';
+
+  meta = with lib; {
+    description = "Waydroid is a container-based approach to boot a full Android system on a regular GNU/Linux system like Ubuntu";
+    homepage = "https://github.com/waydroid/waydroid";
+    license = licenses.gpl3;
+    platforms = platforms.linux;
+    maintainers = with maintainers; [ mcaju ];
+  };
+}
diff --git a/nixpkgs/pkgs/os-specific/linux/wireguard/default.nix b/nixpkgs/pkgs/os-specific/linux/wireguard/default.nix
new file mode 100644
index 000000000000..8d8342cce980
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/wireguard/default.nix
@@ -0,0 +1,49 @@
+{ lib, stdenv, fetchzip, kernel, perl, wireguard-tools, bc }:
+
+# wireguard upstreamed since 5.6 https://lists.zx2c4.com/pipermail/wireguard/2019-December/004704.html
+assert lib.versionOlder kernel.version "5.6";
+
+stdenv.mkDerivation rec {
+  pname = "wireguard";
+  version = "1.0.20220627";
+
+  src = fetchzip {
+    url = "https://git.zx2c4.com/wireguard-linux-compat/snapshot/wireguard-linux-compat-${version}.tar.xz";
+    sha256 = "sha256-skbho3e49lZ/GLp/JDQpf/yXIEjes86aYtw/dn6e0Uo=";
+  };
+
+  hardeningDisable = [ "pic" ];
+
+  KERNELDIR = "${kernel.dev}/lib/modules/${kernel.modDirVersion}/build";
+
+  nativeBuildInputs = [ perl bc ] ++ kernel.moduleBuildDependencies;
+
+  preBuild = "cd src";
+  buildFlags = [ "module" ];
+  makeFlags = [
+    "ARCH=${stdenv.hostPlatform.linuxArch}"
+  ] ++ lib.optionals (stdenv.hostPlatform != stdenv.buildPlatform) [
+    "CROSS_COMPILE=${stdenv.cc.targetPrefix}"
+  ];
+
+  INSTALL_MOD_PATH = placeholder "out";
+  installFlags = [ "DEPMOD=true" ];
+  enableParallelBuilding = true;
+
+  passthru = {
+    # remove this when our kernel comes with native wireguard support
+    # and our tests no longer tests this package
+    inherit (wireguard-tools) tests;
+  };
+
+  meta = with lib; {
+    inherit (wireguard-tools.meta) homepage license maintainers;
+    description = "Kernel module for the WireGuard secure network tunnel";
+    longDescription = ''
+      Backport of WireGuard for kernels 3.10 to 5.5, as an out of tree module.
+      (as WireGuard was merged into the Linux kernel for 5.6)
+    '';
+    downloadPage = "https://git.zx2c4.com/wireguard-linux-compat/refs/";
+    platforms = platforms.linux;
+  };
+}
diff --git a/nixpkgs/pkgs/os-specific/linux/wireless-tools/default.nix b/nixpkgs/pkgs/os-specific/linux/wireless-tools/default.nix
new file mode 100644
index 000000000000..e95506461a4b
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/wireless-tools/default.nix
@@ -0,0 +1,26 @@
+{lib, stdenv, fetchurl}:
+
+stdenv.mkDerivation rec {
+  pname = "wireless-tools";
+  version = "30.pre9";
+
+  src = fetchurl {
+    url = "https://hewlettpackard.github.io/wireless-tools/wireless_tools.${version}.tar.gz";
+    sha256 = "0qscyd44jmhs4k32ggp107hlym1pcyjzihiai48xs7xzib4wbndb";
+  };
+
+  makeFlags = [
+    "PREFIX=${placeholder "out"}"
+    "CC:=$(CC)"
+    "AR:=$(AR)"
+    "RANLIB:=$(RANLIB)"
+    "LDCONFIG=:"
+  ];
+
+  meta = {
+    description = "Wireless tools for Linux";
+    homepage = "https://hewlettpackard.github.io/wireless-tools/Tools.html";
+    platforms = lib.platforms.linux;
+    license = lib.licenses.gpl2;
+  };
+}
diff --git a/nixpkgs/pkgs/os-specific/linux/wiringpi/default.nix b/nixpkgs/pkgs/os-specific/linux/wiringpi/default.nix
new file mode 100644
index 000000000000..bc80e2a33543
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/wiringpi/default.nix
@@ -0,0 +1,84 @@
+{ lib
+, stdenv
+, symlinkJoin
+, fetchFromGitHub
+, libxcrypt
+}:
+
+let
+  version = "2.61-1";
+  mkSubProject = { subprj # The only mandatory argument
+  , buildInputs ? []
+  , src ? fetchFromGitHub {
+    owner = "WiringPi";
+    repo = "WiringPi";
+    rev = version;
+    sha256 = "sha256-VxAaPhaPXd9xYt663Ju6SLblqiSLizauhhuFqCqbO5M=";
+  }
+  }: stdenv.mkDerivation (finalAttrs: {
+    pname = "wiringpi-${subprj}";
+    inherit version src;
+    sourceRoot = "${src.name}/${subprj}";
+    inherit buildInputs;
+    # Remove (meant for other OSs) lines from Makefiles
+    preInstall = ''
+      sed -i "/chown root/d" Makefile
+      sed -i "/chmod/d" Makefile
+    '';
+    makeFlags = [
+      "DESTDIR=${placeholder "out"}"
+      "PREFIX=/."
+      # On NixOS we don't need to run ldconfig during build:
+      "LDCONFIG=echo"
+    ];
+  });
+  passthru = {
+    inherit mkSubProject;
+    wiringPi = mkSubProject {
+      subprj = "wiringPi";
+      buildInputs = [
+        libxcrypt
+      ];
+    };
+    devLib = mkSubProject {
+      subprj = "devLib";
+      buildInputs = [
+        passthru.wiringPi
+      ];
+    };
+    wiringPiD = mkSubProject {
+      subprj = "wiringPiD";
+      buildInputs = [
+        libxcrypt
+        passthru.wiringPi
+        passthru.devLib
+      ];
+    };
+    gpio = mkSubProject {
+      subprj = "gpio";
+      buildInputs = [
+        libxcrypt
+        passthru.wiringPi
+        passthru.devLib
+      ];
+    };
+  };
+in
+
+symlinkJoin {
+  name = "wiringpi-${version}";
+  inherit passthru;
+  paths = [
+    passthru.wiringPi
+    passthru.devLib
+    passthru.wiringPiD
+    passthru.gpio
+  ];
+  meta = with lib; {
+    description = "Gordon's Arduino wiring-like WiringPi Library for the Raspberry Pi (Unofficial Mirror for WiringPi bindings)";
+    homepage = "https://github.com/WiringPi/WiringPi";
+    license = licenses.lgpl3Plus;
+    maintainers = with maintainers; [ doronbehar ];
+    platforms = platforms.linux;
+  };
+}
diff --git a/nixpkgs/pkgs/os-specific/linux/wooting-udev-rules/default.nix b/nixpkgs/pkgs/os-specific/linux/wooting-udev-rules/default.nix
new file mode 100644
index 000000000000..8231e3e3ea33
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/wooting-udev-rules/default.nix
@@ -0,0 +1,23 @@
+{ lib, stdenv }:
+
+stdenv.mkDerivation rec {
+  pname = "wooting-udev-rules";
+  version = "unstable-2023-03-31";
+
+  # Source: https://help.wooting.io/en/article/wootility-configuring-device-access-for-wootility-under-linux-udev-rules-r6lb2o/
+  src = [ ./wooting.rules ];
+
+  dontUnpack = true;
+
+  installPhase = ''
+    install -Dpm644 $src $out/lib/udev/rules.d/70-wooting.rules
+  '';
+
+  meta = with lib; {
+    homepage = "https://help.wooting.io/en/article/wootility-configuring-device-access-for-wootility-under-linux-udev-rules-r6lb2o/";
+    description = "udev rules that give NixOS permission to communicate with Wooting keyboards";
+    platforms = platforms.linux;
+    license = "unknown";
+    maintainers = with maintainers; [ davidtwco ];
+  };
+}
diff --git a/nixpkgs/pkgs/os-specific/linux/wooting-udev-rules/wooting.rules b/nixpkgs/pkgs/os-specific/linux/wooting-udev-rules/wooting.rules
new file mode 100644
index 000000000000..365627fa1aec
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/wooting-udev-rules/wooting.rules
@@ -0,0 +1,96 @@
+# Wooting One Legacy
+SUBSYSTEM=="hidraw", ATTRS{idVendor}=="03eb", ATTRS{idProduct}=="ff01", MODE:="0660", GROUP="input"
+SUBSYSTEM=="usb", ATTRS{idVendor}=="03eb", ATTRS{idProduct}=="ff01", MODE:="0660", GROUP="input"
+# Wooting One update mode
+SUBSYSTEM=="hidraw", ATTRS{idVendor}=="03eb", ATTRS{idProduct}=="2402", MODE:="0660", GROUP="input"
+
+# Wooting Two Legacy
+SUBSYSTEM=="hidraw", ATTRS{idVendor}=="03eb", ATTRS{idProduct}=="ff02", MODE:="0660", GROUP="input"
+SUBSYSTEM=="usb", ATTRS{idVendor}=="03eb", ATTRS{idProduct}=="ff02", MODE:="0660", GROUP="input"
+# Wooting Two update mode
+SUBSYSTEM=="hidraw", ATTRS{idVendor}=="03eb", ATTRS{idProduct}=="2403", MODE:="0660", GROUP="input"
+
+# Wooting One
+SUBSYSTEM=="hidraw", ATTRS{idVendor}=="31e3", ATTRS{idProduct}=="1100", MODE:="0660", GROUP="input"
+SUBSYSTEM=="usb", ATTRS{idVendor}=="31e3", ATTRS{idProduct}=="1100", MODE:="0660", GROUP="input"
+# Wooting One Alt-gamepad mode
+SUBSYSTEM=="hidraw", ATTRS{idVendor}=="31e3", ATTRS{idProduct}=="1101", MODE:="0660", GROUP="input"
+SUBSYSTEM=="usb", ATTRS{idVendor}=="31e3", ATTRS{idProduct}=="1101", MODE:="0660", GROUP="input"
+# Wooting One 2nd Alt-gamepad mode
+SUBSYSTEM=="hidraw", ATTRS{idVendor}=="31e3", ATTRS{idProduct}=="1102", MODE:="0660", GROUP="input"
+SUBSYSTEM=="usb", ATTRS{idVendor}=="31e3", ATTRS{idProduct}=="1102", MODE:="0660", GROUP="input"
+
+# Wooting Two
+SUBSYSTEM=="hidraw", ATTRS{idVendor}=="31e3", ATTRS{idProduct}=="1200", MODE:="0660", GROUP="input"
+SUBSYSTEM=="usb", ATTRS{idVendor}=="31e3", ATTRS{idProduct}=="1200", MODE:="0660", GROUP="input"
+# Wooting Two Alt-gamepad mode
+SUBSYSTEM=="hidraw", ATTRS{idVendor}=="31e3", ATTRS{idProduct}=="1201", MODE:="0660", GROUP="input"
+SUBSYSTEM=="usb", ATTRS{idVendor}=="31e3", ATTRS{idProduct}=="1201", MODE:="0660", GROUP="input"
+# Wooting Two 2nd Alt-gamepad mode
+SUBSYSTEM=="hidraw", ATTRS{idVendor}=="31e3", ATTRS{idProduct}=="1202", MODE:="0660", GROUP="input"
+SUBSYSTEM=="usb", ATTRS{idVendor}=="31e3", ATTRS{idProduct}=="1202", MODE:="0660", GROUP="input"
+
+# Wooting Lekker
+SUBSYSTEM=="hidraw", ATTRS{idVendor}=="31e3", ATTRS{idProduct}=="1210", MODE:="0660", GROUP="input"
+SUBSYSTEM=="usb", ATTRS{idVendor}=="31e3", ATTRS{idProduct}=="1210", MODE:="0660", GROUP="input"
+# Wooting Lekker Alt-gamepad mode
+SUBSYSTEM=="hidraw", ATTRS{idVendor}=="31e3", ATTRS{idProduct}=="1211", MODE:="0660", GROUP="input"
+SUBSYSTEM=="usb", ATTRS{idVendor}=="31e3", ATTRS{idProduct}=="1211", MODE:="0660", GROUP="input"
+# Wooting Lekker 2nd Alt-gamepad mode
+SUBSYSTEM=="hidraw", ATTRS{idVendor}=="31e3", ATTRS{idProduct}=="1212", MODE:="0660", GROUP="input"
+SUBSYSTEM=="usb", ATTRS{idVendor}=="31e3", ATTRS{idProduct}=="1212", MODE:="0660", GROUP="input"
+
+# Wooting Lekker update mode
+SUBSYSTEM=="hidraw", ATTRS{idVendor}=="31e3", ATTRS{idProduct}=="121f", MODE:="0660", GROUP="input"
+
+# Wooting Two HE
+SUBSYSTEM=="hidraw", ATTRS{idVendor}=="31e3", ATTRS{idProduct}=="1220", MODE:="0660", GROUP="input"
+SUBSYSTEM=="usb", ATTRS{idVendor}=="31e3", ATTRS{idProduct}=="1220", MODE:="0660", GROUP="input"
+# Wooting Two HE Alt-gamepad mode
+SUBSYSTEM=="hidraw", ATTRS{idVendor}=="31e3", ATTRS{idProduct}=="1221", MODE:="0660", GROUP="input"
+SUBSYSTEM=="usb", ATTRS{idVendor}=="31e3", ATTRS{idProduct}=="1221", MODE:="0660", GROUP="input"
+# Wooting Two HE 2nd Alt-gamepad mode
+SUBSYSTEM=="hidraw", ATTRS{idVendor}=="31e3", ATTRS{idProduct}=="1222", MODE:="0660", GROUP="input"
+SUBSYSTEM=="usb", ATTRS{idVendor}=="31e3", ATTRS{idProduct}=="1222", MODE:="0660", GROUP="input"
+
+# Wooting Two HE update mode
+SUBSYSTEM=="hidraw", ATTRS{idVendor}=="31e3", ATTRS{idProduct}=="122f", MODE:="0660", GROUP="input"
+
+# Wooting Two HE (ARM)
+SUBSYSTEM=="hidraw", ATTRS{idVendor}=="31e3", ATTRS{idProduct}=="1230", MODE:="0660", GROUP="input"
+SUBSYSTEM=="usb", ATTRS{idVendor}=="31e3", ATTRS{idProduct}=="1230", MODE:="0660", GROUP="input"
+# Wooting Two HE Alt-gamepad mode
+SUBSYSTEM=="hidraw", ATTRS{idVendor}=="31e3", ATTRS{idProduct}=="1231", MODE:="0660", GROUP="input"
+SUBSYSTEM=="usb", ATTRS{idVendor}=="31e3", ATTRS{idProduct}=="1231", MODE:="0660", GROUP="input"
+# Wooting Two HE 2nd Alt-gamepad mode
+SUBSYSTEM=="hidraw", ATTRS{idVendor}=="31e3", ATTRS{idProduct}=="1232", MODE:="0660", GROUP="input"
+SUBSYSTEM=="usb", ATTRS{idVendor}=="31e3", ATTRS{idProduct}=="1232", MODE:="0660", GROUP="input"
+
+# Wooting Two HE (ARM) update mode
+SUBSYSTEM=="hidraw", ATTRS{idVendor}=="31e3", ATTRS{idProduct}=="123f", MODE:="0660", GROUP="input"
+
+# Wooting 60HE
+SUBSYSTEM=="hidraw", ATTRS{idVendor}=="31e3", ATTRS{idProduct}=="1300", MODE:="0660", GROUP="input"
+SUBSYSTEM=="usb", ATTRS{idVendor}=="31e3", ATTRS{idProduct}=="1300", MODE:="0660", GROUP="input"
+# Wooting 60HE Alt-gamepad mode
+SUBSYSTEM=="hidraw", ATTRS{idVendor}=="31e3", ATTRS{idProduct}=="1301", MODE:="0660", GROUP="input"
+SUBSYSTEM=="usb", ATTRS{idVendor}=="31e3", ATTRS{idProduct}=="1301", MODE:="0660", GROUP="input"
+# Wooting 60HE 2nd Alt-gamepad mode
+SUBSYSTEM=="hidraw", ATTRS{idVendor}=="31e3", ATTRS{idProduct}=="1302", MODE:="0660", GROUP="input"
+SUBSYSTEM=="usb", ATTRS{idVendor}=="31e3", ATTRS{idProduct}=="1302", MODE:="0660", GROUP="input"
+
+# Wooting 60HE update mode
+SUBSYSTEM=="hidraw", ATTRS{idVendor}=="31e3", ATTRS{idProduct}=="130f", MODE:="0660", GROUP="input"
+
+# Wooting 60HE (ARM)
+SUBSYSTEM=="hidraw", ATTRS{idVendor}=="31e3", ATTRS{idProduct}=="1310", MODE:="0660", GROUP="input"
+SUBSYSTEM=="usb", ATTRS{idVendor}=="31e3", ATTRS{idProduct}=="1310", MODE:="0660", GROUP="input"
+# Wooting 60HE (ARM) Alt-gamepad mode
+SUBSYSTEM=="hidraw", ATTRS{idVendor}=="31e3", ATTRS{idProduct}=="1311", MODE:="0660", GROUP="input"
+SUBSYSTEM=="usb", ATTRS{idVendor}=="31e3", ATTRS{idProduct}=="1311", MODE:="0660", GROUP="input"
+# Wooting 60HE (ARM) 2nd Alt-gamepad mode
+SUBSYSTEM=="hidraw", ATTRS{idVendor}=="31e3", ATTRS{idProduct}=="1312", MODE:="0660", GROUP="input"
+SUBSYSTEM=="usb", ATTRS{idVendor}=="31e3", ATTRS{idProduct}=="1312", MODE:="0660", GROUP="input"
+
+# Wooting 60HE (ARM) update mode
+SUBSYSTEM=="hidraw", ATTRS{idVendor}=="31e3", ATTRS{idProduct}=="131f", MODE:="0660", GROUP="input"
diff --git a/nixpkgs/pkgs/os-specific/linux/wpa_supplicant/0001-Implement-read-only-mode-for-ssids.patch b/nixpkgs/pkgs/os-specific/linux/wpa_supplicant/0001-Implement-read-only-mode-for-ssids.patch
new file mode 100644
index 000000000000..d459de8a7f39
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/wpa_supplicant/0001-Implement-read-only-mode-for-ssids.patch
@@ -0,0 +1,130 @@
+From 99ae610f0ae3608a12c864caedf396f14e68327d Mon Sep 17 00:00:00 2001
+From: Maximilian Bosch <maximilian@mbosch.me>
+Date: Fri, 19 Feb 2021 19:44:21 +0100
+Subject: [PATCH] Implement read-only mode for ssids
+
+With this change it's possible to define `network=`-sections in a second
+config file specified via `-I` without having changes written to
+`/etc/wpa_supplicant.conf`.
+
+This is helpful on e.g. NixOS to allow both declarative (i.e. read-only)
+and imperative (i.e. mutable) networks.
+---
+ wpa_supplicant/config.h         | 2 +-
+ wpa_supplicant/config_file.c    | 5 +++--
+ wpa_supplicant/config_none.c    | 2 +-
+ wpa_supplicant/config_ssid.h    | 2 ++
+ wpa_supplicant/wpa_supplicant.c | 8 ++++----
+ 5 files changed, 11 insertions(+), 8 deletions(-)
+
+diff --git a/wpa_supplicant/config.h b/wpa_supplicant/config.h
+index 6a297ecfe..adaf4d398 100644
+--- a/wpa_supplicant/config.h
++++ b/wpa_supplicant/config.h
+@@ -1614,7 +1614,7 @@ const char * wpa_config_get_global_field_name(unsigned int i, int *no_var);
+  *
+  * Each configuration backend needs to implement this function.
+  */
+-struct wpa_config * wpa_config_read(const char *name, struct wpa_config *cfgp);
++struct wpa_config * wpa_config_read(const char *name, struct wpa_config *cfgp, int ro);
+ 
+ /**
+  * wpa_config_write - Write or update configuration data
+diff --git a/wpa_supplicant/config_file.c b/wpa_supplicant/config_file.c
+index 77c326df5..d5ed051b9 100644
+--- a/wpa_supplicant/config_file.c
++++ b/wpa_supplicant/config_file.c
+@@ -373,7 +373,7 @@ static int wpa_config_process_blob(struct wpa_config *config, FILE *f,
+ #endif /* CONFIG_NO_CONFIG_BLOBS */
+ 
+ 
+-struct wpa_config * wpa_config_read(const char *name, struct wpa_config *cfgp)
++struct wpa_config * wpa_config_read(const char *name, struct wpa_config *cfgp, int ro)
+ {
+ 	FILE *f;
+ 	char buf[512], *pos;
+@@ -415,6 +415,7 @@ struct wpa_config * wpa_config_read(const char *name, struct wpa_config *cfgp)
+ 	while (wpa_config_get_line(buf, sizeof(buf), f, &line, &pos)) {
+ 		if (os_strcmp(pos, "network={") == 0) {
+ 			ssid = wpa_config_read_network(f, &line, id++);
++			ssid->ro = ro;
+ 			if (ssid == NULL) {
+ 				wpa_printf(MSG_ERROR, "Line %d: failed to "
+ 					   "parse network block.", line);
+@@ -1591,7 +1592,7 @@ int wpa_config_write(const char *name, struct wpa_config *config)
+ 	}
+ 
+ 	for (ssid = config->ssid; ssid; ssid = ssid->next) {
+-		if (ssid->key_mgmt == WPA_KEY_MGMT_WPS || ssid->temporary)
++		if (ssid->key_mgmt == WPA_KEY_MGMT_WPS || ssid->temporary || ssid->ro)
+ 			continue; /* do not save temporary networks */
+ 		if (wpa_key_mgmt_wpa_psk(ssid->key_mgmt) && !ssid->psk_set &&
+ 		    !ssid->passphrase)
+diff --git a/wpa_supplicant/config_none.c b/wpa_supplicant/config_none.c
+index 2aac28fa3..02191b425 100644
+--- a/wpa_supplicant/config_none.c
++++ b/wpa_supplicant/config_none.c
+@@ -17,7 +17,7 @@
+ #include "base64.h"
+ 
+ 
+-struct wpa_config * wpa_config_read(const char *name, struct wpa_config *cfgp)
++struct wpa_config * wpa_config_read(const char *name, struct wpa_config *cfgp, int ro)
+ {
+ 	struct wpa_config *config;
+ 
+diff --git a/wpa_supplicant/config_ssid.h b/wpa_supplicant/config_ssid.h
+index d5c5c00a9..fd80c079c 100644
+--- a/wpa_supplicant/config_ssid.h
++++ b/wpa_supplicant/config_ssid.h
+@@ -93,6 +93,8 @@ struct wpa_ssid {
+ 	 */
+ 	int id;
+ 
++	int ro;
++
+ 	/**
+ 	 * priority - Priority group
+ 	 *
+diff --git a/wpa_supplicant/wpa_supplicant.c b/wpa_supplicant/wpa_supplicant.c
+index 911d79d17..cb0cb99b1 100644
+--- a/wpa_supplicant/wpa_supplicant.c
++++ b/wpa_supplicant/wpa_supplicant.c
+@@ -1052,14 +1052,14 @@ int wpa_supplicant_reload_configuration(struct wpa_supplicant *wpa_s)
+ 
+ 	if (wpa_s->confname == NULL)
+ 		return -1;
+-	conf = wpa_config_read(wpa_s->confname, NULL);
++	conf = wpa_config_read(wpa_s->confname, NULL, 0);
+ 	if (conf == NULL) {
+ 		wpa_msg(wpa_s, MSG_ERROR, "Failed to parse the configuration "
+ 			"file '%s' - exiting", wpa_s->confname);
+ 		return -1;
+ 	}
+ 	if (wpa_s->confanother &&
+-	    !wpa_config_read(wpa_s->confanother, conf)) {
++	    !wpa_config_read(wpa_s->confanother, conf, 1)) {
+ 		wpa_msg(wpa_s, MSG_ERROR,
+ 			"Failed to parse the configuration file '%s' - exiting",
+ 			wpa_s->confanother);
+@@ -5638,7 +5638,7 @@ static int wpa_supplicant_init_iface(struct wpa_supplicant *wpa_s,
+ #else /* CONFIG_BACKEND_FILE */
+ 		wpa_s->confname = os_strdup(iface->confname);
+ #endif /* CONFIG_BACKEND_FILE */
+-		wpa_s->conf = wpa_config_read(wpa_s->confname, NULL);
++		wpa_s->conf = wpa_config_read(wpa_s->confname, NULL, 0);
+ 		if (wpa_s->conf == NULL) {
+ 			wpa_printf(MSG_ERROR, "Failed to read or parse "
+ 				   "configuration '%s'.", wpa_s->confname);
+@@ -5646,7 +5646,7 @@ static int wpa_supplicant_init_iface(struct wpa_supplicant *wpa_s,
+ 		}
+ 		wpa_s->confanother = os_rel2abs_path(iface->confanother);
+ 		if (wpa_s->confanother &&
+-		    !wpa_config_read(wpa_s->confanother, wpa_s->conf)) {
++		    !wpa_config_read(wpa_s->confanother, wpa_s->conf, 1)) {
+ 			wpa_printf(MSG_ERROR,
+ 				   "Failed to read or parse configuration '%s'.",
+ 				   wpa_s->confanother);
+-- 
+2.29.2
+
diff --git a/nixpkgs/pkgs/os-specific/linux/wpa_supplicant/Use-unique-IDs-for-networks-and-credentials.patch b/nixpkgs/pkgs/os-specific/linux/wpa_supplicant/Use-unique-IDs-for-networks-and-credentials.patch
new file mode 100644
index 000000000000..09e5b3673ac4
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/wpa_supplicant/Use-unique-IDs-for-networks-and-credentials.patch
@@ -0,0 +1,32 @@
+The id and cred_id variables are reset to 0 every time the
+wpa_config_read function is called, which is fine as long as it is only
+called once. However, this is not the case when using both the -c and -I
+options to specify two config files.
+
+This is a problem because the GUI, since eadfeb0e93748eb396ae62012b92d21a7f533646,
+relies on the network IDs being unique (and increasing), and might get
+into an infinite loop otherwise.
+
+This is solved by simply making the variables static.
+---
+ wpa_supplicant/config_file.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/wpa_supplicant/config_file.c b/wpa_supplicant/config_file.c
+index 6db5010db..c996e3916 100644
+--- a/wpa_supplicant/config_file.c
++++ b/wpa_supplicant/config_file.c
+@@ -297,8 +297,8 @@ struct wpa_config * wpa_config_read(const char *name, struct wpa_config *cfgp)
+ 	struct wpa_ssid *ssid, *tail, *head;
+ 	struct wpa_cred *cred, *cred_tail, *cred_head;
+ 	struct wpa_config *config;
+-	int id = 0;
+-	int cred_id = 0;
++	static int id = 0;
++	static int cred_id = 0;
+
+ 	if (name == NULL)
+ 		return NULL;
+--
+2.34.1
+
diff --git a/nixpkgs/pkgs/os-specific/linux/wpa_supplicant/default.nix b/nixpkgs/pkgs/os-specific/linux/wpa_supplicant/default.nix
new file mode 100644
index 000000000000..621cd5d79a27
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/wpa_supplicant/default.nix
@@ -0,0 +1,143 @@
+{ lib, stdenv, fetchurl, openssl, pkg-config, libnl
+, nixosTests, wpa_supplicant_gui
+, dbusSupport ? !stdenv.hostPlatform.isStatic, dbus
+, withReadline ? true, readline
+, withPcsclite ? !stdenv.hostPlatform.isStatic, pcsclite
+, readOnlyModeSSIDs ? false
+}:
+
+with lib;
+stdenv.mkDerivation rec {
+  version = "2.10";
+
+  pname = "wpa_supplicant";
+
+  src = fetchurl {
+    url = "https://w1.fi/releases/${pname}-${version}.tar.gz";
+    sha256 = "sha256-IN965RVLODA1X4q0JpEjqHr/3qWf50/pKSqR0Nfhey8=";
+  };
+
+  patches = [
+    # Fix a bug when using two config files
+    ./Use-unique-IDs-for-networks-and-credentials.patch
+  ] ++ lib.optionals readOnlyModeSSIDs [
+    # Allow read-only networks
+    ./0001-Implement-read-only-mode-for-ssids.patch
+  ];
+
+  # TODO: Patch epoll so that the dbus actually responds
+  # TODO: Figure out how to get privsep working, currently getting SIGBUS
+  extraConfig = ''
+    #CONFIG_ELOOP_EPOLL=y
+    #CONFIG_PRIVSEP=y
+    #CONFIG_TLSV12=y see #8332
+    CONFIG_AP=y
+    CONFIG_BGSCAN_LEARN=y
+    CONFIG_BGSCAN_SIMPLE=y
+    CONFIG_DEBUG_SYSLOG=y
+    CONFIG_EAP_EKE=y
+    CONFIG_EAP_FAST=y
+    CONFIG_EAP_GPSK=y
+    CONFIG_EAP_GPSK_SHA256=y
+    CONFIG_EAP_IKEV2=y
+    CONFIG_EAP_PAX=y
+    CONFIG_EAP_PWD=y
+    CONFIG_EAP_SAKE=y
+    CONFIG_ELOOP=eloop
+    CONFIG_EXT_PASSWORD_FILE=y
+    CONFIG_HS20=y
+    CONFIG_HT_OVERRIDES=y
+    CONFIG_IEEE80211AC=y
+    CONFIG_IEEE80211AX=y
+    CONFIG_IEEE80211N=y
+    CONFIG_IEEE80211R=y
+    CONFIG_IEEE80211W=y
+    CONFIG_INTERNETWORKING=y
+    CONFIG_L2_PACKET=linux
+    CONFIG_LIBNL32=y
+    CONFIG_OWE=y
+    CONFIG_P2P=y
+    CONFIG_SAE_PK=y
+    CONFIG_TDLS=y
+    CONFIG_TLS=openssl
+    CONFIG_TLSV11=y
+    CONFIG_VHT_OVERRIDES=y
+    CONFIG_WNM=y
+    CONFIG_WPS=y
+    CONFIG_WPS_ER=y
+    CONFIG_WPS_NFS=y
+  '' + optionalString withPcsclite ''
+    CONFIG_EAP_SIM=y
+    CONFIG_EAP_AKA=y
+    CONFIG_EAP_AKA_PRIME=y
+    CONFIG_PCSC=y
+  '' + optionalString dbusSupport ''
+    CONFIG_CTRL_IFACE_DBUS=y
+    CONFIG_CTRL_IFACE_DBUS_NEW=y
+    CONFIG_CTRL_IFACE_DBUS_INTRO=y
+  ''
+    # Upstream uses conditionals based on ifdef, so opposite of =y is
+    # not =n, as one may expect, but undefine.
+    #
+    # This config is sourced into makefile.
+    + optionalString (!dbusSupport) ''
+    undefine CONFIG_CTRL_IFACE_DBUS
+    undefine CONFIG_CTRL_IFACE_DBUS_NEW
+    undefine CONFIG_CTRL_IFACE_DBUS_INTRO
+  '' + (if withReadline then ''
+    CONFIG_READLINE=y
+  '' else ''
+    CONFIG_WPA_CLI_EDIT=y
+  '');
+
+  preBuild = ''
+    for manpage in wpa_supplicant/doc/docbook/wpa_supplicant.conf* ; do
+      substituteInPlace "$manpage" --replace /usr/share/doc $out/share/doc
+    done
+    cd wpa_supplicant
+    cp -v defconfig .config
+    echo "$extraConfig" >> .config
+    cat -n .config
+    substituteInPlace Makefile --replace /usr/local $out
+    export NIX_CFLAGS_COMPILE="$NIX_CFLAGS_COMPILE \
+      -I$(echo "${lib.getDev libnl}"/include/libnl*/) \
+      ${optionalString withPcsclite "-I${lib.getDev pcsclite}/include/PCSC/"}"
+  '';
+
+  buildInputs = [ openssl libnl ]
+    ++ optional dbusSupport dbus
+    ++ optional withReadline readline
+    ++ optional withPcsclite pcsclite;
+
+  nativeBuildInputs = [ pkg-config ];
+
+  postInstall = ''
+    mkdir -p $out/share/man/man5 $out/share/man/man8
+    cp -v "doc/docbook/"*.5 $out/share/man/man5/
+    cp -v "doc/docbook/"*.8 $out/share/man/man8/
+  ''
+  + lib.optionalString dbusSupport ''
+    mkdir -p $out/share/dbus-1/system.d $out/share/dbus-1/system-services $out/etc/systemd/system
+    cp -v "dbus/"*service $out/share/dbus-1/system-services
+    sed -e "s@/sbin/wpa_supplicant@$out&@" -i "$out/share/dbus-1/system-services/"*
+    cp -v dbus/dbus-wpa_supplicant.conf $out/share/dbus-1/system.d
+    cp -v "systemd/"*.service $out/etc/systemd/system
+  ''
+  + ''
+    rm $out/share/man/man8/wpa_priv.8
+    install -Dm444 wpa_supplicant.conf $out/share/doc/wpa_supplicant/wpa_supplicant.conf.example
+  '';
+
+  passthru.tests = {
+    inherit (nixosTests) wpa_supplicant;
+    inherit wpa_supplicant_gui; # inherits the src+version updates
+  };
+
+  meta = with lib; {
+    homepage = "https://w1.fi/wpa_supplicant/";
+    description = "A tool for connecting to WPA and WPA2-protected wireless networks";
+    license = licenses.bsd3;
+    maintainers = with maintainers; [ marcweber ma27 ];
+    platforms = platforms.linux;
+  };
+}
diff --git a/nixpkgs/pkgs/os-specific/linux/wpa_supplicant/gui.nix b/nixpkgs/pkgs/os-specific/linux/wpa_supplicant/gui.nix
new file mode 100644
index 000000000000..82e104cac3aa
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/wpa_supplicant/gui.nix
@@ -0,0 +1,31 @@
+{ lib, mkDerivation, fetchpatch, qtbase, qmake, inkscape, imagemagick, wpa_supplicant }:
+
+mkDerivation {
+  pname = "wpa_gui";
+  inherit (wpa_supplicant) version src;
+
+  buildInputs = [ qtbase ];
+  nativeBuildInputs = [ qmake inkscape imagemagick ];
+
+  postPatch = ''
+    cd wpa_supplicant/wpa_gui-qt4
+  '';
+
+  postBuild = ''
+    make -C icons
+  '';
+
+  postInstall = ''
+    mkdir -pv $out/{bin,share/applications,share/icons}
+    cp -v wpa_gui $out/bin
+    cp -v wpa_gui.desktop $out/share/applications
+    cp -av icons/hicolor $out/share/icons
+  '';
+
+  meta = with lib; {
+    description = "Qt-based GUI for wpa_supplicant";
+    homepage = "https://hostap.epitest.fi/wpa_supplicant/";
+    license = licenses.bsd3;
+    platforms = platforms.linux;
+  };
+}
diff --git a/nixpkgs/pkgs/os-specific/linux/x86_energy_perf_policy/default.nix b/nixpkgs/pkgs/os-specific/linux/x86_energy_perf_policy/default.nix
new file mode 100644
index 000000000000..d636f928f249
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/x86_energy_perf_policy/default.nix
@@ -0,0 +1,26 @@
+{ lib, stdenv, kernel }:
+
+stdenv.mkDerivation {
+  pname = "x86_energy_perf_policy";
+  version = kernel.version;
+
+  src = kernel.src;
+
+  postPatch = ''
+    cd tools/power/x86/x86_energy_perf_policy
+    sed -i 's,/usr,,g' Makefile
+  '';
+
+  preInstall = ''
+    mkdir -p $out/bin $out/share/man/man8
+  '';
+
+  makeFlags = [ "DESTDIR=$(out)" ];
+
+  meta = with lib; {
+    description = "Set the energy versus performance policy preference bias on recent X86 processors";
+    homepage = "https://www.kernel.org/";
+    license = licenses.gpl2;
+    platforms = [ "i686-linux" "x86_64-linux" ]; # x86-specific
+  };
+}
diff --git a/nixpkgs/pkgs/os-specific/linux/x86info/default.nix b/nixpkgs/pkgs/os-specific/linux/x86info/default.nix
new file mode 100644
index 000000000000..f330fbbe6c7a
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/x86info/default.nix
@@ -0,0 +1,56 @@
+{ lib
+, stdenv
+, fetchFromGitHub
+, pciutils
+, pkg-config
+, python3
+}:
+
+stdenv.mkDerivation rec {
+  pname = "x86info";
+  version = "unstable-2021-08-07";
+
+  src = fetchFromGitHub {
+    owner = "kernelslacker";
+    repo = pname;
+    rev = "061ea35ecb0697761b6260998fa2045b8bb0be68";
+    hash = "sha256-/qWioC4dV1bQkU4SiTR8duYqoGIMIH7s8vuAXi75juo=";
+  };
+
+  nativeBuildInputs = [
+    pkg-config
+    python3
+  ];
+
+  buildInputs = [
+    pciutils
+  ];
+
+  # causes redefinition of _FORTIFY_SOURCE
+  hardeningDisable = [ "fortify3" ];
+
+  postBuild = ''
+    patchShebangs lsmsr/createheader.py
+    make -C lsmsr
+  '';
+
+  installPhase = ''
+    mkdir -p $out/bin
+    cp x86info $out/bin
+    cp lsmsr/lsmsr $out/bin
+  '';
+
+  meta = {
+    description = "Identification utility for the x86 series of processors";
+    longDescription = ''
+      x86info will identify all Intel/AMD/Centaur/Cyrix/VIA CPUs. It leverages
+      the cpuid kernel module where possible.  it supports parsing model specific
+      registers (MSRs) via the msr kernel module.  it will approximate processor
+      frequency, and identify the cache sizes and layout.
+    '';
+    platforms = [ "i686-linux" "x86_64-linux" ];
+    license = lib.licenses.gpl2;
+    homepage = "https://github.com/kernelslacker/x86info";
+    maintainers = with lib.maintainers; [ jcumming ];
+  };
+}
diff --git a/nixpkgs/pkgs/os-specific/linux/xf86-input-cmt/default.nix b/nixpkgs/pkgs/os-specific/linux/xf86-input-cmt/default.nix
new file mode 100644
index 000000000000..a973f844fd4a
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/xf86-input-cmt/default.nix
@@ -0,0 +1,36 @@
+{ lib, stdenv, fetchFromGitHub, pkg-config, xorgserver, xorgproto,
+  utilmacros, libgestures, libevdevc }:
+
+stdenv.mkDerivation rec {
+  pname = "xf86-input-cmt";
+  version = "2.0.2";
+  src = fetchFromGitHub {
+    owner = "hugegreenbug";
+    repo = "xf86-input-cmt";
+    rev = "v${version}";
+    sha256 = "1cnwf518nc0ybc1r3rsgc1gcql1k3785khffv0i4v3akrm9wdw98";
+  };
+
+  postPatch = ''
+    patchShebangs ./apply_patches.sh
+    ./apply_patches.sh
+  '';
+
+  nativeBuildInputs = [ pkg-config ];
+  buildInputs = [
+    xorgserver xorgproto utilmacros
+    libgestures libevdevc
+  ];
+
+  configureFlags = [
+    "--with-sdkdir=${placeholder "out"}"
+  ];
+
+  meta = with lib; {
+    description = "Chromebook touchpad driver";
+    license = licenses.bsd3;
+    platforms = platforms.linux;
+    homepage = "https://www.github.com/hugegreenbug/xf86-input-cmt";
+    maintainers = with maintainers; [ kcalvinalvin ];
+  };
+}
diff --git a/nixpkgs/pkgs/os-specific/linux/xf86-input-wacom/default.nix b/nixpkgs/pkgs/os-specific/linux/xf86-input-wacom/default.nix
new file mode 100644
index 000000000000..7b7687bc3063
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/xf86-input-wacom/default.nix
@@ -0,0 +1,61 @@
+{ lib
+, stdenv
+, autoreconfHook
+, fetchFromGitHub
+, xorgproto
+, libX11
+, libXext
+, libXi
+, libXinerama
+, libXrandr
+, libXrender
+, ncurses
+, pixman
+, pkg-config
+, udev
+, utilmacros
+, xorgserver
+}:
+
+stdenv.mkDerivation rec {
+  pname = "xf86-input-wacom";
+  version = "1.2.0";
+
+  src = fetchFromGitHub {
+    owner = "linuxwacom";
+    repo = pname;
+    rev = "${pname}-${version}";
+    sha256 = "sha256-PuIfeHlkcoin7w2v822P8uhWBNhYQGuOA7yD62L3qto=";
+  };
+
+  nativeBuildInputs = [ autoreconfHook pkg-config ];
+
+  buildInputs = [
+    libX11
+    libXext
+    libXi
+    libXinerama
+    libXrandr
+    libXrender
+    ncurses
+    udev
+    utilmacros
+    pixman
+    xorgproto
+    xorgserver
+  ];
+
+  configureFlags = [
+    "--with-xorg-module-dir=${placeholder "out"}/lib/xorg/modules"
+    "--with-sdkdir=${placeholder "out"}/include/xorg"
+    "--with-xorg-conf-dir=${placeholder "out"}/share/X11/xorg.conf.d"
+  ];
+
+  meta = with lib; {
+    maintainers = with maintainers; [ goibhniu fortuneteller2k ];
+    description = "Wacom digitizer driver for X11";
+    homepage = "https://linuxwacom.sourceforge.net";
+    license = licenses.gpl2Only;
+    platforms = platforms.linux; # Probably, works with other unixes as well
+  };
+}
diff --git a/nixpkgs/pkgs/os-specific/linux/xf86-video-nested/default.nix b/nixpkgs/pkgs/os-specific/linux/xf86-video-nested/default.nix
new file mode 100644
index 000000000000..4092e3797c2f
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/xf86-video-nested/default.nix
@@ -0,0 +1,33 @@
+{ lib, stdenv, fetchgit, autoreconfHook, xorgproto, libX11, libXext
+, pixman, pkg-config, utilmacros, xorgserver
+}:
+
+stdenv.mkDerivation {
+  pname = "xf86-video-nested";
+  version = "unstable-2017-06-12";
+
+  src = fetchgit {
+    url = "git://anongit.freedesktop.org/xorg/driver/xf86-video-nested";
+    rev = "6a48b385c41ea89354d0b2ee7f4649a1d1d9ec70";
+    sha256 = "133rd2kvr2q2wmwpx82bb93qbi8wm8qp1vlmbhgc7aslz0j4cqqv";
+  };
+
+  nativeBuildInputs = [ pkg-config autoreconfHook ];
+
+  buildInputs =
+    [ xorgproto libX11 libXext pixman
+      utilmacros xorgserver
+    ];
+
+  hardeningDisable = [ "fortify" ];
+
+  CFLAGS = "-I${pixman}/include/pixman-1";
+
+  meta = with lib; {
+    homepage = "https://cgit.freedesktop.org/xorg/driver/xf86-video-nested";
+    description = "A driver to run Xorg on top of Xorg or something else";
+    maintainers = [ maintainers.goibhniu ];
+    platforms = platforms.linux;
+    license = licenses.mit;
+  };
+}
diff --git a/nixpkgs/pkgs/os-specific/linux/xone/default.nix b/nixpkgs/pkgs/os-specific/linux/xone/default.nix
new file mode 100644
index 000000000000..104b7952f2be
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/xone/default.nix
@@ -0,0 +1,48 @@
+{ stdenv, lib, fetchFromGitHub, kernel, fetchurl, fetchpatch }:
+
+stdenv.mkDerivation rec {
+  pname = "xone";
+  version = "0.3";
+
+  src = fetchFromGitHub {
+    owner = "medusalix";
+    repo = pname;
+    rev = "refs/tags/v${version}";
+    sha256 = "sha256-h+j4xCV9R6hp9trsv1NByh9m0UBafOz42ZuYUjclILE=";
+  };
+
+  patches = [
+    # Fix build on kernel 6.3
+    (fetchpatch {
+      name = "kernel-6.3.patch";
+      url = "https://github.com/medusalix/xone/commit/bbf0dcc484c3f5611f4e375da43e0e0ef08f3d18.patch";
+      hash = "sha256-A2OzRRk4XT++rS6k6EIyiPy/LJptvVRUxoP7CIGrPWU=";
+    })
+  ];
+
+  setSourceRoot = ''
+    export sourceRoot=$(pwd)/${src.name}
+  '';
+
+  nativeBuildInputs = kernel.moduleBuildDependencies;
+
+  makeFlags = [
+    "-C"
+    "${kernel.dev}/lib/modules/${kernel.modDirVersion}/build"
+    "M=$(sourceRoot)"
+    "VERSION=${version}"
+  ];
+
+  buildFlags = [ "modules" ];
+  installFlags = [ "INSTALL_MOD_PATH=${placeholder "out"}" ];
+  installTargets = [ "modules_install" ];
+
+  meta = with lib; {
+    description = "Linux kernel driver for Xbox One and Xbox Series X|S accessories";
+    homepage = "https://github.com/medusalix/xone";
+    license = licenses.gpl2;
+    maintainers = with lib.maintainers; [ rhysmdnz ];
+    platforms = platforms.linux;
+  };
+}
+
diff --git a/nixpkgs/pkgs/os-specific/linux/xp-pen-drivers/deco-01-v2/default.nix b/nixpkgs/pkgs/os-specific/linux/xp-pen-drivers/deco-01-v2/default.nix
new file mode 100644
index 000000000000..8ae426269a86
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/xp-pen-drivers/deco-01-v2/default.nix
@@ -0,0 +1,83 @@
+{ lib
+, stdenv
+, fetchzip
+, libusb1
+, glibc
+, libGL
+, xorg
+, makeWrapper
+, qtx11extras
+, wrapQtAppsHook
+, autoPatchelfHook
+, libX11
+, libXtst
+, libXi
+, libXrandr
+, libXinerama
+}:
+
+let
+  dataDir = "var/lib/xppend1v2";
+in
+stdenv.mkDerivation rec {
+  pname = "xp-pen-deco-01-v2-driver";
+  version = "3.2.3.230215-1";
+
+  src = fetchzip {
+    url = "https://download01.xp-pen.com/file/2023/03/XPPen-pentablet-${version}.x86_64.tar.gz";
+    name = "xp-pen-deco-01-v2-driver-${version}.tar.gz";
+    sha256 = "sha256-CV4ZaGCFFcfy2J0O8leYgcyzFVwJQFQJsShOv9B7jfI=";
+  };
+
+  nativeBuildInputs = [
+    wrapQtAppsHook
+    autoPatchelfHook
+    makeWrapper
+  ];
+
+  dontBuild = true;
+
+  dontWrapQtApps = true; # this is done manually
+
+  buildInputs = [
+    libusb1
+    libX11
+    libXtst
+    libXi
+    libXrandr
+    libXinerama
+    glibc
+    libGL
+    stdenv.cc.cc.lib
+    qtx11extras
+  ];
+
+  installPhase = ''
+    runHook preInstall
+
+    mkdir -p $out/{opt,bin}
+    cp -r App/usr/lib/pentablet/{pentablet,resource.rcc,conf} $out/opt
+    chmod +x $out/opt/pentablet
+    cp -r App/lib $out/lib
+    sed -i 's#usr/lib/pentablet#${dataDir}#g' $out/opt/pentablet
+
+    runHook postInstall
+  '';
+
+  postFixup = ''
+    makeWrapper $out/opt/pentablet $out/bin/xp-pen-deco-01-v2-driver \
+      "''${qtWrapperArgs[@]}" \
+      --run 'if [ "$EUID" -ne 0 ]; then echo "Please run as root."; exit 1; fi' \
+      --run 'if [ ! -d /${dataDir} ]; then mkdir -p /${dataDir}; cp -r '$out'/opt/conf /${dataDir}; chmod u+w -R /${dataDir}; fi'
+  '';
+
+  meta = with lib; {
+    homepage = "https://www.xp-pen.com/product/461.html";
+    description = "Drivers for the XP-PEN Deco 01 v2 drawing tablet";
+    platforms = [ "x86_64-linux" ];
+    sourceProvenance = with sourceTypes; [ binaryNativeCode ];
+    maintainers = with maintainers; [ virchau13 ];
+    license = licenses.unfree;
+  };
+}
+
diff --git a/nixpkgs/pkgs/os-specific/linux/xp-pen-drivers/g430/default.nix b/nixpkgs/pkgs/os-specific/linux/xp-pen-drivers/g430/default.nix
new file mode 100644
index 000000000000..ad983662109a
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/xp-pen-drivers/g430/default.nix
@@ -0,0 +1,39 @@
+{ lib, stdenv, mkDerivation, fetchzip, autoPatchelfHook, libusb1, libX11, libXtst, qtbase, libglvnd }:
+
+mkDerivation rec {
+  pname = "xp-pen-g430-driver";
+  version = "1.2.13.1";
+
+  src = fetchzip {
+    url = "https://download01.xp-pen.com/file/2020/04/Linux_Pentablet_V${version}.tar.gz(20200428).zip";
+    sha256 = "1r423hcpi26v82pzl59br1zw5vablikclqsy6mcqi0v5p84hfrdd";
+  } + /Linux_Pentablet_V1.2.13.1.tar.gz;
+
+  nativeBuildInputs = [
+    autoPatchelfHook
+  ];
+
+  buildInputs = [
+    libusb1
+    libX11
+    libXtst
+    qtbase
+    libglvnd
+    stdenv.cc.cc.lib
+  ];
+
+  installPhase = ''
+    mkdir -p $out/bin
+    cp Pentablet_Driver $out/bin/pentablet-driver
+    cp config.xml $out/bin/config.xml
+  '';
+
+  meta = with lib; {
+    homepage = "https://www.xp-pen.com/download-46.html";
+    description = "Driver for XP-PEN Pentablet drawing tablets";
+    sourceProvenance = with lib.sourceTypes; [ binaryNativeCode ];
+    license = licenses.unfree;
+    platforms = [ "x86_64-linux" ];
+    maintainers = with maintainers; [ ivar ];
+  };
+}
diff --git a/nixpkgs/pkgs/os-specific/linux/xpadneo/default.nix b/nixpkgs/pkgs/os-specific/linux/xpadneo/default.nix
new file mode 100644
index 000000000000..e470fa66adf3
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/xpadneo/default.nix
@@ -0,0 +1,49 @@
+{ lib
+, stdenv
+, fetchFromGitHub
+, kernel
+, bluez
+, nixosTests
+}:
+
+stdenv.mkDerivation (finalAttrs: {
+  pname = "xpadneo";
+  version = "0.9.5";
+
+  src = fetchFromGitHub {
+    owner = "atar-axis";
+    repo = "xpadneo";
+    rev = "refs/tags/v${finalAttrs.version}";
+    sha256 = "sha256-rT2Mq40fE055FemDG7PBjt+cxgIHJG9tTjtw2nW6B98=";
+  };
+
+  setSourceRoot = ''
+    export sourceRoot=$(pwd)/${finalAttrs.src.name}/hid-xpadneo/src
+  '';
+
+  nativeBuildInputs = kernel.moduleBuildDependencies;
+  buildInputs = [ bluez ];
+
+  makeFlags = kernel.makeFlags ++ [
+    "-C"
+    "${kernel.dev}/lib/modules/${kernel.modDirVersion}/build"
+    "M=$(sourceRoot)"
+    "VERSION=${finalAttrs.version}"
+  ];
+
+  buildFlags = [ "modules" ];
+  installFlags = [ "INSTALL_MOD_PATH=${placeholder "out"}" ];
+  installTargets = [ "modules_install" ];
+
+  passthru.tests = {
+    xpadneo = nixosTests.xpadneo;
+  };
+
+  meta = with lib; {
+    description = "Advanced Linux driver for Xbox One wireless controllers";
+    homepage = "https://atar-axis.github.io/xpadneo";
+    license = licenses.gpl3Only;
+    maintainers = with maintainers; [ kira-bruneau ];
+    platforms = platforms.linux;
+  };
+})
diff --git a/nixpkgs/pkgs/os-specific/linux/xsensors/default.nix b/nixpkgs/pkgs/os-specific/linux/xsensors/default.nix
new file mode 100644
index 000000000000..e3639fefffa4
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/xsensors/default.nix
@@ -0,0 +1,23 @@
+{ stdenv, lib, fetchurl, gtk2, pkg-config, lm_sensors }:
+
+stdenv.mkDerivation rec {
+  pname = "xsensors";
+  version = "0.70";
+  src = fetchurl {
+    url = "http://www.linuxhardware.org/xsensors/xsensors-${version}.tar.gz";
+    sha256 = "1siplsfgvcxamyqf44h71jx6jdfmvhfm7mh0y1q8ps4zs6pj2zwh";
+  };
+  nativeBuildInputs = [ pkg-config ];
+  buildInputs = [
+    gtk2 lm_sensors
+  ];
+  patches = [
+    ./remove-unused-variables.patch
+    ./replace-deprecated-gtk.patch
+  ];
+  meta = with lib; {
+    license = licenses.gpl2;
+    platforms = platforms.linux;
+    maintainers = with maintainers; [ ];
+  };
+}
diff --git a/nixpkgs/pkgs/os-specific/linux/xsensors/remove-unused-variables.patch b/nixpkgs/pkgs/os-specific/linux/xsensors/remove-unused-variables.patch
new file mode 100644
index 000000000000..7da97a0e56e8
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/xsensors/remove-unused-variables.patch
@@ -0,0 +1,39 @@
+Author: Nanley Chery <nanleychery@gmail.com>
+From: Jean Delvare <khali@linux-fr.org>
+Subject: Remove declared, but unused variables
+Bug-Debian: http://bugs.debian.org/625435
+---
+--- a/src/gui.c
++++ b/src/gui.c
+@@ -257,10 +257,9 @@
+ 
+ /* Start the sensor info update timer. */
+ gint start_timer( GtkWidget *widget, gpointer data ) {
+-    gint timer;
+ 
+     /* Setup timer for updates. */
+-    timer = g_timeout_add( update_time * 1000, 
++    g_timeout_add( update_time * 1000,
+                              (GtkFunction) update_sensor_data, 
+ 			     (gpointer) data );
+ 
+@@ -287,7 +286,7 @@
+ 
+     /* feature data */
+     updates *head = NULL;
+-    updates *current = NULL, *prev = NULL;
++    updates *current = NULL;
+ 
+     const sensors_feature *feature;
+ 
+@@ -347,10 +346,8 @@
+             new_node->pbar = featpbar;
+ 
+             if ( head == NULL ) {
+-                prev = head;
+                 head = current = new_node;
+             } else {
+-                prev = current;
+                 current = current->next = new_node;
+             }
+ 
diff --git a/nixpkgs/pkgs/os-specific/linux/xsensors/replace-deprecated-gtk.patch b/nixpkgs/pkgs/os-specific/linux/xsensors/replace-deprecated-gtk.patch
new file mode 100644
index 000000000000..fed4c7dc4c95
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/xsensors/replace-deprecated-gtk.patch
@@ -0,0 +1,168 @@
+Author: Nanley Chery <nanleychery@gmail.com>
+Subject: Update deprecated gtk casts and replace deprecated function calls with their analogous cairo counterparts.
+Bug-Debian: http://bugs.debian.org/622005
+Bug-Debian: http://bugs.debian.org/610321
+---
+--- a/src/gui.c
++++ b/src/gui.c
+@@ -27,10 +27,10 @@
+ GtkWidget *mainwindow = NULL;
+ 
+ GdkColor colorWhite = { 0, 0xFFFF, 0xFFFF, 0xFFFF };
+-    
+-GdkColormap *cmap = NULL;
+ 
+-GdkPixmap *theme = NULL;
++GdkPixbuf *theme = NULL;
++
++cairo_surface_t *surface = NULL;
+ 
+ /* Destroy the main window. */
+ gint destroy_gui( GtkWidget *widget, gpointer data ) {
+@@ -76,17 +76,16 @@
+     }
+ }
+ 
+-static void draw_digits( GtkWidget *widget, const gchar *digits, int highLow )
++static void draw_digits( GtkWidget *widget, cairo_t *cr, const gchar *digits, int highLow )
+ {
+     const gchar *digit = digits;
+     int pos = 0, x = 0, y = 0, w = 0;
+ 
+     while ( *digit ) {
+         get_pm_location( *digit, &x, &y, &w );
+-        gdk_draw_drawable( widget->window,
+-                           widget->style->fg_gc[ GTK_WIDGET_STATE
+-                           (widget) ], theme, x, y + highLow,
+-                           pos, 0, w, 30 );
++        cairo_set_source_surface (cr, surface, pos-x, 0-(y + highLow));
++		cairo_rectangle(cr, pos, 0, w, 30);
++		cairo_fill(cr);
+         pos += w;
+         digit++;
+     }
+@@ -102,6 +101,8 @@
+ 
+     gchar result[7];
+ 
++    cairo_t *cr = gdk_cairo_create(widget->window);
++
+ #ifdef DEBUG_XSENSORS
+     printf( "area.width = %d, area.height = %d\n", event->area.width,
+             event->area.height );
+@@ -117,13 +118,11 @@
+ 
+             /* Display the digits */
+             if ( g_snprintf( result, 6, "%5.0f", current->curvalue ) >= 0 )
+-               draw_digits( widget, result, highLow );
++               draw_digits( widget, cr, result, highLow );
+ 
+             /* Display RPM */
+-            gdk_draw_drawable( widget->window, 
+-                               widget->style->fg_gc[ GTK_WIDGET_STATE 
+-                               (widget) ], theme, 0, 120 + highLow, 
+-                               90, 0, 57, 30 );
++            cairo_set_source_surface (cr, surface, 90-0, 0-(120 + highLow));
++     	    cairo_rectangle(cr, 90, 0, 57, 30);
+             break;
+         case TEMP:
+             if ( current->curvalue > current->curmax )
+@@ -134,17 +133,15 @@
+ 
+             /* Display the digits */
+             if ( g_snprintf( result, 7, "%6.1f", current->curvalue ) >= 0 )
+-               draw_digits( widget, result, highLow );
++               draw_digits( widget, cr, result, highLow );
+ 
+             /* Display degree symbol */
+             if ( tf == FALSE )
+                 x = 0;
+             else
+                 x = 57;
+-            gdk_draw_drawable( widget->window, 
+-                             widget->style->fg_gc[ GTK_WIDGET_STATE 
+-                             (widget) ], theme, x, 60 + highLow, 
+-                             96, 0, 57, 30 );
++            cairo_set_source_surface (cr, surface, 96-x, 0-(60 + highLow));
++     	    cairo_rectangle(cr, 96, 0, 57, 30);
+             
+             break;
+         case VOLT:
+@@ -154,20 +151,17 @@
+             
+             /* Display the digits */
+             if ( g_snprintf( result, 7, "%6.2f", current->curvalue ) >= 0 )
+-               draw_digits( widget, result, highLow );
++               draw_digits( widget, cr, result, highLow );
+ 
+             /* Display V */
+-            gdk_draw_drawable( widget->window, 
+-                             widget->style->fg_gc[ GTK_WIDGET_STATE 
+-                             (widget) ], theme, 114, 60 + highLow, 
+-                             96, 0, 57, 30 );
+-
+-
++            cairo_set_source_surface (cr, surface, 96-114, 0-(60 + highLow));
++     	    cairo_rectangle(cr, 96, 0, 57, 30);
+             break;
+         default:
+             break;
+     }
+-            
++    cairo_fill(cr);
++    cairo_destroy(cr);
+     return TRUE;
+ }
+ 
+@@ -260,7 +254,7 @@
+ 
+     /* Setup timer for updates. */
+     g_timeout_add( update_time * 1000,
+-                             (GtkFunction) update_sensor_data, 
++                             (GSourceFunc) update_sensor_data,
+ 			     (gpointer) data );
+ 
+     return SUCCESS;
+@@ -460,8 +454,6 @@
+     g_signal_connect( G_OBJECT (mainwindow), "delete_event",
+                       G_CALLBACK (destroy_gui), NULL );
+ 
+-    /* Graphics needed for drawing info. */
+-    cmap = gtk_widget_get_colormap( mainwindow );
+ 
+     /* Set up the image file used for displaying characters. */
+     if ( imagefile == NULL ) {
+@@ -481,12 +473,10 @@
+                        "Image file not found in either location!  Exiting!\n" );
+                 exit( 1 );
+             } else {
+-                theme = gdk_pixmap_colormap_create_from_xpm( NULL, cmap,
+-                        NULL, NULL, "./images/default.xpm" );
++                theme = gdk_pixbuf_new_from_file("./images/default.xpm", NULL );
+             }
+         } else {
+-            theme = gdk_pixmap_colormap_create_from_xpm( NULL, cmap,
+-                    NULL, NULL, imagefile );
++            theme = gdk_pixbuf_new_from_file(imagefile, NULL );
+         }
+     } else {
+         if ( stat( imagefile, &sbuf ) != 0 ) {
+@@ -495,11 +485,15 @@
+                     "Image file not found in specified location!  Exiting!\n" );
+             exit( 1 );
+         } else {
+-            theme = gdk_pixmap_colormap_create_from_xpm( NULL, cmap,
+-                    NULL, NULL, imagefile );
++            theme = gdk_pixbuf_new_from_file(imagefile, NULL );
+         }
+     }
+-    
++    surface = cairo_image_surface_create_for_data(gdk_pixbuf_get_pixels(theme),
++                                        CAIRO_FORMAT_RGB24,
++										gdk_pixbuf_get_width(theme),
++										gdk_pixbuf_get_height(theme),
++										gdk_pixbuf_get_rowstride(theme));
++
+     /* Create notebook for sensors. */
+     notebook = gtk_notebook_new( );
+     gtk_widget_modify_bg( notebook, GTK_STATE_NORMAL, &colorWhite );
diff --git a/nixpkgs/pkgs/os-specific/linux/xsos/default.nix b/nixpkgs/pkgs/os-specific/linux/xsos/default.nix
new file mode 100644
index 000000000000..56516aee8b7b
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/xsos/default.nix
@@ -0,0 +1,52 @@
+{ stdenv
+, lib
+, fetchFromGitHub
+, makeWrapper
+, installShellFiles
+, dmidecode
+, ethtool
+, pciutils
+, multipath-tools
+, iproute2
+, sysvinit
+}:
+let
+  binPath = [
+    iproute2
+    dmidecode
+    ethtool
+    pciutils
+    multipath-tools
+    iproute2
+    sysvinit
+  ];
+in
+
+stdenv.mkDerivation rec {
+  pname = "xsos";
+  version = "0.7.19";
+
+  src = fetchFromGitHub {
+    owner = "ryran";
+    repo = "xsos";
+    rev = "v${version}";
+    sha256 = "11cc8z3pz4gl0mwl2fc701mn4cgx50fybygx0rvs9bhvb0jnphay";
+  };
+
+  nativeBuildInputs = [ makeWrapper installShellFiles ];
+
+  installPhase = ''
+    mkdir -p $out/bin
+    cp -a xsos $out/bin
+    wrapProgram "$out/bin/xsos" --prefix PATH : ${lib.makeBinPath binPath}
+    installShellCompletion --bash --name xsos.bash xsos-bash-completion.bash
+  '';
+
+  meta = with lib; {
+    description = "Summarize system info from sosreports";
+    homepage = "https://github.com/ryran/xsos";
+    license = licenses.gpl3;
+    platforms = [ "i686-linux" "x86_64-linux" ];
+    maintainers = [ maintainers.nixinator ];
+  };
+}
diff --git a/nixpkgs/pkgs/os-specific/linux/zenmonitor/default.nix b/nixpkgs/pkgs/os-specific/linux/zenmonitor/default.nix
new file mode 100644
index 000000000000..8414ac7a1e14
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/zenmonitor/default.nix
@@ -0,0 +1,26 @@
+{ lib, stdenv, fetchFromGitHub, pkg-config, gtk3, wrapGAppsHook }:
+
+stdenv.mkDerivation rec {
+  pname = "zenmonitor";
+  version = "2.0.0";
+
+  src = fetchFromGitHub {
+    owner = "Ta180m";
+    repo = "zenmonitor3";
+    rev = "v${version}";
+    sha256 = "sha256-2EsuSMXnnMg0e0JD1TXJplsi7sOg9em0qqge2WlC6ro=";
+  };
+
+  buildInputs = [ gtk3 ];
+  nativeBuildInputs = [ pkg-config wrapGAppsHook ];
+
+  makeFlags = [ "PREFIX=${placeholder "out"}" ];
+
+  meta = with lib; {
+    description = "Monitoring software for AMD Zen-based CPUs";
+    homepage = "https://github.com/Ta180m/zenmonitor3";
+    license = licenses.mit;
+    platforms = [ "i686-linux" "x86_64-linux" ];
+    maintainers = with maintainers; [ alexbakker artturin ];
+  };
+}
diff --git a/nixpkgs/pkgs/os-specific/linux/zenpower/default.nix b/nixpkgs/pkgs/os-specific/linux/zenpower/default.nix
new file mode 100644
index 000000000000..bf1240610f8c
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/zenpower/default.nix
@@ -0,0 +1,33 @@
+{ lib, stdenv, kernel, fetchFromGitea }:
+
+stdenv.mkDerivation rec {
+  pname = "zenpower";
+  version = "unstable-2022-11-04";
+
+  src = fetchFromGitea {
+    domain = "git.exozy.me";
+    owner = "a";
+    repo = "zenpower3";
+    rev = "c176fdb0d5bcba6ba2aba99ea36812e40f47751f";
+    sha256 = "sha256-d2WH8Zv7F0phZmEKcDiaak9On+Mo9bAFhMulT/N5FWI=";
+  };
+
+  hardeningDisable = [ "pic" ];
+
+  nativeBuildInputs = kernel.moduleBuildDependencies;
+
+  makeFlags = [ "KERNEL_BUILD=${kernel.dev}/lib/modules/${kernel.modDirVersion}/build" ];
+
+  installPhase = ''
+    install -D zenpower.ko -t "$out/lib/modules/${kernel.modDirVersion}/kernel/drivers/hwmon/zenpower/"
+  '';
+
+  meta = with lib; {
+    inherit (src.meta) homepage;
+    description = "Linux kernel driver for reading temperature, voltage(SVI2), current(SVI2) and power(SVI2) for AMD Zen family CPUs.";
+    license = licenses.gpl2Plus;
+    maintainers = with maintainers; [ alexbakker artturin ];
+    platforms = [ "x86_64-linux" ];
+    broken = versionOlder kernel.version "4.14";
+  };
+}
diff --git a/nixpkgs/pkgs/os-specific/linux/zenstates/default.nix b/nixpkgs/pkgs/os-specific/linux/zenstates/default.nix
new file mode 100644
index 000000000000..8e31073151ba
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/zenstates/default.nix
@@ -0,0 +1,52 @@
+# Zenstates provides access to a variety of CPU tunables no Ryzen processors.
+#
+# In particular, I am adding Zenstates because I need it to disable the C6
+# sleep state to stabilize wake from sleep on my Lenovo x395 system. After
+# installing Zenstates, I need a before-sleep script like so:
+#
+# before-sleep = pkgs.writeScript "before-sleep" ''
+#   #!${pkgs.bash}/bin/bash
+#   ${pkgs.zenstates}/bin/zenstates --c6-disable
+# '';
+#
+# ...
+#
+# systemd.services.before-sleep = {
+#     description = "Jobs to run before going to sleep";
+#     serviceConfig = {
+#       Type = "oneshot";
+#       ExecStart = "${before-sleep}";
+#     };
+#     wantedBy = [ "sleep.target" ];
+#     before = [ "sleep.target" ];
+#   };
+
+{ lib, stdenv, fetchFromGitHub, python3 }:
+stdenv.mkDerivation rec {
+  pname = "zenstates";
+  version = "0.0.1";
+
+  src = fetchFromGitHub {
+    owner = "r4m0n";
+    repo = "ZenStates-Linux";
+    rev = "0bc27f4740e382f2a2896dc1dabfec1d0ac96818";
+    sha256 = "1h1h2n50d2cwcyw3zp4lamfvrdjy1gjghffvl3qrp6arfsfa615y";
+  };
+
+  buildInputs = [ python3 ];
+
+  installPhase = ''
+    mkdir -p $out/bin
+    cp $src/zenstates.py $out/bin/zenstates
+    chmod +x $out/bin/zenstates
+    patchShebangs --build $out/bin/zenstates
+    '';
+
+  meta = with lib; {
+    description = "Linux utility for Ryzen processors and motherboards";
+    homepage = "https://github.com/r4m0n/ZenStates-Linux";
+    license = licenses.mit;
+    maintainers = with maintainers; [ savannidgerinel ];
+    platforms = platforms.linux;
+  };
+}
diff --git a/nixpkgs/pkgs/os-specific/linux/zfs/generic.nix b/nixpkgs/pkgs/os-specific/linux/zfs/generic.nix
new file mode 100644
index 000000000000..8adbb8cab8f9
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/zfs/generic.nix
@@ -0,0 +1,222 @@
+{ pkgs, lib, stdenv, fetchFromGitHub, fetchpatch
+, autoreconfHook269, util-linux, nukeReferences, coreutils
+, perl, nixosTests
+, configFile ? "all"
+
+# Userspace dependencies
+, zlib, libuuid, python3, attr, openssl
+, libtirpc
+, nfs-utils, samba
+, gawk, gnugrep, gnused, systemd
+, smartmontools, enableMail ? false
+, sysstat, pkg-config
+, curl
+, pam
+
+# Kernel dependencies
+, kernel ? null
+, enablePython ? true
+, ...
+}:
+
+{ version
+, sha256
+, extraPatches ? []
+, rev ? "zfs-${version}"
+, isUnstable ? false
+, latestCompatibleLinuxPackages
+, kernelCompatible ? null
+}:
+
+let
+  inherit (lib) any optionalString optionals optional makeBinPath;
+
+  smartmon = smartmontools.override { inherit enableMail; };
+
+  buildKernel = any (n: n == configFile) [ "kernel" "all" ];
+  buildUser = any (n: n == configFile) [ "user" "all" ];
+
+  # XXX: You always want to build kernel modules with the same stdenv as the
+  # kernel was built with. However, since zfs can also be built for userspace we
+  # need to correctly pick between the provided/default stdenv, and the one used
+  # by the kernel.
+  # If you don't do this your ZFS builds will fail on any non-standard (e.g.
+  # clang-built) kernels.
+  stdenv' = if kernel == null then stdenv else kernel.stdenv;
+in
+
+stdenv'.mkDerivation {
+  name = "zfs-${configFile}-${version}${optionalString buildKernel "-${kernel.version}"}";
+
+  src = fetchFromGitHub {
+    owner = "openzfs";
+    repo = "zfs";
+    inherit rev sha256;
+  };
+
+  patches = extraPatches;
+
+  postPatch = optionalString buildKernel ''
+    patchShebangs scripts
+    # The arrays must remain the same length, so we repeat a flag that is
+    # already part of the command and therefore has no effect.
+    substituteInPlace ./module/os/linux/zfs/zfs_ctldir.c \
+      --replace '"/usr/bin/env", "umount"' '"${util-linux}/bin/umount", "-n"' \
+      --replace '"/usr/bin/env", "mount"'  '"${util-linux}/bin/mount", "-n"'
+  '' + optionalString buildUser ''
+    substituteInPlace ./lib/libshare/os/linux/nfs.c --replace "/usr/sbin/exportfs" "${
+      # We don't *need* python support, but we set it like this to minimize closure size:
+      # If it's disabled by default, no need to enable it, even if we have python enabled
+      # And if it's enabled by default, only change that if we explicitly disable python to remove python from the closure
+      nfs-utils.override (old: { enablePython = old.enablePython or true && enablePython; })
+    }/bin/exportfs"
+    substituteInPlace ./lib/libshare/smb.h        --replace "/usr/bin/net"            "${samba}/bin/net"
+    # Disable dynamic loading of libcurl
+    substituteInPlace ./config/user-libfetch.m4   --replace "curl-config --built-shared" "true"
+    substituteInPlace ./config/user-systemd.m4    --replace "/usr/lib/modules-load.d" "$out/etc/modules-load.d"
+    substituteInPlace ./config/zfs-build.m4       --replace "\$sysconfdir/init.d"     "$out/etc/init.d" \
+                                                  --replace "/etc/default"            "$out/etc/default"
+    substituteInPlace ./contrib/initramfs/Makefile.am \
+      --replace "/usr/share/initramfs-tools" "$out/usr/share/initramfs-tools"
+    substituteInPlace ./udev/vdev_id \
+      --replace "PATH=/bin:/sbin:/usr/bin:/usr/sbin" \
+       "PATH=${makeBinPath [ coreutils gawk gnused gnugrep systemd ]}"
+    substituteInPlace ./config/zfs-build.m4 \
+      --replace "bashcompletiondir=/etc/bash_completion.d" \
+        "bashcompletiondir=$out/share/bash-completion/completions"
+  '';
+
+  nativeBuildInputs = [ autoreconfHook269 nukeReferences ]
+    ++ optionals buildKernel (kernel.moduleBuildDependencies ++ [ perl ])
+    ++ optional buildUser pkg-config;
+  buildInputs = optionals buildUser [ zlib libuuid attr libtirpc pam ]
+    ++ optional buildUser openssl
+    ++ optional buildUser curl
+    ++ optional (buildUser && enablePython) python3;
+
+  # for zdb to get the rpath to libgcc_s, needed for pthread_cancel to work
+  NIX_CFLAGS_LINK = "-lgcc_s";
+
+  hardeningDisable = [ "fortify" "stackprotector" "pic" ];
+
+  configureFlags = [
+    "--with-config=${configFile}"
+    "--with-tirpc=1"
+    (lib.withFeatureAs (buildUser && enablePython) "python" python3.interpreter)
+  ] ++ optionals buildUser [
+    "--with-dracutdir=$(out)/lib/dracut"
+    "--with-udevdir=$(out)/lib/udev"
+    "--with-systemdunitdir=$(out)/etc/systemd/system"
+    "--with-systemdpresetdir=$(out)/etc/systemd/system-preset"
+    "--with-systemdgeneratordir=$(out)/lib/systemd/system-generator"
+    "--with-mounthelperdir=$(out)/bin"
+    "--libexecdir=$(out)/libexec"
+    "--sysconfdir=/etc"
+    "--localstatedir=/var"
+    "--enable-systemd"
+    "--enable-pam"
+  ] ++ optionals buildKernel ([
+    "--with-linux=${kernel.dev}/lib/modules/${kernel.modDirVersion}/source"
+    "--with-linux-obj=${kernel.dev}/lib/modules/${kernel.modDirVersion}/build"
+  ] ++ kernel.makeFlags);
+
+  makeFlags = optionals buildKernel kernel.makeFlags;
+
+  enableParallelBuilding = true;
+
+  installFlags = [
+    "sysconfdir=\${out}/etc"
+    "DEFAULT_INITCONF_DIR=\${out}/default"
+    "INSTALL_MOD_PATH=\${out}"
+  ];
+
+  preConfigure = ''
+    # The kernel module builds some tests during the configurePhase, this envvar controls their parallelism
+    export TEST_JOBS=$NIX_BUILD_CORES
+    if [ -z "$enableParallelBuilding" ]; then
+      export TEST_JOBS=1
+    fi
+  '';
+
+  # Enabling BTF causes zfs to be build with debug symbols.
+  # Since zfs compress kernel modules on installation, our strip hooks skip stripping them.
+  # Hence we strip modules prior to compression.
+  postBuild = optionalString buildKernel ''
+     find . -name "*.ko" -print0 | xargs -0 -P$NIX_BUILD_CORES ${stdenv.cc.targetPrefix}strip --strip-debug
+  '';
+
+  postInstall = optionalString buildKernel ''
+    # Add reference that cannot be detected due to compressed kernel module
+    mkdir -p "$out/nix-support"
+    echo "${util-linux}" >> "$out/nix-support/extra-refs"
+  '' + optionalString buildUser ''
+    # Remove provided services as they are buggy
+    rm $out/etc/systemd/system/zfs-import-*.service
+
+    for i in $out/etc/systemd/system/*; do
+       if [ -L $i ]; then
+         continue
+       fi
+       sed -i '/zfs-import-scan.service/d' $i
+       substituteInPlace $i --replace "zfs-import-cache.service" "zfs-import.target"
+    done
+
+    # Remove tests because they add a runtime dependency on gcc
+    rm -rf $out/share/zfs/zfs-tests
+
+    # Add Bash completions.
+    install -v -m444 -D -t $out/share/bash-completion/completions contrib/bash_completion.d/zfs
+    (cd $out/share/bash-completion/completions; ln -s zfs zpool)
+  '';
+
+  postFixup = let
+    path = "PATH=${makeBinPath [ coreutils gawk gnused gnugrep util-linux smartmon sysstat ]}:$PATH";
+  in ''
+    for i in $out/libexec/zfs/zpool.d/*; do
+      sed -i '2i${path}' $i
+    done
+  '';
+
+  outputs = [ "out" ] ++ optionals buildUser [ "dev" ];
+
+  passthru = {
+    inherit enableMail latestCompatibleLinuxPackages;
+
+    tests =
+      if isUnstable then [
+        nixosTests.zfs.unstable
+      ] else [
+        nixosTests.zfs.installer
+        nixosTests.zfs.stable
+      ];
+  };
+
+  meta = {
+    description = "ZFS Filesystem Linux Kernel module";
+    longDescription = ''
+      ZFS is a filesystem that combines a logical volume manager with a
+      Copy-On-Write filesystem with data integrity detection and repair,
+      snapshotting, cloning, block devices, deduplication, and more.
+    '';
+    homepage = "https://github.com/openzfs/zfs";
+    changelog = "https://github.com/openzfs/zfs/releases/tag/zfs-${version}";
+    license = lib.licenses.cddl;
+
+    # The case-block for TARGET_CPU has branches for only some CPU families,
+    # which prevents ZFS from building on any other platform.  Since the NixOS
+    # `boot.zfs.enabled` property is `readOnly`, excluding platforms where ZFS
+    # does not build is the only way to produce a NixOS installer on such
+    # platforms.
+    # https://github.com/openzfs/zfs/blob/6723d1110f6daf93be93db74d5ea9f6b64c9bce5/config/always-arch.m4#L12
+    platforms =
+      with lib.systems.inspect.patterns;
+      map (p: p // isLinux) ([ isx86_32 isx86_64 isPower isAarch64 isSparc ] ++ isArmv7);
+
+    maintainers = with lib.maintainers; [ jcumming jonringer globin raitobezarius ];
+    mainProgram = "zfs";
+    # If your Linux kernel version is not yet supported by zfs, try zfsUnstable.
+    # On NixOS set the option boot.zfs.enableUnstable.
+    broken = buildKernel && (kernelCompatible != null) && !kernelCompatible;
+  };
+}
+
diff --git a/nixpkgs/pkgs/os-specific/linux/zfs/stable.nix b/nixpkgs/pkgs/os-specific/linux/zfs/stable.nix
new file mode 100644
index 000000000000..3e53ba902cbd
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/zfs/stable.nix
@@ -0,0 +1,28 @@
+{ callPackage
+, kernel ? null
+, stdenv
+, linuxKernel
+, removeLinuxDRM ? false
+, fetchpatch
+, ...
+} @ args:
+
+let
+  stdenv' = if kernel == null then stdenv else kernel.stdenv;
+in
+callPackage ./generic.nix args {
+  # check the release notes for compatible kernels
+  kernelCompatible =
+    if stdenv'.isx86_64 || removeLinuxDRM
+    then kernel.kernelOlder "6.6"
+    else kernel.kernelOlder "6.2";
+
+  latestCompatibleLinuxPackages = if stdenv'.isx86_64 || removeLinuxDRM
+    then linuxKernel.packages.linux_6_5
+    else linuxKernel.packages.linux_6_1;
+
+  # this package should point to the latest release.
+  version = "2.2.0";
+
+  sha256 = "sha256-s1sdXSrLu6uSOmjprbUa4cFsE2Vj7JX5i75e4vRnlvg=";
+}
diff --git a/nixpkgs/pkgs/os-specific/linux/zfs/unstable.nix b/nixpkgs/pkgs/os-specific/linux/zfs/unstable.nix
new file mode 100644
index 000000000000..9c7e14c31bf3
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/zfs/unstable.nix
@@ -0,0 +1,32 @@
+{ callPackage
+, kernel ? null
+, stdenv
+, linuxKernel
+, removeLinuxDRM ? false
+, ...
+} @ args:
+
+let
+  stdenv' = if kernel == null then stdenv else kernel.stdenv;
+in
+callPackage ./generic.nix args {
+  # check the release notes for compatible kernels
+  kernelCompatible = if stdenv'.isx86_64 || removeLinuxDRM
+    then kernel.kernelOlder "6.6"
+    else kernel.kernelOlder "6.2";
+
+  latestCompatibleLinuxPackages = if stdenv'.isx86_64 || removeLinuxDRM
+    then linuxKernel.packages.linux_6_5
+    else linuxKernel.packages.linux_6_1;
+
+  # this package should point to a version / git revision compatible with the latest kernel release
+  # IMPORTANT: Always use a tagged release candidate or commits from the
+  # zfs-<version>-staging branch, because this is tested by the OpenZFS
+  # maintainers.
+  version = "2.2.1-unstable-2023-10-21";
+  rev = "95785196f26e92d82cf4445654ba84e4a9671c57";
+
+  sha256 = "sha256-s1sdXSrLu6uSOmjprbUa4cFsE2Vj7JX5i75e4vRnlvg=";
+
+  isUnstable = true;
+}
diff --git a/nixpkgs/pkgs/os-specific/linux/zsa-udev-rules/default.nix b/nixpkgs/pkgs/os-specific/linux/zsa-udev-rules/default.nix
new file mode 100644
index 000000000000..c015da7456a0
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/zsa-udev-rules/default.nix
@@ -0,0 +1,32 @@
+{ lib, stdenv, fetchFromGitHub }:
+
+stdenv.mkDerivation rec {
+  pname = "zsa-udev-rules";
+  version = "unstable-2022-10-26";
+
+  src = fetchFromGitHub {
+    owner = "zsa";
+    repo = "wally";
+    rev = "623a50d0e0b90486e42ad8ad42b0a7313f7a37b3";
+    hash = "sha256-meR2V7T4hrJFXFPLENHoAgmOILxxynDBk0BLqzsAZvQ=";
+  };
+
+  # Only copies udevs rules
+  dontConfigure = true;
+  dontBuild = true;
+  dontFixup = true;
+
+  installPhase = ''
+    mkdir -p $out/lib/udev/rules.d
+    cp dist/linux64/50-oryx.rules $out/lib/udev/rules.d/
+    cp dist/linux64/50-wally.rules $out/lib/udev/rules.d/
+  '';
+
+  meta = with lib; {
+    description = "udev rules for ZSA devices";
+    license = licenses.mit;
+    maintainers = with maintainers; [ davidak ];
+    platforms = platforms.linux;
+    homepage = "https://github.com/zsa/wally/wiki/Linux-install#2-create-a-udev-rule-file";
+  };
+}
diff --git a/nixpkgs/pkgs/os-specific/solo5/default.nix b/nixpkgs/pkgs/os-specific/solo5/default.nix
new file mode 100644
index 000000000000..f235902a91cd
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/solo5/default.nix
@@ -0,0 +1,78 @@
+{ lib, stdenv, fetchurl, dosfstools, libseccomp, makeWrapper, mtools, parted
+, pkg-config, qemu, syslinux, util-linux }:
+
+let
+  version = "0.8.0";
+  # list of all theoretically available targets
+  targets = [
+    "genode"
+    "hvt"
+    "muen"
+    "spt"
+    "virtio"
+    "xen"
+  ];
+in stdenv.mkDerivation {
+  pname = "solo5";
+  inherit version;
+
+  nativeBuildInputs = [ makeWrapper pkg-config ];
+  buildInputs = lib.optional (stdenv.hostPlatform.isLinux) libseccomp;
+
+  src = fetchurl {
+    url = "https://github.com/Solo5/solo5/releases/download/v${version}/solo5-v${version}.tar.gz";
+    sha256 = "sha256-t80VOZ8Tr1Dq+mJfRPVLGqYprCaqegcQtDqdoHaSXW0=";
+  };
+
+  hardeningEnable = [ "pie" ];
+
+  configurePhase = ''
+    runHook preConfigure
+    sh configure.sh --prefix=/
+    runHook postConfigure
+  '';
+
+  enableParallelBuilding = true;
+
+  separateDebugInfo = true;
+    # debugging requires information for both the unikernel and the tender
+
+  installPhase = ''
+    runHook preInstall
+    export DESTDIR=$out
+    export PREFIX=$out
+    make install
+
+    substituteInPlace $out/bin/solo5-virtio-mkimage \
+      --replace "/usr/lib/syslinux" "${syslinux}/share/syslinux" \
+      --replace "/usr/share/syslinux" "${syslinux}/share/syslinux" \
+      --replace "cp " "cp --no-preserve=mode "
+
+    wrapProgram $out/bin/solo5-virtio-mkimage \
+      --prefix PATH : ${lib.makeBinPath [ dosfstools mtools parted syslinux ]}
+
+    runHook postInstall
+  '';
+
+  doCheck = stdenv.hostPlatform.isLinux;
+  nativeCheckInputs = [ util-linux qemu ];
+  checkPhase = ''
+    runHook preCheck
+    patchShebangs tests
+    ./tests/bats-core/bats ./tests/tests.bats
+    runHook postCheck
+  '';
+
+  meta = with lib; {
+    description = "Sandboxed execution environment";
+    homepage = "https://github.com/solo5/solo5";
+    license = licenses.isc;
+    maintainers = [ maintainers.ehmry ];
+    platforms = builtins.map ({arch, os}: "${arch}-${os}")
+      (cartesianProductOfSets {
+        arch = [ "aarch64" "x86_64" ];
+        os = [ "freebsd" "genode" "linux" "openbsd" ];
+      });
+  };
+
+}
diff --git a/nixpkgs/pkgs/os-specific/windows/cygwin-setup/default.nix b/nixpkgs/pkgs/os-specific/windows/cygwin-setup/default.nix
new file mode 100644
index 000000000000..91dad81f1f52
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/windows/cygwin-setup/default.nix
@@ -0,0 +1,46 @@
+{ lib, stdenv, fetchcvs, autoconf, automake, libtool, flex, bison, pkg-config
+, zlib, bzip2, xz, libgcrypt
+}:
+
+with lib;
+
+stdenv.mkDerivation rec {
+  pname = "cygwin-setup";
+  version = "20131101";
+
+  src = fetchcvs {
+    cvsRoot = ":pserver:anoncvs@cygwin.com:/cvs/cygwin-apps";
+    module = "setup";
+    date = version;
+    sha256 = "024wxaaxkf7p1i78bh5xrsqmfz7ss2amigbfl2r5w9h87zqn9aq3";
+  };
+
+  nativeBuildInputs = [ autoconf automake libtool flex bison pkg-config ];
+
+  buildInputs = let
+    mkStatic = flip overrideDerivation (o: {
+      dontDisableStatic = true;
+      configureFlags = toList (o.configureFlags or []) ++ [ "--enable-static" ];
+      buildInputs = map mkStatic (o.buildInputs or []);
+      propagatedBuildInputs = map mkStatic (o.propagatedBuildInputs or []);
+    });
+  in map mkStatic [ zlib bzip2 xz libgcrypt ];
+
+  configureFlags = [ "--disable-shared" ];
+
+  dontDisableStatic = true;
+
+  preConfigure = ''
+    autoreconf -vfi
+  '';
+
+  installPhase = ''
+    install -vD setup.exe "$out/bin/setup.exe"
+  '';
+
+  meta = {
+    homepage = "https://sourceware.org/cygwin-apps/setup.html";
+    description = "A tool for installing Cygwin";
+    license = licenses.gpl2Plus;
+  };
+}
diff --git a/nixpkgs/pkgs/os-specific/windows/default.nix b/nixpkgs/pkgs/os-specific/windows/default.nix
new file mode 100644
index 000000000000..95df515c6bfd
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/windows/default.nix
@@ -0,0 +1,51 @@
+{ lib, stdenv, buildPackages
+, newScope, overrideCC, crossLibcStdenv, libcCross
+}:
+
+lib.makeScope newScope (self: with self; {
+
+  cygwinSetup = callPackage ./cygwin-setup { };
+
+  dlfcn = callPackage ./dlfcn { };
+
+  w32api = callPackage ./w32api { };
+
+  mingwrt = callPackage ./mingwrt { };
+  mingw_runtime = mingwrt;
+
+  mingw_w64 = callPackage ./mingw-w64 {
+    stdenv = crossLibcStdenv;
+  };
+
+  crossThreadsStdenv = overrideCC crossLibcStdenv
+    (if stdenv.hostPlatform.useLLVM or false
+     then buildPackages.llvmPackages_8.clangNoLibcxx
+     else buildPackages.gccWithoutTargetLibc.override (old: {
+       bintools = old.bintools.override {
+         libc = libcCross;
+       };
+       libc = libcCross;
+     }));
+
+  mingw_w64_headers = callPackage ./mingw-w64/headers.nix { };
+
+  mingw_w64_pthreads = callPackage ./mingw-w64/pthreads.nix {
+    stdenv = crossThreadsStdenv;
+  };
+
+  mcfgthreads_pre_gcc_13 = callPackage ./mcfgthreads/pre_gcc_13.nix {
+    stdenv = crossThreadsStdenv;
+  };
+
+  mcfgthreads = callPackage ./mcfgthreads {
+    stdenv = crossThreadsStdenv;
+  };
+
+  npiperelay = callPackage ./npiperelay { };
+
+  pthreads = callPackage ./pthread-w32 { };
+
+  wxMSW = callPackage ./wxMSW-2.8 { };
+
+  libgnurx = callPackage ./libgnurx { };
+})
diff --git a/nixpkgs/pkgs/os-specific/windows/dlfcn/default.nix b/nixpkgs/pkgs/os-specific/windows/dlfcn/default.nix
new file mode 100644
index 000000000000..d1fba98e840a
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/windows/dlfcn/default.nix
@@ -0,0 +1,23 @@
+{ stdenv, lib, fetchFromGitHub, cmake }:
+
+stdenv.mkDerivation rec {
+  pname = "dlfcn";
+  version = "1.3.1";
+
+  src = fetchFromGitHub {
+    owner = "dlfcn-win32";
+    repo = "dlfcn-win32";
+    rev = "v${version}";
+    sha256 = "sha256-ljVTMBiGp8TPufrQcK4zQtcVH1To4zcfBAbUOb+v910=";
+  };
+
+  nativeBuildInputs = [ cmake ];
+
+  meta = with lib; {
+    homepage = "https://github.com/dlfcn-win32/dlfcn-win32";
+    description = "Set of functions that allows runtime dynamic library loading";
+    license = licenses.mit;
+    platforms = platforms.windows;
+    maintainers = with maintainers; [ marius851000 ];
+  };
+}
diff --git a/nixpkgs/pkgs/os-specific/windows/libgnurx/default.nix b/nixpkgs/pkgs/os-specific/windows/libgnurx/default.nix
new file mode 100644
index 000000000000..e760bddabfbf
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/windows/libgnurx/default.nix
@@ -0,0 +1,21 @@
+{ lib, stdenv, fetchurl }:
+
+let
+  version = "2.5.1";
+in stdenv.mkDerivation rec {
+  pname = "libgnurx";
+  inherit version;
+  src = fetchurl {
+    url = "mirror://sourceforge/mingw/Other/UserContributed/regex/mingw-regex-${version}/mingw-${pname}-${version}-src.tar.gz";
+    sha256 = "0xjxcxgws3bblybw5zsp9a4naz2v5bs1k3mk8dw00ggc0vwbfivi";
+  };
+
+  # file looks for libgnurx.a when compiling statically
+  postInstall = lib.optionalString stdenv.hostPlatform.isStatic ''
+    ln -s $out/lib/libgnurx{.dll.a,.a}
+  '';
+
+  meta = {
+    platforms = lib.platforms.windows;
+  };
+}
diff --git a/nixpkgs/pkgs/os-specific/windows/mcfgthreads/default.nix b/nixpkgs/pkgs/os-specific/windows/mcfgthreads/default.nix
new file mode 100644
index 000000000000..e0635efd0a54
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/windows/mcfgthreads/default.nix
@@ -0,0 +1,19 @@
+{ stdenv, fetchFromGitHub, autoreconfHook }:
+
+stdenv.mkDerivation {
+  pname = "mcfgthreads";
+  version = "unstable-2023-06-06";
+
+  src = fetchFromGitHub {
+    owner = "lhmouse";
+    repo = "mcfgthread";
+    rev = "f0a335ce926906d634c787249a89220045bf0f7e";
+    hash = "sha256-PLGIyoLdWgWvkHgRe0vHLIvnCxFpmHtbjS8xRhNM9Xw=";
+  };
+
+  outputs = [ "out" "dev" ];
+
+  nativeBuildInputs = [
+    autoreconfHook
+  ];
+}
diff --git a/nixpkgs/pkgs/os-specific/windows/mcfgthreads/pre_gcc_13.nix b/nixpkgs/pkgs/os-specific/windows/mcfgthreads/pre_gcc_13.nix
new file mode 100644
index 000000000000..6be64814c93a
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/windows/mcfgthreads/pre_gcc_13.nix
@@ -0,0 +1,24 @@
+{ stdenv, fetchFromGitHub, autoreconfHook }:
+
+stdenv.mkDerivation {
+  pname = "mcfgthreads";
+  version = "git"; # unstable-2021-03-12, not in any branch
+
+  src = fetchFromGitHub {
+    owner = "lhmouse";
+    repo = "mcfgthread";
+    rev = "c446cf4fcdc262fc899a188a4bb7136284c34222";
+    sha256 = "1ib90lrd4dz8irq4yvzwhxqa86i5vxl2q2z3z04sf1i8hw427p2f";
+  };
+
+  outputs = [ "out" "dev" ];
+
+  # Don't want prebuilt binaries sneaking in.
+  postUnpack = ''
+    rm -r "$sourceRoot/debug" "$sourceRoot/release"
+  '';
+
+  nativeBuildInputs = [
+    autoreconfHook
+  ];
+}
diff --git a/nixpkgs/pkgs/os-specific/windows/mingw-w64/default.nix b/nixpkgs/pkgs/os-specific/windows/mingw-w64/default.nix
new file mode 100644
index 000000000000..3bfc7a58e727
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/windows/mingw-w64/default.nix
@@ -0,0 +1,52 @@
+{ lib
+, stdenv
+, windows
+, fetchurl
+, fetchpatch
+, autoreconfHook
+}:
+
+let
+  version = "10.0.0";
+in stdenv.mkDerivation {
+  pname = "mingw-w64";
+  inherit version;
+
+  src = fetchurl {
+    url = "mirror://sourceforge/mingw-w64/mingw-w64-v${version}.tar.bz2";
+    hash = "sha256-umtDCu1yxjo3aFMfaj/8Kw/eLFejslFFDc9ImolPCJQ=";
+  };
+
+  patches = [
+    # Upstream patches to fix build parallelism
+    (fetchpatch {
+      name = "crt-suff-make-4.4.patch";
+      url = "https://github.com/mirror/mingw-w64/commit/953bcd32ae470c4647e94de8548dda5a8f07d82d.patch";
+      hash = "sha256-lrS4ZDa/Uwsj5DXajOUv+knZXan0JVU70KHHdIjJ07Y=";
+    })
+    (fetchpatch {
+      name = "dll-dep-make-4.4.patch";
+      url = "https://github.com/mirror/mingw-w64/commit/e1b0c1420bbd52ef505c71737c57393ac1397b0a.patch";
+      hash = "sha256-/56Cmmy0UYTaDKIWG7CgXsThvCHK6lSbekbBOoOJSIQ=";
+    })
+  ];
+
+  outputs = [ "out" "dev" ];
+
+  configureFlags = [
+    "--enable-idl"
+    "--enable-secure-api"
+  ] ++ lib.optionals (stdenv.targetPlatform.libc == "ucrt") [
+    "--with-default-msvcrt=ucrt"
+  ];
+
+  enableParallelBuilding = true;
+
+  nativeBuildInputs = [ autoreconfHook ];
+  buildInputs = [ windows.mingw_w64_headers ];
+  hardeningDisable = [ "stackprotector" "fortify" ];
+
+  meta = {
+    platforms = lib.platforms.windows;
+  };
+}
diff --git a/nixpkgs/pkgs/os-specific/windows/mingw-w64/headers.nix b/nixpkgs/pkgs/os-specific/windows/mingw-w64/headers.nix
new file mode 100644
index 000000000000..1fd27a8c4573
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/windows/mingw-w64/headers.nix
@@ -0,0 +1,11 @@
+{ stdenvNoCC, mingw_w64 }:
+
+stdenvNoCC.mkDerivation {
+  name = "${mingw_w64.name}-headers";
+  inherit (mingw_w64) src meta;
+
+  preConfigure = ''
+    cd mingw-w64-headers
+  '';
+
+}
diff --git a/nixpkgs/pkgs/os-specific/windows/mingw-w64/pthreads.nix b/nixpkgs/pkgs/os-specific/windows/mingw-w64/pthreads.nix
new file mode 100644
index 000000000000..3b143efed1d7
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/windows/mingw-w64/pthreads.nix
@@ -0,0 +1,16 @@
+{ stdenv, mingw_w64 }:
+
+stdenv.mkDerivation {
+  name = "${mingw_w64.name}-pthreads";
+  inherit (mingw_w64) src meta;
+
+  configureFlags = [
+    # Rustc require 'libpthread.a' when targeting 'x86_64-pc-windows-gnu'.
+    # Enabling this makes it work out of the box instead of failing.
+    "--enable-static"
+  ];
+
+  preConfigure = ''
+    cd mingw-w64-libraries/winpthreads
+  '';
+}
diff --git a/nixpkgs/pkgs/os-specific/windows/mingwrt/default.nix b/nixpkgs/pkgs/os-specific/windows/mingwrt/default.nix
new file mode 100644
index 000000000000..5bf6951cd434
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/windows/mingwrt/default.nix
@@ -0,0 +1,18 @@
+{ stdenv, lib, fetchurl }:
+
+stdenv.mkDerivation rec {
+  pname = "mingwrt";
+  version = "5.0.2";
+
+  src = fetchurl {
+    url = "mirror://sourceforge/mingw/MinGW/Base/mingwrt/mingwrt-${version}/mingwrt-${version}-mingw32-src.tar.xz";
+    sha256 = "1vj6f578wcffdmy7zzf7xz1lw57kxjy08j0k1n28f0j4ylrk68vp";
+  };
+
+  meta = {
+    platforms = lib.platforms.windows;
+  };
+
+  dontStrip = true;
+  hardeningDisable = [ "stackprotector" "fortify" ];
+}
diff --git a/nixpkgs/pkgs/os-specific/windows/npiperelay/default.nix b/nixpkgs/pkgs/os-specific/windows/npiperelay/default.nix
new file mode 100644
index 000000000000..d2347edcbaff
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/windows/npiperelay/default.nix
@@ -0,0 +1,23 @@
+{ lib, buildGoModule, fetchFromGitHub }:
+
+buildGoModule rec {
+  pname = "npiperelay";
+  version = "0.1.0";
+
+  src = fetchFromGitHub {
+    owner = "jstarks";
+    repo = "npiperelay";
+    rev = "v${version}";
+    sha256 = "sha256-cg4aZmpTysc8m1euxIO2XPv8OMnBk1DwhFcuIFHF/1o=";
+  };
+
+  vendorHash = null;
+
+  meta = {
+    description = "Access Windows named pipes from WSL";
+    homepage = "https://github.com/jstarks/npiperelay";
+    license = lib.licenses.mit;
+    maintainers = [ lib.maintainers.shlevy ];
+    platforms = lib.platforms.windows;
+  };
+}
diff --git a/nixpkgs/pkgs/os-specific/windows/pthread-w32/default.nix b/nixpkgs/pkgs/os-specific/windows/pthread-w32/default.nix
new file mode 100644
index 000000000000..da0fe569a480
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/windows/pthread-w32/default.nix
@@ -0,0 +1,29 @@
+{ lib, stdenv, fetchzip }:
+
+stdenv.mkDerivation {
+  pname = "pthreads-w32";
+  version = "2.9.1";
+
+  src = fetchzip {
+    url = "https://sourceware.org/pub/pthreads-win32/pthreads-w32-2-9-1-release.tar.gz";
+    sha256 = "1s8iny7g06z289ahdj0kzaxj0cd3wvjbd8j3bh9xlg7g444lhy9w";
+  };
+
+  makeFlags = [ "CROSS=${stdenv.cc.targetPrefix}" "GC-static" ];
+
+  installPhase = ''
+    runHook preInstall
+
+    install -D libpthreadGC2.a $out/lib/libpthread.a
+
+    runHook postInstall
+  '';
+
+  meta = with lib; {
+    description = "POSIX threads library for Windows";
+    homepage = "https://sourceware.org/pthreads-win32";
+    license = licenses.lgpl21Plus;
+    maintainers = with maintainers; [ yana ];
+    platforms = platforms.windows;
+  };
+}
diff --git a/nixpkgs/pkgs/os-specific/windows/w32api/default.nix b/nixpkgs/pkgs/os-specific/windows/w32api/default.nix
new file mode 100644
index 000000000000..99faeeb7a8bf
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/windows/w32api/default.nix
@@ -0,0 +1,17 @@
+{ stdenv, fetchurl, lib }:
+
+stdenv.mkDerivation rec {
+  pname = "w32api";
+  version = "3.17-2";
+
+  src = fetchurl {
+    url = "mirror://sourceforge/mingw/MinGW/Base/w32api/w32api-${lib.versions.majorMinor version}/w32api-${version}-mingw32-src.tar.lzma";
+    sha256 = "09rhnl6zikmdyb960im55jck0rdy5z9nlg3akx68ixn7khf3j8wb";
+  };
+
+  meta = {
+    platforms = lib.platforms.windows;
+  };
+
+  dontStrip = true;
+}
diff --git a/nixpkgs/pkgs/os-specific/windows/wxMSW-2.8/default.nix b/nixpkgs/pkgs/os-specific/windows/wxMSW-2.8/default.nix
new file mode 100644
index 000000000000..091897b69343
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/windows/wxMSW-2.8/default.nix
@@ -0,0 +1,38 @@
+{ lib, stdenv, fetchurl, compat24 ? false, compat26 ? true, unicode ? true }:
+
+stdenv.mkDerivation rec {
+  pname = "wxMSW";
+  version = "2.8.11";
+
+  src = fetchurl {
+    url = "mirror://sourceforge/wxwindows/wxWidgets-${version}.tar.gz";
+    sha256 = "0icxd21g18d42n1ygshkpw0jnflm03iqki6r623pb5hhd7fm2ksj";
+  };
+
+  configureFlags = [
+    (if compat24 then "--enable-compat24" else "--disable-compat24")
+    (if compat26 then "--enable-compat26" else "--disable-compat26")
+    "--disable-precomp-headers"
+    (lib.optionalString unicode "--enable-unicode")
+    "--with-opengl"
+  ];
+
+  preConfigure = "
+    substituteInPlace configure --replace /usr /no-such-path
+  ";
+
+  postBuild = "(cd contrib/src && make)";
+
+  postInstall = "
+    (cd contrib/src && make install)
+    (cd $out/include && ln -s wx-*/* .)
+  ";
+
+  passthru = { inherit compat24 compat26 unicode; };
+
+  meta = {
+    platforms = lib.platforms.windows;
+
+    broken = true;
+  };
+}